Last updated: May 26, 2026

Privacy Policy for the ABAStroke Application

1. Purpose of this document

The ABAStroke Application is operated by us, ABAStroke sp. z o.o.

ABAStroke is a mobile application for home-based neurological rehabilitation in cases of post-stroke cognitive deficits. By combining the methodology of Applied Behavior Analysis (ABA) and machine learning algorithms (AI), ABAStroke offers patients practically unlimited exercise possibilities as part of independent, personalized and effective therapy.

This Privacy Policy explains how we process your data, i.e. personal data, when you use the ABAStroke application (hereinafter: the “Application”). We also inform you how we protect your data, when it is deleted, and what rights you have under data protection laws.

The Controller is not a healthcare provider within the meaning of applicable law and does not conduct medical activity.

The services provided within the Application do not constitute healthcare services, in particular they do not include the provision of medical advice, making diagnoses, conducting treatment or taking therapeutic decisions.

Any information made available within the service is for informational purposes only and may not be treated as a substitute for professional medical consultation. If you need medical advice or a diagnosis, you should contact an appropriate specialist or healthcare provider.

2. Personal data controller

The data controller for this Application is:

ABAStroke sp. z o.o.
ul. Warszawska 3/3
31-155 Kraków

If you have questions regarding our data protection measures, data processing or the protection of the rights of data subjects, you may contact our Data Protection Officer as follows: michal@abastroke.com

3. Scope of personal data processed

The Controller processes personal data to the extent necessary to achieve the purposes of processing, in accordance with the principle of data minimization set out in Article 5(1)(c) GDPR and taking into account the information security requirements arising from ISO/IEC 27001.

In connection with the use of an authentication mechanism based on one-time activation codes, the Controller does not process standard user identification data. The Application is activated solely by entering this code, followed by its automatic verification in the system.

The verification process is automated and limited to checking the correctness and validity of the code, without the need to obtain or process additional user identification data.

Consequently, the Application does not process other data enabling direct identification of the patient, such as first name, surname, PESEL number or residential address, and the scope of data processing remains limited to the minimum necessary to provide the service. The scope of processed data includes in particular:

The Controller processes special categories of personal data referred to in Article 9(1) GDPR on the basis of Article 9(2)(a) GDPR and with the application of appropriate technical and organizational measures ensuring their protection, in accordance with Article 32 GDPR.

Data processing is carried out with due regard to the principles of confidentiality, integrity and availability of data, and with the application of security measures adequate to the identified risk, including access control mechanisms, operation logging and security incident management.

Users may optionally consent to the use of their data, in anonymized form, for further development purposes, in order to ensure technical functionality and ease of use. This consent may be withdrawn at any time without giving reasons. We cooperate with recognized medical and scientific research institutions in the further development of our products. Data necessary for scientific purposes is transferred only in anonymized form, so that researchers cannot draw any conclusions regarding any specific user. Our shared goal is further development so that our users receive the best possible support and guidance during therapy.

4. Integration with an external system and verification of the activation code

The Controller informs you that the Application uses integration with an external system of your health insurance fund.

Logging into the Application takes place solely by entering an activation code, which is then subject to automatic verification in the system. For this purpose, users must apply to their health insurer for an individual code. The verification process is automated and consists of checking the validity and correctness of the entered code in the external system.

As part of this process, the Application transfers to the system only the data necessary to perform the verification, i.e. in particular the activation code and technical information related to the request, such as a timestamp or data necessary to secure communication. The system does not transfer to the Application data identifying the user in the form of first name, surname or other data enabling direct identification of the patient.

Verification of the code in the system is a condition for obtaining access to the functionality of the Application. If positive verification of the code is not possible, the user will not obtain access to the system.

The transfer of data to the system takes place only to the extent necessary to perform the authentication process and on the basis of the Controller’s legitimate interest consisting in ensuring secure access to the Application and its proper functioning (Article 6(1)(f) GDPR). To the extent that data may be processed by the system as a separate controller or processor, responsibility for its further processing is governed by separate arrangements between the parties.

The Controller ensures that integration with the health insurance fund system has been designed in a manner that minimizes the scope of transferred data and limits the risk of its unauthorized disclosure, in accordance with the data minimization principle arising from Article 5(1)(c) GDPR.

5. Purposes and legal bases for data processing

The Controller processes users’ personal data in accordance with the provisions of the GDPR, only to the extent necessary to achieve specified purposes and on the basis of appropriate legal bases indicated in Article 6(1) and, in the case of special categories of data, Article 9(2) of that Regulation.

Personal data is processed for the purpose of enabling use of the Application and its functionalities, including in particular user authentication, session handling and ensuring access to system resources. The legal basis for this processing is Article 6(1)(b) GDPR, i.e. necessity for the performance of a contract for use of the Application or to take steps prior to entering into such a contract.

Data may also be processed for the purpose of ensuring the proper operation and security of the Application, including activity monitoring, abuse detection, maintaining system logs and managing security incidents. The legal basis for processing in this respect is Article 6(1)(f) GDPR, i.e. the Controller’s legitimate interest consisting in ensuring the security and integrity of the system and protection against abuse.

With regard to handling user requests and contacting the user, data is processed for the purpose of responding to inquiries or resolving technical problems. The legal basis for processing is Article 6(1)(b) GDPR or Article 6(1)(f) GDPR, depending on the nature of the request.

The Controller also processes data for the purpose of fulfilling legal obligations arising from provisions of law, in particular in the field of personal data protection and information security. In such case, the basis for processing is Article 6(1)(c) GDPR.

In the case of health-related data, constituting special categories of personal data within the meaning of Article 9(1) GDPR, the Controller indicates that the Application does not provide medical services. Such data is processed only on the basis of the user’s explicit consent, in accordance with Article 9(2)(a) GDPR and Article 6(1)(a) GDPR. Providing medical data is voluntary and takes place only to the extent resulting from the functionality of the Application.

The user has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before its withdrawal.

6. What rights do you have?

You may contact us at any time if you have questions regarding your data protection rights or wish to exercise the following rights:

If consent to the processing of health-related data is withdrawn, further use of Application functionalities requiring the processing of such data may be limited or impossible.

The Controller fulfills a request to withdraw consent without undue delay, no later than within the time limit arising from provisions of law, and ensures that the process of withdrawing consent is as easy as giving it.

Withdrawal of consent results in cessation of data processing to the extent to which the processing was carried out on its basis, unless further processing is permitted on another legal basis.

Withdrawal of consent does not affect the lawfulness of data processing carried out before its withdrawal. Withdrawal of consent does not affect the processing of personal data that is carried out on the basis of other legal grounds provided for in Article 6(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), in particular where processing is necessary for the performance of a contract, compliance with a legal obligation imposed on the controller or the pursuit of its legitimate interests.

If you no longer wish data processing necessary for proper use of the Application to take place, you may also object to it in the Application and thereby permanently delete your user account and all data associated with it.

The user has the right to request restriction of processing of their personal data in cases provided for by law, in particular when:

During the period of restriction of processing, data may only be stored or processed to the extent necessary for the establishment, exercise or defense of claims or in other cases provided for by law. Each restriction of processing is appropriately marked in the Controller’s systems.

7. Deletion and data retention period

Unless otherwise specified, we delete your data as soon as it is no longer needed:

Users’ personal data is processed for a period not longer than 90 days from the date of its collection, in accordance with the storage limitation principle set out in Article 5(1)(e) GDPR, unless further storage is required under provisions of law, in particular in connection with the fulfillment of obligations arising from Article 6(1)(c) GDPR.

After this period, the data is definitively and irreversibly deleted or anonymized in a manner preventing its further attribution to a specific person. In connection with the above, after the indicated period expires, the Controller no longer has the user’s personal data and has no possibility of restoring it.

The Controller informs you that it is not a healthcare provider or a controller of medical records. Your personal data, together with the therapy report, is transferred to ePA if you give such consent. Therapy data may be transferred to ePA only if the user uses such a function or gives the required consent. The scope and frequency of data transfer depend on the available ePA function and the user’s settings.

Upon effective transfer of the data, ePA becomes a separate controller of personal data within the scope of the processing purposes it carries out. In such case, all requests regarding personal data, including the exercise of the rights referred to in Articles 15 to 22 GDPR, should be addressed directly to that entity.

Your user account data is automatically deleted after the end of therapy. Alternatively, we will delete your data immediately upon your request from within the ABAStroke Application or in another manner.

Of course, you may request information about stored data at any time. Data protection inquiries and other legal matters may also be stored for a longer period within legally applicable retention and limitation periods.

8. Deletion of the user account and user data

In accordance with the interpretation of DiGAV (Section 4(2)) by the BfArM authority, the account together with all personal data is automatically deleted after expiry of the validity period (90 days) for DiGA users in Germany.

The user has the right to delete their account at any time, without having to provide a reason.

If a request to delete the account is submitted, the Controller promptly takes actions aimed at deleting it, together with the personal data assigned to it, in accordance with Article 17 GDPR (right to erasure, the so-called “right to be forgotten”).

Deletion of the account results in permanent and irreversible deletion of the user’s personal data, subject to cases in which further processing of data is required under provisions of law, in particular for the purpose of fulfilling legal obligations or asserting, establishing or defending claims (Article 6(1)(c) and (f) GDPR).

Notwithstanding the above, if the data has been transferred to competent public authorities or other authorized entities, those entities become separate data controllers. In such case, the exercise of rights related to further processing of the data should be addressed directly to those entities.

9. Technical data

The technical data we collect informs us about the operating system and Application version you use to access ABAStroke. The following information is collected automatically if you actively use the ABAStroke Application. Where legally permitted and technically feasible, we collect this data only after you have given active consent in the Application.

For security reasons, this data is transmitted via an encrypted connection. Your data is generally stored for as long as you hold an active license to use the Application, i.e. 90 days. Alternatively, the data is stored until you decide to delete individual data or the entire user account. The data is collected in order to ensure that you can use the Application as intended.

10. Application configuration

Use of the Application requires configuration by providing data. An activation code is required for configuration.

The first activation of access to the Application takes place by entering an activation code, which is verified in the system. After positive verification of the code, the Application may create a technical user account and link the active installation of the Application with the user’s device.

During later use of the Application, access to the active installation may be secured by mechanisms specific to the device, such as device binding, system lock, device PIN or biometric authentication, if the user has enabled them and the device supports them. The Application offers the possibility of authentication, after obtaining informed consent, using biometric authentication methods supported by your smartphone, such as fingerprint or Face ID. Responsibility for your biometric data lies with the relevant authentication service provider. We receive only the authentication result.

For security reasons, the collected data is transmitted via an encrypted connection. Your data is generally stored for as long as you hold an active license to use the ABAStroke Application. Alternatively, the data is stored until you decide to delete individual data or the entire user account. The purpose of requesting data is to create a user account, which is necessary for safe and proper use of the Application.

11. Push notifications

We have not currently implemented push notifications.

12. Functionality/User-friendliness

By consenting to the use of technical functions, you consent to our processing of the information provided in the Application in order to ensure its continuous technical functionality, user-friendliness and further development.

13. Third-party software

In order to ensure the proper, secure and stable operation of the Application, the Controller also uses software components originating from third parties, including open-source components and other elements referred to as SOUP (Software of Unknown Provenance), i.e. software that has not been produced directly by the Controller but is used as part of the system.

These components are selected with due diligence and are subject to regular monitoring, validation and updating in accordance with the Controller’s applicable software security management and risk management policy. The purpose of these activities is to reduce the risk of errors, security vulnerabilities and disruptions in the functioning of the Application.

If significant vulnerabilities, security incidents or changes in SOUP components are disclosed that may affect data security or the manner of using the Application, the Controller may take appropriate technical and organizational measures, in particular:

If the nature of the event allows and it is justified, users may be informed of significant changes by means of messages displayed in the Application.

To the extent required by law or resulting from the nature of the technologies used, the Controller may provide additional information regarding the components used, including information on open-source licenses and technical solutions applied. This information may be included in technical documentation, user documentation or made available upon justified request of authorized entities.

Use of the Application means acceptance of the fact that its functioning may, to a limited extent, depend on external components over which the Controller does not exercise full control, while ensuring that appropriate organizational and technical measures are applied to protect data and minimize risk for users.

14. Recipients of personal data

In accordance with the description and purposes above, we make your data available to the following recipients, who are necessary for the provision of our services and communication with you:

In addition, the Controller may entrust the processing of personal data to third parties providing services to it that are necessary to ensure the proper functioning of the Application and to achieve the purposes indicated in this Policy.

Entrusting the processing of data takes place only on the basis of a written or electronic agreement concluded in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), which obliges the processor to apply appropriate technical and organizational measures ensuring protection of personal data and to process data only on documented instructions from the Controller.

The Controller uses only processors that provide sufficient guarantees of implementing appropriate security measures compliant with GDPR requirements, industry standards and information security management principles. These entities may process personal data only to the extent and for the period necessary to perform the entrusted services.

15. Transfer of data outside the European Economic Area (EEA)

Personal data is not transferred outside the European Economic Area.

16. Processing in processes involving automated decision-making, including profiling

We currently do not use any operations involving automated decision-making that produces legal effects concerning the recipients of those decisions or similarly significantly affects them.

17. How do we protect your data?

To guarantee data protection and security, we take comprehensive security measures to ensure the confidentiality, integrity and availability of your personal data. In doing so, we take into account the current state of technical knowledge and applicable data protection regulations. Your data is stored only in an encrypted storage area in the Application. The integrity of this storage area is guaranteed by the operating system of your smartphone. Data is synchronized with our database management system. All data is additionally encrypted in the database using a key assigned to the user. Regular backups protect against accidental data loss.

As part of its information security management system, the Controller has implemented and maintains procedures and safeguards compliant with the requirements of ISO 27001 (Information Security Management System). The Controller holds an ISO/IEC 27001 compliance certificate, confirming the application of globally recognized standards in the field of information protection, risk management and continuous improvement of applied safeguards.

The security measures applied include in particular data access control, encryption, system monitoring, regular testing and evaluation of the effectiveness of safeguards, security incident management and training of persons authorized to process personal data.

The Controller continuously analyzes threats and takes actions aimed at minimizing the risk of personal data breaches.

18. What can you do to ensure the security of your data?

To ensure the highest possible level of security for your data, you must take appropriate measures to protect the Application and the data transmitted through it.

These include:

19. Changes to the Privacy Policy

The Controller reserves the right to amend or update this Privacy Policy at any time, in particular in the event of changes in law, technological development, implementation of new Application functionalities or changes in the manner of processing personal data.

If material changes are introduced to the content of the Privacy Policy, including changes in its translations made available to users, the user will be informed of the new version of the document upon first launch of the Application after its publication. Until the user has read the current content of the Privacy Policy and has given renewed consent by selecting the appropriate checkbox, access to the functionality of the Application may be limited or completely blocked.

The checkbox used to accept the updated Privacy Policy is unchecked by default, and the button enabling continued use of the Application remains inactive until the user gives consent.

The user may read the full content of the current Privacy Policy through the “View Privacy Policy/Read more” function, which opens a dedicated window or panel containing the applicable version of the document.

Continued use of the Application after acceptance of the new version of the Privacy Policy means confirmation that the user has read its content and accepts the changes introduced. The Controller recommends regularly reviewing the current content of the Privacy Policy in order to obtain up-to-date information regarding the principles of personal data processing and protection.

20. How can you contact us?

If you have any questions regarding how we use your personal data, you may contact us by email or by post at the following addresses:

ABAStroke sp. z o.o.
ul. Warszawska 3/3
31-155 Kraków
marked: “personal data protection”

email: contact@abastroke.com, michal@abastroke.com