
Privacy policy

Last updated: June 2, 2026
 

Summary

1 / Storage in Europe

Your health data is stored on highly secured servers within the European Economic Area (EEA). It does not leave Europe.

2 / Privacy by design

We strictly separate your login credentials from your medical data. This ensures you are not directly identifiable in the database (either to us or to third parties).

3 / You are in control

If you delete your account, your data is immediately erased from our active systems. It will be completely removed from all backups within a maximum of 30 days.

4 / No sale, no AI

We never sell your data. The app does not use Artificial Intelligence (AI). Therefore, your medical data is not processed by AI and is not used to train models.

5 / Secure and Encrypted

All communication between the app and our servers is heavily encrypted according to the latest standards.

6 / Adults Only

myLSCare is exclusively intended for individuals aged 18 and older.

7 / No Medical Claims

The app displays your own statistics but does not provide diagnoses or medical advice.

1. Key Privacy Terms Explained

In plain language, we explain what the most important terms in this policy mean:

  • GDPR (General Data Protection Regulation): A set of European rules that ensures your personal information is properly protected and gives you control over your own data.

  • Data Controller: The organization that decides why and how your information is used. In this case, that is myLSCare.

  • Personal Data: Any information that allows us to identify you, such as your email address or a pseudonym/alias.

  • Health Data: Extra sensitive information about your medical situation, such as your symptoms, treatment schedule, or notes in your diary. This data receives extra strict protection under the law.

  • Technical Data: Information about your phone (such as model and operating system), technical error messages (crashes), and general usage patterns. We use this exclusively to ensure the app functions properly from a technical perspective and to improve it.

  • Processing: Everything we do with your data, such as collecting, storing, viewing, or deleting it.

  • Pseudonymization: A technique where your identity is decoupled from your medical data and replaced by a unique code. This ensures you are not directly identifiable in the database.

  • Encryption: Making your information unreadable to unauthorized parties. The data can only be read again with the correct digital key.

  • Privacy by Design: This means that when designing the app, we took your privacy into account from the very beginning, for example, by storing login credentials and medical data strictly separated from each other.

2. Introduction

In this privacy policy, we explain how myLSCare handles the information we receive from you. This includes not only your general personal data, but specifically your sensitive health data and other information, such as technical data about your phone. We consider the protection of your data to be incredibly important. Therefore, we treat it with great care and process it in strict accordance with European and Dutch privacy legislation (including the GDPR and the Dutch GDPR Implementation Act (UAVG)).

This policy applies to all data we process in connection with the myLSCare app and the associated website (hereinafter collectively: the “Services”). This concerns everyone who visits our website, uses the mobile application, or contacts us.

 

Who this policy applies to

 

We process the personal data of everyone who has been in contact with us or uses our Services. This primarily concerns:

  • App users: Individuals who use the myLSCare app to track their symptoms and treatment.

  • Website visitors: Anyone who visits our website for information or to stay informed about developments.

  • Contact persons: Individuals who contact us via email or online forms for questions or feedback.

 

How we collect your information

 

We receive your data directly from you when you interact with our Services. This happens when you:

  • download and install the myLSCare app on your phone;

  • create a personal account within the app;

  • enter medical information, symptoms, or notes yourself in the app;

  • use specific features or functionalities of the app;

  • grant permissions within the app (such as for receiving push notifications);

  • fill out a form on our website or contact our team in any other way.

 

 

The party responsible for your data

 

Within the meaning of the European General Data Protection Regulation (GDPR), myLSCare is the data controller for the use of your data as described in this policy. Our full details are:

myLSCare
Princetonlaan 6
3584 CB Utrecht
The Netherlands

 

What our Services do (and don't do)

 

Through our Services, we support people with Lichen Sclerosus (LS):

  • Information and self-management: We provide easy-to-understand information from reliable sources and support in managing the condition.

  • Tracking symptoms and treatment: The ability to log personal symptoms, treatment schedules, and notes in a diary.

  • Insights through statistics: Displaying clear statistics based on your own input to help recognize patterns in your symptoms.

  • No use of AI: No algorithms or Artificial Intelligence (AI) are used. The statistics are a direct, factual representation of your own input.

  • Not a medical device: The myLSCare app is positioned as an informative tool and productivity aid. The app does not qualify as a medical device under European legislation (MDR).

  • No medical advice: We do not provide medical advice, do not make diagnoses, and the app never replaces contact with your healthcare provider.

 

The types of data we use

 

We distinguish between different types of information to protect your privacy as best as possible:

  • Personal data: Information that allows us to identify you, such as your email address or a unique ID number.

  • Health data: This includes data about your medical situation, such as your symptoms, photos, or notes in your diary. Because this is highly sensitive information, we secure it extra strictly.

  • Other data: This refers to technical data, such as your phone model or how often you open the app. We use this exclusively to ensure the app functions properly from a technical perspective.

 

 


 

3. The Data We Collect From You

 

Data collected when downloading the app

 

When you download the myLSCare app, certain data is automatically processed by the app store (Apple App Store or Google Play). This includes your username, email address, the time of download, and your unique device ID. This processing is performed entirely by Apple or Google. myLSCare has no influence over this and is not responsible for it. We recommend consulting the privacy policy of the respective store for more information.

Data collected when using myLSCare

 

The data we collect in the app is necessary to provide you with the app and to improve our service. We collect as little data as possible (data minimization) to respect your privacy.

  • Account data: We need your email address and password to create and secure your myLSCare account. Your email address is also used to send important messages about your account (for example, when resetting a password).

  • Personal information: We only ask your preferred name (a chosen first name or pseudonym) to make communication in the app more personal. You do not have to provide your real (first) name.

  • Device information: We process technical information from your mobile phone, such as the model, operating system, and crash information. We need this to resolve errors in the app quickly.

  • Usage and interaction: To continuously improve myLSCare and measure the app's growth, we analyze general usage patterns. For example, we look at how often the app is opened and how different features are interacted with. This interaction data is linked to a unique, technical ID number (pseudonymization). We analyze this data solely on an aggregated level (as a large group) to discover trends and optimize the app, not to track you as an individual.

  • Location and language: We use the language and region settings of your phone or app store to offer the app in the correct language and to comply with country-specific privacy legislation.

  • Health and sensitive information: We exclusively process the health data that you voluntarily enter into the app yourself. This involves categories such as:

    • Symptoms: For example, the severity of flare-ups, itching, or pain.

    • Treatment schedule: The steps and routines you set up and check off yourself.

    • Diary: Your personal notes.

  • Demographic information (optional): When using the app for the first time, we ask you to voluntarily share some additional data, such as your biological sex and age category. This data is optional. You can also use the app without answering these questions. We use this information to improve the app and plan future features.

  • Push Notifications (optional): If you grant permission, we will send you local push notifications as treatment reminders (for example, to remind you to apply your ointment). For this purpose, we store a unique push token linked to your device. You can withdraw your consent at any time via your phone's notification settings. We do not use push notifications for marketing purposes.

Data via our website and forms

 

If you contact us via our website or fill out a form, we collect the data that you voluntarily leave there:

  • Via the website: Usually, this only involves your email address, the content of your message, and "how we may call you". Therefore, you do not have to provide your real name.

  • Via online forms: For surveys or registrations, we sometimes ask for additional information, such as your age, sex, or your relationship to the condition LS (for example, whether you are a patient yourself or a relative/loved one).

 

4. Why We Need Your Data

 

Our purposes and legal bases

We only use your data for the specific purposes for which a legal basis exists. Below, we describe what we do and on which legal basis per purpose:

  • Provision of our services: To be able to deliver the functionalities of the myLSCare app to you, such as tracking your treatment plan and displaying statistics. (Legal basis: Performance of the contract – Art. 6(1)(b) GDPR and your explicit consent for the processing of health data – Art. 9(2)(a) GDPR).

  • User management: For contractual purposes and the management of the user relationship. (Legal basis: Performance of the contract – Art. 6(1)(b) GDPR).

  • Security, quality, and maintenance: To guarantee the technical functionality, security, and user-friendliness, to resolve errors (crashes), and to technically maintain the app. (Legal basis: Legitimate interest – Art. 6(1)(f) GDPR).

  • Contact and communication: To answer your questions, process your feedback, or keep you informed via our website. (Legal basis: Performance of the contract – Art. 6(1)(b) GDPR or Legitimate interest – Art. 6(1)(f) GDPR).

  • Product development and needs assessment: To gain insight into the composition of our user group, so that we can prioritize the functional development of the app and better align it with the needs of the target group. (Legal basis: Legitimate interest – Art. 6(1)(f) GDPR or Consent – Art. 6(1)(a) GDPR).

  • Legal obligations: If we are legally required to retain certain data. (Legal basis: Legal obligation – Art. 6(1)(c) GDPR).

 

We will not use your data for purposes other than those mentioned above without your prior consent.

 

How we handle your consent

How we request consent depends on how you share information with us:

  • When creating an app account: Because you will be using our full service, we ask you to provide unambiguous consent to our Privacy Policy (including the processing of your health data) and we ask you to agree to our Terms and Conditions.

  • When filling out a form on our website (such as the waiting list): We exclusively ask for your consent to process the data you enter in accordance with this Privacy Policy, so that we can contact you. You do not need to accept our Terms and Conditions for this.

 

Do you no longer want us to process your data? You can easily withdraw your consent at any time:

  • Do you have an account in the app? You can withdraw your consent by deleting your account within the app. Your data will then be immediately removed from our active systems (backup copies will follow within 30 days). We also recommend deleting the app from your phone.

  • Did you fill out a form on our website? You can withdraw your consent via the unsubscribe link at the bottom of our emails, or by sending us an email directly at hi@my-ls-care.com. We will then remove your data from our systems immediately.


5. Security of Your Data
 

Data security is our highest priority. We take comprehensive technical and organizational measures to protect your (health) data:

  • Architecture & Pseudonymization: We apply "Privacy by Design". Your login credentials (Clerk) and medical data (Convex) are stored strictly separated across different systems. In our database, your medical data is linked to a unique code rather than directly to your personal data.

  • Encryption Standards:

    • Data in transit: All data is transmitted encrypted via secure connections using the latest standards (TLS 1.3/HTTPS).

    • Data at rest: In our databases, your data is rendered unreadable through strong encryption (AES-256).

  • Secure Infrastructure: Our services utilize cloud platforms and partners that comply with the highest international security standards (ISO 27001, SOC 2).

  • Access Control & 2FA: Access to our software systems is strictly limited based on the 'need-to-know' principle. Two-factor authentication (2FA) is mandatory for all myLSCare administrators who have access to the backend systems.

  • App Security: The security of the data within the app also depends on the security of your own phone (such as your passcode or biometric lock). We strongly advise users to always secure their device with a PIN or biometrics.

  • Monitoring by Partners: Our infrastructure partners (such as Convex and Clerk) continuously monitor their systems for security incidents and vulnerabilities. We rely on their expertise and systems to ensure the security of the data environment.

 
6. Our Partners (Data Processors)

myLSCare does not sell your personal data to third parties. We only share your data with carefully selected partners when it is necessary to ensure our Services operate safely and stably. We have entered into strict Data Processing Agreements (DPAs) with all of these parties, anchoring your privacy and data security. By working with these specialized parties, we can guarantee a level of security that complies with rigorous international standards. Should we change partners for any of these specific purposes in the future, we will update this list and, where it impacts the processing of your (health) data, request your consent again.

Our technical partners (data processors)

The following specialized partners support myLSCare in providing our services:

  • Clerk (Authentication)

    • Purpose: Secure login and account management.

    • Data: Your chosen pseudonym/alias, email address, and password. This data is stored in an unreadable format using encryption. We explicitly ask you not to use your real name.

  • Convex (Database)

    • Purpose: The secure, centralized location for the encrypted storage of your (health) data and settings.

    • Data: Pseudonymized health data, notes, and app settings.

  • PostHog (Analytics)

    • Purpose: Gaining insight into app growth and account usage to ensure platform stability.

    • Data: Exclusively general events related to account management and access (such as opening the app, logging in, logging out, and deleting an account). This data is linked to a unique code (pseudonymization). We do not send any medical information, symptoms, photos, or diary notes to PostHog.

  • Sentry (Error Tracking)

    • Purpose: Automatically reporting technical errors for rapid troubleshooting.

    • Data: Technical error messages, app version, and device information (such as operating system and device model).

  • Wix (Website hosting)

    • Purpose: Securely hosting our website and processing contact requests you send via the site.

    • Data: The information you fill out yourself in the contact form, such as your pseudonym/alias, email address, the country from which you contact us, and the content of your message. In addition, technical data necessary to keep the website running securely and stably (such as your IP address) is processed.

  • Sanity (App Content)

    • Purpose: Retrieving and displaying informative articles in the 'About LS' tab within the myLSCare app.

    • Data: When loading articles, your IP address is briefly processed by Sanity’s servers to display the content. No personal health data of yours is stored or processed via Sanity.

  • Google Forms

    • Purpose: Securely collecting feedback and surveys outside of the app.

    • Data: Exclusively the information you enter into the form yourself. Filling out these forms does not require a Google account, ensuring your answers are not linked to a personal Google profile.

 

Our guarantees when working with partners

 

All of these service providers are contractually bound to:

  • process your data only in accordance with our strict instructions;

  • implement appropriate technical and organizational security measures;

  • not use your data for their own (commercial) purposes;

  • fully comply with the GDPR and other applicable privacy legislation.

 

Legal obligations

 

We may share your data if we are legally required to do so, for example by a court order or a request from law enforcement authorities. We will inform you about this, unless doing so is legally prohibited.

 

 

Who we never share your data with

 

To protect your privacy, it is our strict policy to never share your data for the commercial purposes of others. This means that we will under no circumstances share your data with:

  • advertisers or marketing companies;

  • data brokers;

  • social media platforms;

  • other third parties for their own commercial purposes.

 


 
 
7. Where Your Data is Stored
 

We have designed our systems so that the processing of your data primarily takes place within the European Economic Area (EEA). Below we explain how this works:

  • Health Data (EEA): All your sensitive health data and personal notes are exclusively stored on secured servers within the EEA (via our partner Convex). This data does not leave Europe.

  • Account Data (International): For the management of your account and login details, we use Clerk. This data (such as your email address and encrypted password) may be processed on servers in the United States.

  • Safeguards for International Data Transfers: When data is processed outside the EEA, we ensure a level of protection equivalent to European standards. We base this on:

    • EU-U.S. Data Privacy Framework: Clerk is certified under this framework, meaning they comply with strict European privacy requirements.

    • Standard Contractual Clauses (SCCs): Where necessary, we use the standard contracts approved by the European Commission to guarantee the security of your data.

 

8. How Long We Retain Your Data

We do not retain your data longer than necessary for the purposes for which it was collected, unless we are legally required to retain it for a longer period. Below is an overview of the retention periods per category:

  • Active users: We retain your personal and health data for as long as your account is active.

  • Account deletion: If you delete your account, all your personal and health data is immediately removed from our active systems. Following account deletion, data remains in encrypted backups for a maximum of 30 days before being permanently overwritten.

  • Inactivity: If you do not use the app for a period of one year, we will permanently delete your data. You will always receive a warning prior to this.

  • Technical and usage data: Data collected for troubleshooting and app improvement (such as technical logging and analytics data via PostHog) is retained for a maximum of 12 months. After this period, this data is deleted or fully anonymized.

  • Proof of legal acceptance: To comply with our legal burden of proof, we retain data regarding your acceptance of our Privacy Policy and Terms and Conditions for a period of 5 years. This solely concerns the date and time of acceptance, the version number, and an encrypted verification code (salted hash).

  • Contact forms (website): Messages and responses submitted via the website are retained for as long as reasonably necessary to fully handle your question or request.

 

9. Your Privacy Rights and Control Over Your Data

 

Overview of your legal rights

Your data belongs to you. Under the GDPR, you have strong rights to maintain control over your information:

  • Right to information (Art. 15 GDPR): You have the right to be informed in a clear and understandable way about what we do with your data. This privacy policy is our way of fulfilling this right.

  • Right of access and data portability (Art. 15 & 20 GDPR): You can request a copy of all data we process about you. We will provide this in a commonly used digital format so you can reuse it elsewhere.

  • Right to rectification (Art. 16 GDPR): You can adjust your data yourself within the app. For data you cannot change yourself, you can email us.

  • Right to be forgotten / Erasure (Art. 17 GDPR): You can have all your data removed from our systems at any time:

    • For app users: You can delete your account directly through the settings in the app. We will initiate the deletion process immediately. If you delete your account, all your personal and health data is immediately removed from our active systems. Following account deletion, data remains in encrypted backups for a maximum of 30 days before being permanently overwritten.

    • For website users: Send us an email at hi@my-ls-care.com. We will ensure that your data is removed from our systems.

  • Right to restriction of processing (Art. 18 GDPR): You can request to temporarily pause the use of your data, for example, if you contest the accuracy of the data.

  • Right to object (Art. 21 GDPR): You can object to the way we process your data if you disagree with our legitimate interest.

  • Right to human intervention (Art. 22 GDPR): myLSCare does not make use of automated decision-making or profiling. Your data is never processed by AI models or used to train algorithms.

  • Right to withdraw consent (Art. 7(3) GDPR): You can easily withdraw your given consent at any time. Do you use the app? You can do this by deleting your account in the app and uninstalling the app from your device. Have you shared data via our website (for example, via a form)? You can withdraw your consent by sending us an email at hi@my-ls-care.com.

  • Right to lodge a complaint (Art. 77 GDPR): Do you have a complaint about how we handle your data? We would, of course, prefer to resolve this together with you via hi@my-ls-care.com. In addition, you always have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens - www.autoriteitpersoonsgegevens.nl).


 

How to exercise these rights

1. Directly via the app

  • Updating data: You can modify your medical input and personal settings at any time directly within the app.

  • Managing push notifications: You can withdraw your consent for push notifications at any time via your phone's settings. For your convenience, you will find a link within the myLSCare app settings that redirects you straight to these system settings.

  • Deleting your account: You have full control. You can delete your account, along with all associated personal and health data, at any time via Settings > Delete Account.

    • Please note: As soon as you delete your account, your data is immediately removed from our active databases. From that moment on, you will no longer have access to the app. Please keep in mind that due to the technical nature of backups with our partners (such as Clerk and Convex), it can take up to a maximum of 30 days before your data is completely removed from all backup copies through automatic overwriting.

 

2. Via email

For all other requests (such as requesting a copy of your data or questions regarding website forms), you can send an email to hi@my-ls-care.com.

  • Timeframes: We will respond to your request within 30 days at the latest. For complex requests, this period may be extended up to 60 days, but we will always keep you informed.

  • Identification: To ensure that we send the data to the correct person, we may ask you to verify your identity. We do this strictly to prevent your sensitive data from falling into the wrong hands.

 

 
 
 
10. Applicable Regulations

To guarantee the security of your data and the quality of our services, this privacy policy complies with the following regulations:

  • The General Data Protection Regulation (GDPR): The European standard for privacy and data protection.

  • The Dutch GDPR Implementation Act (UAVG): The specific Dutch implementation of the privacy rules.

  • Medical Device Regulation (MDR): Where applicable, we adhere to the European regulations for medical devices to guarantee the safety and reliability of the app.

  • App Store Guidelines: We comply with the strict privacy and security requirements of Apple (App Store) and Google (Play Store) for distributing mobile applications.

 

 
 
11. Changes to this Privacy Policy

We may update this privacy policy from time to time. This may be necessary due to new features in the app, changes in our operations, or updates to legislation.

  • Publication: The current version of the privacy policy is always accessible via the app or our website.

  • Minor changes: For minor, textual changes or clarifications that do not affect how we handle your data, the publication of the new version is sufficient.

  • Significant changes: In the event of substantial changes (such as a new data storage partner or a new purpose for processing), we will proactively inform you. Where necessary, we will always ask for your explicit consent again before the change takes effect for you.

 
 
 
 
12. Age Policy (18+)

We recognize that the privacy of minors requires additional protection. Therefore, we maintain the following policy:

  • Age restriction: The myLSCare app is exclusively designed for and targeted at individuals aged 18 and older. Minors are not permitted to use the app or share data with us.

  • Removal of data: If we discover that we have inadvertently collected personal data from a minor (under the age of 18), we will take immediate steps to remove this information from our active systems.

  • Notification by parents/guardians: If you, as a parent or legal guardian, discover that a minor has shared data with us, please contact us at hi@my-ls-care.com. We will then immediately remove the relevant data from our active systems (backup copies will be permanently overwritten within a maximum of 30 days).


 

 
 
13. Additional Information
  • No medical advice (MDR): myLSCare is a tool for self-management and logging personal data. The app is not a medical device within the meaning of the EU MDR. The information in the app is intended solely for support purposes and never replaces the advice, diagnosis, or treatment by a doctor or other professional healthcare provider.

  • Geographical availability: Currently, the myLSCare app is specifically targeted at users in the Netherlands.

  • Data breach protocol: In the unlikely event of a data breach affecting your personal data, we will act immediately in accordance with the data breach notification obligation under the GDPR. We will directly inform the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, if the risk to you is deemed high, inform you personally.


 

 
 
14. Contact Information

Do you have questions about this privacy policy, do you want to exercise your rights, or do you have a suggestion on how we can improve our privacy protection even further? We are happy to help.

 

myLSCare

  • Email: hi@my-ls-care.com

  • Address: Princetonlaan 6, 3584 CB Utrecht, The Netherlands   

  • Chamber of Commerce (KvK) number: 96235640

We aim to respond to all privacy-related questions within 30 days.
