Privacy Policy

Your privacy and data protection are our top priorities

Last updated: June 11, 2025

This Privacy Policy is available in German, French and English. In case of discrepancies between language versions, the German version prevails.

⚠️ Notice: This Privacy Policy is currently under legal review. The subprocessors section is being verified and updated.

1. Introduction

Welcome to ViaCommuna, a health application designed to support stroke patients and their families throughout the recovery process. We are committed to protecting your privacy and ensuring the security of your personal health information. This Privacy Policy explains how we collect, use, and protect your information when you use our app and services.

As a Swiss health-focused application, we adhere to the highest standards of data protection, including compliance with the Swiss Federal Act on Data Protection (FADP), the GDPR for EU users, and Swiss healthcare regulations. Your trust is essential to us, and we are transparent about our data practices.

2. Information We Collect

We collect different types of information to provide you with personalized stroke recovery support:

Personal Information:

  • Name, email address, and contact details
  • Age, gender, and basic demographic information
  • Emergency contact information

Health Information:

  • Stroke-related medical history and recovery progress
  • Physical therapy exercise data and progress tracking
  • Mental health assessments and mood tracking
  • Medication reminders and adherence information
  • Rehabilitation goals and milestones

Usage Data:

  • App usage patterns and feature interactions
  • Learning module completion and progress
  • Exercise session data and performance metrics
  • Communication with healthcare providers through the app

Technical Information:

  • Device information and operating system
  • IP address and location data (if enabled)
  • App performance and crash reports

3. How We Use Your Information

We use your information exclusively to provide and improve our stroke recovery services:

Treatment Support:

  • Personalizing rehabilitation programs and exercises
  • Tracking recovery progress and providing insights
  • Sending medication and therapy reminders
  • Connecting you with appropriate healthcare resources

Educational Content:

  • Customizing learning modules based on your recovery stage
  • Providing relevant stroke education and prevention information
  • Offering family support resources and guidance

App Improvement:

  • Analyzing usage patterns to enhance user experience
  • Developing new features based on user needs
  • Ensuring app stability and performance
  • Conducting research to improve stroke recovery outcomes (anonymized data only)

4. Health Data Protection

Your health information receives special protection under Swiss and international medical privacy laws. It qualifies as particularly sensitive personal data under Art. 5 lit. c FADP:

Security Measures:

  • Encryption of all data in transit (TLS 1.2+)
  • Encryption of data at rest in Swiss and EU data centres (AES-256)
  • Regular security audits and vulnerability assessments
  • Role-based access controls and full audit logging of access to health data

Access Controls:

  • Strict access controls limiting who can view your health data
  • Healthcare providers only access data with your explicit consent
  • You maintain full control over sharing your information
  • Option to export or delete your health data at any time

Compliance:

  • Swiss Federal Act on Data Protection (FADP)
  • GDPR compliance for European users
  • Swiss Medical Devices Ordinance (MedDO) where applicable
  • Regular internal and external compliance reviews

5. Information Sharing

We only share your information in specific, controlled circumstances:

Healthcare Providers:

  • With your explicit consent, we may share relevant data with your healthcare team
  • Integration with electronic health records (EHR) when authorized
  • Emergency medical information sharing if you've enabled this feature

Family and Caregivers:

  • Progress updates and basic information with designated family members
  • Emergency contact notifications if you've enabled this feature
  • Shared goal tracking and milestone celebrations

Research (Anonymized Only):

  • Aggregated, anonymized data for stroke recovery research
  • Contributing to medical research to improve stroke treatment
  • No personally identifiable information is ever shared for research

Legal Requirements:

  • We may disclose information if required by law or court order
  • Emergency situations where disclosure could prevent harm
  • Compliance with medical reporting requirements

6. Your Rights and Choices

You have full control over your personal information and health data under Swiss and international law:

Access and Control:

  • View, download, or export all your personal data
  • Correct or update your information at any time
  • Delete your account and all associated data
  • Opt out of non-essential communications

Consent Management:

  • Withdraw consent for data processing at any time
  • Control what information is shared with healthcare providers
  • Manage family and caregiver access permissions
  • Choose your communication preferences

Swiss Data Protection Rights (FADP):

  • Right to information about data processing
  • Right of access to your personal data (Art. 25 FADP)
  • Right to rectification of incorrect data
  • Right to deletion
  • Right to data portability (Art. 28 FADP)
  • Right to object to data processing

GDPR Rights (EU Users):

  • All Swiss rights plus additional GDPR protections
  • Right to restrict processing
  • Right to lodge complaints with EU supervisory authorities

7. Data Retention

We retain your information only as long as necessary for the agreed purposes or as required by statutory retention obligations:

Active Account Data:

  • Personal information: retained while your account is active
  • Health data: retained while your account is active; deleted within 30 days after account closure, unless a statutory retention obligation applies
  • Usage data: retained for 12 months for troubleshooting and app improvement

Deletion Process:

  • Account deletion removes all personal identifiers within 30 days
  • After the retention period, data is securely and permanently deleted or anonymized
  • Backups are automatically purged according to our retention schedule (max. 90 days)
  • You can have all data deleted immediately via your account or on request

8. International Transfers

Your data may be processed in different countries with appropriate safeguards:

Switzerland's Adequate Protection:

  • Switzerland has been recognized by the EU as providing adequate data protection
  • Swiss data protection laws meet international standards
  • Seamless data transfers within Switzerland and to the EU
  • Additional protections for transfers to other countries

Data Transfers:

  • We primarily use Swiss and EU-based service providers for data storage
  • Transfers to third countries take place only on the basis of an adequacy decision or FDPIC-recognized standard contractual clauses (Art. 16 FADP)
  • You can request information about where your specific data is stored

Safeguards:

  • All data transfers use encryption and secure protocols
  • Regular audits of all service providers regardless of location
  • Priority given to Swiss and EU-based service providers

9. Subprocessors (Third-Party Service Providers)

To operate our services we rely on carefully selected third-party providers. We maintain a Data Processing Agreement (DPA) with every provider listed below, in accordance with Art. 9 FADP and, where applicable, Art. 28 GDPR.

[TO BE VERIFIED BY LEGAL — DRAFT]
The following list is a starting point and must be reconciled with the services actually in use before publication. Each entry should state provider, purpose, data categories, server location, and legal safeguard.

Supabase Inc. — Database, authentication, file storage

  • Purpose: User accounts, health-data storage, authentication
  • Data: All account and health data
  • Location: [VERIFY — depends on configured Supabase region; default is AWS]
  • Safeguard: [VERIFY — DPA with Supabase + FDPIC-recognized SCCs for US transfer]

Vercel Inc. — Web hosting, analytics, speed insights

  • Purpose: Website hosting, performance monitoring
  • Data: Page-view telemetry, truncated IP addresses
  • Location: Global edge network; processing in EU/US
  • Safeguard: [VERIFY — Vercel DPA + SCCs]

Google LLC — Gmail SMTP (outbound email)

  • Purpose: Sending contact and support form messages
  • Data: Name, email address, message content
  • Location: United States
  • Safeguard: [VERIFY — SCCs]

Google LLC — Google Fonts

  • Purpose: Web fonts
  • Data: IP address when loading fonts
  • Location: Global
  • Safeguard: [VERIFY — self-hosting recommended]

[Add further services: e.g. crash reporting, analytics SDK, push notifications, payment processor, AI/LLM provider]

Changes to this list will be reflected in this Privacy Policy. Users will be informed in advance of material changes (e.g. the addition of a third-country provider).

10. Children's Privacy

Special protections for users under 16:

Age Restrictions:

  • Users under 16 require parental consent to use the app
  • Enhanced privacy protections for all users under 18
  • Limited data collection for minors
  • Parental controls and oversight options

Family Accounts:

  • Parents can create supervised accounts for minor children
  • Enhanced security and privacy controls for family accounts
  • Limited sharing capabilities for minor users

11. Data Breaches

In the event of a data breach that may result in a high risk to the rights of data subjects:

Notification obligations:

  • Notification to the Swiss Federal Data Protection and Information Commissioner (FDPIC) as soon as possible (Art. 24 FADP)
  • Notification to EU supervisory authorities within 72 hours under the GDPR, where applicable
  • Notification of affected users where the breach poses a high risk to their rights

Process:

  • Containment and forensic analysis by our security team
  • Documentation of all incidents in our internal data-protection register
  • Review and reinforcement of our security measures

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services or legal requirements:

  • Material changes will be announced at least 30 days in advance by email and in the app
  • The date of the last update is always displayed at the top of this page
  • Previous versions are available on request
  • Continued use of our services after a change constitutes acknowledgement

13. Contact Information

Contact us regarding privacy concerns:

Controller / Data Protection Advisor:

  • Email: privacy@viacommuna.com

General Support:

  • Email: info@viacommuna.com
  • Website: https://viacommuna.com/en/support

Mailing Address:

  • Via Communa GmbH
  • 9000 St. Gallen, Switzerland
  • Swiss commercial register no.: [CHE-XXX.XXX.XXX — TO FILL IN]

Swiss Data Protection Authority:

  • Federal Data Protection and Information Commissioner (FDPIC)
  • Website: www.edoeb.admin.ch
  • Email: info@edoeb.admin.ch

We respond to all privacy inquiries within 72 hours and aim to resolve issues within 30 days. You have the right to lodge complaints with the FDPIC.

Your Health, Your Privacy

We are committed to supporting your stroke recovery journey while maintaining the highest standards of privacy and data protection. Your trust enables us to provide better care for you and your loved ones.