BIO-SENSING SOLUTIONS, S.L. (DYCARE), respects current legislation on personal data protection, user privacy and the secrecy and security of personal data. All data processed through our REHUB platform shall be processed in accordance with the principles of lawfulness, loyalty and transparency, purpose limitation and retention period, data minimisation, accuracy, integrity and confidentiality, among others, as well as respecting the other obligations and guarantees established in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, adopting the necessary technical and organisational measures to prevent the loss, misuse, alteration, unauthorised access and theft of the personal data provided, taking into account the state of technology, the nature of the data and the risks to which they are exposed.
“Integrated Patient”: Patients to whom DyCare offers an integrated service, providing them with the ReHub platform and a professional to carry out the telerehabilitation.
“Referred Patient”: Patients who receive the rehabilitation service from a professional and the same professional refers the patient to the ReHub Platform to be able to undergo online rehabilitation guided by the professional. In this case, your professional shall carry out the registration on the ReHub platform and you shall receive an email to complete your registration. DyCare has a direct service agreement with the professional or the medical centre to provide its patients with access to the ReHub Platform, which regulates how their data is processed.
If you are an Integrated Patient, you are hereby informed that DyCare acts as Data Controller of your personal data entered in the ReHub platform. It is important that before contracting DyCare's integrated telerehabilitation services, you read the following documentation regarding how we process your data: A/ INTEGRATED PATIENT PRIVACY POLICY
If you are a Referred Patient, you are hereby informed that we act as Data Processor for your professional or medical centre. In particular, your professional or medical centre shall be Data Controller for the processing of your medical records. Please contact your professional or medical centre for more information.
We also inform you that we may act as a Data Controller for certain data in the manner set out in the documentation relating to how we process your data: B/ REFERRED PATIENT PRIVACY POLICY
How do I know if I’m an Integrated Patient or a Referred Patient?
If you have any doubts, please do not hesitate to contact your mutual insurance company, professional or medical centre that referred you to us or to call us on the helpline so that we can guide you.
Bio-Sensing Solutions, S.L. (“DyCare”)
Address: Av. Meridiana 354, 2CD, 08027, Barcelona
Registered in the Companies Register of Barcelona under Volume 45.087, Folio 42, Sheet B-465.593
Spanish national tax id. no.: B66508912
Email: support.rehub@dycare.com
Telephone no.: +34 935 520 029
DyCare collects and processes certain personal data about you in the context of the integrated telerehabilitation services offered through the ReHub platform for the purposes set forth below. This information note shall give you an overview of what data we collect, why we collect it and how we use it. You are hereby informed that your data shall be processed in accordance with the provisions of Regulation (EU) 2016/679 of 27th April (GDPR) and Spanish Organic Law 3/2018 of 5th December (LOPDGDD).
Joint Data Controllers
The Integrated Telerehabilitation Service is carried out by DyCare in collaboration with an organization (which varies depending on which country the service is being used) which provides the professionals who offer the service through the platform ("Physiotherapy Company"). DyCare and the Physiotherapy Company are Joint Data Controllers for processing your personal data.
The data subject may exercise their rights pursuant to the data protection regulations against each of the Joint Data Controllers.
This Privacy Policy applies to Integrated Patients
This Integrated Patient Privacy Policy contains a description of the processing of Integrated Patient data carried out by DYCARE within the framework of the integrated telerehabilitation services, consisting of the provision by DyCare of the ReHub Platform and a professional from the Physiotherapy Company to perform the telerehabilitation service ("Integrated Telerehabilitation Service").
This Privacy Policy does not apply to Referred Patients
This Integrated Patient Privacy Policy does not apply to the processing of personal data belonging to Referred Patients.
In these cases, their contractual relationship is established directly with the professional or medical centre, to which DYCARE provides services through the ReHub platform as a mere supplier and data processor. For more information on such processing, please consult the referred patient privacy policy provided to you by your professional or medical centre as data controller, which you can obtain directly from the latter.
As this Integrated Patient Privacy Policy is limited to personal data processing within the framework of the ReHub platform, you are hereby reminded that if you have visited or are visiting the website www.dycare.com,, if you have contacted or are contacting DYCARE (e.g. by telephone for more information about DYCARE products or about the company), DYCARE shall process your personal data in accordance with the relevant "DYCARE Privacy Policy".
We shall process your personal data on the basis of your consent and for the performance of our contractual obligations related to the ReHub platform, and to provide you with the Integrated Telerehabilitation Service we shall process:
Personal data obtained during registration. Identification and contact details. This data shall be used to manage your access to the Platform, to manage the Telerehabilitation Service and to send you communications relating to the Integrated Telerehabilitation Service and the platform.
Specific personal data regarding your health condition. In particular, without limitation, the Physiotherapy Company may collect information necessary to assess your injury, including collecting information about your medical condition and contraindications, scheduling treatment and monitoring your progress. Likewise, in case of using sensors with the ReHub platform, data such as force and range of motion shall be collected.
Likewise, on the basis of your specific consent:
The camera on your device can be accessed during telerehabilitation sessions so that the programme can automatically measure movements. No images are processed, only an automated image of points, vectors and movement is processed. Your consent shall be requested every time the camera on your device is accessed.
Recordings and images that you or your Professional record and upload to the platform for the duration of the treatment may be recorded and stored. You and your Professional shall have access to the recordings, unless you give separate consent to share them with third parties.
Based on DYCARE's legitimate interests, to analyse and improve our products and services, and your consent, DYCARE shall process:
Pseudo-anonymised data sets for our research and development activities; to guarantee the quality of the assistance provided to users; to manage relations with the Establishments; to manage relations with the Physiotherapy Company and its professionals; to manage and control our activities internally; to manage possible cases of loss and/or destruction of data and unauthorised access; to collect and anonymously process information relating to the devices used in connection with the ReHub platform offered by DYCARE in order to collect useful information on the use of the service by users; and, where appropriate, to exercise our rights of action and defence in court.
To comply with any other obligation arising from applicable regulations or from an order of the authorities, including accounting and tax obligations, as well as those relating to the guarantee of the products and/or services offered.
We process the following personal data for the purposes and on the legitimate basis set forth in the preceding paragraph:
Your basic personal data: name, contact details, email address, etc.
Your personal data belonging to the specific categories and, in particular, the data relating to your health condition, inherent and necessary for the provision of the services within the framework of the ReHub platform; and in addition your health data generated during the course of the processing and which are necessary for the appropriate medical follow-up.
Sets of personal and service-related data received related to your medical records, previously pseudonymised for the sole purpose of improving the operation and development of the platform.
Points and vectors: during rehabilitation sessions you shall have access to your device's camera for automated imaging of points, vectors and movement.
Images: recordings of rehabilitation exercises.
The Physiotherapy Company shall carry out your initial registration on the ReHub Platform. Your basic identification data shall be obtained from your health insurance company. You must confirm your account, complete and verify your personal data upon first access, and accept the Terms and Conditions of Use and this ReHub Integrated Patient Privacy Policy.
DyCare does not transfer or disclose any data, unless there is a reasonable need to do so in order to comply with legal proceedings, to comply with a legal obligation or to obtain the user’s consent.
Although this is not a transfer of data, the Physiotherapy Company that provides the physiotherapy service shall have access to your data as Joint Data Controller.
Although this is not a transfer of data, you are hereby informed that the Amazon Web Services tool are used to provide the Service (to find out more about their privacy policy, please visit this link: https://aws.amazon.com/es/privacy/ ).
Likewise, if your access to the ReHub Platform and the Integrated Telerehabilitation Service is covered by your health insurance policy, the information strictly necessary to manage your access to the ReHub Platform and the Integrated Telerehabilitation Service and to manage the payment with your health insurance company shall be provided to your health insurance company. All access to data shall only disclose data that are strictly necessary in accordance with the principle of proportionality and minimisation of processing. This transfer is covered by the legitimate basis of its requirement for the execution of the Integrated Telerehabilitation Service.
No international data transfers are made outside the European Economic Area (EEA), beyond the providers listed above. Where we exceptionally decide that it is necessary to transfer your data to third parties residing outside the territory of the European Union or in Countries that do not guarantee an adequate level of privacy protection, we shall do so subject to appropriate contractual safeguards provided by the third party, on the basis of Standard Contractual Clauses approved by the European Commission. We also undertake to comply, as far as possible, with the requirements imposed by the security regulations of third countries with regard to international data transfers.
In compliance with the principle of limitation of the storage period, the data collected shall be processed solely and exclusively for the time necessary and for the purposes for which they were collected at any given time.
Your personal data shall be processed for as long as your account on the ReHub platform is active. After this time, the data shall be stored for the period established by the regulations exclusively for the fulfilment of the legally established and applicable obligations.
We undertake to delete your data from our databases after the above retention period has expired and to instruct the joint data controllers and processing companies whose services we use to delete any information about you that they may hold from their databases.
DYCARE does not knowingly collect any information or data relating to minors, nor does it allow minors to be registered on the platform without parental consent ("Parental Consent").
Parental Consent shall be expressly collected when the patient first registers on the ReHub platform. Should DYCARE detect that any data collected belongs to a minor and that Parental Consent has not been validly issued for its acquisition, DYCARE has the power to delete such data as quickly as possible.
You have the right to know what personal data we process. In particular, you have the right of access, rectification, deletion and portability of the data, as well as the right to limit the processing and to object to the processing when the conditions for this are met. In addition, if the processing is carried out for marketing purposes or is based on our legitimate interest, you can object at any time. For more information about the processing of your personal data or to exercise your rights, you can contact us by email at support.rehub@dycare.com or write to us by post by sending a letter to the attention of the Data Protection Officer to the following address: Bio-Sensing Solutions S.L., Av. Meridiana 354 - 2CD, 08027 Barcelona.
Below is a brief explanation of your rights in relation to the processing of your personal data.
The right of access allows you to obtain confirmation of whether DYCARE is processing your personal data and, if necessary, allows you to access the said data and information relating thereto;
The right of rectification allows you to request the modification of any personal data that is inaccurate without undue delay and, taking into account the purposes of the processing, the integration of incomplete personal data;
The right of deletion allows you to request the deletion of your personal data without undue delay (e.g. when your personal data are no longer necessary for the purposes for which they were collected), subject to the exceptions provided for in the applicable law (e.g. when the retention of your data is necessary for compliance with the legal obligations applicable to the data controller);
The right to data portability allows you, under certain circumstances provided for in the applicable regulations, to receive in a structured, commonly used and machine-readable format the personal data you have provided to DYCARE. It may transfer this data to another data controller, provided that this right is recognised under the applicable legislation, and except in cases where it may infringe the rights and freedoms of third parties;
The right to limitation of processing allows you, in certain circumstances provided for in the applicable regulations, to limit the processing of your personal data. In such cases, DYCARE may further process your data only in certain cases, for example to exercise the right of defence or to protect the rights of another natural or legal person;
The right to object to processing allows you, in certain circumstances provided for by the applicable law, to object to the processing of your personal data, unless there are overriding legitimate grounds, rights or freedoms that allow DYCARE to continue processing the data;
You shall have the right to withdraw your consent to personal data processing at any time if there are reasons related to your particular situation, and to object at any time to the processing of your personal data that is based on a legitimate interest of DYCARE or a third party. In such cases, DYCARE shall stop the processing, unless there are compelling legitimate grounds to continue to process it.
Any rights that you exercise against any of the Joint Data Controllers, namely DyCare and the Physiotherapy Company, shall have effect in both companies unless you state otherwise.
In addition, you have the right to file a complaint at any time with the Data Protection Supervisory Authority if you believe that you have not received a satisfactory response from DYCARE regarding your rights or if you believe that your rights have been violated:
Spanish Data Protection Agency
Address: Calle Jorge Juan, 6, 28001 Madrid
Telephone no.: +34 901 100 099 / +34 91 266 35 17
Website: www.agpd.es
DyCare declares that it respects the current personal data protection legislation, the privacy of users and the secrecy and security of personal data, respecting the principles of lawfulness, loyalty and transparency, purpose limitation and retention period, data minimisation, accuracy, integrity and confidentiality, among others, as well as respecting the other obligations and guarantees established in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, and Spanish Organic Law 3/2018, of 5th December, on the Protection of Personal Data and guarantee of digital rights.
We use reasonably reliable and effective physical, organisational and technological measures, controls and procedures to preserve the integrity and security of your data and to guarantee your privacy.
In addition, all staff with access to personal data have been trained and are aware of their obligations in relation to the processing of their personal data.
In the case of the contracts we sign with our suppliers, we include clauses requiring them to maintain the duty of secrecy regarding the personal data to which they have had access by virtue of the assignment, as well as to implement the necessary technical and organisational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and services for the processing of personal data.
All these security measures are regularly reviewed to ensure their adequacy and effectiveness.
However, absolute security cannot be guaranteed and no security system is impenetrable, therefore, if any information under our control and subject to processing is compromised as a result of a security breach, we shall take appropriate steps to investigate the incident, notify the Supervisory Authority and, where appropriate, those users who may have been affected so that they can take appropriate action.
DYCARE reserves the right to revise this Data Protection Policy. We shall notify you of any future changes to these terms and conditions via the website or by other means so that you are aware of them.
Data Controller. If you are a Referred Patient, you are hereby informed that the Data Controller of your personal data and medical history is the professional or medical centre that has referred you to the ReHub Platform. Please contact your professional or medical centre for more information.
Data Processor: Bio-Sensing Solutions, S.L. (“DyCare”)
Address: Av. Meridiana 354, 2CD, 08027, Barcelona
Registered in the Companies Register of Barcelona under Volume 45.087, Folio 42, Sheet B-465.593
Spanish national tax id. no.: B66508912
Email: support.rehub@dycare.com
Telephone no.: +34 935 520 029
DyCare collects and processes certain personal data about you within the framework of the ReHub platform as Data Processor under the relevant Data Processor Agreement with the relevant Data Controller.
Furthermore, you are informed that, on certain occasions, we act as the Data Controller for the processing of your data. This Privacy Policy shall inform you about what data we collect, why we collect it and how we use it. You are hereby informed that your data shall be processed in accordance with the provisions of Regulation (EU) 2016/679 of 27th April (GDPR) and Spanish Organic Law 3/2018 of 5th December (LOPDGDD).
This Privacy Policy applies to Referred Patients
This Referred Patient Privacy Policy contains a description of the processing of Referred Patient data carried out by DYCARE within the framework of the ReHub Platform.
This Privacy Policy does not apply to Integrated Patients
This Referred Patient Privacy Policy does not apply to the processing of personal data belonging to Integrated Patients. For more information on such processing, please consult the Integrated Patient Privacy Policy.
As this Integrated Patient Privacy Policy is limited to personal data processing within the framework of the ReHub platform, you are hereby reminded that if you have visited or are visiting the website www.dycare.com,, if you have contacted or are contacting DYCARE (e.g. by telephone for more information about DYCARE products or about the company), DYCARE shall process your personal data in accordance with the relevant "DYCARE Privacy Policy".
Data Controllers.
Based on DYCARE's legitimate interests, to analyse and improve our products and services, and your consent, DYCARE shall process:
Pseudo-anonymised data sets for our research and development activities; to guarantee the quality of the assistance provided to users; to manage relations with the Establishments; to manage relations with the Physiotherapy Company and its professionals; to manage and control our activities internally; to manage possible cases of loss and/or destruction of data and unauthorised access; to collect and anonymously process information relating to the devices used in connection with the ReHub platform offered by DYCARE in order to collect useful information on the use of the service by users; and, where appropriate, to exercise our rights of action and defence in court.
To comply with any other obligation arising from applicable regulations or from an order of the authorities, including accounting and tax obligations, as well as those relating to the guarantee of the products and/or services offered.
Data Processor.
We shall process your personal data as Data Processor on the basis of the Data Processor Agreement we have with your professional or medical centre for the performance of our contractual obligations in connection with the ReHub platform:
Personal data obtained during registration. Identification and contact details. This data shall be used to manage your access to the Platform and to send you communications relating to the rehabilitation service offered by your professional or medical centre through the ReHub Platform.
Specific personal data regarding your health condition. In particular, without limitation, the Physiotherapy Company may collect information necessary to assess your injury, including collecting information about your medical condition and contraindications, scheduling treatment and monitoring your progress. Likewise, in case of using sensors with the ReHub platform, data such as force and range of motion shall be collected.
Recordings and images that you or your Professional record and upload to the platform for the duration of the treatment may be recorded and stored.
We process the following personal data as Data Controllers for the purposes and on the legitimate basis set forth in the preceding paragraph:
Sets of personal and service-related data received related to your medical records, previously pseudonymised for the sole purpose of improving the operation and development of the platform.
You are also informed that we process the following personal data as Data Processors:
Your basic personal data: name, contact details, email address, etc.
Your personal data belonging to the specific categories and, in particular, the data relating to your health condition, inherent and necessary for the provision of the services within the framework of the ReHub platform; and in addition your health data generated during the course of the processing and which are necessary for the appropriate medical follow-up.
Images: recordings of rehabilitation exercises.
Your professional or medical centre shall carry out your initial registration on the ReHub Platform. Your basic identification data (email and name) shall be obtained from the professional or medical centre. You must confirm your account, complete and verify your personal data upon first access, and accept the Terms and Conditions of Use and this ReHub Patient Privacy Policy.
DyCare does not transfer or disclose any data, unless there is a reasonable need to do so in order to comply with legal proceedings, to comply with a legal obligation or to obtain the user’s consent.
Although this is not a data transfer, your professional or medical centre, which provides you with physiotherapy services, shall have access to the data processed by us as Data Processor, in its capacity as Data Controller. We therefore recommend that you carefully read the professional's or medical centre’s privacy policy:
Although this is not a transfer of data, you are hereby informed that the Amazon Web Services tool are used to provide the ReHub platform (to find out more about their privacy policy, please visit this link: https://aws.amazon.com/es/privacy/).
Likewise, if your access to the ReHub Platform is covered by your health insurance policy, DyCare may provide your health insurance company with the data strictly necessary to manage your access to the ReHub Platform and rehabilitation services and to manage the payment with your health insurance company. All access to data shall only disclose data that are strictly necessary in accordance with the principle of proportionality and minimisation of processing. This transfer is covered by the legitimate basis of its requirement for the execution of the ReHub platform.
No international data transfers are made outside the European Economic Area (EEA), beyond the providers listed above. Where we exceptionally decide that it is necessary to transfer your data to third parties residing outside the territory of the European Union or in Countries that do not guarantee an adequate level of privacy protection, we shall do so subject to appropriate contractual safeguards provided by the third party, on the basis of Standard Contractual Clauses approved by the European Commission. We also undertake to comply, as far as possible, with the requirements imposed by the security regulations of third countries with regard to international data transfers.
In compliance with the principle of limitation of the storage period, the data collected shall be processed solely and exclusively for the time necessary and for the purposes for which they were collected at any given time.
Your personal data shall be processed for as long as your account on the ReHub platform is active. After this time, the data shall be stored for the period established by the regulations exclusively for the fulfilment of the legally established and applicable obligations.
We undertake to delete your data from our databases after the above retention period has expired and to instruct the joint data controllers and processing companies whose services we use to delete any information about you that they may hold from their databases.
DYCARE does not knowingly collect any information or data relating to minors, nor does it allow minors to be registered on the platform without parental consent ("Parental Consent").
Parental Consent shall be expressly collected when the patient first registers on the ReHub platform. Should DYCARE detect that any data collected belongs to a minor and that Parental Consent has not been validly issued for its acquisition, DYCARE has the power to delete such data as quickly as possible.
Data Controller. You have the right to know what personal data we process. In particular, you have the right of access, rectification, deletion and portability of the data, as well as the right to limit the processing and to object to the processing when the conditions for this are met. In addition, if the processing is carried out for marketing purposes or is based on our legitimate interest, you can object at any time. For more information about the processing of your personal data or to exercise your rights, you can contact us by email at support.rehub@dycare.com or write to us by post by sending a letter to the attention of the Data Protection Officer to the following address: Bio-Sensing Solutions S.L., Av. Meridiana 354 - 2CD, 08027 Barcelona.
Below is a brief explanation of your rights in relation to the processing of your personal data.
The right of access allows you to obtain confirmation of whether DYCARE is processing your personal data and, if necessary, allows you to access the said data and information relating thereto;
The right of rectification allows you to request the modification of any personal data that is inaccurate without undue delay and, taking into account the purposes of the processing, the integration of incomplete personal data;
The right of deletion allows you to request the deletion of your personal data without undue delay (e.g. when your personal data are no longer necessary for the purposes for which they were collected), subject to the exceptions provided for in the applicable law (e.g. when the retention of your data is necessary for compliance with the legal obligations applicable to the data controller);
The right to data portability allows you, under certain circumstances provided for in the applicable regulations, to receive in a structured, commonly used and machine-readable format the personal data you have provided to DYCARE. It may transfer this data to another data controller, provided that this right is recognised under the applicable legislation, and except in cases where it may infringe the rights and freedoms of third parties;
The right to limitation of processing allows you, in certain circumstances provided for in the applicable regulations, to limit the processing of your personal data. In such cases, DYCARE may further process your data only in certain cases, for example to exercise the right of defence or to protect the rights of another natural or legal person;
The right to object to processing allows you, in certain circumstances provided for by the applicable law, to object to the processing of your personal data, unless there are overriding legitimate grounds, rights or freedoms that allow DYCARE to continue processing the data;
You shall have the right to withdraw your consent to personal data processing at any time if there are reasons related to your particular situation, and to object at any time to the processing of your personal data that is based on a legitimate interest of DYCARE or a third party. In such cases, DYCARE shall stop the processing, unless there are compelling legitimate grounds to continue to process it.
Any rights that you exercise against any of the Joint Data Controllers, namely DyCare and the Physiotherapy Company, shall have effect in both companies unless you state otherwise.
In addition, you have the right to file a complaint at any time with the Data Protection Supervisory Authority if you believe that you have not received a satisfactory response from DYCARE regarding your rights or if you believe that your rights have been violated:
Spanish Data Protection Agency
Address: Calle Jorge Juan, 6, 28001 Madrid
Telephone no.: +34 901 100 099 / +34 91 266 35 17
Website: www.agpd.es
Data Processor.
In cases in which we act as the Data Controller, you are hereby informed that you should exercise your rights with your physiotherapist or medical centre responsible for treatment by following the instructions provided in your physiotherapist's or medical centre's privacy policy. In any case, if you exercise your rights before DYCARE, DYCARE shall forward your request to the Data Controller to deal with it, and DYCARE shall not be responsible for taking any action until it receives instructions from the Data Controller.
DyCare declares that it respects the current personal data protection legislation, the privacy of users and the secrecy and security of personal data, respecting the principles of lawfulness, loyalty and transparency, purpose limitation and retention period, data minimisation, accuracy, integrity and confidentiality, among others, as well as respecting the other obligations and guarantees established in Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27th April 2016, and Spanish Organic Law 3/2018, of 5th December, on the Protection of Personal Data and guarantee of digital rights.
We use reasonably reliable and effective physical, organisational and technological measures, controls and procedures to preserve the integrity and security of your data and to guarantee your privacy.
In addition, all staff with access to personal data have been trained and are aware of their obligations in relation to the processing of their personal data.
In the case of the contracts we sign with professionals or medical centres, we include clauses in which we are appointed Data Processor, undertaking to maintain the duty of secrecy regarding the personal data to which they give us access, as well as to implement the necessary technical and organisational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and services for the processing of personal data.
In the case of the contracts we sign with our suppliers, we include clauses requiring them to maintain the duty of secrecy regarding the personal data to which they have had access by virtue of the assignment, as well as to implement the necessary technical and organisational security measures to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and services for the processing of personal data.
All these security measures are regularly reviewed to ensure their adequacy and effectiveness.
However, absolute security cannot be guaranteed and no security system is impenetrable, therefore, if any information under our control and subject to processing is compromised as a result of a security breach, we shall take appropriate steps to investigate the incident, notify the Supervisory Authority and, where appropriate, those users who may have been affected so that they can take appropriate action.
DYCARE reserves the right to revise this Data Protection Policy. We shall notify you of any future changes to these terms and conditions via the website or by other means so that you are aware of them.