Privacy Statement

Valid as of June 25, 2024

Preamble

We would like to inform you in this privacy statement about the type, scope, and purpose of personal data collection, processing, and use upon use of the websites provided by Lecturio, including “www.healer.lecturio.com” and of the services offered on such websites (e.g. apps). Lecturio is trustworthy and the protection of your personal data is very important. This is why we would like to show you in a transparent way how and why your data are being used. We would like to offer you user-friendly, good, customer-oriented and secure services by storing, processing, and using personal data. 

Lecturio also complies with U.S. laws, including the Family Educational Rights and Privacy Act (“FERPA”), where applicable, which provide privacy protections for personal data.

§ 1 Definitions

Personal data

“personal data” means any information relating to an identified or identifiable natural person (“data subject” or “you”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Controller

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Third party

“third party” means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

§ 2 Name and contact data of the controller

The following party is responsible within the meaning of EU-GDPR and other applicable data protection laws of the European Union and its member states:

Lecturio GmbH
Käthe-Kollwitz-Str. 1
04109 Leipzig
(“Lecturio”, “we” or “us”)

Telephone: +49 341 355 699 – 70
support@lecturio.com

§ 3 Name and contact data of the data protection officer

The data protection officer of the controller for data processing is:

Mr. Stephan Hartmann
Lecturio GmbH
Käthe-Kollwitz-Str. 1
04109 Leipzig
(“data protection officer”)

Any person concerned may contact the data protection officer directly at any time at the above-mentioned address or via email to data-privacy@lecturio.com if he/she has any questions or suggestions regarding data protection.

§ 4 Purpose and legal basis of data processing

Collection of general data and information

Specific data transmitted by your browser when visiting our websites are stored automatically by our servers. The log files created thereby include data like your IP address, the URL and landing page, the time, type, and number of requests, data volume transferred, date, time and duration of individual accesses, your browser type, as well as other similar information that is used for emergency response in the case of attacks on our IT systems and for protection against license abuse.

The collection and use of the information stored in the log files only serve to correctly deliver the contents of our websites, for anonymous evaluations for statistical purposes (like analyzing the user behavior), to improve our services, and to provide law enforcement authorities information necessary for prosecution in the case of cyber attacks. These data are not used to draw conclusions about a person concerned.

Data and information provided by the user

As a registered user, you may submit your own comments, learning notes, keywords (“tags”), reviews and other similar information within the framework of use of our services (“user contents”), which are partially visible to other users as well. We reserve the right to store, process, and use posts that are visible to other users in anonymous form even after the deletion of the user account, unless you ask us not to. You can find out more about this in our terms of use: https://www.lecturio.com/lecturio-healer-terms-conditions/

Monitoring of learning progress

Our system collects data about your personal user behavior, such as your learning progress, performance data associated with Healer, or similar activities in order to provide you with optimal support while learning. Your educational institution and persons associated with your educational institution will have access to your personal information and performance data. Such data may include, but not be limited to, the cases you worked on, your performance on those cases, and other metrics associated with your use of Healer. Data regarding your learning progress are not passed on to unauthorized third parties under any circumstances.

Lecturer’s learning content

Learning content uploaded and created by using services provided by us – such as clinical cases, videos, screencasts, quiz questions, documents, and similar educational content (“educational content”) – is only available to users within the same organization in which they were created or submitted and to which they have been allocated.

§ 5 Recipient of personal data

Additional processors and third parties are necessary for the delivery of our service. These receive, inter alia, personal data. These services and the purposes for which the data are submitted to them are listed in the following paragraphs. Apart from this, only specific employees from Lecturio have access to personal data when this is required for delivering a service.

§ 6 User account and registration

We store and use data provided by you when subscribing to our services or using our services, such as when opening a member account, for the purpose of performing the services you would like to use according to the contract. These data include email address, password, name, title as well as other information (such as age, sex, final degree, etc.) that you submit when setting up a member account. If you have also submitted a high school email address on this occasion, it will be used for the sole purpose of verifying whether you attend that specific school or educational institute.

§ 7 Customer service

We use the Zendesk ticket system, a customer service platform from Zendesk Inc, 989 Market Street #300, San Francisco, CA 94102, USA (“Zendesk”), to process customer enquiries. For this purpose, necessary data such as surname, first name, postal address, telephone number, email address and technical data such as browser type or app version are collected via our services, such as the website and mobile apps, in order to be able to respond to your request for information. We treat all data provided confidentially. Data provided and the message history with our customer chat are stored for follow-up questions and subsequent contact. The data will be deleted upon termination of membership with Lecturio and at the request of the person concerned.

Further information on the security of your personal data and data processing by Zendesk can be found in Zendesk’s privacy policy at http://www.zendesk.com/company/privacy. If you have any questions, you can also contact Zendesk’s data protection officer directly: privacy@zendesk.com

§ 8 Cookies and tracking technologies

We and our service providers use cookies and other tracking technology to recognize your browser or device and to capture and remember certain information about your activities on our Services. Cookies are small text information that is stored on your computer. Cookies enable us to speed up the navigation on our website, to adapt it to your needs and interests, and to avoid the misuse of our services. Our server may thus identify your computer as soon as you connect to our website, so that you do not have to log in every time you visit our website. 

We use both session ID cookies and persistent cookies. For the session ID cookie, the data is temporarily stored on your computer, but once you close your browser the cookie terminates. A persistent cookie is a small text file stored on your hard drive for an extended period of time. This allows us to track your activities while using our Services or interacting with ads through our Services and help improve the functionality, navigation, and performance of our Services. If you prefer, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off cookies by adjusting your browser settings. You may delete the cookies at any time in the security settings of your browser. You can configure your browser settings according to your wishes and refuse to accept cookies. But please note that you may not be able to use all functions of the website in this case. You can find out more about cookies, including how to see what cookies have been set and how to manage and delete them, at allaboutcookies.org.

Google Analytics (GA) and Google Tag Manager

We use Google Analytics and Google Tag Manager, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics and Google Tag Manager also use so-called “cookies”, text files that are stored on your computer and enable an analysis of your use of our website. The information generated by the cookie about your use of our website is usually transmitted to a Google server in the USA and stored there.

We have activated IP anonymization so that your IP address will be shortened beforehand by Google within member states of the European Union or in other contractual states to the Agreement on the European Economic Area. Your full IP address will be transferred to a Google server in the USA and shortened there only in exceptional cases. Google will use this information on our behalf in order to evaluate the use of the website, to compile reports on website activities, and to provide other services associated with website use and internet use on our behalf.

The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other data from Google.

You may prevent the storage of cookies by setting your browser accordingly; but please note that you may not be able to use all functions of the website to the full extent in this case. You can also prevent Google from processing and collecting data generated by the cookie with regard to your use of our website (incl. your IP address) by using the following link to download and install the browser plugin for deactivation: https://tools.google.com/dlpage/gaoptout

You will find more information about the data protection regulation of Google Analytics on: https://support.google.com/analytics/answer/6004245

§ 9 User engagement

Braze

We use the platform Braze, a service of Braze, Inc., 330 W 34th St 18th floor, New York, NY 10001, USA (“Braze”), to improve the customer experience. We process personal information such as name, email address, and activity data. In addition, we automatically receive and store cookie information and other information about the use of our service in server log files, including the IP address, the requested page, the time spent on these pages, access times, and information about the browser and operating system used.

We use this information to give you a better introduction to our service by means of a tooltip tour, to analyze the use of the services, to improve the functionality and user-friendliness of the service, and to better adapt the service to your needs.

You will find more information about the security of your personal data on https://www.braze.com/company/legal/privacy

The processing of personal data by Braze takes place in accordance with Article 6 (1) (f) GDPR on the basis of our legitimate interest in the most reliable possible user-friendliness of our services.

§ 10 Newsletter

You have the possibility to subscribe to our newsletter. The submission of your email address is necessary for this purpose. We use Episerver (“Episerver”), a service provided by Episerver GmbH, Wallstrasse 16, 10179 Berlin, Germany, to send our newsletter. We use the so-called double-opt-in process (DOI). After subscription to our newsletter, you will receive an email where you will be asked for confirmation. When registering for the newsletter, we will store your IP address and the date of registration. This storing only serves as proof in the case that a third party misuses an email address and subscribes to the newsletter without the knowledge of the party concerned.

A so-called tracking pixel is used upon opening a newsletter. The following data are stored thereby: email address, newsletter, opening date, and time. The links in our newsletters contain tracking information that enables us to determine which links were of interest to you if you have clicked them. The following data are stored in Episerver via the tracking link: email address, newsletter, link, date and time.

You can revoke your approval to receive newsletters at the email address specified by you at any time for the future by sending an email to support@lecturio.com.

§ 11 Duration during which personal data are stored

The duration of personal data storage is based upon the legal storage period and the personal data are routinely deleted after the expiry of this period or immediately after termination of the membership of Lecturio or at an earlier date upon request of a person concerned, insofar as the data are not required to fulfill or initiate a contract. The following data are stored beyond the termination of the contract for so long as they are required for a specific purpose:

  • offer data: 1 year (after feedback from the client),
  • contract documents: 10 years,
  • IP data: 3 years (regular limitation period)
  • legal matters: 6 years
  • claims: 10 years

In order to terminate your membership, please contact our customer service by sending an email to healer@lecturio.com.

§ 12 Rights of the data subject

If your personal data are processed as a data subject, you have the following rights:

  • the right to information according to Art. 15 GDPR
  • the right to correction according to Art. 16 GDPR
  • the right to erasure (“right to be forgotten”) according to Art. 17 GDPR
  • the right to restriction of processing according to Art. 18 GDPR
  • the right to information according to Art. 19 GDPR
  • the right to data portability according to Art. 20 GDPR
  • the right not to be subject to an automated decision according to Art. 22 GDPR
  • the right to revoke your consent to the processing of personal data in accordance with Art. 7 Para. 3 GDPR.

To assert these rights, please contact the data protection officer or the responsible person via the contact details provided.

There is no right to deletion if the data may not be deleted due to a legal obligation or if it has to be processed due to a legal obligation, and data processing is necessary to assert, exercise, or defend legal claims.

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state or other state of your place of residence, your place of work, or the place of the alleged violation, if you are of the opinion that the processing of your personal data violates applicable data protection law.

§ 13 Right of objection

Insofar as we process your data on the basis of legitimate interests in accordance with Art. 6 Para. 1 lit. f GDPR, you have the right to object to the processing of your data on grounds relating to your particular situation, or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without requiring any reasons.

§ 14 Incident response and breach notification

In the event of a data breach, our organization follows a comprehensive incident response plan to ensure swift and effective handling of the situation. The procedures include immediate containment and assessment of the breach to understand its scope and impact. Upon identifying a breach, we promptly secure our systems to prevent further unauthorized access. We conduct a thorough investigation to determine the nature of the breach, the data affected, and the potential risk to data subjects.

Notification is a critical component of our incident response. Within 72 hours of becoming aware of the breach, we notify the relevant supervisory authority in accordance with Article 33 of the GDPR, providing detailed information about the breach, its consequences, and the measures taken to mitigate the effects. If the breach poses a high risk to the rights and freedoms of individuals, we also inform the affected data subjects without undue delay, as stipulated by Article 34 of the GDPR. The notification includes clear and specific details on the nature of the breach, the likely consequences, and the measures we have taken or will take to address the breach and protect the individuals involved.

§ 15 International data transfers

Our organization ensures that any transfer of personal data to countries outside the European Union (EU) is conducted in full compliance with GDPR requirements to protect the privacy and rights of data subjects. We utilize several transfer mechanisms to safeguard data during international transfers, including Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).

Binding Corporate Rules are internal policies adhered to by our multinational organization, approved by European data protection authorities, that ensure adequate protection of personal data transferred outside the EU. These rules establish a framework for data protection compliance across all our global operations, ensuring consistent application of GDPR principles.

Standard Contractual Clauses, provided by the European Commission, are contractual commitments that bind the parties involved in the data transfer to comply with specific data protection obligations. By incorporating SCCs into our data transfer agreements with third-party service providers and partners, we ensure that any personal data leaving the EU is afforded the same level of protection as within the EU.

Additionally, we continuously monitor the legal landscape and adapt our practices to comply with any new regulations or guidelines issued by data protection authorities. This proactive approach ensures that our international data transfers remain secure and compliant, safeguarding the privacy and rights of our data subjects at all times.

§ 16 Miscellaneous

If a third party registered with us by using your email address, please inform us and we will immediately delete your profile, if this is what you desire.

We reserve the right to update this privacy statement at any time in the course of improving our services and implementing new technologies. We therefore recommend that you reread this privacy statement from time to time.