Privacy Policy

At SkillBridge Health, protecting personal data is a core organizational value and a fundamental part of how our platform is designed, operated, and governed.

Document Information

Version:May 2026
Provider:SkillBridge GmbH
Registered Office:Lorscher Str. 5, 64646 Heppenheim, Germany
Registration Details:Amtsgericht Darmstadt, HRB 108658
Managing Directors:Kokilan Kanesalingam, Armin Azimi
External DPO:Mr. Siegfried Baaske (datenschutz@skillbridgehealth.de)

This privacy notice applies to the SkillBridge website and, as applicable, to the use of the SkillBridge App / Platform.

A. Website Privacy Notice

Information on data processing during your visit to our website

1. Controller

The controller responsible for processing personal data on the website is:

SkillBridge GmbH

Lorscher Str. 5, 64646 Heppenheim, Germany

Email: info@skillbridgehealth.de

Phone: +49 176 62876572

Website: https://www.skillbridgehealth.de/

2. Data Protection Officer

SkillBridge has appointed **Mr. Siegfried Baaske** as its external Data Protection Officer. He can be contacted via email at datenschutz@skillbridgehealth.de.

3. Purpose of this Privacy Notice

This Privacy Notice explains how personal data is processed when visiting the SkillBridge website, contacting SkillBridge, requesting a demo or pilot, or entering into business communications. For the use of the SkillBridge App / Platform, Section B applies in addition.

4. Processing Principles

SkillBridge processes personal data only where necessary for defined purposes.

SkillBridge does not process patient data, diagnoses, treatment data or medical records via the website.

Use for advertising purposes takes place only where legally permitted or where consent has been given. Optional tracking or marketing technologies are used only with consent.

5. Website Access and Server Logs

When the website is accessed, technically necessary access data may be processed in order to deliver the website, maintain stability and security, and investigate attacks or malfunctions.

Data CategoryPurposeLegal BasisRetention
IP address, date/time, requested URL, referrer URL, browser/device details, HTTP status, data volumeWebsite delivery, IT security, error analysis, abuse detectionArt. 6(1)(f) GDPR (Legitimate Interest)Generally up to 30 days (longer for security incidents)

6. Contact by E-mail or Contact Form

If you contact SkillBridge, we process the data you provide in order to handle your enquiry.

DataPurposeLegal BasisRetention
Name, company, role, email address, phone, message content, attachmentsHandling & documenting the enquiry, response, pre-contractual communicationArt. 6(1)(b) GDPR (for contract enquiries)
Art. 6(1)(f) GDPR (for general enquiries)
Until completion of enquiry (subject to statutory retention obligations)

7. Demo, Pilot and Sales Enquiries

For demo, pilot, offer or cooperation enquiries, we process personal data of contacts at prospects or customers.

Purposes: Scheduling, product presentation, offer preparation, contract negotiation and customer communication.

Data Categories: Contact details, company data, communication contents, interest in functions, meeting notes and sales status.

Legal Basis: Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (B2B communication).

8. Newsletter and Marketing Communication

Where SkillBridge offers a newsletter or similar electronic marketing, such messages are generally sent only on the basis of consent or another legal basis. Consent can be withdrawn at any time with effect for the future. If no newsletter is activated, no newsletter processing takes place.

9. Cookies, Local Storage and Similar Technologies

The website may use cookies, local storage or similar technologies. Strictly necessary technologies serve to provide the website and generally do not require consent. Optional analytics, marketing or convenience technologies are used only with consent.

CategoryExamplesLegal Basis
Strictly necessarySession cookies, security/consent storage, language settings, load balancingSection 25(2) TDDDG; Art. 6(1)(f) or Art. 6(1)(b) GDPR
Optional / analytics / marketingAnalytics, conversion tracking, marketing pixels, external mediaConsent under Section 25(1) TDDDG and Art. 6(1)(a) GDPR

Before optional tools are activated, providers, purposes, retention periods, recipients and third-country aspects must be added to this Privacy Notice and consent management must be implemented.

10. External Links, Social Media and Embedded Content

The website may contain links to external websites or profiles. When external links are opened, the privacy information of the respective provider applies. External content such as maps, videos, appointment tools or social media plugins may only be embedded if the relevant data protection information and consent requirements are implemented.

11. Hosting and Infrastructure

The productive platform data of the SkillBridge SaaS solution is processed and stored in the **AWS Europe (Frankfurt, eu-central-1) Region** in the standard operating model. Primary productive data storage therefore takes place in data centres located in Germany.

AWS provides the cloud infrastructure. SkillBridge is responsible for the secure configuration and operation of the application within the agreed scope. Users and customers remain responsible for their devices, users, roles, instructions and lawful use.

12. Recipients and Service Providers

Personal data may be transferred to the following recipients or categories of recipients where necessary:

  • Hosting and infrastructure providers, in particular Amazon Web Services;
  • E-mail, communication and ticketing service providers, where used;
  • Legal, tax and data protection advisors;
  • Authorities, courts or other bodies where legally required;
  • Praskla Technologies Pvt Ltd: only for development and consulting purposes without routine access to productive personal customer data (productive exceptional access is subject to strict conditions described in Section B).

13. Third-Country Transfers

Transfers of personal data to countries outside the European Union or European Economic Area take place only where there is a legal basis, an adequacy decision, appropriate safeguards such as EU Standard Contractual Clauses, or an exception under the GDPR. In the standard operating model, no routine third-country transfer of productive personal customer data to Praskla Technologies Pvt Ltd is intended.

14. Retention

ProcessingStandard Retention
Website server logsGenerally up to 30 days, longer only in case of security incidents or legal enforcement
Contact and demo enquiriesUntil completion; in contract-related cases according to commercial and tax retention obligations
Newsletter dataUntil withdrawal or unsubscribe; proof of consent according to statutory accountability obligations
Contract and invoice dataAccording to statutory retention obligations, generally up to 10 years

15. Data Subject Rights

Subject to statutory requirements, you have the following rights under the GDPR:

Access (Art. 15)
Rectification (Art. 16)
Erasure (Art. 17)
Restriction (Art. 18)
Portability (Art. 20)
Object (Art. 21)
Withdraw Consent
Lodge Complaint

16. Right to Lodge a Complaint

You may lodge a complaint with a data protection supervisory authority. The authority responsible for SkillBridge GmbH is:
The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 3163, 65021 Wiesbaden, Germany.

17. Updates to this Privacy Notice

SkillBridge may update this Privacy Notice, in particular where the website, the App, service providers or the law change. The current version will be made available on the website.

B. Data Protection Information for Users of the SkillBridge App / Platform

Details on how user data is processed when utilizing the platform app

1. Allocation of Roles

For use of the SkillBridge App / Platform, the relevant hospital, care facility or employer is generally the controller within the meaning of Article 4(7) GDPR. SkillBridge generally processes personal data as processor on behalf of the controller pursuant to Article 28 GDPR.

RoleDescription / Contact
Controller[Name of hospital / organisation / employer to be inserted by customer]
ProcessorSkillBridge GmbH, Lorscher Str. 5, 64646 Heppenheim
SkillBridge DPOMr. Siegfried Baaske, datenschutz@skillbridgehealth.de

In the standard operating model, SkillBridge does not decide whether a shift is staffed, which person is assigned or what employment-law consequences arise. These decisions remain exclusively with the customer / employer.

2. Purpose of the App

  • Internal visibility of open shifts;
  • Coordination of availabilities, responses, shift preferences, preferred days off and shift requests;
  • Support for approval and communication processes;
  • Notifications regarding operational events;
  • User administration, access security, logging and technical stability.

SkillBridge is not a staff provider, medical device, payroll system, HR department, temporary employment provider or clinical decision-making software.

3. Legal Bases

The specific legal basis for App use is determined by the customer / employer. Depending on the deployment scenario, Article 6(1)(b), (c) or (f) GDPR, Section 26 BDSG, a works or service agreement, or voluntary consent for optional functions may be relevant.

4. Categories of Data Processed

CategoryExamplesPurposes
Master dataname, work e-mail address, internal user ID, organisational unit, ward, teamuser account, assignment, communication
Login/authentication datae-mail address, user ID, roles, tenant assignment, session metadata, IP addresslogin, access control, security
Shift & coordination dataopen shifts, requests, responses, availabilities, preferred days off, swap requests, status informationshift and absence coordination
Qualification/role dataroles, deployment areas, qualification groups, permission groupsappropriate internal coordination; no automated suitability decision
Notification datapush tokens, technical e-mail events, notification statusoperational notifications
Log dataaudit logs, role changes, error messages, security eventssecurity, traceability, incident response

5. Data Not Intended for Processing

The App is not intended to process patient data, diagnoses, treatment information, medical records, patient health data, sickness reasons of employees or other special categories of personal data under Article 9 GDPR. Free-text fields must not be used to enter such data.

6. E-mail Address for Login

For login, authentication, account assignment and security evidence, SkillBridge processes in particular users' work e-mail addresses. The e-mail address is personal data and is used solely for user administration, access security, notifications, traceability and support within the agreed scope.

7. Push Notifications

The App may use push notifications to inform users about open shifts, responses or status changes. Push notifications are convenience and support functions. They do not replace the customer's internal responsibility and should not contain sensitive content, patient data or health data.

8. Hosting, Data Location and Environments

Productive platform data is processed and stored in AWS Europe (Frankfurt, eu-central-1) in the standard operating model. Production, test/staging and development environments are technically and organisationally separated. Productive personal customer data is not used in development environments unless it has first been lawfully anonymised, made synthetic or expressly approved in an individual case.

9. Praskla Technologies Pvt Ltd and Third-Country Access

Praskla Technologies Pvt Ltd, based in Tamil Nadu, India, acts as a development and consulting service provider for SkillBridge. In the standard operating model, Praskla has access only to separate development environments and no routine access to productive personal customer data or production systems.

Exceptional Access Rule:

Access by Praskla to production or production-near systems is permitted only in a documented exceptional case if:

  • A serious technical error cannot reasonably be analysed or remedied without such access;
  • SkillBridge approves the access and the affected hospital/clinic gives express approval in advance;
  • The access is time-limited, using MFA, secure connections, least privilege, and is fully logged;
  • The access is immediately revoked and reviewed after completion.

Where the exceptional access constitutes a third-country transfer, appropriate safeguards, in particular EU Standard Contractual Clauses, are used.

10. Recipients and Categories of Recipients

  • Authorised administrators, managers, approvers and users within the relevant organisation;
  • SkillBridge GmbH as technical service provider and processor;
  • Amazon Web Services as hosting and infrastructure provider;
  • Technical services for authentication, e-mail and push notifications;
  • Praskla Technologies Pvt Ltd only in the described exceptional case or for separate development work;
  • Authorities or courts where legally required.

11. No Automated HR Decisions

SkillBridge does not make solely automated decisions within the meaning of Article 22 GDPR. SkillBridge does not decide on shift staffing, professional suitability, approval or rejection of requests, remuneration, allowances, working hours, employment-law consequences or HR measures. The final decision remains with the customer / employer. SkillBridge does not create performance or conduct profiles for automated evaluation.

12. Retention of App Data

Data CategoryStandard Retention
User accounts and operational usage dataDeletion or return generally within 30 days after contract termination or documented deletion instruction
Authentication, access and security logsGenerally 90 days
Incident and support logsAs long as necessary for analysis, follow-up, security and legal defence
Billing and tax recordsAccording to statutory retention obligations, generally up to 10 years
BackupsDeletion according to regular backup rotation cycle

13. Obligation to Provide Data

Certain data is required to use the App, in particular work e-mail address, user ID, role and organisational assignment, and technical security data. Without this data, the App cannot be used or can be used only to a limited extent. Whether and to what extent App use is mandatory is decided by the customer / employer, not SkillBridge.

14. Data Subject Rights

Subject to the statutory requirements, data subjects have rights of access, rectification, erasure, restriction, data portability, objection, withdrawal of consent and complaint to a supervisory authority. Since the customer / employer is generally the controller for App use, requests regarding data subject rights should first be addressed to the customer / employer. SkillBridge supports the customer under the data processing agreement.

15. Contacts

Controller for App Use:[Name and contact details of hospital / organisation to be inserted by customer]
Processor:SkillBridge GmbH, Lorscher Str. 5, 64646 Heppenheim
Email: info@skillbridgehealth.de

C. Brief Validation of Key Scenarios

Validation overview of privacy coverage

ScenarioCoverage in this Notice
Website visitServer logs, hosting, cookies and rights are covered.
Contact / demo enquiryContact and sales data, purposes and legal bases are covered.
Login with e-mail addressE-mail address is expressly identified as personal login/authentication data.
App availability / preferred days off / shift requestEmployee and coordination data are described; legal basis is determined by the customer.
Patient or health dataNot intended and expressly excluded.
Praskla development workDevelopment environment only; no routine access to productive personal data.
Praskla exceptional accessOnly with customer approval, ticket, MFA, logging, least privilege and SCC where required.
Works council / employee representationNo automated HR decision and no performance profiling as standard purpose.

18. Clarifications on Cookies, Analytics, Push Services, BYOD and Co-Determination

Analytics and marketing tools: In the standard setup, SkillBridge does not use analytics, marketing or tracking technologies that are not technically necessary unless they are specifically listed in the current cookie and tool list and activated only after valid consent. Before optional tools are activated, provider, purposes, legal basis, retention, recipients and any third-country reference will be added to this privacy notice and the cookie banner.

Server logs: Technical server and security logs are limited to what is necessary and are generally not retained longer than required for security, error analysis, legal defence or statutory obligations.

Push and e-mail delivery: App notifications may use technical push services such as Firebase Cloud Messaging, Apple Push Notification service or comparable services. Push content should not contain patient, diagnosis, health or sickness information. Depending on the provider, global delivery infrastructure and therefore third-country involvement may exist; where required, appropriate safeguards and supplementary measures are used.

Co-determination and BYOD: The relevant clinic / organisation is responsible for employment-law, co-determination and BYOD rules, including coordination with works councils, staff councils or employee representative bodies, internal use policies, private devices, device protection, notification rules and whether app use is mandatory or voluntary.