Privacy Policy

Company

UltraDigital Ltd.
15 Bristol Street, Island Bay
Wellington, New Zealand

Data Protection Officer

External Data Protection Officer
Email: datenschutz@stepcare.app

Responsibilities

UltraDigital Ltd.
New Zealand

Management

Management

Brief Description

Welcome to the StepCare App! The protection of your personal data is our top priority. Before you use the app, we want to inform you transparently and understandably about the processing of your data. Here you will learn what data we collect, how we use it, and what rights you have. With your consent, you enable us to provide the StepCare App safely, efficiently, and in compliance with data protection regulations.

Purpose of Data Processing

The StepCare App processes personal data for the following purposes:

  • Provision and management of user accounts (Art. 6 para. 1 lit. b GDPR).
  • Support of communication and documentation in daily care (Art. 6 para. 1 lit. b GDPR).
  • Optional: Use of AI functions such as translations and text optimizations (Art. 6 para. 1 lit. a GDPR).
  • Improvement of the app and IT security (Art. 6 para. 1 lit. f GDPR).

The processing of your personal data is based on the General Data Protection Regulation (GDPR):

  • Contract fulfillment (Art. 6 para. 1 lit. b GDPR): Provision of the StepCare App and its functions, including communication, documentation, and user management.
  • Consent (Art. 6 para. 1 lit. a GDPR): Use of optional functions, such as AI-supported translations, text optimizations, or uploading profile pictures.
  • Legitimate interest (Art. 6 para. 1 lit. f GDPR): IT security, error resolution, and improvement of app performance.

Data Sources

The personal data we process comes exclusively from the following sources:

Directly from You

Data that you provide yourself during registration and use of the app (e.g., name, email address, profile picture, chat messages).

Automatically through App Usage

Usage data such as IP address, device information, access times, and log data.

Employee Accounts

Additionally, employee accounts can be created by the company. In this case, the user receives an invitation to register and must consent to the processing of personal data before using the app.

We do not collect data from external or public sources. All data provided by you is used exclusively for the purposes described within the app. Optionally, a Single-Sign-on Provider (SSO) such as Google or Microsoft can be used for registration, which may share user data such as name, email address, and profile picture. The decision to use SSO is up to the user.

Legitimate Interests

The processing of personal data based on legitimate interests is carried out to:

  • Ensure IT security and system stability: Protection against unauthorized access, misuse, and attacks on our systems.
  • Continuously improve the app: Analysis of usage data to optimize functions and user-friendliness.
  • Resolve errors and provide technical support: Efficient processing of support requests and technical problem-solving.
  • Ensure compliance with legal and regulatory requirements: Documentation and tracking of data processing.

Our legitimate interests are always balanced against the rights and freedoms of users to ensure that there is no disproportionate impairment.

Standard Deletion Periods

The StepCare App stores personal data only as long as necessary for the respective purposes. After the respective period expires, the data is deleted, anonymized, or pseudonymized. The standard periods are as follows:

User Data (e.g., Name, Email, Profile)

Until account deletion by the user or after 12 months of inactivity.

Communication Data (e.g., Chat Messages, Direct Messages, Tasks)

Storage until manual deletion by the user or at the latest 24 months after creation.

Event Data (e.g., Reports, Documentation)

Storage until completion of the documented event, maximum 12 months after completion.

Log Data (e.g., Log Files, IP Addresses)

Automatic deletion after 12 months.

Backup Data

Backups are created daily and weekly and are completely deleted or overwritten after 30 days. The automatic deletion of backups is currently being implemented.

AI Data

Data processed for AI-supported functions (e.g., translations, transcriptions) is only stored temporarily and deleted immediately after processing.

The exact deletion processes are defined in our deletion concept. Should legal retention periods exist (e.g., for tax or business data), the data will be deleted after these periods expire.

Necessity

The provision of certain personal data is necessary to use the StepCare App and provide the associated services.

Required Information

To create a user account and use the core functions of the app (e.g., communication, documentation), the provision of name, email address, and other basic profile data is required. Without this information, use of the app is not possible.

Optional Information

The provision of additional data, such as a profile picture or the use of AI functions, is voluntary. Not providing this data has no impact on the basic functionality of the app.

For employees, registration is done by the company. However, the final consent to data processing must be given by the respective user.

Consequences of Non-Provision

  • If the provision of required information is refused, the StepCare App cannot be used, as this data is necessary for contract fulfillment and service provision.
  • If optional data is not provided, certain additional functions (e.g., AI-supported translations or transcriptions) will not be available.

The processing is always carried out in compliance with data protection regulations and user rights.

Recipients of Personal Data Outside the Company

In the context of using the StepCare App, personal data is only transmitted to the following external recipients if necessary for providing the app and its functions:

Technical Service Providers

  • Supabase (Location: Germany): Hosting of the database, uploaded files (downloads, images, videos, profile photos), and authentication.
  • Resend (Location: Ireland): Sending of transaction emails.

AI Service Providers

  • OpenAI (Location: USA): The transmitted data is processed anonymously and exclusively for the respective request and is not used for training AI models.

Data processing by AI functions: Data processed for AI functions is not used for training or improving AI models but exclusively for providing the desired function.

Note: The transmission to OpenAI is encrypted and based on Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection.

All external service providers are carefully selected and contractually obligated to use the data only within the scope of order processing and in accordance with applicable data protection regulations. There is no transfer of data for advertising purposes or to third parties not directly involved in providing the app.

Intention to Transfer to a Third Country or International Organization

In the context of using the StepCare App, personal data is transferred to a third country (outside the European Union) to a limited extent. Specifically, this concerns:

Recipients in Third Countries

  • OpenAI (Location: USA): Processing of data for optional AI functions (e.g., translations, transcriptions).
  • Pushy (Location: USA): Sending of optional push notifications for chat and tasks.

The transfer is only based on your explicit consent according to Art. 6 para. 1 lit. a GDPR and Art. 49 para. 1 lit. a GDPR.

Measures to Protect Data

  • To ensure an adequate level of data protection, Standard Contractual Clauses (SCCs) according to Art. 46 GDPR are concluded with OpenAI.
  • OpenAI processes the data exclusively encrypted and does not use it for training purposes of AI models.

Risk Notice

Due to the data transfer to the USA, there is a risk that US authorities may be able to access the data without you being able to take legal action against it.

Option to Deactivate

The use of AI functions is optional. You can deactivate these functions at any time in the app settings to prevent the transfer of your data to OpenAI.

There is no transfer to other third countries or international organizations unless required by law or you have explicitly consented.

EU Commission Adequacy Decision

For the USA, the country to which data is transferred when using the optional AI functions (through OpenAI), there is currently no adequacy decision by the EU Commission according to Art. 45 GDPR. This means that the EU does not recognize the data protection standards in the USA as equivalent to those in the EU.

Measures to Protect Your Data

  • To nevertheless ensure an adequate level of protection, the transfer is based on Standard Contractual Clauses (SCCs) according to Art. 46 GDPR. These contractual clauses obligate the recipient (OpenAI) to comply with strict data protection requirements.
  • All data transmitted to OpenAI is encrypted and only processed temporarily.

Option to Avoid Data Transfer

You can avoid the transfer of your data to the USA by deactivating the optional AI functions in the app settings.

If you have questions about the protection measures or the transfer, you can contact our Data Protection Officer at any time.

Guarantees and Maintenance of Guarantees

UltraDigital ensures that appropriate guarantees for the protection of your data are implemented when transferring personal data to a third country, particularly to OpenAI in the USA.

Guarantees for Data Transfer: Standard Contractual Clauses (SCCs)

  • The data transfer is based on the Standard Contractual Clauses approved by the EU Commission according to Art. 46 para. 2 lit. c GDPR. These obligate the recipient (e.g., OpenAI) to comply with EU data protection standards and implement appropriate technical and organizational measures.
  • Encryption: All transmitted data is encrypted and can only be used for the intended purpose. OpenAI is not authorized to store the data or use it for training purposes.

UltraDigital strives to ensure the highest transparency and to enable you to have insight into the data protection measures at any time.

Your Rights

If you have consented to the processing of personal data by a corresponding declaration, you can withdraw this consent at any time for the future. The legality of the data processing carried out on the basis of the consent until the withdrawal is not affected by this.

Right to Information

You have the right to information about the personal data we process about you. For information requests that are not made in writing, we ask for your understanding that we may then require proof from you that you are the person you claim to be.

Right to Rectification

Furthermore, you have a right to rectification, meaning you can demand that we correct your incorrect personal data without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data — also by means of a supplementary declaration.

Right to Deletion

You have the right to demand that your data be deleted without delay. We are obligated to delete personal data without delay if one of the following reasons applies:

  • The purposes for which the personal data was collected no longer apply.
  • You withdraw your consent to the processing. There is no other legal basis for the processing.
  • You object to the processing. There is no other legal basis for the processing.
  • The personal data was processed unlawfully.
  • The deletion of the personal data is necessary to fulfill a legal obligation under Union law or the law of the member states to which the controller is subject.
  • The personal data was collected in relation to offered services of the information society according to Article 8 paragraph 1.

Right to Restriction of Processing

You have the right to demand the restriction of processing if one of the following conditions is met:

  • The accuracy of the personal data is contested by you.
  • The processing is unlawful; you oppose the deletion.
  • The personal data is no longer needed for the purposes of the processing; you need the data for the assertion, exercise, or defense of legal claims.
  • You have objected to the processing according to Art. 21 para. 1 GDPR.

As long as it is not yet clear whether the legitimate reasons of the controller outweigh yours, the processing will be restricted.

Right to Object to Processing

In particular, you have the right to object to the processing of your data in connection with direct marketing if this is based on a balancing of interests. For this, please contact the controller of the processing.

Right to Data Portability

You have the right to receive the data you have provided in a structured, commonly used, and machine-readable format from the controller. A transfer to another controller must not be hindered by us.

Right to Lodge a Complaint with a Supervisory Authority

The State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern
Werderstr. 74 a
19055 Schwerin
Phone: 0385/59494-0
Email: info@datenschutz-mv.de