Document Information
This privacy notice applies to the SkillBridge website and, as applicable, to the use of the SkillBridge App / Platform.
A. Website Privacy Notice
Information on data processing during your visit to our website
1. Controller
The controller responsible for processing personal data on the website is:
SkillBridge GmbH
Lorscher Str. 5, 64646 Heppenheim, Germany
Email: info@skillbridgehealth.de
Phone: +49 176 62876572
Website: https://www.skillbridgehealth.de/
2. Data Protection Officer
SkillBridge has appointed **Mr. Siegfried Baaske** as its external Data Protection Officer. He can be contacted via email at datenschutz@skillbridgehealth.de.
3. Purpose of this Privacy Notice
This Privacy Notice explains how personal data is processed when visiting the SkillBridge website, contacting SkillBridge, requesting a demo or pilot, or entering into business communications. For the use of the SkillBridge App / Platform, Section B applies in addition.
4. Processing Principles
SkillBridge processes personal data only where necessary for defined purposes.
Use for advertising purposes takes place only where legally permitted or where consent has been given. Optional tracking or marketing technologies are used only with consent.
5. Website Access and Server Logs
When the website is accessed, technically necessary access data may be processed in order to deliver the website, maintain stability and security, and investigate attacks or malfunctions.
| Data Category | Purpose | Legal Basis | Retention |
|---|---|---|---|
| IP address, date/time, requested URL, referrer URL, browser/device details, HTTP status, data volume | Website delivery, IT security, error analysis, abuse detection | Art. 6(1)(f) GDPR (Legitimate Interest) | Generally up to 30 days (longer for security incidents) |
6. Contact by E-mail or Contact Form
If you contact SkillBridge, we process the data you provide in order to handle your enquiry.
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, company, role, email address, phone, message content, attachments | Handling & documenting the enquiry, response, pre-contractual communication | Art. 6(1)(b) GDPR (for contract enquiries); Art. 6(1)(f) GDPR (for general enquiries) | Until completion of enquiry (subject to statutory retention obligations) |
7. Demo, Pilot and Sales Enquiries
For demo, pilot, offer or cooperation enquiries, we process personal data of contacts at prospects or customers.
Purposes: Scheduling, product presentation, offer preparation, contract negotiation and customer communication.
Data Categories: Contact details, company data, communication contents, interest in functions, meeting notes and sales status.
Legal Basis: Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (B2B communication).
8. Newsletter and Marketing Communication
Where SkillBridge offers a newsletter or similar electronic marketing, such messages are generally sent only on the basis of consent or another legal basis. Consent can be withdrawn at any time with effect for the future. If no newsletter is activated, no newsletter processing takes place.
9. Cookies, Local Storage and Similar Technologies
The website may use cookies, local storage or similar technologies. Strictly necessary technologies serve to provide the website and generally do not require consent. Optional analytics, marketing or convenience technologies are used only with consent.
| Category | Examples | Legal Basis |
|---|---|---|
| Strictly necessary | Session cookies, security/consent storage, language settings, load balancing | Section 25(2) TDDDG; Art. 6(1)(f) or Art. 6(1)(b) GDPR |
| Optional / analytics / marketing | Analytics, conversion tracking, marketing pixels, external media | Consent under Section 25(1) TDDDG and Art. 6(1)(a) GDPR |
Before optional tools are activated, providers, purposes, retention periods, recipients and third-country aspects must be added to this Privacy Notice and consent management must be implemented.
10. External Links, Social Media and Embedded Content
The website may contain links to external websites or profiles. When external links are opened, the privacy information of the respective provider applies. External content such as maps, videos, appointment tools or social media plugins may only be embedded if the relevant data protection information and consent requirements are implemented.
11. Hosting and Infrastructure
The productive platform data of the SkillBridge SaaS solution is processed and stored in the **AWS Europe (Frankfurt, eu-central-1) Region** in the standard operating model. Primary productive data storage therefore takes place in data centres located in Germany.
AWS provides the cloud infrastructure. SkillBridge is responsible for the secure configuration and operation of the application within the agreed scope. Users and customers remain responsible for their devices, users, roles, instructions and lawful use.
12. Recipients and Service Providers
Personal data may be transferred to the following recipients or categories of recipients where necessary:
- Hosting and infrastructure providers, in particular Amazon Web Services;
- E-mail, communication and ticketing service providers, where used;
- Legal, tax and data protection advisors;
- Authorities, courts or other bodies where legally required;
- Praskla Technologies Pvt Ltd: only for development and consulting purposes, without routine access to productive personal customer data (exceptional productive access is subject to the strict conditions described in Section B).
13. Third-Country Transfers
Transfers of personal data to countries outside the European Union or European Economic Area take place only where there is a legal basis, an adequacy decision, appropriate safeguards such as EU Standard Contractual Clauses, or an exception under the GDPR. In the standard operating model, no routine third-country transfer of productive personal customer data to Praskla Technologies Pvt Ltd is intended.
14. Retention
| Processing | Standard Retention |
|---|---|
| Website server logs | Generally up to 30 days, longer only in case of security incidents or legal enforcement |
| Contact and demo enquiries | Until completion; in contract-related cases according to commercial and tax retention obligations |
| Newsletter data | Until withdrawal or unsubscribe; proof of consent according to statutory accountability obligations |
| Contract and invoice data | According to statutory retention obligations, generally up to 10 years |
15. Data Subject Rights
Subject to statutory requirements, you have the following rights under the GDPR:
16. Right to Lodge a Complaint
You may lodge a complaint with a data protection supervisory authority. The authority responsible for SkillBridge GmbH is:
The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 3163, 65021 Wiesbaden, Germany.
17. Updates to this Privacy Notice
SkillBridge may update this Privacy Notice, in particular where the website, the App, service providers or the law change. The current version will be made available on the website.
B. Data Protection Information for Users of the SkillBridge App / Platform
Details on how user data is processed when utilizing the platform app
1. Allocation of Roles
For use of the SkillBridge App / Platform, the relevant hospital, care facility or employer is generally the controller within the meaning of Article 4(7) GDPR. SkillBridge generally processes personal data as processor on behalf of the controller pursuant to Article 28 GDPR.
| Role | Description / Contact |
|---|---|
| Controller | [Name of hospital / organisation / employer to be inserted by customer] |
| Processor | SkillBridge GmbH, Lorscher Str. 5, 64646 Heppenheim |
| SkillBridge DPO | Mr. Siegfried Baaske, datenschutz@skillbridgehealth.de |
In the standard operating model, SkillBridge does not decide whether a shift is staffed, which person is assigned or what employment-law consequences arise. These decisions remain exclusively with the customer / employer.
2. Purpose of the App
- Internal visibility of open shifts;
- Coordination of availabilities, responses, shift preferences, preferred days off and shift requests;
- Support for approval and communication processes;
- Notifications regarding operational events;
- User administration, access security, logging and technical stability.
SkillBridge is not a staff provider, medical device, payroll system, HR department, temporary employment provider or clinical decision-making software.
3. Legal Bases
The specific legal basis for App use is determined by the customer / employer. Depending on the deployment scenario, Article 6(1)(b), (c) or (f) GDPR, Section 26 BDSG, a works or service agreement, or voluntary consent for optional functions may be relevant.
4. Categories of Data Processed
| Category | Examples | Purposes |
|---|---|---|
| Master data | name, work e-mail address, internal user ID, organisational unit, ward, team | user account, assignment, communication |
| Login/authentication data | e-mail address, user ID, roles, tenant assignment, session metadata, IP address | login, access control, security |
| Shift & coordination data | open shifts, requests, responses, availabilities, preferred days off, swap requests, status information | shift and absence coordination |
| Qualification/role data | roles, deployment areas, qualification groups, permission groups | appropriate internal coordination; no automated suitability decision |
| Notification data | push tokens, technical e-mail events, notification status | operational notifications |
| Log data | audit logs, role changes, error messages, security events | security, traceability, incident response |
5. Data Not Intended for Processing
6. E-mail Address for Login
For login, authentication, account assignment and security evidence, SkillBridge processes in particular users' work e-mail addresses. The e-mail address is personal data and is used solely for user administration, access security, notifications, traceability and support within the agreed scope.
7. Push Notifications
The App may use push notifications to inform users about open shifts, responses or status changes. Push notifications are convenience and support functions. They do not replace the customer's internal responsibility and should not contain sensitive content, patient data or health data.
8. Hosting, Data Location and Environments
Productive platform data is processed and stored in AWS Europe (Frankfurt, eu-central-1) in the standard operating model. Production, test/staging and development environments are technically and organisationally separated. Productive personal customer data is not used in development environments unless it has first been lawfully anonymised, made synthetic or expressly approved in an individual case.
9. Praskla Technologies Pvt Ltd and Third-Country Access
Praskla Technologies Pvt Ltd, based in Tamil Nadu, India, acts as a development and consulting service provider for SkillBridge. In the standard operating model, Praskla has access only to separate development environments and no routine access to productive personal customer data or production systems.
Exceptional Access Rule:
Access by Praskla to production or production-near systems is permitted only in a documented exceptional case if:
- A serious technical error cannot reasonably be analysed or remedied without such access;
- SkillBridge approves the access and the affected hospital/clinic gives express approval in advance;
- The access is time-limited, uses MFA, secure connections and least privilege, and is fully logged;
- The access is immediately revoked and reviewed after completion.
Where the exceptional access constitutes a third-country transfer, appropriate safeguards, in particular EU Standard Contractual Clauses, are used.
10. Recipients and Categories of Recipients
- Authorised administrators, managers, approvers and users within the relevant organisation;
- SkillBridge GmbH as technical service provider and processor;
- Amazon Web Services as hosting and infrastructure provider;
- Technical services for authentication, e-mail and push notifications;
- Praskla Technologies Pvt Ltd only in the described exceptional case or for separate development work;
- Authorities or courts where legally required.
11. No Automated HR Decisions
SkillBridge does not make solely automated decisions within the meaning of Article 22 GDPR. SkillBridge does not decide on shift staffing, professional suitability, approval or rejection of requests, remuneration, allowances, working hours, employment-law consequences or HR measures. The final decision remains with the customer / employer. SkillBridge does not create performance or conduct profiles for automated evaluation.
12. Retention of App Data
| Data Category | Standard Retention |
|---|---|
| User accounts and operational usage data | Deletion or return generally within 30 days after contract termination or documented deletion instruction |
| Authentication, access and security logs | Generally 90 days |
| Incident and support logs | As long as necessary for analysis, follow-up, security and legal defence |
| Billing and tax records | According to statutory retention obligations, generally up to 10 years |
| Backups | Deletion according to regular backup rotation cycle |
13. Obligation to Provide Data
Certain data is required to use the App, in particular work e-mail address, user ID, role and organisational assignment, and technical security data. Without this data, the App cannot be used or can be used only to a limited extent. Whether and to what extent App use is mandatory is decided by the customer / employer, not SkillBridge.
14. Data Subject Rights
Subject to the statutory requirements, data subjects have rights of access, rectification, erasure, restriction, data portability, objection, withdrawal of consent and complaint to a supervisory authority. Since the customer / employer is generally the controller for App use, requests regarding data subject rights should first be addressed to the customer / employer. SkillBridge supports the customer under the data processing agreement.
15. Contacts
Email: info@skillbridgehealth.de
C. Brief Validation of Key Scenarios
Validation overview of privacy coverage
| Scenario | Coverage in this Notice |
|---|---|
| Website visit | Server logs, hosting, cookies and rights are covered. |
| Contact / demo enquiry | Contact and sales data, purposes and legal bases are covered. |
| Login with e-mail address | E-mail address is expressly identified as personal login/authentication data. |
| App availability / preferred days off / shift request | Employee and coordination data are described; legal basis is determined by the customer. |
| Patient or health data | Not intended and expressly excluded. |
| Praskla development work | Development environment only; no routine access to productive personal data. |
| Praskla exceptional access | Only with customer approval, ticket, MFA, logging, least privilege and SCC where required. |
| Works council / employee representation | No automated HR decision and no performance profiling as standard purpose. |
18. Clarifications on Cookies, Analytics, Push Services, BYOD and Co-Determination
Analytics and marketing tools: In the standard setup, SkillBridge does not use analytics, marketing or tracking technologies that are not technically necessary unless they are specifically listed in the current cookie and tool list and activated only after valid consent. Before optional tools are activated, provider, purposes, legal basis, retention, recipients and any third-country reference will be added to this privacy notice and the cookie banner.
Server logs: Technical server and security logs are limited to what is necessary and are generally not retained longer than required for security, error analysis, legal defence or statutory obligations.
Push and e-mail delivery: App notifications may use technical push services such as Firebase Cloud Messaging, Apple Push Notification service or comparable services. Push content should not contain patient, diagnosis, health or sickness information. Depending on the provider, global delivery infrastructure and therefore third-country involvement may exist; where required, appropriate safeguards and supplementary measures are used.
Co-determination and BYOD: The relevant clinic / organisation is responsible for employment-law, co-determination and BYOD rules, including coordination with works councils, staff councils or employee representative bodies, internal use policies, private devices, device protection, notification rules and whether app use is mandatory or voluntary.