Privacy policy for "TK-App" from version 7.4.0

This data privacy policy informs users about the type, scope and purpose of the personal data collected and used by the responsible provider of this app. The legal basis for data protection and privacy is contained in the EU General Data Protection Regulation (GDPR), the Sozialgesetzbuch (SGB) [German Social Code] and the Bundesdatenschutzgesetz (BDSG) [German Federal Data Protection Act]. TK only collects and uses your personal data in compliance with these provisions. Such personal data includes all information related to an identifiable or identified natural person. This includes your health insurance number, for example.

As a TK insuree, you will soon be able to use various services and offers with the TK-App, such as sending a statement of fitness for work from home or on the road. This data privacy policy applies exclusively to the use of the TK-App.

1. Responsible entity

The entity responsible for the collection, processing and use of personal data in connection with the TK-App is

Techniker Krankenkasse
Bramfelder Straße 140
22305 Hamburg

Tel: +49 40 - 46 06 62 53 00
E-Mail: tk-app-team@tk.de

Any personal data collected by the app is obtained either on the basis of your express consent (Art. 6(1) point (a) GDPR) to comply with legal obligations to which TK is subject (Art. 6(1) point (c) GDPR), to perform tasks in the public interest or in the exercise of official authority vested in TK (Art. 6(1) point (e) GDPR), or for purposes of the legitimate interests pursued by TK (Art. 6(1) point (f) GDPR). Provided there are no statutory retention periods that prevent their erasure, the data are only stored for as long as necessary to fulfil the purpose for which they were collected.

2. Installation of the TK-App

The TK-App is available through distribution platforms operated by third parties, called app stores. (Google Play and Apple App Store). Downloading the app may require prior registration with the respective app store and installation of the app store software. Techniker Krankenkasse has no control over the collection, processing and use of personal data in connection with your registration and the provision of downloads in the respective app store and app store software. In this respect, the responsible entity is solely the operator of the respective app store. Please contact the respective app store provider directly for more information if required.

3. Information on use of third-party keyboards

Please note that the use of keyboards other than those provided by the operating system can result in security breaches. Entries you make can be recorded without your knowledge and sent to untrustworthy third parties. For this reason, we advise that you use the native keyboard.

4. What data are required to use the service?

In the following, we would like to provide you with information about what data is collected, processed and stored via the TK-App.

4.1 Basic functions

Network access & network connections
Network access is essential since the TK-App can only be used in online mode. The only function available offline is the display of any Covid certificates you have added.

Storage
When using the TK-App, security-relevant data are encrypted and stored locally. Some of the settings in the TK-App can also be stored locally, for example your consent to the data privacy policy or information about screens that should no longer be displayed.

Device status
Your device must undergo a security check before you can use it to access the TK-App. This involves the detection and analysis of your device status.

4.2 Configuration data

The TK-App can only be used with two-factor authentication. After installation, you will therefore be requested to log in with your "Meine TK" user account, which serves as the first factor. If you do not yet have an account, you can register for the online service. You will find further information about the collection, processing and storage of data in connection with your "Meine TK" user account in the "Meine TK" data privacy policy . The second factor is your device. Your device is registered to help us secure its connection to your "Meine TK" user account. This unique assignment involves the execution of an identification process for security purposes. The data required for configuration purposes are necessary for the functioning of the app. The configuration process has to be repeated if you switch to another device or reinstall the app.

4.2.1 Registration using your "Meine TK" user account

The following data are collected when registering with your "Meine TK" user account.

Insurance number / username and password
Your insurance number and/or username serve as your unique identifiers with our online service "Meine TK". You also need this username to log in to the TK-App.

Your personal password, which you created for using the "Meine TK" online service, is also required for logging into the TK-App. If you change your password, the new password will also be valid for the TK-App.

Every attempt to log in via the TK-App is stored in order to protect your data and our systems.

Use of biometric identifiers to log in
If your device's technology supports biometric log-in, the log-in process is classified as secure and you have activated this function on the device, you will be asked if you would like to use these identifiers to log in to the TK-App. Your consent is voluntary. You can decline this offer or, should you choose to accept it, you can withdraw your consent at any time by changing the settings. The TK-App uses the operating system's mechanisms for checking biometric identifiers. The TK-App does not receive any of these biometric identifiers; it only receives the result. When you configure the app, TK uses the biometric identifiers in the system to generate cryptographic material and store it on the device. At no time does TK receive any data about your biometric identifiers. Devices with Android operating systems use the Google Play Integrity service to perform regular checks to ensure that the device is functioning at the necessary security level. The result is transmitted to TK. TK does not transmit or store any of your personal data during this process.

Do not use the fingerprint sensor option if you share your device with other users.

4.2.2 Registration for "Meine TK"

The following data are collected and processed when registering for "Meine TK":

• First and last name
• Date of birth
• E-mail address
• Insurance number

4.2.3 Device registration

The following data are collected for the purpose of creating your device registration.

Identification for creating your device registration
For identification purposes you need to use a verification code or your TK-HealthID in your TK-Ident App. Your verification code is a security code which will be delivered via mail. Always keep the verification code safe from third-party access.

Data collected when registering your device
TK collects and stores the following data when registering your device:

• User ID
• Model of the linked device (for example: Samsung Galaxy S9)
• Serial number of the linked device
• OS type (for example: ANDROID_x86)
• OS version (for example: 9.0.0)
• Last login (for example: 01.08.18 10:47)
• Installed version of the TK-App (for example: 2.0)
• Security-relevant changes to the device (for example: JailBreak/Root or a beta version of an operating system)
• Execution and time of device registration together with the associated identification procedure

4.3 Data collected when using push notifications

You can opt in to receive notifications when there is a new message in your TK Mailbox or an electronic sick note (eAU) has been transferred from your doctors`s office to TK. To enable this feature, your smartphone registers with the applicable push service (Apple Push Notification Service or Google Cloud Messaging) after the app has been downloaded. The service then sends a token to your device. The token is transmitted from the TK-App to TK and stored in a database there. If a notification needs to be sent, TK sends the message with the token to the push service, which forwards it to your device.

If you disable the push notifications in the settings, the token is deleted in the TK database.

4.4 Use of data for loading an individual and personalized starting page

We use your customer data (first name, surname, gender and participation conditions for TK-Fit) to provide you with an individual starting page. These data are only kept in the main memory while you are using the app. As soon as you close the TK-App, the data are deleted again.

In addition, TK is also fulfilling its duty to educate, advise and inform in the course of digitalization via "Meine TK" and the TK-App. For further information, please refer to the data privacy policy of "Meine TK"

4.5 Notifications for necessary health insurance processes

As part of our consulting mandate, we use your data on your insurance relationship and membership to inform you of open concerns in this area (for example, passport photo upload for the insurance card). Insurance benefit data is explicitly excluded from this. The notification takes place via a notification card on the starting page, which is removed after the request has been dealt with.

4.6 Electronic confirmation of service

For some services, e.g. physiotherapy, your signature confirms that you have received the service. An alternative, digital procedure is provided with the electronic service confirmation. Your participation is voluntary and can be revoked by you at any time in the settings.

A participating service provider will contact you and, if you wish to use the feature, you can declare your participation in the settings. In the process, your insurance number will be transmitted as a hash to DAVASO GmbH. The company organizes the data exchange between the service providers and the participating insured persons on behalf of TK.

After a treatment, the service providers transmit your insurance number, date, time and the type of treatment to DAVASO GmbH. After logging into TK-App, you retrieve this data about the treatment. The service provider receives feedback as to whether you have confirmed or declined the service. The service data is neither stored permanently on your smartphone nor at DAVASO GmbH. Your insurance number remains stored at DAVASO GmbH for as long as you participate.

4.7 E-Rezept (ePrescription) functionality

If prescriptions are issued electronically, they are stored centrally in the Rezeptservice [prescription service] of the telematics infrastructure. ePrescription functionality serves to access the prescription service and to receive, manage and redeem electronic prescriptions. In doing this, TK neither stores nor does it have access to the data. In principle, use of the prescription service is optional. The legal basis in this respect is Art. 6 para. 1 sentence 1 (a), Art. 9 para. 2 (a) of the GDPR.

The following data are processed when using the ePrescription:

• Nams,adress, insurance number, insurance status
• Health data in the form of the prescribed medication as well as the medication dispensed by the pharmacy
• Accident information (if available)
• Location data (if these have been authorised by you)

The following sections provide details on the data which are processed within the scope of TK-Ident.

Registration for the prescription service
To access the data in the prescription service, you have to confirm your identity. This is because only you or your representative and the doctor's practice which issued the prescription and the redeeming pharmacy may access the data in the prescription service.

You can register for the prescription service using your digital identity (TK-Ident). For this you need the TK-Ident App. To register to use this app you require either your eHealth card or your German Personalausweis [personal identity card] with online identification function (eID). The digital identity which you have stored is then used to create a connection to the prescription service.

Please refer to the TK-Ident App for details on the data protection policy for the identity provider.

Downloading prescriptions
Once you are registered, your prescriptions saved in the prescription service are downloaded and displayed. The prescriptions which have been called up are only kept in the working memory whilst the app is in use. The data are deleted again as soon as you close the TK-App.

Redeeming prescriptions
You can redeem a prescription using the app by assigning it to a pharmacy. Communication in this case is via the prescription service; there is no direct communication between the TK-App and the pharmacy. If the prescription is assigned to a pharmacy, this is logged in the prescription service and the prescription status is changed to "in Einlösung" [to be redeemed]. The status of a prescription can be viewed in the app at any time.

Searching for a pharmacy
To assign a prescription to a pharmacy, your search criteria are sent to a pharmacy directory service and a search is performed. A search can also be carried out based on your current location. This function is optional. For it to be enabled, you must allow access to your location in your device's settings. Based on the search criteria provided, a list of suitable pharmacies is shown in the app.

Messages from pharmacies
Communication with pharmacies is via the prescription service; the messages from pharmacies are stored here and downloaded by the TK-App. The called-up messages are only stored in the working memory whilst the app is being used. The data are deleted as soon as the TK-App is closed.

Deletion
You can delete the prescriptions saved in the prescription service at any time via the app. Furthermore, the prescriptions in the prescription service are deleted automatically 100 days after being issued or following the last status change (Section 360, para. 11 SGB V [German Social Code, book V]).

5. Authorisations for the use of functions in your operating system

Before you can use the special service functions offered by the app, you are required to authorise access to specific operating system functions. You will therefore be asked to grant the appropriate access authorisation once when you start using the app or when you use the respective functions. In the vast majority of cases, however, your consent will not be required for the operation of the TK-App.

Camera & media library
Access to your system camera is essential if you wish to send TK a document for processing (a photo of your fit note, for example). Your device memory is also accessed if you wish to send TK a photo or PDF file that you have already stored.

Notifications
You can receive push notifications from the TK-App (section 4.3).

Physical activities
You can authorise access to any exercise data recorded by your smartphone for use with our TK-Fit service (section 6.4).

Telephone
When you install the app, older Android operating systems (OS) will ask you to consent to the use of your phone (the app is able to initiate and manage phone calls). This is because older operating systems included access to your device status within the scope of this consent. This authorisation is necessary for the TK-App to execute its basic functions (section 4.1). At no time does TK use your contact or call data. Newer operating systems no longer issue this authorisation request since it is one of the basic functions of your operating system.

Location data
If you wish to search for a pharmacy based on your location within the scope of the e-prescription functionality (section 4.7), you need to authorise this function.

Microphone
When registering for our TK-Safe service (section 6.4), there is one specific constellation that requires access to your microphone. This authorisation is necessary to review the authenticity of your device and generate your TK-Safe security key.

Overview of permissions granted and withdrawal of authorisations
The "Settings > Security > System Authorisations" menu item in the TK-App allows you to track the authorisations you have granted and withdraw these at any time. You can also view and revoke your authorisations in the respective operating systems.

6. Does TK and/or its partners receive the data, and for what purposes?

TK and its partners receive and process the data you provide in the TK-App for specific purposes. The following section provides detailed information about the purposes of the data that is collected and who receives it:

All data that is collected, processed and stored in the TK-App is only transmitted to TK and is not forwarded to third parties. The data transferred between the TK-App and the recipients described here is always transmitted using state-of-the-art SSL encryption technology.

6.1 Authentication and data transfer for other TK apps and partner apps

You can use your TK-App to authenticate yourself for other TK apps and partner apps. In addition to your authentication, these apps may also require certain personal information, such as

• First and last name
• Date of birth
• Health insurance number
• Health insurance company

which are stored by TK. When using this function, you will be shown whether and which data will be transmitted with your authentication. However, TK will only transfer the necessary data after you have given your explicit consent.

6.2 Video playback through AdmiralCloud

The data collected by the AdmiralCloud server include details on how the user uses the AdmiralCloud services, the IP address, data on the browser type, browser language, date and time of viewing. These are used only to manage the service.

6.3 TK-Fit and TK-Safe services in the TK-App

TK-Fit and TK-Safe are optional services in the TK-App for which data are collected, stored and processed. In order to use these services, you are required to consent to the data privacy policies of TK-Safe and TK-Fit as well as this data privacy policy. You will find these policies and all other information in the TK-App and at tk.de, for TK-Safe and TK-Fit. Please note that this information is currently only available in German.

7. Data collection for analysis purposes and troubleshooting

Data is collected in the TK-App in order to ensure that the app is accurate and error-free and to further develop the app in line with needs and requirements. TK has commissioned Mapp Intelligence (formerly Webtrekk GmbH) as the provider of this service. The TÜV Saarland technical inspection association has certified Webtrekk GmbH as a service provider for data protection with regard to web monitoring software.

7.1 Analysis to ensure accuracy and error-free functioning

To keep the app accurate and error-free, TK uses crash reporting. Crash reporting ensures that if an error occurs, it can be traced back to the point where it occurred in order to identify the cause. The information collected is stored exclusively on TK servers.

• Client IP (truncated)
• End device ID for crash reporting. This is a randomly generated number, which does not allow any association of device and person.
• App version
• Operating system
• Screen resolution
• Mobile device
• Date and time
• Content and functions accessed

7.2 Analysis of cross-platform usage behavior

In order to provide you with an ideal online service, the TK would like to improve the integration of its digital offers. Therefore, we would like to analyze the use of content from the app and from tk.de in a coherent and cross-platform manner. Coherent means that we recognize you when you restart the app. Cross-platform means that we recognize if and which content from our website tk.de you use in addition to the app. In addition to the information mentioned under 7.1, the following data will be collected after your consent for this purpose:

• Visitor ID
• Storage of the end device ID to record user sessions (see 7.1).

The visitor ID is generated from the ID of your "Meine TK" ["My TK"] account. It is obfuscated at TK and separately at Mapp Intelligence using a salt and hash process. This means that the visitor ID can no longer be traced back to your person. Your personal usage behavior effectively remains anonymous. You can change your consent or refusal to the analysis of usage behavior under "App Analysis" in the settings.

7.3 Feedback feature

Another function that helps ensure the accuracy and user-oriented further development of the TK-App is the feedback feature. In the "Settings" and "Anonymous Feedback" sections, you can send TK feedback about the app. To identify the context of your feedback, the following data is sent along with it:

• Operating system and installed version
• Mobile device
• Screen resolution
• Date and time
• TK-App version

The feedback is transmitted in an anonymous form and use of the feedback feature is voluntary.

When you write your feedback, make sure that it does not contain any personal and/or social data. Every feedback response is sent to us in the form of an encrypted text message and is stored for the duration of the feedback review and then deleted. Please note that we will not send you any response to your feedback.

8. Retention periods and deletion of the used data

8.1 Retention periods during active use

When you actively use the app, certain data are stored until you delete your device registration and uninstall the app. The analysis data collected for analysing the user behaviour (see Section 7.2) is stored for 24 months for evaluation purposes.

8.2 Deletion of your data

You can delete the data collected and stored in connection with the TK-App by deleting your device registration and uninstalling the TK-App from your device.

Please note that we cannot delete all your data if you only uninstall the TK-App from your device. TK does not receive any information about the deletion of the TK-App through the respective operating system. Your "Meine TK" account will not be affected by the deletion of the TK-App and must be deleted separately if needed. Analytical data on user behaviour (see section 7.2) are deleted automatically after 24 months.

Documents such as letters received that you downloaded from the TK-App and stored permanently on your device are not automatically deleted when you uninstall the app.

Deletion of device registration
You can delete your device registration at any time in the TK-App, "Meine TK" or via our telephone support hotline. When you delete your device registration, we will erase all the data collected for this purpose (section 4.2.3). The same applies to the deletion of your "Meine TK" user account. If you reinstall the TK-App, the data collected to register your device will be erased and replaced by the more recent data.

Data erasure when uninstalling the app
Uninstalling the TK-App will erase the following locally stored data:

• Cryptographic material for logging in with biometric identifiers
• Your consent to the data privacy policy
• Information about screens that should no longer be displayed (app onboarding or information regarding the overview of medication, for example)
• Your consent to the analysis of user behaviour
• Information on personalising the homepage, for example displaying TK-Fit
• Language (German/English)

9. Your rights

You are entitled to the following rights:

a) Right to obtain information (Section 15 GDPR)
b) Right to rectification (Section 16 GDPR)
c) Right to erasure (deletion) (Section 17 GDPR)
d) Right to restriction of processing (Section 18 GDPR)
e) Right to object (Section 21 GDPR)

The app is not used for profiling or scoring measures pursuant to Section 22 GDPR.

10. Communication channels

If you want to contact TK, please call us at +49 40 - 4606 625 300 or send us an e-mail to service@tk.de.

If you want to contact the TK-App developer team, please send us an e-mail to tk-app-team@tk.de or send us anonymous feedback via the TK-App using the feedback feature (located in the app settings). Please note that we cannot respond to your anonymous feedback.

11. Contact information for data protection officers and supervisory authorities:

Techniker Krankenkasse
Beauftragter für den Datenschutz
Bramfelder Str. 140
22305 Hamburg
E-Mail: datenschutz@tk.de

Der Bundesbeauftragte für Datenschutz und die Informationsfreiheit [German Federal Commissioner for Data Protection and Freedom of Information]
Der BfDI: www.bfdi.bund.de

Bundesamt für Soziale Sicherung [German Federal Office for Social Security]
The BAS: www.bundesamtsozialesicherung.de

12. Amendments or revisions to the data privacy policy

The data privacy policy is currently valid in the version dated 2. June 2025. In the course of the further development of our app or the implementation of new technologies, it may be necessary to amend or revise this data privacy policy.