Privacy Policy
1. Introduction
With this privacy policy, we inform you about the type, scope, and purpose of the collection and use of personal data by CIMA CARE GmbH, the operator of the Children Immunization App (CIMA). We take data privacy seriously and handle personal information confidentially and in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. Since new technologies and continuous improvements to our application may require updates to this Privacy Policy, we recommend reviewing it regularly. The term "personal data" refers to all information that can be linked to an identifiable individual, such as names, addresses, phone numbers, and health-related information. For definitions of key terms, such as "processing" and "consent," we refer to Article 4 of the GDPR.
2. Name and Address of the Data Controller
The controller within the meaning of the General Data Protection Regulation, other national data protection laws of the member states, and other data protection regulations is:
CIMA CARE GmbH
Hafferlstrasse 7
4020 Linz
Email: support@cima.care
3. General Information on Data Processing
3.1 Scope of Processing Personal Data
We process personal data only to the extent necessary to provide a functional and secure platform for healthcare providers to manage children's vaccination records. The processing of personal data occurs only with the appropriate legal basis, such as user consent, contractual necessity, legal obligations, or legitimate interests, as permitted by applicable data protection laws. In cases where obtaining prior consent is not feasible, data processing may still occur if legally permitted.
3.2 Legal Basis for Processing Personal Data
3.3 Data Deletion and Retention Period
Personal data will be deleted or anonymized as soon as it is no longer necessary for the purposes for which it was collected. However, we may retain data for longer if required by European or national laws, including health regulations and data retention requirements applicable to healthcare records. Data will also be blocked or deleted if a legally prescribed retention period expires unless further storage is necessary for contract conclusion or fulfilment.
4. Information We Collect
We collect and process the following types of information necessary for managing children's vaccination records:
4.1 Data Entered by Healthcare Providers
- Full name
- Date of birth
- Gender
- Medical record number/patient ID (if applicable)
- Vaccination history and schedule
- Allergy information
- Full name
- Relationship to the child
- Contact information (email address, phone number, physical address)
- Health insurance information (if applicable and necessary for billing)
- Full name
- Professional credentials and identification
- Clinic or organization affiliation
- Contact information
- Login credentials
4.2 Data Collected Automatically
- Device type, operating system, and app version
- IP Address
- App Usage Data, including interaction logs and system performance data
If permitted by the user, we may collect approximate or precise location data to:
- Ensure access to the correct regional version of the app
- Enable internal reporting, analysis, and clinic-specific access
- Comply with country-specific healthcare regulations
- Improve service availability and optimize regional healthcare insights
The server log files are stored for a maximum of 7 days and then deleted. Data storage is carried out for security reasons, e.g., to clarify misuse cases. If data needs to be retained for evidence purposes, it is exempt from deletion until the incident is fully resolved.
5. Purpose of Processing Personal Data
We process personal data for the following purposes:
5.1 Core Service Functions
- Track and manage children's vaccination schedules.
- Generate vaccination reminders and health-related notifications for parents/guardians.
- Provide healthcare providers with tools to access and manage vaccination records.
- Generate reports for healthcare providers to support immunization efforts.
- Utilize location data to ensure users access the correct regional version of the app and receive location-specific vaccination guidelines and public health resources.
5.2 Service Improvement
- Analyze app usage patterns to improve functionality and user experience.
- Identify and resolve technical issues to enhance performance.
- Develop new features and optimize system efficiency.
- Use location data to optimize regional service offerings and ensure compliance with country-specific healthcare policies.
5.3 Security and Compliance
- Ensure the security and integrity of the application.
- Maintain records as required by health regulations.
- Generate anonymized or pseudonymized public health statistics.
- Respond to legal requests and comply with regulatory requirements.
6. Data Sharing and Disclosure
We may share your personal data in the following circumstances:
6.1 Healthcare Providers
- Authorized healthcare providers within the clinic or medical practice who use the application to manage vaccination records.
- Electronic health record (EHR) systems or other integrated healthcare platforms, where applicable, subject to future integration.
6.2 Parents/Guardians
- Limited information (such as vaccination reminders and notifications) may be shared with parents/guardians as part of the app’s functionality.
6.3 Third-Party Service Providers
We work with third-party service providers to operate and improve our application. These providers are contractually obligated to protect personal data and only process it as necessary to provide their services, which may include:
- Cloud hosting and data storage providers
- Notification and messaging platforms
- SMS gateways and communication services, such as Twilio and Africa’s Talking
- Analytics providers
- Customer support tools
6.4 Legal and Regulatory Requirements
We may disclose personal data to public health authorities, regulatory agencies, or law enforcement when required by law, including:
- To comply with applicable health regulations.
- To respond to lawful government requests, court orders, or legal processes.
- To protect the rights, safety, or security of users and the public.
6.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. If this happens, we will notify affected users and ensure that their data remains protected under the same or similar privacy terms.
6.6 External Links
Our application may contain links to third-party websites, services, or resources for informational purposes. These external sites are not operated or controlled by us, and we are not responsible for their content, privacy policies, or practices. When you follow an external link, you will be subject to that third party's privacy policies and terms of use. We recommend reviewing their policies before providing any personal information.
7. Handling Contact Data
If you contact us via the provided email or contact forms, we store your details to process and respond to your request. Your data will not be shared with third parties except as required for service fulfillment.
8. Google Maps
Our internal admin web application integrates the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to visualize clinic locations and service areas. This feature is used exclusively for internal administrative purposes. When using Google Maps, Google may process data such as IP addresses and location data, depending on user settings and permissions. This data may be processed in the USA. By using this feature, users acknowledge and agree to Google's Privacy Policy, which can be found at https://www.google.com/policies/privacy/. In Google’s Privacy Center, users can manage and adjust their privacy settings.
9. Health Notifications and General Health Messages
We send general health messages and vaccination reminders to parents/guardians. These communications are strictly limited to vaccination-related topics and serve to:
- Provide information and reminders related to children's vaccinations
- Support informed decision-making regarding immunizations
- Promote timely and appropriate vaccination for overall family health
9.1 Legal Basis for Data Processing
We process data for these notifications based on Article 6(1)(b), Article 6(1)(c), and Article 6(1)(a) GDPR.
9.2 Right to Object and Removal Option
Parents/guardians can opt out of general health messages by following the opt-out instructions in the message. However, essential notifications (such as vaccination schedules and legally required health alerts) cannot be disabled.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Industry-standard security practices
- Access Controls
- Security assessments and regular monitoring
- Incident Response Plan
11. User Rights
As a user of the application, you have the right to request, free of charge, information about the personal data stored about you. You also have the right to have incorrect data corrected, to restrict the processing of your personal data, or to have it deleted. If applicable, you may assert your right to data portability. Should you believe that your data has been processed unlawfully, you may file a complaint with the relevant supervisory authority. For personal data related to children and their parents/guardians, the healthcare provider who entered or manages the data is responsible for responding to requests for access, correction, or deletion. Parents/guardians wishing to exercise their data rights must contact the healthcare provider directly. We provide the necessary tools and support to healthcare providers to fulfill these obligations under applicable data protection laws.
11.1 Deletion of Data
If your request does not conflict with a legal obligation to retain data (e.g., data retention obligations), you have the right to request the deletion of your personal data. Data stored by us will be deleted when it is no longer necessary for the purposes it was collected for, and no statutory retention periods apply. If deletion cannot be carried out because the data is required for permissible legal purposes, we will restrict processing. In such cases, the data will be blocked and not processed for any other purposes.
11.2 Right to Object
You have the right to object to the processing of your personal data at any time. If you exercise this right, we will no longer process your personal data, unless there are compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our application, legal requirements, or data protection practices. The latest version will always be available within the application or on our official website. We encourage users to review this Privacy Policy periodically. If we make significant changes that affect your rights or require additional consent, we will notify healthcare providers through the application or other appropriate channels. By continuing to use the application after any updates, you acknowledge and accept the revised Privacy Policy.
13. Contact Information
If you wish to request a correction, blocking, deletion, or information about the personal data stored about you, or if you have questions regarding the collection, processing, or use of your personal data, or wish to revoke any previously given consent, please contact the following address:
CIMA CARE GmbH
Hafferlstraße 7
4020 Linz
Email: support@cima.care