Privacy Policy for the Streamcheck App & Services

Last updated: 29 April 2026

Streamcheck GmbH appreciates your interest in the Streamcheck app and our products. Protecting your personal information, especially your health-related data, is our highest priority. Below we explain in detail which data we collect, how we process it, and which rights you have.

1. Identity and contact details of the controller

The controller responsible for collecting and processing your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Streamcheck GmbH
Arnsdorf 26, 02894 Vierkirchen, Germany
Email: support@streamcheck.io
Website: https://streamcheck.io

2. What data protection covers

Data protection covers personal data. This means all information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). This includes in particular health data generated when you use the app, as well as your address, payment, and technical usage information.

3. Required app permissions

To use the Streamcheck app fully, the application needs access to certain functions of your device. These permissions are requested before first use and can be managed by you at any time in your device settings.

  • Push notifications: This permission is needed to remind you of upcoming measurements or to send important messages about your account or our services. The legal basis is your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
  • Bluetooth: Bluetooth access is technically necessary to establish a connection between your smartphone and the Streamcheck measuring device and to securely transmit measurement data. The legal basis for processing related data is performance of our contract with you (Art. 6 para. 1 sentence 1 lit. b GDPR).

4. Scope, purpose, and legal bases of data processing

4.1. Registration and purchase

When you create a user account or purchase products in our shop, we process the following data:

  • Address information: name, address, email address.
  • Payment information: depending on the selected payment method, for example credit card information or bank details. These are processed directly by our payment service providers.
  • Device identification and IP address: for fraud prevention and to ensure account security.

The purpose is contract conclusion, delivery of goods, invoicing, customer communication, and management of your user account.

Your address information (name, address, email address) is transmitted to our service providers Stripe (for payment processing) and Silver ERP (for order processing and customer administration).

The legal basis is performance of the purchase and usage contract with you (Art. 6 para. 1 sentence 1 lit. b GDPR).

4.2. App use (health data)

When you use the app with the measuring device, the following health data (a special category of personal data under Art. 9 GDPR) is collected and processed:

  • Uroflowmetry measurement data: data about urine flow, for example volume, flow rate, and duration.
  • Biomarker data: results from the analysis of test strips in the test cup.
  • IPSS questionnaire: your answers to the International Prostate Symptom Score questionnaire.

The purpose of this processing is to enable analysis, documentation, and tracking of your measurement values and to present the results clearly in the app.

Your health data is processed only on the basis of your explicit consent, which you provide separately during the order process (Art. 9 para. 2 lit. a GDPR). Without this consent, the main function of the app cannot be used.

4.3. Automatically collected technical data

Each time you use the app and our website, certain technical data is processed automatically, in particular log files containing IP address, date and time of access, amount of data transferred, and information about your smartphone such as device type, operating system, and version.

The purpose is to ensure operation, system security and stability, data backup, and technical error analysis.

The legal basis is our legitimate interest in the secure and functional operation of our services (Art. 6 para. 1 sentence 1 lit. f GDPR).

4.4. Anonymized statistical analysis (post-market surveillance and research)

For the purposes described in this section, we process aggregated and anonymized uroflowmetry and biomarker measurement data. Directly identifying information, such as name, email, address, or account ID, is not included in this processing.

The data is anonymized before aggregation, access is restricted to the persons within Streamcheck GmbH responsible for these activities, and re-identification of individual users is neither intended nor technically possible.

4.4a. Post-market surveillance under the Medical Device Regulation

As the manufacturer of a CE-marked medical device, Streamcheck GmbH is required under the EU Medical Device Regulation (MDR 2017/745) to maintain a post-market surveillance system (Art. 83 MDR) and to record and evaluate statistically significant changes in product performance and safety through trend reporting (Art. 86 MDR).

Fulfilling these obligations requires statistical analysis of measurement data collected during intended product use.

The purpose is anonymized data analysis for post-market surveillance under the MDR. The legal basis is Section 27 BDSG in conjunction with Art. 9 para. 2 lit. j GDPR. Processing is necessary to fulfill our obligations under Art. 83 and Art. 86 MDR.

4.4b. Scientific research and academic cooperation

To promote scientific understanding of urological health and uroflowmetry methodology, Streamcheck GmbH uses the same anonymized and aggregated dataset for scientific research purposes. This research is carried out internally and, where applicable, in cooperation with academic and clinical research partners, such as universities and university hospitals.

If data is shared with external research partners, this is done only in anonymized and aggregated form and on the basis of written agreements prohibiting any attempt at re-identification.

The purpose is scientific research, method development, and academic cooperation in the field of urological health. The legal basis is Section 27 BDSG in conjunction with Art. 9 para. 2 lit. j GDPR. This processing takes place without consent and is not dependent on a consent switch in the app. Individual data subject rights may be restricted under Section 27 para. 2 BDSG where exercising them would seriously impair the statistical or scientific purposes.

5. Data recipients and third-party providers

We only share your data with third parties where this is legally permitted or where you have consented. To provide our services, we use carefully selected technical service providers.

5.1. Hosting and data processing: Amazon Web Services (AWS)

Our app and the entire technical infrastructure are hosted by Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS).

  • Server location: your data, including health data, is processed and stored exclusively in data centers within the European Union (region: EU Central, Frankfurt am Main).
  • AWS services used: AWS Cognito, Lambda, RDS (MySQL), CloudFront, ElasticBeanstalk, Simple Email Service, Amplify, S3, EC2, CloudWatch.
  • Legal basis: our legitimate interest in secure infrastructure (Art. 6 para. 1 lit. f GDPR) and a data processing agreement (Art. 28 GDPR).

5.2. Payment processing: Stripe

For secure processing of your purchases, we use Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. The legal basis is contract performance (Art. 6 para. 1 lit. b GDPR).

5.3. App analytics and stability: Google Firebase

To improve and analyze our app, we use Google Firebase services (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

  • Firebase Analytics & Crashlytics: to analyze usage behavior and app crashes so that we can optimize the app and improve stability.
  • Firebase Cloud Messaging: for technical handling of push notifications.
  • Firebase App Distribution: to manage test versions of the app.
  • Processed data: pseudonymized IP address, log files, smartphone data. No health data is transmitted to Firebase.
  • Legal basis: our legitimate interest in a user-friendly and stable app (Art. 6 para. 1 lit. f GDPR). It cannot be ruled out that data may be transferred to the USA. We have concluded EU Standard Contractual Clauses with Google to ensure an appropriate level of data protection.

6. Storage period

We store your personal data only for as long as necessary for the relevant purposes.

  • Contract data (purchase) is stored in accordance with statutory retention obligations, for example under commercial or tax law, generally for 6 to 10 years.
  • Health data and account data are stored for as long as your user account with us is active. If you delete your account, this data is deleted unless statutory retention obligations prevent deletion.
  • Technical log files are stored for security reasons for a maximum of 14 days and then deleted or anonymized.
  • Anonymized data for post-market surveillance and research is no longer personal data within the meaning of the GDPR once anonymized and aggregated. The anonymized dataset is retained for as long as our obligations under the Medical Device Regulation require, in particular Art. 10 para. 8 MDR (at least 10 years after the last product of the relevant type has been placed on the market), and, where used for scientific research purposes, beyond that for the period required under good scientific practice.

Deleting your user account ends any further transfer from your account into the anonymized dataset, but does not retroactively remove anonymized aggregates already created, because these are no longer personal data.

7. Your rights as a data subject

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to withdraw consent (Art. 7 para. 3 GDPR): you may withdraw your consent to the processing of health data at any time with effect for the future. Withdrawal applies only to the health data processing described in section 4.2. The anonymized statistical processing described in section 4.4 remains unaffected.
  • Right to object (Art. 21 GDPR): you have the right to object at any time to processing based on our legitimate interest (Art. 6 para. 1 lit. f GDPR).

To exercise your rights, please contact us directly using the contact details in section 1.

8. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR (Art. 77 GDPR).

9. Data security

We take extensive technical and organizational security measures, such as encryption and access controls, to protect your data against unauthorized access, misuse, and loss.

10. Changes to this privacy policy

We reserve the right to adapt this privacy policy if our services change or new legal requirements apply. The current version at the time of your use applies.