Privacy Policy



The protection of personal data with respect to data processing is important to medaia GmbH, Reininghausstraße 13a, 8020 Graz, as the data controller. Consequently, when using personal data, medaia GmbH complies with all the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act (DSG) and strives for the best possible transparency.

medaia GmbH processes personal data in accordance with the principles of lawfulness, good faith, transparency, accuracy, purpose limitation, data minimization and storage limitation.

The SkinScreener app does not use any analytics or tracking tools (SDKs) to analyse and/or track user behaviour. Furthermore, the app is ad-free and no data is shared with advertising service providers.

Regarding all data collected in the app, the following applies:

1) The data will not be used for tracking purposes (i.e., the data will not be linked to other third-party data about the user or device for advertising or ad measurement, or shared with a data broker).

2) The data will not be used for third party advertising, your advertising or marketing purposes or for any other purpose.


The data protection officer is Mr. Marko Drndarevic.

Questions can be sent to the following address:

Marko Drndarevic, medaia GmbH, Reininghausstraße 13a, 8020 Graz,


medaia GmbH processes personal data exclusively in the context of the use of its SkinScreener app and the homepage. The following legal justifications are considered:

2.1. Use of our SkinScreener app

Legal basis

The processing of personal data is necessary within the framework of the fulfilment of contractual obligations pursuant to Art 6 (1) lit b GDPR for authentication in the app, for the provision of risk assessments and for post-market surveillance (ISO 13485:2016).

The purposes of processing:

The processing activities are carried out for the purpose of enabling the use of the app in an authenticated manner and thus the correct allocation of the purchased scans or annual subscriptions. The data for authentication is provided by Google and Apple via their plugin.

In order to be able to make an even better and more precise assessment of the correctness of the risk assessment in the context of post-market surveillance, information on age and gender is required.

Furthermore, we will keep you informed via email about new functions or changes and adjustments to our app and our terms and conditions. In order to be able to address you personally in the email, we collect your first and last name, which is done exclusively for this purpose.

Optionally ("Opt in"), there is the possibility to link the image data with the email address in order to enable queries within the scope of post-market surveillance, for scientific purposes and for quality assurance. This link can be removed at any time under "Settings".

Categories of data:

Email address


Date of birth


Google ID (when using Android devices)

Apple ID (when using iOS devices)

2.2. UV index[1] and dermatologists nearby

Legal basis

The processing of personal data is necessary in the context of the fulfilment of contractual obligations pursuant to Art 6 (1) lit b GDPR to display the local UV index and the dermatologists in your area.

Purpose of processing:

We collect your location solely for the purpose of determining the local UV index as well as the dermatologists in your area.

Data categories:


2.3. Push notifications

Legal basis

On the basis of your express consent according to Art 6 (1) lit a GDPR, our app sends you push notifications.

Purposes of processing:

We use push notifications within our app to inform you that there is a skin lesion rated yellow or red in your image library, so that you are reminded to seek a specialist examination.

You can give and withdraw your consent at any time via your app settings.

[1] The location-based UV index informs you about the local UV radiation level.

2.4. Customer feedback

The processing of personal data is necessary within the framework of the legitimate interests of medaia GmbH pursuant to Art 6 para 1 lit f GDPR to respond to customer feedback and enquiries.

Purpose of processing:

The processing activities are carried out for the purpose of providing targeted responses to customer feedback as well as customer survey enquiries.

Data categories:

Google account/Apple account email address


You have the right to object to the processing of this data. In the event of an objection, we would like to point out that it will not be possible to answer your questions within the scope of the customer surveys and customer feedback.

2.5. Processing of anonymous image data

All images taken with the SkinScreener app and rated as yellow or red, as well as the analyses and recommendations, are saved on your mobile device. If the app is deleted from the device, all images taken are also deleted.

In order to carry out post-market surveillance and to further develop the artificial intelligence of our app, anonymised analysed images with risk assessment, gender, age, information on the device type and operating system are transmitted via an encrypted connection to the ISO-certified data centre (location: Austria, local storage at the same location) and stored and processed for research purposes, further development and market monitoring of the SkinScreener app. The images are anonymised and given an internal ID before being transmitted to our data centre and can no longer be assigned to you. The user has the option of linking the image data with the e-mail address. This is exclusively for the purpose of queries within the framework of the quality assurance of our medical product. This link can be withdrawn at any time under "Settings".


Recipients of personal data are medaia GmbH employees who require this data to fulfil contractual obligations and to safeguard legitimate interests.

Your data are not transferred to third parties or processed outside of Austria. The physical location of the data is in Austria.

Depending on the purpose of the processing, medaia GmbH will pass the data to processors commissioned by it, insofar as they need the data to fulfil the respective task. medaia GmbH pays attention to compliance with data protection regulations when selecting its processors and has entered into agreements with the processors which ensure that personal data are processed confidentially and carefully.

medaia GmbH uses the Raiffeisen Computing Centre Graz of Raiffeisen Rechenzentrum GmbH for order processing. This processor has the appropriate ISO certifications and processes data exclusively in accordance with data protection regulations.


The personal data are stored for the period of the business relationship and beyond in accordance with the statutory retention periods. In this respect, medaia GmbH is subject to retention obligations pursuant to the following laws:

  • Austrian Business Code (UGB),
  • Federal Fiscal Code (BAO),
  • Austrian General Civil Law (ABGB),


You have a right to information, correction, erasure and restriction of the processing of personal data by medaia GmbH.

Complaints can be lodged with the Austrian Data Protection Authority (



All employees of medaia GmbH are subject to strict confidentiality with regard to information entrusted to or made known to them in the course of their work.


Data security is of great importance to us. medaia GmbH has taken all necessary technical and organizational measures to ensure the security of data processing and to process personal data in such a way that it is protected against access by unauthorized third parties. The IT infrastructure of medaia GmbH as well as of the processor complies with current security requirements and is checked regularly. For maximum security, the data is stored on the Raiffeisen Rechenzentrum server, which has the following certificates for data security:

  • ISO/IEC 27001 (IT-Security)
  • ISO/IEC 27018 (Data protection in public clouds acting as PII processors)
  • ANSI/TIA-942 (Data Center Certification)
  • DIN EN 50600 (Data Center Certification)


The website is operated by medaia GmbH as the data protection controller. In this notice, we inform you about which personal data we process within the scope of this website. It is possible to use the website without providing personal data.

8.1. Visiting our website 

Legitimate interest pursuant to Art. 6(1) point (f) GDPR

medaia GmbH processes the data within the scope of its overriding legitimate interest pursuant to Art 6(1) point (f) GDPR to achieve the stated purposes, in particular to make the website available.

The purposes of processing:

The processing of your data serves the purpose of provision of the website as well as system security and improvement of the website and thus the public image of medaia GmbH.

Categories of data:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved data
  • Amount of data transmitted
  • Message whether the retrieval was successful
  • Identification data of the browser and operating system used
  • Website from which the access is made
  • Name of your internet access provider

8.2. Cookies

Our website uses what are known as cookies. These are small text files that are stored on your end device with the help of the browser. They do no harm. We use cookies to make our offer user-friendly. Some cookies remain stored on your end device until you delete them. They enable us to recognize your browser the next time you visit us. If you do not want this, you can set up your browser so that it informs you about the setting of cookies and you can then allow this only in individual cases. If you disable cookies, the functionality of our website may be limited. You can find a list of the cookies used by our website and more detailed information in our cookie banner.

8.2.1. Functional cookies

We process functional cookies (session cookies and permanent cookies) on the basis of the exemption provision in § 96 para. 3 TKG. Your consent is not required.

Session cookies are used to display our website content. Session cookies are deleted after the session is closed.

Permanent cookies are used to improve user-friendliness, e.g. to be able to save the language selection you have made and to be able to display our website in the language you have chosen when you visit it again.

8.2.2. Analysis tools

Legal basis

We process the data within the scope of your express consent in accordance with § 96 para 3 TKG to achieve the stated purposes for improving the website. You can give your consent to the use of the analysis tools via our cookie banner.

You can revoke your consent at any time via our cookie banner or by deleting all or individual cookies in the browser settings. If you revoke your consent or change the browser settings so that cookies are no longer stored, you can no longer be recognised by us when you visit our websites again.

In the event of revocation, we would like to point out that it may not be possible to use all functions and contents of the website to their full extent.

Purpose of processing:

The processing of your data serves web usage analysis purposes, in particular to compile reports on website activities and thus to be able to improve our website.

Transfer of your data to third countries: Google Analytics 

As part of the website analysis, your data will be transferred to third countries. We would like to point out that the transfer of your data to providers in the USA as well as worldwide, such as Google or YouTube, is a data transfer without the existence of an adequacy decision and without appropriate guarantees. This transfer takes place on the basis of your consent in accordance with the exceptional provision of Article 49 (1) (a) GDPR.

In order to protect the interests of users in the protection of their personal data, this is done by anonymising the data. Your IP address is thus already transmitted to Google in an unrecognisable form.
You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. In addition, you can prevent the collection of the data generated by the cookie and related to your use of the website (incl. your encrypted IP address) to Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link:

This website also uses cookies with the purpose of targeting visitors via remarketing campaigns with online advertising at a later time in the Google advertising network. To serve remarketing ads, third-party providers such as Google use cookies based on a visit to our website. You as a user have the option to deactivate the use of cookies by Google by visiting this Google deactivation page at

The following data is collected as part of the registration process:
(1) The encrypted IP address of the user
(2) Date and time of access
(3) Frequency of page views
(4) Use of website functions
(5) The user’s operating system
(6) The user’s internet service provider
(7) Websites from which the user’s system accesses our website
(8) Websites that are accessed by the user’s system via our website
(9) Operating systems of the end devices used

Google Firebase

Our app uses Google Firebase (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, "Google"). This service also processes personal data, among other things. In most cases, these are "instance IDs" that are provided with a time stamp. These IDs are assigned to a specific user and allow the linking of different events or processes. This data does not allow us to draw any conclusions about the specific user. We do not personalise the data. We process this aggregated data to analyse and optimise user behaviour, for example by evaluating crash reports.

For Firebase Analytics, Google also uses the advertising ID of the mobile device. You can restrict the use of the advertising ID in the device settings of your mobile device.

For Android: Settings > Google > Ads > Reset AD ID
For iOS: Settings > Privacy > Advertising > No Ad Tracking

8.2.3. Social media plug-ins

We work together with various social networks. When using these services, your browser is automatically connected to the relevant network. It transmits your IP address and other information, such as cookies, if you have visited the respective platform before.

We do not collect any personal data via the plugins integrated on our website. The processing of your personal data within the scope of the plugins is based on your express consent in accordance with § 96 para. 3 TKG via our cookie banner. The purpose of these plugins is to be able to offer you a greater range of information about our services.

If you give your consent by actively clicking on "I agree" in the cookies banner when visiting our website, your personal data (IP address) may be transmitted to the social network. This happens regardless of whether you have a user account with the social network. If you have a user account with one of the social networks and are logged into your user account while clicking on the cookie banner on our website, the data collected via the respective plugin will be directly linked to your account. If you do not wish to be linked to your user account, you must log out of your social media account before activating the plugin. We have no influence on the extent to which and the purpose for which the social networks actually collect personal data via the plugins.

Revocation of consent is possible at any time by deleting all or individual cookies in the browser settings.

In the event of revocation, we would like to point out that it may not be possible to use all functions and contents of the website to their full extent.

  • Facebook

This website uses social media plug-ins of the social network, which is operated by Facebook Inc. 1601 South California Avenue, Palo Alto, CA 94304, USA. After activating the plug-in, a direct connection is established between your browser and the Facebook server. Facebook thereby receives the information that you have visited our site with your IP address. If you click the Facebook “Like Button” while you are logged in to your Facebook account, you can link the contents of our pages on your Facebook profile. This allows Facebook to associate visits to our pages with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Facebook. For more information, please refer to the Facebook privacy policy at If you do not want Facebook to be able to associate visits to our pages with your Facebook user account, please log out of your Facebook user account.

  • Twitter

This website uses the Twitter feed and a follow plug-in of the network Twitter ( The feed is provided by Twitter Inc. 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. Additionally, a follow plug-in is used which is installed below the Twitter feed.  With the plug-in it is possible to follow us on Twitter. When you visit one of our websites that contains such a plug-in, your browser establishes a direct connection to the Twitter server. The content of the plug-in is transmitted from Twitter directly to your browser. We have no influence on the amount of data that Twitter collects. The user’s IP address and the URL of the respective website are transmitted to Twitter when the plug-in is clicked, but they are only used for the purpose of displaying the plug-in. Further information about the plug-in can be found here ( Information on data protection can be found in the Twitter privacy policy (

Interaction with social networks

We work together with various social networks. When you use this service, your browser is automatically connected to the relevant network. In doing so, it transmits your IP address and also other information, such as cookies, if you have visited the platform in question before.

We avoid, as far as possible, this type of data transfer until you actually interact with one of the platforms. By clicking on the relevant icon (e.g. the Facebook logo), you indicate that you are willing to communicate with the selected platform and for information about you, such as your IP address, to be sent to this social network.

8.3. Period of storage

We store your personal data for a period of 3 months. A longer storage period only takes place as far as this is necessary to investigate attacks on our website.