Data Protection Regulation
Privacy Policy – SteadyTemp Professional App
1. Introduction and Scope
This Privacy Policy explains how SteadySense GmbH (“SteadySense”, “we”, “us”, “our”) processes personal data when using the SteadyTemp Professional App (“App”) — a mobile application designed for clinical use in combination with the SteadyTemp continuous temperature sensing patch (“Patch”).
The App is intended for professional use within healthcare facilities such as hospitals, clinics, and care institutions. It enables healthcare professionals to measure and record patient temperature and, if configured, additional vital parameters.
The App operates exclusively within the healthcare facility’s secured IT environment and transmits data only to endpoints configured and controlled by the facility’s IT administrators. It does not transmit data to SteadySense or to any external third parties (e.g. Google, Firebase, or social media services).
2. Controller and Contact Details
For all processing of personal data within the hospital or healthcare facility context, the healthcare institution acts as the data controller under Article 4(7) GDPR, since it determines the purposes and means of processing patient data.
SteadySense GmbH acts as a data processor on behalf of the healthcare institution in accordance with Article 28 GDPR and processes data solely under the institution’s documented instructions.
SteadySense GmbH
Johann-Schreiner-Strasse 3, 8074 Raaba-Grambach, Austria
Tel: +43 316 232004
E-Mail: gdpr@steadysense.at
Website: https://www.steadysense.at
3. Purpose of Processing
The App supports healthcare professionals in collecting and securely transmitting patient temperature data to the facility’s IT systems. Depending on configuration by the hospital IT administrator, the App enables:
- Patient identification via wristband barcode scanning;
- Continuous temperature measurement via the SteadySense temperature patch;
- (Optional) Manual input of additional vital parameters (blood pressure, heart rate, SpO₂, glucose, etc.);
  - configuration is subject to the healthcare facility’s IT department
- (Optional) Operator authentication (via OAuth2);
  - configuration is subject to the healthcare facility’s IT department
- Transmission of measurement and entered data to the facility’s FHIR-compatible information system over encrypted connections;
  - configuration is subject to the healthcare facility’s IT department
The App itself does not interpret, store, or process patient data beyond what is required for transmission and display.
4. Categories of Personal Data Processed
When used as intended, the App processes the following data:
| Data Category | Description | Source |
|---|---|---|
| Patient Identifier | Patient-ID or barcode data from wristband | Healthcare facility wristband / user scan |
| Health Data | Continuous body temperature readings (FHIR Observation) | Temperature patch |
| (Optional) Vital Parameters | Optional manually entered data (blood pressure, heart rate, SpO₂, glucose, etc.) | Healthcare professional |
| (Optional) User Authentication | Authentication of user or operator | Healthcare professional |
| Technical Metadata | Device ID, timestamp, transmission status logs | App and healthcare facility network |
The App does not collect or process user analytics, location data, advertising identifiers, or cookies.
5. Legal Basis for Processing
Because processing is carried out within a healthcare facility environment, the following legal bases under the GDPR apply:
- Article 6(1)(e) and/or (c) GDPR – Processing is necessary for the performance of a task carried out in the public interest or for compliance with a legal obligation related to healthcare record-keeping.
- Article 9(2)(h) GDPR – Processing of health data is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health care and treatment.
- Article 28 GDPR – SteadySense acts as a processor, bound by a written Data Processing Agreement (DPA) with the healthcare facility.
6. Data Transmission and Recipients
Unless configured otherwise by the healthcare facility’s IT administrator:
- All data transmission between the App and healthcare facility endpoints uses TLS-encrypted HTTPS connections.
- Transmission destinations (FHIR endpoints, API URLs, authentication settings) are configured exclusively by the hospital’s IT administrator.
- No data are sent to external servers, cloud services, or third-party analytics systems.
SteadySense employees cannot access identifiable patient data; any maintenance or support is performed using anonymized or test data unless otherwise contractually agreed.
7. Data Storage and Retention
- The App performs temporary caching of measurement data until successful transmission to the healthcare facility endpoint.
- Once successfully transmitted, cached data are deleted from the device.
- Long-term storage and retention of patient data occur solely within healthcare facility systems under the facility’s responsibility and retention schedules (e.g., under national medical record retention laws).
- SteadySense does not permanently store, back up, or archive identifiable health data.
8. Data Security
SteadySense applies state-of-the-art technical and organizational measures to protect personal data, including:
- Encrypted communication using TLS 1.2 or higher, unless configured otherwise by the healthcare facility’s IT administrator;
- Device-level authentication and secure session handling;
- Regular security testing and code reviews.
The healthcare institution is responsible for appropriate network security and access control within its environment.
9. Data Subject Rights
Under GDPR, data subjects (patients) have the right to:
- Access their personal data (Article 15);
- Request rectification (Article 16) or erasure (Article 17);
- Restrict processing (Article 18);
- Data portability (Article 20), where applicable;
- Lodge a complaint with a supervisory authority.
Requests regarding personal data collected via the App should be directed to the healthcare facility (controller). SteadySense will support the healthcare facility in fulfilling these rights as a processor.
Supervisory Authority (Austria):
Austrian Data Protection Authority
Wickenburggasse 8–10, 1080 Vienna
E-Mail: dsb@dsb.gv.at
10. International Data Transfers
All processing and storage occur within the European Union/EEA. There are no transfers of personal data to countries outside the EEA or to international organizations.
11. Confidentiality
All SteadySense and healthcare facility personnel involved in data processing are subject to strict confidentiality obligations and are trained in data protection and information security.
12. Changes to This Notice
This privacy policy may be updated due to technical or legal requirements. The current version is available on the SteadyTemp website at: https://www.steadytemp.health/dataprotection-pro.
© 2025 SteadySense GmbH – All rights reserved.
Last updated: 2025-11-05