Privacy Policy hiToco - UK Version 

Last update of the privacy policy: 27/11/2025 

Orientation guide 
The protection of your personal data and your child's data is very important to us. With this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use and process in the United Kingdom. In doing so, we comply with the provisions of the European General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK-GDPR) and other relevant data protection laws. 

An overview of the individual chapters for better orientation can be found here: 

  1. Preamble - Here you will find a brief overview of the content of the application and the data protection topics. 

  2. Contact - How can you get in touch with us quickly and easily? 

  3. Data processing and storage - Which of your and your child's data is stored and processed, how, for what purpose, where, by whom and for how long? 

  4. Legal basis - On what legal basis do we process your and your child's data? 

  5. Data transfer - To which processors and other third parties is your and your child's data transferred, for what purposes and on what legal basis? 

  6. Data security - What do we do to protect your and your child's data as much as possible? 

  7. Your rights - Here you will find an overview of all your rights as a data subject. 

1. Preamble 
The hiToco® application is a guided, digital self-help programme for parents and guardians of children with ADHD and/or ODD aged 4 to 11. The children act as patients and the parents as users of the application.  

The medical device software hiToco® supports families with children with attention-deficit/hyperactivity disorder (ADHD) and/or a social behaviour disorder with oppositional defiant disorder (ODD) in dealing with these disorders in everyday life. By using hiToco®, parents and other guardians learn to adapt their parenting behaviour together with their child in an interactive way. This leads to an alleviation of the child's externalising problem behaviour, including the symptoms of ADHD and/or ODD and the associated psychosocial impairments.  

The application creates a personalised training plan based on specific user input during the user account creation process. Specific features such as reminders, feedback loops, and other functionalities allow the user to interact with the software. 

hiToco® is based on the evidence-based therapy manual THOP (therapy programme for children with hyperkinetic and oppositional problem behaviour). 

As part of app registration and use, various personal data is collected from you and your child. This data includes health data within the meaning of Art. 9 para. 1 of UK-GDPR, which is specially protected by law.  In this privacy policy, we explain for what purposes and how we process this data, how we protect this data and how you can exercise your rights as set out in the GDPR/UK-GDPR.  

2. Contact 
You can reach us directly either via the help/feedback button in the hiToco app or by emailing us at support@hitoco.co.uk. Our core hours are Monday to Friday (excluding public holidays) from 8:00 to 18:00, but you can also contact us outside these hours. You will receive a response to your enquiry within 24 hours at the latest. 

The controller within the meaning of Art. 4 (7) of the EU General Data Protection Regulation/United Kingdom General Data Protection Regulation (hereinafter "GDPR/UK-GDPR") and other data protection regulations is: 

Medigital GmbH 
Medice-Allee 1 
58638 Iserlohn 
E-mail: support@hitoco.co.uk 

Authorised representative 
Felix Lambrecht 

Internal data protection officer: 
If you have any questions about our data protection measures, the processing of your data or the protection of your rights as a data subject, please contact our data protection team as follows: 

Medigital GmbH 
Data protection 
Medice-Allee 1 
58638 Iserlohn 
Phone: +49 (0)2371 937 0  
e-mail: privacy-medigital@medice.de 

For confidential matters relating to data protection, you can contact our data protection officer directly at dsb@medice.de. 

Competent supervisory authority: 
Information Commissioner's Office (ICO) 
Wycliffe House, Water Lane, 
Wilmslow, Cheshire, SK9 5AF, UK 
Website: https://www.ico.org.uk 

3. Data processing and storage 
The data protection term “personal data” refers to all information relating to an identified or identifiable person, such as contact details, age, or gender. An IP address can also be considered personal data. 

The following personal data is collected and processed from you and your child: 

Users (parents/guardians):  

  • Profile and contact details (profile name (optional), e-mail address) 

  • Data for secure authentication and traffic data for your correspondence with us (messages via the feedback function) 

  • Online identifiers (user IDs, IP address, shortened IP address, device push token, access times, information on the end device used) 

  • Health data (stress level based on visual mood markers) 

  • Demographic data (marital status, country, region)  

  • Tracking data (after separate consent) 

  • Subjective feedback data 

  • Push token (for push notifications, if activated) 

  • Device data in the event of a support request (app version number, model type, operating system version) 

  • Optional: biometric data (fingerprint, facial features) 

  • Optional: Tracking data after separate consent (number of logins, session duration, total usage time in hours/days, progress status of training plan/content/program, progress status of therapy homework, average time to complete a module, tools used, answers to the initial questionnaire, evaluation of behavior diary over time) 

Patient (child): 

  • Behavioural data (evaluation of situational behaviour / behaviour in problem situations based on user input) 

The personal data is processed for the following purposes: 

Obligatory: 

  • For the intended use of the application 

  • Optional: for providing quick login via fingerprint/face recognition 

  • To fulfil legal requirements  

  • For billing purposes  

  • To ensure secure operation, in particular by maintaining data protection and data security, e.g. by logging and analysing access attempts.  

Optional - with separate consent: 

  • For quality assurance, improvement and further development of the application to permanently guarantee the technical functionality and user-friendliness of the app 

  • To send the reminders defined by the user 

  • For the automated sending of notifications/reminders based on the reading/editing progress within the app 

Processing of personal data when using the app 

You have the option of registering in our app by providing personal data. 

Your registration enables us to offer you content or services which, due to the nature of the matter, can only be offered to registered users. Registered persons are free to change the personal data provided during registration at any time. 

We also need your device model name, your operating system version, and your app version number so that we can identify any errors in the event of a malfunction of the app. 

Separate/optional consent  

Usage and traffic data collected during the use of the hiToco app (navigation paths through the app, frequency of use of certain features, end system used (product, operating system version), etc.) help us to improve the app and the user experience and, in the event of errors, to better analyse and understand the causes. This data is processed exclusively by us and, as far as possible, this data is processed anonymously for these purposes, i.e. without reference to your identity. 

We may process this data on the basis of your voluntary consent pursuant to Art. 6 (1) (a) GDPR/UK-GDPR for the above-mentioned purposes of permanently ensuring technical functionality, user-friendliness, and the improvement and further development of the app. We ask you for this consent as part of the registration process, as we are dependent on data from real usage scenarios in everyday care to improve the hiToco app. This consent is optional and you can use the hiToco app without restrictions if you do not give this consent. You can revoke this consent at any time under "Settings". 

User enquiries and making contact  

When you contact us (by email, contact form, or telephone), personal data such as your email address, your name and telephone number (if applicable), and device data (app version number, model type, operating system version) will be stored and processed for the purpose of responding to your request or for contacting you and for the associated technical administration. This data processing is based on a legitimate interest in processing your request in accordance with Art. 6 (1) (f) GDPR/UK-GDPR. 

Customer support for the hiToco app is provided by MEDICE Arzneimittel Pütter GmbH & Co. KG, the parent company of Medigital GmbH. For this purpose, there is a corresponding contractual agreement on data processing under joint responsibility pursuant to Art. 26 GDPR/UK-GDPR between MEDICE Arzneimittel Pütter GmbH & Co. KG and Medigital GmbH. 

Information e-mails to registered users 

Once you have successfully registered, we will regularly send you information on the progress of the programme within the app.  

Within the application, further information is sent by email, e.g. the welcome email, presentation of the benefits of the app, subscription information and reminder emails. This data processing is carried out on the basis of a legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR/UK-GDPR. You can object to/opt out of the use of your email address for the aforementioned purposes at any time with effect for the future. After receipt of your objection, the use of your e-mail address for information purposes will be discontinued immediately. 

Place of processing 

The personal data entered in the app (including health data) is processed on access-protected servers of the Telekom Healthcare Cloud in Germany. 

Access and processing rights to the files to be processed are exclusively reserved for designated, authorized employees of MEDICE Arzneimittel Pütter GmbH (as the parent company of Medigital GmbH), Medigital GmbH, and the processors listed under “Services used” who are subject to the instructions of Medigital GmbH (in accordance with Art. 28 GDPR/UK-GDPR). 

The personal data collected with separate consent for tracking purposes is processed on access-protected servers of the Telekom Healthcare Cloud in Germany. 

Access and processing rights to the data are restricted exclusively to designated, authorized employees of MEDICE Arzneimittel Pütter GmbH (as the parent company of Medigital GmbH), Medigital GmbH, and the processors listed under “Services used” who are subject to the instructions of Medigital GmbH (in accordance with Art. 28 GDPR/UK-GDPR). 

The data transmitted to us when you contact us is processed and stored in the CRM system of MEDICE Arzneimittel Pütter GmbH & Co. KG on the servers of salesforce.com Germany GmbH in Frankfurt am Main. 

Access and editing rights to the files to be processed are restricted exclusively to designated, authorized employees of MEDICE Arzneimittel Pütter GmbH (as the parent company of Medigital GmbH), Medigital GmbH, and the processors listed under “Services used” (in accordance with Art. 28 GDPR/UK-GDPR). 

Storage and deletion periods 

We process and store your personal data and your child's data only for the period necessary to achieve the purpose of the hiToco application. 

Your data will continue to be stored for a transitional period of 90 days after the contractually agreed period of use (90 days after activation of your account) has expired. 

If your account is inactive for 10 consecutive weeks during the transition period, you will receive a notification 14 days before the end of the transition period regarding your account status and the automatic deletion and deactivation of your user account at the end of the transition period.  

During this period, you can extend the period of use by another 90 days. You will only have access to the app's features again after activating the additional period of use. 

You can request an extension of the usage period a total of 3 times (= a total of 12 months from account activation). After the transition period has expired, a new user account must be created. 

The data collected in the course of contacting us (support inquiries) will be deleted after final processing of your enquiry. This is the case when it can be inferred from the circumstances that the matter in question has been conclusively clarified.  

4. Legal basis 
The legal basis for the processing of your and your child's data is your informed, voluntary/explicit consent in accordance with Art. 6 para. 1 lit. a) in conjunction with Art. 9 para. 2 lit. a) GDPR/UK-GDPR, as well as the provision of the digital service contractually agreed with you in accordance with Art. 6 para. 1 lit. b) GDPR/UK-GDPR. 

5. Data transmission 

Personal data may be transmitted to the following third parties: 

  • Competent authorities: In certain circumstances, relevant data could be disclosed to law enforcement authorities in the event of an attack on our systems, to fulfil national security requirements or for law enforcement purposes. 

  • The companies of the MEDICE Health Family (MEDICE Arzneimittel Pütter GmbH & Co. KG, MEDICE UK) involved in the provision and delivery of the services agreed with you 

  • Processors of Medigital GmbH (Deutsche Telekom Healthcare and Security Solutions GmbH; Sendinblue GmbH) 

  • Processor of MEDICE Arzneimittel Pütter GmbH & Co. KG (salesforce.com Germany GmbH) 

To this end, a corresponding contractual agreement on joint responsibility for data processing in accordance with Art. 26 GDPR/UK-GDPR was concluded between Medigital, MEDICE, and MEDICE UK as companies of MEDICE Health Family Holding GmbH, with MEDICE as the parent company. In addition, corresponding data processing agreements in accordance with Art. 28 GDPR/UK-GDPR were concluded with all service providers used.  

All processors and sub-processors are subject to written agreements ensuring that personal data is processed only in accordance with the controller’s instructions and under appropriate technical and organisational safeguards. 

Medigital GmbH guarantees that your data will only be passed on to entities that can demonstrate an appropriate data protection concept in accordance with the applicable regulations and laws and with which, if necessary, appropriate contractual agreements in accordance with Art. 26 or Art. 28 GDPR/UK-GDPR exist. 

The following services are used in the app: 

Deutsche Telekom Healthcare Cloud 

Deutsche Telekom Healthcare and Security Solutions GmbH, Friedrich-Ebert-Allee 140, 53113 Bonn (operator of the Telekom Healthcare Cloud) is responsible for hosting the application. Our app uses the Telekom Healthcare Cloud to manage the backend and for secure data storage. The Telekom Healthcare Cloud offers an infrastructure specially developed for healthcare data that meets the highest security standards. All stored data is encrypted and subject to strict data protection guidelines in accordance with the EU General Data Protection Regulation (GDPR/UK-GDPR). Data processing takes place exclusively on servers within the European Union to ensure compliance with data protection regulations. For this purpose, corresponding contractual agreements have been concluded with the service provider in accordance with Art. 28 GDPR/UK-GDPR. 

Further information on the Telekom Healthcare Cloud can be found at: https://www.telekom.com/en/company/data-privacy-and-security/governance-data-privacy   

salesforce 

Our parent company, MEDICE Arzneimittel Pütter GmbH & Co. KG, which is responsible for customer support for the app, uses CRM solutions from salesforce.com Germany GmbH, Erica-Mann-Str. 31-37, 80636 Munich, Germany.  

The CRM platform (customer relationship management platform) is used for managing customer and consent data, sales and marketing management, and providing customer support. 

When you contact customer support (by email, contact form, or phone), the following personal data may be collected and processed: 

  • Contact details (first and last name, email address, telephone number) 

  • Communication data (content of the inquiry/correspondence) 

All stored data is encrypted and subject to strict data protection guidelines in accordance with the EU General Data Protection Regulation (GDPR). Data processing takes place exclusively on servers within Germany. 

The parent company of salesforce.com Germany GmbH, salesforce.com Inc., is a US company certified under the EU-US Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection. Corresponding contractual agreements have been concluded with the service provider in accordance with Art. 28 GDPR on the basis of the European Commission's standard contractual clauses. 

For more information on salesforce's privacy policy, please visit: https://www.salesforce.com/company/legal/privacy/  

Sendinblue 

We use the Brevo solution for sending emails in this app. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. 

Brevo enables us to send transactional emails such as registration confirmations, two-step authentication (2FA), password reset emails, status updates from the app (module progress in the training plan), account inactivity notifications and other notifications securely and reliably. The email addresses of our users are processed for this purpose. Brevo stores and processes this data on servers in Germany and complies with the requirements of the GDPR/UK-GDPR. 

The email delivery service provider is used on the basis of a data processing agreement in accordance with Art. 28 GDPR/UK-GDPR. 

You can find more information about Brevo's privacy policy at https://www.brevo.com/de/datenschutz-uebersicht/. 

6. Data security 
The security of your personal data and your child's data is very important to us. We will only process the personal data that you provide, together with that of your child, where we have obtained your explicit consent. 

Any collection, storage, utilisation and transmission of data involves confidentiality risks (e.g. the possibility of identifying the person concerned). These risks cannot be completely ruled out and increase the more data can be linked together.  We have put in place security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  

To this end, we take the following technical and organisational measures, among others:  

  • Two-factor authentication via email: To protect your data and your child's data from unauthorized access and thus ensure their confidentiality and integrity, we offer you the option of two-factor authentication via email when you log in to the app. In this case, you must confirm your email address by entering a six-digit code. This ensures that only you have access to your user account. 

  • Personal account: Access to your account is controlled by a password and a username that is unique to you once you set up the account.  

  • SSL/TLS encryption: Personal data is only transmitted via state-of-the-art encrypted connections. We implement the applicable requirements of the Federal Office for Information Security and use this technology to protect the transmission of your data. 

  • Strict separation of the storage and processing of health and contact data with access authorisation only for authorised employees of Medigital GmbH. 

  • Access limitation: we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.  

  • Anonymisation of the data collected as part of quality assurance, further development and continuous improvement of the application. This means that it is not possible to identify you personally. 

  • Different passwords for all software tools used internally 

  • Virus protection for all IT hardware used 

  • Firewall for our internal company network  

  • Regular training on data security and protection for all employees 

  • Regular updates of all software components 

  • Regular data backups to ensure availability 

  • Regular risk analyses of the corresponding IT systems 

7. Your rights 
When processing your personal data and your child's data, our aim is to guarantee your data protection rights at all times. Our service times and all contact options can be found under point 2 "Contact" of the detailed privacy policy. 

You can exercise the following rights in relation to your personal data and your child's data:   

  • Right to Access – You can request access to the personal data (commonly known as “Data subject access request”). This enables you to receive a copy of the personal data we hold about you and your child at any time and to check whether we are lawfully processing it.  

  • Right to Transparency - You can request information about the processing of the data via the in-app contact form or the service e-mail address support@hitoco.co.uk.   

  • Right to Correct - You can use the in-app contact form, or the service e-mail address support@hitoco.co.uk to request that the personal data be amended if it is incorrect or incomplete. This enables us to have any incomplete or inaccurate data we hold about you and your child corrected, though we may need to verify the accuracy of the new data you provide to us. 

  • Right to Restrict use of the data - You can request the restriction of the processing of the personal data via the in-app contact form, or the service email address support@hitoco.co.uk: 

(1) For the duration of the verification of the accuracy of the data.  

(2) If the processing is unlawful and you object to erasure.  

(3) If the data are no longer required by the controller for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.  

(4) In the event of an objection to the data processing, as long as the corresponding balancing of interests has not been clarified. 

  • Right to Data Portability - You can use the in-app contact form, or the service e-mail address support@hitoco.co.uk to request that the data collected about you and your child be transferred to you or to a body specified by you. 

  • Right to Erasure - You can request the deletion of the data collected about you and your child. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. 

  • Right to Objection - You can object to the processing of the personal data for reasons arising from your particular situation at any time, informally and without giving reasons, if the processing is based on Art. 6 para. 1 lit. e) or f) GDPR/UK-GDPR. 

  • You can revoke/withdraw your consent to data processing via the app itself in the section Account → Data protection → Consent "Edit usage data", via the in-app contact form, or the service e-mail address support@hitoco.co.uk informally at any time, without giving reasons.   

You and your child will not suffer any disadvantages in the event of a withdrawal/objection. The withdrawal is effective for the future; the previous data transfers remain lawful. If you withdraw/revoke your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw/revoke your consent.

If you have any further questions about the handling of your personal data and your child's data or would like to exercise your rights, you can do so via the in-app contact form or the service email address support@hitoco.co.uk. Alternatively, you can contact our representative in the UK or our data protection officer at:  

Data protection Officer Medigital GmbH 

Medigital GmbH 
Data protection 
Medice-Allee 1 
58638 Iserlohn 

Phone: +49 (0)2371 937 0  
E-Mail: privacy-medigital@medice.de 

  • If there is a basis for complaint, you can lodge a complaint with the competent data protection authority at: 

You have the right to make a complaint at any time, if there is a basis for complaint, to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (https://www.ico.org.uk) or any other competent data protection authority in the relevant jurisdiction.  

The ICO's contact details can be found on their website at https://www.ico.org.uk/.  

Medice UK is registered with the ICO, reference number ZB333984. 

Information Commissioner's Office (ICO) 
Wycliffe House, Water Lane, 
Wilmslow, Cheshire, SK9 5AF, UK 
Website: https://www.ico.org.uk