
Heart.ai Privacy Policy

 

Heart.ai enables customers to perform web-based analysis of cardiac CT datasets. In this process, personal data is occasionally processed. The protection of this data is of paramount importance to Laralab and we want you to feel secure when using our software. In the following, we inform our users in detail about the type, scope and purpose of the personal data collected, used and processed by us and inform you about the rights to which you are entitled as a data subject. We reserve the right to change the privacy policy at any time with effect for the future. The current version can be accessed at any time under www.laralab.com/product-data-privacy-note.

1. Name and address of the responsible person 

The responsible party within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

Laralab GmbH, Herzog-Heinrich-Str. 13, 80336 Munich, Germany.

E-mail: support@laralab.de

2. Access data in server log files

When you access our software, access data is automatically stored in so-called server log files. This includes the date and time of access and, if applicable, the search term entered.

The temporary storage of the IP address by the system is necessary to enable delivery of the software and its contents to your terminal device. For this purpose, your IP address must remain stored for the duration of the session. 

The legal basis for the temporary storage of your data and the log files is Art. 6 para. 1 lit. b GDPR. This data is evaluated exclusively to ensure the permanent and trouble-free operation of the software and to improve the content of our software and to ensure the security of our information technology systems. An evaluation of your personal data for marketing purposes does not take place in this context at any time.

The collection of data for the provision of the software and the storage of the data in log files is necessary for the operation of our software. Consequently, there is no possibility to object.

 

3. Use of cookies

In order to make the use of our software attractive and to enable the use of certain functions, we use so-called "cookies". These are small text files that are placed and stored on your end device via a browser. 

Cookies can contain a so-called cookie ID. It consists of a string of characters by which software and servers can be assigned to a specific browser in which the respective cookie was stored. 

The following data is stored and transmitted in the cookies: Language settings, search terms entered, frequency of page views, use of software functions, origin of the user, operating system used, terminal device used, browser used, resolution of the terminal device.

The data collected about you by our software is anonymized by technical precautions. It is therefore no longer possible to assign the data to you. The data is not stored together with any other personal data of yours.

The legal basis for the processing of personal data using cookies is Art. 6 (1) lit. a GDPR.

The purpose of using technically necessary cookies is to simplify the use of our software for you (e.g. your settings are stored). The functions of our software cannot be offered without the use of cookies, because we need to be able to recognize that you have agreed to our software terms of use. Therefore, it is important that you can be recognized as a software user in an anonymous form. If cookies are not accepted or are deactivated, the functionality of our software may be limited.

 

4. Data processing when using heart.ai

If you use personalized access to our software, we process the access data, in particular the e-mail address, exclusively to enable you to use our software. The legal basis for this data processing is Art. 6 para. 1 lit. b GDPR. This data processing is necessary to enable you to access our software. No further personal data of the user is collected and/or added to this data set.

If patient data is imported into our software by the user, we process this data exclusively to ensure the analysis of this data and the provision of our services. The legal basis for this data processing is Art. 6 para. 1 lit. b in conjunction with Art. 9 para. 2 lit. a GDPR.

Here, we pursue the goal of data minimization in accordance with Art. 5 para. 1 lit. c GDPR. The user is enabled to pseudonymize the data records imported in this way. In this case, the patient data records are assigned identification numbers, which are then provided exclusively to the customer. This effectively ensures that Laralab does not process identifiable personal data of patients, as identification of individuals by Laralab is then factually excluded.

The data processed during the use of the software is always stored securely and in encrypted form by us, and is automatically deleted in accordance with our deletion concept.

5. Hosting

For the provision of our software, it is hosted externally by Amazon Web Services EMEA Sàrl, Avenue John F. Kennedy 38, 1855 Luxembourg, Luxembourg (hereinafter: "AWS"). The data processed through our software is processed on AWS's servers and stored there. The servers used by our software are located in the AWS EU Frankfurt Region (eu-central-1). These locations are: Amazon FRA50, Kleyerstrasse 88-90, Frankfurt am Main 60326, Germany; Amazon FRA52, Weismullerstrasse 25, Frankfurt am Main 60314, Germany; Amazon FRA53, Karl Landsteiner Ring 4, Russelsheim 65428, Germany; and Amazon FRA54, Eschborner Landstrasse 100, Frankfurt am Main 60489, Germany.

 

We chose AWS as our hosting provider because AWS holds ISO 27001 certification and therefore meets the highest IT and data protection requirements. The AWS data centers we use are located exclusively within the European Union. The data processed via our software is thus under no circumstances transferred to or processed at locations outside the European Union.

The use of AWS takes place in accordance with Art. 6 para. 1 sentence 1 lit. b in conjunction with Art. 28 GDPR. We have concluded a data processing agreement with AWS. This agreement ensures that AWS processes the data exclusively in accordance with our instructions and in compliance with the GDPR, and that the protection of the rights of the data subject, and in particular of patients, is guaranteed. For more information about data protection at AWS, please see the provider's privacy policy: https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls

 

6. Data security

We secure our software and other systems by numerous technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons.

 

7. Data deletion and storage period

If we process personal data in a manner deviating from Section 4, this data will be deleted or blocked as soon as the purpose of the storage no longer applies or you have revoked your consent. In addition, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the responsible party is subject. If the purpose of storage ceases to apply, if you revoke your consent, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions, unless further storage of the data is necessary for the conclusion or performance of a contract.

8. Right to information

You and, under certain circumstances, the patient have the right to receive from us at any time, free of charge, information about the personal data stored about you and a copy of this information. You also have a right of access to the following information:

  • the purposes of processing,

  • the categories of personal data processed,

  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations,

  • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration,

  • the existence of a right to obtain the rectification or erasure of personal data concerning you, or to obtain the restriction of processing by the controller, or a right to object to such processing,

  • the existence of a right of appeal to a supervisory authority,

  • if the personal data are not collected from the data subject: any available information on the origin of the data, and,

  • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

Furthermore, you have the right to be informed whether personal data have been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate safeguards in connection with the transfer. We assure that we process your data exclusively on servers within the EU.

9. Right to rectification 

You have the right to request the immediate correction and/or completion of any personal data concerning you that is inaccurate or incomplete. We shall carry out the correction without delay.

 

10. Right to restriction of processing

You have the right to request us to restrict processing if one of the following conditions is met:

  • The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.

  • The processing is unlawful, the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data.

  • The controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the assertion, exercise or defense of legal claims.

  • The data subject has objected to the processing pursuant to Article 21 (1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.

If the processing of personal data concerning you has been restricted, such data may - apart from being stored - only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If the processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted.

11. Right to erasure

You have the right to request that we erase the personal data concerning you without undue delay, provided that one of the following reasons applies and to the extent that the processing is not necessary:

  • The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

  • The data subject revokes his or her consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.

  • The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21(2) GDPR.

  • The personal data have been processed unlawfully.

  • The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

  • The personal data was collected in relation to information society services offered pursuant to Article 8 (1) GDPR.

If we have made the personal data public and we as a controller are obliged to erase the personal data pursuant to Article 17 (1) GDPR, we shall take reasonable measures, including technical measures, taking into account the available technology and the cost of implementation, to inform other controllers which process the published personal data that you have requested the erasure of all links to, or copies or replications of, the personal data, unless the processing is necessary.

The right to erasure does not exist insofar as the processing is necessary:

  • for the exercise of the right to freedom of expression and information;

  • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  • for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;

  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, insofar as the right to erasure is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or

  • for the assertion, exercise or defense of legal claims.

 

12. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right against us to be informed about these recipients.

13. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Article 20(1) of the GDPR, you have the right to obtain that the personal data be transferred directly from us to another controller, insofar as this is technically feasible and insofar as this does not adversely affect the rights and freedoms of other persons.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

14. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

We will no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. This also applies to profiling, insofar as it is related to such direct advertising. If you object to us processing your personal data for direct marketing purposes, we will no longer process it for these purposes.

You also have the right to object, on grounds relating to your particular situation, to processing of your personal data which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

To exercise the right to object, you may contact us at any time. You are also free, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

15. Right to revoke consent in accordance with data protection law

You have the right to revoke your consent to the processing of personal data at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

16. Right not to be subject to automated decisions in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you, unless the decision

  • is necessary for the conclusion or performance of a contract between you and us, or

  • is permitted by legislation of the Union or the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or

  • is made with your express consent.

If the decision

- is necessary for the conclusion or performance of a contract between you and us, or

- is made with your express consent,

we shall take reasonable steps to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on our part, to express your point of view and to challenge the decision.

18. Existence of automated decision making

We do not perform automated decision making or profiling.

19. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. 

The supervisory authority to which the complaint has been submitted will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR. The supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.
