PRIVACY POLICY FOR THE R+V GESUNDHEIT APP

VERSION OF: NOVEMBER 2024

PRIVACY POLICY FOR THE R+V GESUNDHEIT APP

  • Introduction

  • 1. General information

  • 2. Name and contact details of the controller

  • 3. Data protection officer contact details

  • 4. Purposes and scope of processing

  • 5. Contact form

  • 6. Invoice submission

  • 7. Encryption

  • 8. Provision of personal data

  • 9. Recipients or categories of recipients of personal data

  • 10. Sentry error tracking

  • 11. Legal basis for processing of personal data

  • 12. Your rights

  • 13. Data erasure

  • 14. Data transfer to third countries

Introduction

Internet technology and electronic data processing can make people feel that they are losing track of where their data is stored and for what purpose. When it comes to financial and health data, it is particularly important for customers to be able to trust that their personal data is securely protected and diligently handled. For those reasons we would like to explain how R+V Krankenversicherung AG (hereinafter referred to as “R+V”) maintains the confidentiality of your personal data and respects your personal rights.

1. General information

The R+V Gesundheit app (hereinafter referred to as “app”) is a communication application for iOS and Android devices that enables R+V policyholders to electronically scan and submit documents to R+V with their mobile device’s camera. The app can also be used to access/display documents. The following privacy policy contains information about all the purposes for which we process personal data in conjunction with the use of the R+V Gesundheit app.

The use of the app is optional. You decide in your capacity as an insured person whether to download and/or install the app and/or register to use it. The option of submitting documents by post is still available to you.

Before you are able to access the app you have to complete a secure identification procedure.

2. Name and Contact Details of the Controller

R+V Krankenversicherung AG
Raiffeisenplatz 1
65189 Wiesbaden
Germany
Commercial Register no. HRB 7094
Wiesbaden Local Court

3. Data protection officer contact details

R+V Krankenversicherung AG
Data Protection Officer
Raiffeisenplatz 1
65189 Wiesbaden
Germany

Telefon: 0800 533-1112
Fax: 0611 533-4500
E-Mail: datenschutz@ruv.de

4. Purposes and scope of processing

The app is a communication medium that enables you to submit doctors’, dentists’ and hospital invoices electronically, as well as other health service-related documents such as prescriptions and invoices for medications, therapeutic aids and medical aids, among other things. You can find a comprehensive description of services in the Terms and Conditions of Use.

The R+V app offers two different mode of use options:

Option 1: Use without a “Meine R+V” user account

With this option, the following data is processed when you use the app: When you use the app for the first time, your first name, last name, date of birth and insurance number are required for initialisation. Later on, these data are used to assign the submitted documents to you. You will also be asked to provide your email address for registration and you will need to set a password. Then a user account will be created for you with the data you have provided.

Option 2: Use with a “Meine R+V” customer account

If you already have a user account for the “Meine R+V” customer portal, you can use the R+V Gesundheit app with your portal login credentials. On the login page you will be asked to enter your user name (which is your email address) and the password for the “Meine R+V” customer portal. For security reasons, you have to re-enter this data again once a year.

If you use option 2 (“Meine R+V” login credentials), we provide you with an app feature that allows you to view the claim documents in your mailbox. The information and documents contained in the mailbox are part of the “Meine R+V” online file. This means you can see the majority of documents stored on “Meine R+V” platform in the app.
 

With both options you can set up a biometric login (e.g. Touch ID or Face ID) if your mobile device has the technical capability and the appropriate settings have been made on the device. If biometric recognition is already set up on your mobile device, the app will ask you after the first login whether you would like to use biometric login for the app. Setting up a biometric login is not mandatory. You can activate the feature by accepting the prompt and placing your finger on the screen (Touch ID) or holding your face in front of it (Face ID). You can disable and re-enable biometric login at any time in the app settings.

To scan documents for submission, the app needs to access the smartphone camera. The first time you use the scan function, we ask for your consent to access the camera. The camera will only be accessed after you have given your express consent. You can disable access at any time in the device settings. However, without camera access, it is not possible to scan and submit documents to R+V.

5. Contact form

If you contact us by email, the information you provide will be stored for the purpose of processing your enquiry and for possible follow-up questions. The app contains contact details (email address and phone number) for getting in touch with R+V. You can use these to send us your suggestions and questions about the app or to let us know about any problems you have encountered. Emails are not encrypted by the app. Please do not send invoices or other personal data relating to your insurance policy to the email address provided in the app. Unencrypted emails can be intercepted and read by third parties.

The legal basis for the processing of your data as described in this section is Article 6 (1) f) of the General Data Protection Regulation (GDPR). It is in our legitimate interest to offer you the opportunity to contact us quickly and easily so that we can answer your questions and address your concerns.

6. Invoice submission

When you submit documents to us, your personal data will be used by R+V and by R+V service providers for the purpose of claims processing. The R+V service providers are listed in the annexes to your insurance policy certificate and can be viewed here.

You can submit documents to us using the scan or PDF upload feature. We use the documents exclusively for the purpose of claims processing. The legal basis is Article 6 (1) a) and b) GDPR. In some cases, the documents may contain special categories of personal data, e.g. health data within the meaning of Article 9 (1) GDPR. In this case the legal basis for processing is your consent pursuant to Article 9 (2) a) GDPR.

7. Encryption

Data transmissions from the app to R+V are made via a state-of-the-art, encrypted data connection.

With option 1, the date of birth, insurance number and email address are stored in encrypted form in the app.

With option 2, which involves logging into the “Meine R+V” customer portal, these personal data are retrieved from the server and displayed via a secure and encrypted connection. Only the encrypted email address is stored in the app.
 

When you submit documents to R+V, the documents and the associated information (including date of submission, image files and, if applicable, the document name you have assigned and your insurance number) are stored locally on your mobile device in encrypted form. This serves the purpose of clarity and traceability. You can view the corresponding documents in the app’s document archive.

The scanned documents are encrypted with a key generated in the app with both option 1 and option 2.

8. Provision of personal data

We ask that you only provide us with data that is necessary or legally required for the respective purpose (e.g. to process claims or to contact you if your scan is illegible). If we ask you to provide us with data voluntarily, we will draw your attention to that. 

9. Recipients or categories of recipients of personal data

Our app contains third-party code. We assure you that we will not pass on your personal data to third parties, unless we are legally entitled or obliged to do so, or you have given us your prior consent. When we use service providers to perform claims processing tasks, our contractual arrangements with those service providers are compliant with data protection legislation.

10. Sentry error tracking

We use the Sentry tool for error monitoring, session replay, performance optimisation and distributed tracing, which make an important contribution to the error-free operation and stability of the app.

These features are voluntary. You can opt-in after you login to the app to use it for the first time and they can be disabled or re-enabled in your device settings at any time.

The provider is Sentry, a brand of Functional Software, Inc., 45 Fremont St. San Francisco, California 94105, USA.

The Sentry tool is used for the purpose of maintaining the stability of the app. The legal basis for processing the data is our legitimate interest in pursuing the aforementioned objectives, Article 6 (1) f) GDPR.

The data processed in this connection are crash reports, device ID, device model, operating system version, app version, pseudonymised or abbreviated IP address and report timestamp. Information on how Sentry works can be found here: https://sentry.io/welcome/

An overview of the data collected by Sentry can be found here: https://sentry.io/trust/privacy/

These data are stored for a period of 90 days.

11. Legal basis for processing of personal data

If we obtain the consent of the data subject for processing activities involving personal data, the legal basis for the processing of the personal data is Article 6 (1) a) of the EU’s General Data Protection Regulation (GDPR).
If it is necessary to process personal data for the purpose of executing the contract with the data subject, the legal basis is Article 6 (1) b) GDPR.

In the absence of applicable statutory permissions as defined in Article 9 (2) b) and f) GDPR, the legal basis for the processing of special categories of personal data is your consent in accordance with Article 9 (2) a) GDPR.

The legal basis for the processing of personal data necessary for compliance with a legal obligation to which our company is subject is Article 6 (1) c) GDPR.

The legal basis for processing which is necessary in order to protect the vital interests of the data subject or of another natural person is Article 6 (1) d) GDPR.

The legal basis for processing which is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, is Article 6 (1) f) GDPR. In the event of a general weighing of interests, we weigh our own commercial interests, in case of doubt, against the respective interests of the data subject.

12. Your rights

You can assert your legal rights to information, rectification, erasure, restriction of processing, revocation and data portability vis-a-vis our data protection officer.

If the data processing is based on a general weighing of interests, you have the right to object to the processing of your data on grounds relating to your particular situation.

You have the right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR).

You can object to the processing or use of your personal data for advertising or market and opinion research purposes at any time with future effect. Please address your objection to ruv@ruv.de.

13. Data erasure

Documents that are scanned and submitted via the app are stored in the app. If you restore the app’s factory settings, it has to be initialised again. If you restore your smartphone’s factory settings, the data stored in the app – including the transmission reports for documents already submitted – will be erased from your smartphone.

On Android devices, this data is erased as soon as the app is uninstalled. On iOS devices, due to restrictions imposed by the manufacturer Apple, your data is not completely erased when you uninstall the app. You have to actively erase the data from your keychain yourself. The scanned documents are not transferred to a new device.

14. Data transfer to third countries

If necessary, we will transfer your personal data to service providers in third countries outside the EU/EEA, e.g. in the context of IT services, or to experts. The selection of service providers and contractual arrangements with them are always compliant with statutory provisions.

With certain types of contracts, we may transfer your data to reinsurers in third countries outside the EU/EEA.

In particular, in cases where the insured risk or the policyholder is located in a third country, it may be necessary to transfer data to the third country (e.g. intermediaries, other insurers).

In some cases there are also statutory reporting obligations requiring us to transfer your data to authorities and similar bodies in third countries outside the EU/EEA. Such a transfer may also be necessary in the event of international legal disputes (e.g. to lawyers).

If your consent is required in individual cases, we will obtain it separately.