Z38.health LogoZ38.health

Privacy Policy

Last updated: 21.05.2025

Privacy Policy for Participation in the Study "Evaluating the Effectiveness and Usability of the Z38.Health App"

The protection of your personal data is important to us. With this Privacy Policy, we inform you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) about how we process your personal data in the context of your participation in the aforementioned study and what rights you have in this regard.

1. Controller for data processing

The controller within the meaning of the GDPR and other national data protection laws as well as other data protection regulations is:

Benedikt Rüschen & Tatiane Pickler

benedikt.rueschen@student.medicalschool-berlin.de, tatiane.pickler@student.medicalschool-berlin.de

In cooperation with: MSB Medical School Berlin University of Applied Sciences

2. Contact details of the Data Protection Officer (if applicable)

You can reach the Data Protection Officer of MSB Medical School Berlin at: datenschutz@medicalschool-berlin.de

3. Purposes and Legal Basis of Data Processing

We process your personal data to conduct the scientific study "Evaluating the Effectiveness and Usability of the Z38.Health App". The aim is to investigate the effectiveness and usability of the app for promoting mental health and well-being.

The processing of your data is based exclusively on your voluntarily given, informed consent pursuant to Art. 6 (1) (a) GDPR and Art. 9 (2) (a) GDPR (for health data that could be collected through the questionnaires) in conjunction with § 27 of the German Federal Data Protection Act (BDSG) for scientific research purposes.

4. Categories of personal data processed

Within the scope of the study, we process the following categories of data:

  • Contact data/Identification data: Telephone number (for registration).
  • Master data: Age, gender (during onboarding).
  • Usage data: Data about your interaction with the Z38.Health App.
  • Study-specific data (Health data): Your answers to the questionnaires used (DASS-21 Stress Subscale, WHO-5 Well-Being Index, ERQ Cognitive Reappraisal, CFQ-D, G-MAUQ).

5. Recipients or Categories of Recipients of the Data

Within the study team, only those persons have access to your data who need it to fulfill the scientific research purposes.

  • Access to your identification data (telephone number and associated user ID) is exclusively available to study leader Benedikt Rüschen during the data collection phase.
  • Access to the pseudonymized study data (usage data, questionnaire data) is available to the scientific study team (Benedikt Rüschen, Tatiane Pickler) for the purpose of analysis.
  • We use technical service providers (database providers) for the storage of your data. These providers are carefully selected and contractually obligated as processors according to Art. 28 GDPR to also process your data strictly confidentially and only according to our instructions. The servers of these providers are located within the European Union (EU). Your data will not be transferred to third parties or to countries outside the EU/EEA.

6. Duration of Data Storage

Your personal data will only be stored for as long as it is necessary to achieve the research purposes and as required by statutory retention periods.

The link between your telephone number and your study data via the user ID will be deleted after the completion of the data collection phase (expected to be 45 days after the start of the study). From this point on, no direct personal reference of the study data will be possible.

7. Pseudonymization and Data Security

We take extensive technical and organizational measures to protect your data from unauthorized access, loss, or misuse. These include:

  • Strict separation of identification data and study data in separate databases.
  • Pseudonymization: Data is assigned via a random user ID. Direct identifiers such as the telephone number are stored separately.
  • Access controls: Only authorized persons have access to the respective data categories.
  • Storage within the EU: The data is hosted on servers within the EU.

8. Your Rights as a Data Subject

You have the following rights regarding your personal data according to the GDPR:

  • Right to information (Art. 15 GDPR): You can request information about whether and what data of yours is being processed.
  • Right to rectification (Art. 16 GDPR): You can request the correction of incorrect data.
  • Right to erasure ("Right to be forgotten") (Art. 17 GDPR): You can request the deletion of your data, provided that no legal reasons (e.g., scientific research purposes under certain conditions, statutory retention obligations) prevent this. After deletion of the user ID, an allocation and thus deletion of the study data may no longer be possible.
  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request that the processing of your data be restricted.
  • Right to data portability (Art. 20 GDPR): You have the right to receive data that you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller, insofar as this is technically feasible.
  • Right to object (Art. 21 GDPR): You can object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is carried out for scientific research purposes. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

9. Right to Withdraw Consent (Art. 7 (3) GDPR)

You have the right to withdraw your consent to data processing at any time without giving reasons for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal can be made informally to the contact details mentioned in section 1. In the event of a withdrawal, your personal data will no longer be processed and – subject to other legal regulations – will be deleted. Analyses of pseudonymized data already carried out up to the time of withdrawal may, under certain circumstances, continue to be used.

10. Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority responsible for Berlin is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin

11. Necessity of Providing the Data

The provision of your data is necessary for participation in the study. Without your consent and the provision of data, you cannot participate in the study.

12. Automated Decision-Making / Profiling

Automated decision-making, including profiling within the meaning of Art. 22 GDPR, does not take place in the context of this study.