avi medical

    Privacy Policy

    Last updated: 08/05/2026

    Privacy statement

    Avi Medical Operations GmbH (hereinafter “Avi Medical” or “we”) takes the protection of your personal data seriously and would like to take this opportunity to inform you how we process your personal data when you visit our website.

    1. Responsible person

    Responsible within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation (GDPR) for the processing of your personal data in connection with the use of our website is:

    Avi Medical Operations GmbH

    Karl-Theodor-Straße 55

    80803 Munich

    Germany

    2. Data protection officer

    Our external data protection officer is available as the contact person for all questions regarding data protection at our company. He can be reached at the following e-mail address:

    3. Processing of your personal data

    When you visit our website, your personal data will be processed, depending on how you use our website. We will explain below when this is the case.

    3.1 Data processing when you contact us

    If you contact us by e-mail, via our contact form or by telephone, the data you provide to us, such as your email address, possibly your name and telephone number, and information about your request, will be stored by us in order to answer your questions.

    The purpose of data processing is to process your request.

    If the purpose of the contact is to conclude a user agreement for the use of the Services platform, or if it concerns an existing contract with you, Art. 6 (1) (b) GDPR is the legal basis for processing.

    In other cases, the legal basis for processing personal data relating to you is Article 6 (1) (f) GDPR. The legitimate interest results from the need to process your data in order to be able to answer your request.

    We only store your data for as long as is necessary for the purpose, i.e. until your request has been answered in full, or, if the request is assigned to a user contract, after the deadlines for the contract period.

    There is no legal obligation to provide your personal data. However, if you do not want to provide us with your data, it is not possible to contact us.

    3.2 Appointment booking

    You can make appointments with the medical care centers (MVZ) operated by Avi Medical MVZ GmbH as the sponsoring company via our website. For this purpose, we process the following data and forward it to the respective MVZ, with whom you book an appointment:

    • name
    • email address
    • birthdate
    • Information about the reason for your visit
    • Other information about complaints or a prescription request
    • Place and time of the doctor's appointment
    • Authentication means

    The purpose of data processing is to coordinate appointments and prepare your doctor's appointment. We process your personal data, which in particular includes health data, on the basis of your express consent in accordance with Art. 9 para. 2 lit. a GDPR. Your consent is the legal basis for data processing.

    We store your data until you withdraw your consent. You can cancel by clicking on the link provided in every newsletter email, by e-mail to or by sending a message to the contact details published in the legal notice.

    There is no legal obligation to provide your personal data. However, if you do not want to provide us with your data, it is not possible to book an appointment via our website.

    3.3 Newsletters

    You can subscribe to our newsletter on our website, which will inform you about current developments.

    We use the double opt-in procedure to subscribe to our newsletter. After you have signed up for the newsletter, you will receive an email to the specified email address asking you to confirm your subscription and confirm that you are the owner of the corresponding email address. The link provided is valid for 24 hours. If we do not receive confirmation from you within this time, we will block your information and delete it after one month. If you confirm your email address, we save your IP address and the time of registration and confirmation in order to be able to prove your registration and clarify possible misuse of your personal data.

    In order to be able to send the newsletter, we need your email address, which we store for this purpose. The legal basis for data processing is your consent in accordance with Art. 6 (1) (a) GDPR.

    We store your data until you withdraw your consent. You can declare your withdrawal by clicking on the link provided in every newsletter e-mail, by e-mail to or by sending a message to the contact details published in the legal notice.

    There is no legal obligation to provide your data. However, if you do not provide us with your email address, you will not be able to subscribe to the newsletter.

    3.4 Applications

    You can apply directly for open positions via our careers page.

    As part of the application process, we process the following categories of personal data from you:

    • Master data (this includes, for example: name, gender, date and place of birth)
    • Contact details (this includes, for example: address, e-mail address, telephone number)
    • nationality
    • language
    • marital status
    • Legitimation data (e.g. ID data)
    • authentication data (e.g. signature sample)
    • Application documents (including, for example, certificates, curriculum vitae, photo)
    • Data on professional development and acquired knowledge (this includes, for example: education and training, professional experience, additional qualifications)
    • Usage and inventory data (this includes, for example: IP address, name of the retrieved file, date and time of retrieval, amount of data transferred, notification of successful retrieval, web browser).

    The purpose of data processing is to initiate and establish an employment relationship. The legal basis for processing your data is Art. 6 (1) (b) GDPR in conjunction with Section 26 (1) BDSG and Art. 9 (2) lit. b GDPR in conjunction with Section 26 (3) BDSG, insofar as special categories of personal data are processed.

    We will store your data as long as it is necessary to process your application. In the event of rejection, your data will be deleted no later than 6 months after completion of the application process.

    There is no legal obligation to provide your data. However, if you do not provide us with your data, you will not be able to apply to us.

    3.5 Technical data

    3.5.1 Log files

    When you visit our website, a so-called log data set (so-called server log files) is temporarily and anonymously stored on our web server. It consists of:

    • the page from which the page was requested (so-called referrer URL)
    • the name and URL of the requested page
    • the date and time of the call
    • the description of the type, language, and version of the web browser used
    • the IP address of the requesting computer, which is abbreviated so that a personal reference can no longer be established
    • the amount of data transferred
    • the operating system used
    • the message as to whether the call was successful (access status/http status code)
    • Time zone difference to coordinated universal time

    This data is processed for the purpose of technically providing our website and for the purpose of identifying and tracing unauthorised access to the web server and other criminal offences.

    The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interests for the temporary storage of technical access data are to be able to provide you with a technically functional and user-friendly website and to be able to guarantee the security of our systems.

    Recipients of the data are our hosting service providers.

    The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. If the data is collected to provide the website, this is the case when the respective session has ended.

    If the data is stored in log files, this is the case after seven days at the latest. Additional storage is possible. In this case, the IP addresses of the users are deleted or distorted so that it is no longer possible to assign the calling client. Data processing is necessary for the operation of our website. If you wish to object to data processing, you can do so by not visiting our website.

    The provision of personal data is neither required by law nor contract, but it is absolutely necessary for our website to function.

    3.5.2 General information about cookies

    We use cookies on our website. Cookies are small text files that are stored on your hard drive, assigned to the browser you use by means of a characteristic string of characters, and through which certain information flows to the party that sets the cookie. Cookies cannot run programs or transfer viruses to your computer and therefore do not cause any damage. They serve to make the website more user-friendly and effective overall, i.e. more pleasant for you.

    Cookies can contain data that makes it possible to recognize the device used. However, in some cases, cookies only contain information about certain settings that are not personally identifiable. Cookies cannot directly identify a user.

    A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, cookies are further divided into:

    • Technical cookies: These are mandatory in order to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes nor do they store which websites you have visited;
    • Performance cookies: They collect information about how you use our website, which pages you visit and, for example, whether there are website usage errors; they do not collect information that could identify you — all information collected is anonymous and is only used to improve our website and find out what interests our users;
    • Advertising cookies, targeting cookies: These are used to offer website users tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
    • Sharing cookies: These are used to improve the interaction of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

    By using cookies, we ensure the proper functioning of our website. It also allows us to optimize the website experience. These are the purposes of data processing.

    Any use of cookies that is not strictly technically necessary constitutes data processing that is only permitted with your consent in accordance with Article 6 (1) (a) GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we will only pass on your personal data processed through cookies to third parties if you have given your consent in accordance with Article 6 (1) (a) GDPR. In the following, we set out the legal bases in connection with the respective service.

    Storing cookies on a device you use and reading them also requires your consent in accordance with Section 25 (1) TTDSG, which you declare by opting in. You can withdraw your consent given in this way at any time via the cookie settings. If storage is absolutely necessary to make the website available, the legal basis for storage is Section 25 (2) No. 2 TTDSG.

    We only store your data for as long as it is necessary to fulfill the stated purposes. The cookies are then deleted.

    Insofar as your consent is the legal basis for data processing in accordance with Art. 6 (1) (a) GDPR, you can withdraw this consent at any time. You can do this by deleting the cookies in your browser.

    The provision of your personal data is neither required by law nor contract. However, without this provision, the functionality of our website may not be guaranteed. It is also possible that individual services are not available.

    3.6 Analysis and tracking

    We use the following analytics and tracking tools:

    Matomo

    We use the open-source tracking tool Matomo (https://matomo.org/) to analyze your user behavior. As a result, personal data relating to your activity on the website as well as device and browser information (in particular the IP address and operating system) can be stored and evaluated.

    By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and its usability.

    The software is set so that the IP addresses are not completely saved, but 2 bytes of the IP address are masked for anonymization (e.g. 192.168.xxx.xxx). In this way, it is no longer possible to assign the abbreviated IP address to the calling computer. The data is stored in our MySQL database; logs or report data are not sent to Matomo servers. The tool is hosted on our own servers.

    The storage and reading of information on your device using cookies is based on your consent in accordance with Section 25 (1) TTDSG. You can give this consent by opting in via our cookie banner.

    The further processing of your personal data after storage or reading is also based on your express consent in accordance with Article 6 (1) (a) GDPR.

    A subsequent revocation has no effect on the admissibility of data processing up to this point in time.

    You can declare your consent in accordance with Section 25 (1) TTDSG and Art. 6 (1) (a) GDPR with a single click on the corresponding button in our cookie banner.

    You can withdraw your consent at any time by sending an e-mail to or in the cookie settings.

    Your personal information will be stored for as long as is necessary to fulfill the purposes described.

    With the following link, you can deactivate the processing of your personal data by Matomo:

    Further information on the processing of data by Matomo is available here:

    Facebook Retargeting

    We use functionalities of the Facebook Retargeting advertising plugin from Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (hereinafter referred to as Facebook Retargeting). Facebook Retargeting is used to carry out advertising campaigns and interact with them. Facebook Retargeting reminds users of products that they have searched for or viewed but have not purchased. Cookies from Facebook are stored on your device.

    In particular, the following personal data is processed by Facebook:

    • Information about the user's activities
    • Web page accessed
    • Which products were displayed
    • Which ads were clicked on
    • device information, in particular device type, IP address
    • Users' Facebook account if they are logged into Facebook

    Data is processed on servers of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025 in the USA.

    Other recipients of the data include providers and service providers from Facebook Inc., e.g. for analysis purposes.

    Further information on the processing of data by Facebook is available here:

    The use of Facebook Retargeting allows us to place advertising on various platforms and to analyze how users interact with these ads. In this way, we aim to be able to show users personalized and therefore more relevant advertising.

    The storage and reading of information on your device using cookies is based on your consent in accordance with Section 25 (1) TTDSG. You can give this consent by opting in via our cookie banner.

    The further processing of your personal data after storage or reading is also based on your express consent in accordance with Article 6 (1) (a) GDPR.

    A subsequent revocation has no effect on the admissibility of data processing up to this point in time.

    You can declare your consent in accordance with Section 25 (1) TTDSG and Art. 6 (1) (a) GDPR with a single click on the corresponding button in our cookie banner.

    You can withdraw your consent at any time by sending an e-mail to or in the cookie settings.

    You can prevent Facebook from collecting and processing your personal data by preventing third-party cookies from being stored on your computer, using the “DoNotTrack” function of a supporting browser, deactivating the execution of script code in your browser, or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

    Logged-in users can deactivate personalized advertising for Facebook users here:

    Further information on objection and removal options vis-à-vis Facebook can be found at: https://de-de.facebook.com/privacy/explanation

    Google Ads Remarketing

    We use Google Ads with the additional “Google Remarketing” application from Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland).

    With this process, we can create advertisements based on existing information about you and respond to you again when you continue to use the Internet. This is done using cookies set when you visit our offers (usually cookies), through which Google records and pseudonymizes your usage behavior when you visit various websites. According to its own statements, Google does not combine the data collected as part of remarketing with your personal data, which may be stored by Google.

    The following data is collected:

    • Length of visit
    • IP address
    • Pages visited
    • Content that the user is interested in
    • Site usage

    The storage and reading of information on your device using cookies is based on your consent in accordance with Section 25 (1) TTDSG. You can give this consent by opting in via our cookie banner.

    The further processing of your personal data after storage or reading is also based on your express consent in accordance with Article 6 (1) (a) GDPR.

    A subsequent revocation has no effect on the admissibility of data processing up to this point in time.

    You can declare your consent in accordance with Section 25 (1) TTDSG and Art. 6 (1) (a) GDPR with a single click on the corresponding button in our cookie banner.

    You can withdraw your consent at any time by sending an e-mail to or in the cookie settings.

    You can withdraw your consent at any time without affecting the permissibility of processing until the withdrawal. The easiest way to withdraw is via our consent manager or using the following functions: a) by setting your browser software accordingly, in particular, the suppression of third-party cookies means that you do not receive ads from third-party providers; b) by setting your browser to block cookies from the domain “www.googleadservices.com”, , which setting will be deleted when you delete your cookies; c) by deactivating interest-based ads from providers, which are part of the “About Ads” self-regulation campaign, via the link , where this setting is deleted when you delete your cookies; d) by permanently deactivating it in your Firefox, Internet Explorer or Google Chrome browsers under the link . We would like to point out that in this case you may not be able to use all functions of this offer to their full extent.

    Google deletes your personal data as soon as it is no longer required for the purpose of processing. Cookie information is deleted after one year at the latest.

    The data transmitted to Google LLC is mainly stored on servers managed by Google Ireland Limited (Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) in the European Economic Area (EEA).


    Using Braze

    To provide personalized push messages and in-app communication, we use Braze, provided by Braze Inc., based in New York, USA. Braze processes personal data such as device information, usage behavior and communication content exclusively to support our customer communication.

    Processing is based on consent in accordance with Article 6 (1) (a) GDPR.

    Braze is an active participant in the Data Privacy Framework, which regulates the secure and legally compliant transfer of personal data to the USA. In addition, Braze uses standard contractual clauses. As a result, Braze has committed itself to maintaining a level of data protection that corresponds to the level of data protection in the EU when processing your personal data.

    The data is only stored for as long as is necessary for communication and is then deleted unless there is a legal storage obligation.

    Taboola

    We use functionalities of the Taboola Pixel from Taboola Germany GmbH, Alt-Moabit 2, 10557 Berlin, Germany (hereinafter referred to as “Taboola”).
    The Taboola Pixel is used for the implementation, analysis and optimization of online marketing campaigns as well as the creation of target group profiles (retargeting and conversion tracking).

    By integrating the Taboola Pixel, Taboola can recognize whether users have visited our website, what content they viewed or which links they have clicked on. Based on this information, we can measure the success of our campaigns and show users interest-based advertising on other websites. For this purpose, cookies from Taboola are stored on your device.

    In particular, Taboola processes the following personal data:

    • Information about user activities on our website
    • Subpages visited, products or content viewed
    • Ads or links clicked
    • device information (e.g. device type, IP address, operating system, browser type)
    • timestamp, referrer URL
    • Pseudonymized user IDs for recognition
    • Technical data for displaying and measuring ads

    Processing can also take place on servers of Taboola Inc., 16 Madison Square West, 7th Floor, New York, NY 10010, United States of America. This may involve a transfer of personal data to third countries outside the EU/EEA. Taboola ensures an appropriate level of data protection by concluding standard contractual clauses in accordance with Art. 46 GDPR.

    Other recipients of the data include providers and service providers of Taboola, which are used for analysis, optimization or campaign purposes.

    Further information on data processing by Taboola can be found at:

    The use of the Taboola Pixel helps us to measure the effectiveness of our advertising measures, optimize our campaigns and display personalized, relevant content and advertising to users.

    Information is stored and read out on your device based on your consent in accordance with Section 25 (1) TTDSG, which you can give via our cookie banner.

    The further processing of your personal data after storage or reading is also based on your consent in accordance with Art. 6 (1) (a) GDPR.

    Withdrawal of your consent is only effective for the future and does not affect the lawfulness of the processing carried out up to the revocation.

    You can revoke your consent at any time via our cookie banner, by e-mail to or in the cookie settings.

    You can also prevent Taboola from collecting and processing your personal data by:

    • preventing third-party cookies from being stored in your browser,
    • activating the “do-not-track” function of a supporting browser,
    • disabling script code execution, or
    • installing a script blocker such as NoScript or Ghostery.

    In addition, you can deactivate personalized advertising by Taboola here:

    For more information on objection and removal options against Taboola, please see the above privacy policy.

    TikTok

    We use functionalities of the TikTok Pixel from TikTok Technology Limited, The Sorting Office, Ropemaker Place Dublin 2, Dublin, D02 HD23, Ireland (hereinafter referred to as “TikTok”). The TikTok Pixel is used for the implementation, analysis and optimization of online marketing campaigns on TikTok and the creation of target group profiles (retargeting and conversion tracking).

    By integrating the TikTok Pixel, TikTok can recognize whether users have visited our website, what content they viewed or which links they have clicked on. On this basis, we can measure the success of our advertising campaigns and target users on TikTok or other partner platforms with interest-based advertising. For this purpose, cookies and similar tracking technologies are stored on your device by TikTok.

    TikTok processes the following personal data in particular:

    • Information about activity on our website (e.g. pages viewed, clicks, purchases)
    • Time and duration of the website visit
    • referrer URL
    • device information (e.g. device type, operating system, IP address, browser type, language settings)
    • TikTok user ID (if the user is logged in to TikTok)
    • Technical data for displaying and measuring advertisements

    Processing can also take place on servers of TikTok Information Technologies UK Limited, 6th Floor, One London Wall, London, EC2Y 5EB, United Kingdom, and TikTok Inc., 5800 Bristol Parkway, Culver City, CA 90230, United States. This may involve a transfer of personal data to third countries outside the EU/EEA. TikTok ensures an appropriate level of data protection for this purpose by concluding EU standard contractual clauses in accordance with Art. 46 GDPR.

    Other recipients of the data include TikTok providers and service providers, which are used for analysis, optimization or campaign purposes.

    Further information on data processing by TikTok can be found at:

    The use of the TikTok Pixel helps us to measure the effectiveness of our advertising measures, optimize campaigns and display relevant, personalized content and advertising to users on TikTok and other platforms.

    Information is stored and read out on your device based on your consent in accordance with Section 25 (1) TTDSG, which you can give via our cookie banner.

    The further processing of your personal data after storage or reading is also based on your consent in accordance with Art. 6 (1) (a) GDPR.

    Withdrawal of your consent is only effective for the future and does not affect the lawfulness of the processing carried out up to that point.

    You can revoke your consent at any time via our cookie banner, by e-mail to or in the cookie settings.

    You can also prevent TikTok from collecting and processing your personal data by:

    • preventing third-party cookies from being stored in your browser,
    • activating the “do-not-track” function of a supporting browser,
    • disabling script code execution, or
    • using a script blocker such as NoScript or Ghostery.

    In addition, you can disable personalized advertising from TikTok directly in the TikTok app:
    Settings → Privacy → Ads → “Personalized Ads”

    For more information on objection and removal options against TikTok, please see the above privacy policy.

    Outbrain

    We use functionalities of the Outbrain Pixel from Outbrain UK Limited, 121 Kingsway, First Floor, London WC2B 6PA, United Kingdom (hereinafter referred to as “Outbrain”).
    The Outbrain Pixel is used to carry out, analyze and optimize online marketing campaigns as well as to create target group profiles (retargeting and conversion tracking).

    By integrating the Outbrain Pixel, Outbrain can recognize whether users have visited our website, which content they viewed or which links they have clicked on. On this basis, we can measure the success of our campaigns and show users interest-based advertising on other websites. For this purpose, Outbrain stores cookies on your device.

    Outbrain processes the following personal data in particular:

    • Information about user activities on our website
    • Subpages visited, products or content viewed
    • Ads or links clicked
    • device information (e.g. device type, IP address, operating system, browser type)
    • timestamp, referrer URL
    • Pseudonymized user IDs for recognition
    • Technical data for displaying and measuring ads

    Processing can also be carried out on servers of Outbrain Inc., 111 West 19th Street, 3rd Floor, New York, NY 10011, USA. This may involve a transfer of personal data to third countries outside the EU/EEA.
    Outbrain ensures an appropriate level of data protection by concluding standard contractual clauses in accordance with Art. 46 GDPR.

    Other recipients of the data include providers and service providers from Outbrain, which are used for analysis, optimization or campaign purposes.

    Further information on data processing by Outbrain can be found at:

    The use of Outbrain Pixel helps us measure the effectiveness of our advertising measures, optimize our campaigns and display personalized, relevant content and advertising to users.

    The storage and reading of information on your device is based on your consent in accordance with Section 25 (1) TTDSG, which you can provide via our cookie banner.
    The subsequent processing of your personal data is based on your consent in accordance with Article 6 (1) (a) GDPR.

    Withdrawal of your consent is only effective for the future and does not affect the lawfulness of the processing carried out up to the revocation.
    You can revoke your consent at any time via our cookie banner, by e-mail to or in the cookie settings.

    You can also prevent Outbrain from collecting and processing your personal data by:

    • preventing third-party cookies from being stored in your browser,
    • activating the “do-not-track” function of a supporting browser,
    • disabling script code execution, or
    • installing a script blocker such as NoScript or Ghostery.

    In addition, you can deactivate personalized advertising through Outbrain here:

    Further information on objection and removal options against Outbrain can be found in the privacy policy mentioned above.

    4. Transfer of personal data to external service providers

    For some functions on our website, we involve external service providers to whom we transfer personal data. All third-party providers commissioned by us act as contractors for us in accordance with our instructions and are integrated in accordance with Art. 28 GDPR in compliance with data protection regulations. The contractual agreement provides, among other things, that contract processors commit themselves to compliance with data protection, which includes securing your personal data through appropriate technical and organizational measures — in particular by means of encryption technologies.

    4.1 Cookiebot

    We use functionalities of the Cookiebot cookie consent solution from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot offers a software solution that makes it possible to obtain consent for cookie usage and tracking of online users. Cookiebot informs users of our website about the cookies used on our website. You also have the option to deactivate cookie groups except for functional cookies (which are necessary for the smooth display of our website). We are required to document your consent or rejection in accordance with Article 7 (1) GDPR.

    In particular, the following personal data is processed by Cookiebot:

    • The end user's IP number in anonymized form (the last three digits are set to “0”)
    • Date and time of consent
    • End user browser
    • The URL for which consent was given
    • An anonymous, random, and encrypted key
    • The consent status of the end user, which serves as proof of consent

    Cookies from Cookiebot are stored on your device.

    The key and consent status are also stored in the end user's browser in the “Cookie Consent” cookie so that the website can automatically read and follow the end user's consent for up to 12 months on all subsequent page requests and future end user sessions. The key is used to prove consent and for an option that checks whether the consent status stored in the end user's browser is unchanged compared to the original consent that was sent to Cookiebot.

    When the “collective consent” feature is activated to govern consent for multiple websites through a single end user consent, Cookiebot also stores another separate, random, unique ID with the end user's consent. If all of the following criteria are met, this key is stored in encrypted form in the cookie “CookieConsentBulkTicket” in the end user's browser.

    The legal basis for storing your consent is Art. 6 para. 1 lit. c GDPR in conjunction with Art. 5 para. 1 lit. a, para. 2, Art. 7 para. 1 GDPR and Art. 6 para. 1 lit. f GDPR, although compelling reasons may be countered by your objection. Such a compelling reason results, for example, from the above accountability, to which we are subject by law. Consent in accordance with Section 25 Paragraph 1 TTDSG is not required, as the exception of Section 25 Paragraph 2 No. 2 TTDSG applies in this respect.

    All data is hosted in an Azure data center operated by cloud provider Microsoft Ireland Operations Ltd, South County Business Park, One Microsoft Court, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland.

    Further information on the processing of data by Cookiebot is available here:

    We use Cookiebot to create and display cookie statements for end users and to save and display cookie scan reports in the privacy policy. This enables us to comply with our information obligations to users of our website in accordance with Article 13, 14 GDPR and obtain and document consent to the use of cookies in accordance with data protection law.

    We also use Cookiebot to obtain aggregate information about end users' choices regarding accepted cookie types and a graphical presentation of them in the service manager.

    The legal basis for data processing is Art. 6 (1) (f) GDPR. Our legitimate interest lies in the purposes of data processing mentioned under 2. The interests and rights of users are taken into account accordingly by anonymizing the IP address.

    Cookiebot stores your personal information for as long as is necessary to fulfill the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.

    The cookies used by Cookiebot are stored on the user's device for up to 12 months.

    You can prevent Cookiebot from collecting and processing your personal data by preventing third-party cookies from being stored on your computer, using the “Do Not Track” function of a supporting browser, deactivating the execution of script code in your browser, or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

    Further information on objection and removal options against Cybot can be found at: https://www.cookiebot.com/de/privacy-policy/

    4.2 Rapidmail

    We use Rapidmail to send our newsletter. The provider is Rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau. Rapidmail enables us to organize and analyze our newsletter.

    For more information, please see Rapidmail's privacy policy:

    4.3 Webflow

    The website is hosted on servers from Webflow, Inc. (398 11th Street, 2nd Floor, San Francisco, CA 94103, USA). The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The information saved is:

    • Browser type and browser version
    • Operating system used
    • Referrer URL
    • Host name of the accessing computer
    • Date and time of the server request
    • IP address

    The website server is geographically located in the USA. In order to ensure appropriate guarantees to protect the transfer and processing of personal data outside the EU, data transmission to and data processing by Webflow is carried out on the basis of appropriate guarantees in accordance with Art. 46 et seq. GDPR, in particular through the conclusion of so-called standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR. A copy of the standard data protection clauses can be requested by sending us an informal email.

    4.4 Stripe

    Processing of personal data in the event of missed appointments (“no show”)

    If you do not cancel an agreed appointment, we reserve the right to charge you a cancellation fee. In this context, we process the following personal data:

    • Name
    • Contact details
    • Appointments (date, time)
    • No-show documentation
    • Billing data, if applicable

    Processing is carried out on the basis of Art. 9 para. 2 letter h in conjunction with Art. 9 para. 3 GDPR in conjunction with §22 para. 1 no. 1 letter b BDSG (processing for the execution of the treatment contract).

    Your data will only be used to process the collection of fees and, if necessary, to assert legal claims and will not be passed on to third parties, unless required by law.

    Payment processing, including the investigation of possible cases of fraud itself, is carried out by the certified external payment service provider Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland (hereinafter: “Stripe”). A contract for order data processing was concluded for this purpose. The integration of Stripe gives users an easy way to use a credit card as a payment option. For this purpose, Stripe receives transaction data (cardholder name, email address, card information, expiration date, CVC code, date, time and amount of transaction), but at no time health-related data. The data is passed on exclusively for the purpose of payment processing with Stripe and only to the extent necessary for this. For more information about Stripe's use of data, please see Stripe's privacy policy at

    4.5 Using Google Gemini

    As part of our medical services, we use Google Gemini, provided by Google Cloud EMEA Ltd., with server location in Brussels, Belgium. With Google Gemini, automated summaries of laboratory findings are created. The aim is to provide treating doctors with a structured overview of the findings, which can be transmitted to patients via a “one-click” function. No medical diagnosis is carried out by the AI. Processing is carried out exclusively to support medical communication.

    Health data is also processed in accordance with Article 9 (1) GDPR. Processing is based on consent in accordance with Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR.

    The data processed by Google Gemini is not stored permanently by Google. The summaries will be deleted after transmission, unless there is a legal storage obligation.

    4.6 Using Twilio

    As part of our communication services, we use Twilio, provided by Twilio Inc., based in the USA. Twilio is used to send SMS, voice messages, and other forms of communication. Processing is carried out exclusively to support communication with patients and customers.

    Personal data, including special categories of personal data in accordance with Article 9 (1) GDPR, are also processed. Processing is carried out on the basis of consent in accordance with Art. 6 para. 1 lit. a and, where applicable, Art. 9 para. 2 lit. a GDPR and, where applicable, to fulfill a contract or on the basis of pre-contractual measures in accordance with Art. 6 para. 1 lit. b GDPR.

    Twilio is an active participant in the Data Privacy Framework, which regulates the secure and legally compliant transfer of personal data to the USA. Twilio also uses standard contractual clauses. As a result, Twilio has committed itself to maintaining a level of data protection that corresponds to the level of data protection in the EU when processing your personal data.

    Twilio only stores the data for as long as is necessary for communication, unless there is a legal storage obligation.

    4.7 Using SendGrid

    To send appointments, changes and reminders, messages, and other functional communications, we use SendGrid, a service provided by Twilio Inc., hosted in the USA. SendGrid processes personal data such as email addresses and message content exclusively on our behalf.

    Processing is based on your consent in accordance with Article 6 (1) (a) GDPR.

    Twilio, operator of the SendGrid service, is an active participant in the Data Privacy Framework, which regulates the secure and legally compliant transfer of personal data to the USA. Twilio also uses standard contractual clauses. As a result, Twilio has committed itself to maintaining a level of data protection that corresponds to the level of data protection in the EU when processing your personal data.

    SendGrid or Twilio only stores the data for the duration of the communication and then deletes it, unless there is a legal storage obligation.

    5. Transfer of personal data to other third parties

    The following categories of recipients may have access to your personal data:

    • Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is then Art. 6 (1) (c) GDPR;
    • Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the formation of joint ventures). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

    In addition, we will only share your personal data with third parties if you have given your consent in accordance with Article 6 (1) (a) GDPR.

    6. Data deletion and storage period

    For the processing operations carried out by us, we indicate how long the data is stored by us and when it is deleted or blocked. Unless an express storage period is specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage ceases to apply. In principle, your data is only stored on our servers in Germany, subject to any transfer that may take place, which is specified elsewhere.

    However, storage may take place beyond the specified time in the event of an (imminent) legal dispute or other legal proceedings or if the storage is provided for by legal regulations to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period required by law expires, personal data will not be blocked or deleted, unless further storage by us is necessary and there is a legal basis for this.

    7. Data security

    We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g. TLS encryption for our website), taking into account the state of the art, implementation costs and the nature, scope, context and purpose of processing as well as the existing risks of a data breach (including its probability and effects) for those affected. Our security measures are constantly being improved in line with technological developments.

    8. Data transfer to a so-called third country

    As part of our business relationships, your personal data may be passed on or disclosed to third companies. They may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively to fulfill contractual and business obligations and to maintain your business relationship with us. We will inform you of the relevant details of the transfer to the relevant bodies.

    Through so-called adequacy decisions, the European Commission certifies that some third countries have data protection that is comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found here: ). In other third countries to which personal data may be transferred, however, there may be no consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, standard contractual clauses issued by the European Commission for the protection of personal data, certificates or recognized codes of conduct and, if necessary, additional measures. With regard to the individual services, we will inform you where appropriate about the requirements for data transfer to third countries.

    9. No obligation to provide personal data

    We do not make the provision of our platform's offerings dependent on you providing us with personal data beforehand. In principle, there is also no legal or contractual obligation for you as a customer to provide us with your personal data; however, it is possible that we may only be able to provide certain offers to a limited extent or not at all if you do not provide the necessary data. If this is the case, you will be notified separately in this privacy policy.

    10. Legal obligation to provide certain data

    Under certain circumstances, we may be subject to a specific statutory or legal obligation to provide lawfully processed personal data to third parties, in particular public bodies (Article 6 (1) (1) (c) GDPR).

    11. Your rights

    You can assert your rights as a data subject with regard to the processing of personal data concerning you at any time using the contact details provided above. As a data subject, you have the right:

    • to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the purposes of processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right of correction, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data, unless it has been collected by us, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details;
    • in accordance with Article 16 GDPR, to immediately request the correction of incorrect data stored by us or the completion of your data stored by us;
    • to request the deletion of your data stored with us in accordance with Article 17 GDPR, unless processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
    • to request the restriction of the processing of your data in accordance with Article 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
    • in accordance with Article 20 GDPR, to receive your data that you have provided to us in a structured, common and machine-readable format or to request transmission to another person responsible (“data portability”);
    • to object to the processing in accordance with Article 21 GDPR, provided that the processing is carried out on the basis of Article 6 (1) (e) or (f) GDPR. This is particularly the case if processing is not necessary to fulfill a contract with you. Unless there is an objection to direct advertising, when exercising such an objection, we ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the situation and will either stop or adjust data processing or show you our compelling legitimate reasons for continuing the processing;
    • in accordance with Article 7 (3) GDPR, to withdraw at any time the consent you have given us (even before the GDPR came into force, i.e. before 25.5.2018), i.e. your voluntary, informed and unequivocal will, made clear to us by a statement or other unequivocal affirmative action, that you agree to the processing of the relevant personal data for one or more specific purposes, if you have given such consent. As a result, we are no longer allowed to continue data processing based on this consent in the future; and
    • in accordance with Art. 77 GDPR, to complain to a data protection supervisory authority about the processing of your personal data in our company.

    12. Update of the privacy policy

    Due to changes in legal or regulatory requirements as well as the development of technical standards and our offering, adjustments to this data protection declaration may be necessary, which is why it is regularly reviewed for the need for changes or additions. The privacy policy can therefore be amended at any time with effect for the future.

    This privacy policy was last updated in April 2023.

    Avi Medical App Privacy Policy

    As of October 2021

    Table of contents

    I. Name and address of the person responsible

    II. Contact details of the data protection officer

    III. Data processing in the Avi Medical app

    IV. Rights of the person concerned

    V. Provision of the app and creation of log files

    VI. Use of cookies

    VII. Newsletter

    VIII. Hosting

    IX. Plug-ins used

    X. Using SDK's

    XI. Device permissions

    XII. Data protection information on the use of our web application on the website

    I. Name and address of the person responsible

    The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:

    Avi Medical Operations GmbH

    Nymphenburgerstraße 86

    80636 Munich

    Germany

    +49 152 54882139

    II. Contact details of the data protection officer

    The data protection officer of the person responsible is:

    DataCo GmbH

    Dachauer Strasse 65

    80335 Munich

    Germany

    +49 89 7400 45840

    III. Data processing in the Avi Medical app

    On this page, we inform you about the data protection regulations applicable in the Avi Medical app for Android and iOS (“app”). The app is offered by Avi Medical Operations GmbH, Nymphenburgerstr. 86, 80636 Munich, Germany (“Avi Medical Operations GmbH”, “we” or “us”). Further information about our data protection policy can be found in the privacy policy on our website:

    1. Scope of processing

    The Avi Medical app is an application for electronic support of medical services. Personal data is processed for the following purposes or functions:

    • Appointments for doctor visits, including initial description of symptoms
    • Communication with the respective medical practice via chat functionality
    • Conducting video consultations
    • Receipt of findings or laboratory results
    • Statements with health insurance companies
    • Satisfaction surveys (using a so-called “Net Promoter Score” of 1 to 10)
    • Receive push notifications, emails and SMS reminders of appointments, confirmations, etc.

    Within the app, the following data is collected for the purpose of registration:

    • Name
    • First name
    • Email address
    • Birthdate
    • Salutation and title
    • Address
    • Name of health insurance
    • Insurance number
    • Billing address
    • Mobile number

    In addition, the following data is automatically processed when using the app, if appropriate functions are used:

    • Reasons for a doctor's appointment
    • Symptoms of acute complaints
    • Basic anamnesis (patient questionnaire)
    • Preferred medical practice
    • Preferred doctor

    2. Purpose of processing

    The personal data provided is collected and used to ensure error-free provision of our app with all the described functionalities.

    3. Legal basis for processing personal data

    The legal basis for processing personal data in the context of creating a user account and using personal data to use the described functionalities is the user's consent in accordance with Art. 6 (1) (a) GDPR in conjunction with Article 9 (2) (a) GDPR.

    The processing of technical data serves to protect our company's legitimate interest in providing a functional application to users and is therefore based on Article 6 (1) (f) GDPR as the legal basis for processing.

    Appointment reminders and confirmations are sent without providing health data on the basis of our legitimate interest in providing a comprehensive service in accordance with Article 6 (1) (f) GDPR.

    4. Storage period

    The personal data will be stored exclusively for the above-mentioned purposes until the account is deleted. When the user deletes the account, all data whose retention is not required to fulfill legal storage obligations will be removed.

    5. Withdrawal and removal option

    A revocation of consent or objection to data processing can be made informally at any time by e-mail to .

    6. Recipients of personal data

    In order to provide all services, contract processors are engaged to take over partial services. In addition to the order processors listed under “Plugins used”, the following order processors are commissioned to deliver appointment reminders:

    • rapidmail GmbH, Augustinerplatz 2, 79098, Freiburg, Germany
    • LINK Mobility Austria GmbH (websms), Brauquartier 5/13, 8055 Graz, Austria

    IV. Rights of the person concerned

    If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:

    1. Right to information

    You can request confirmation from the person responsible as to whether personal data concerning you is being processed by him.

    If there is such processing, you can request the following information from the person responsible:

    • the purposes for which the personal data are processed;
    • the categories of personal data that are processed;
    • the recipients or categories of recipients to whom the personal data concerning you have been or are still being disclosed;
    • the planned duration of storage of personal data relating to you or, if specific information is not possible, criteria for determining the storage period;
    • the existence of a right to correct or delete the personal data concerning you, a right to restrict processing by the person responsible or a right to object to this processing;
    • the existence of a right to lodge a complaint with a supervisory authority;
    • all available information about the origin of the data if the personal data is not collected from the data subject;
    • the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

    You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate guarantees in accordance with Article 46 GDPR in connection with the transfer.

    2. Right to rectification

    You have the right to request that the person responsible correct and/or complete the processed personal data concerning you if it is incorrect or incomplete. The person responsible must make the correction immediately.

    3. Right to restrict processing

    You can request that the processing of personal data concerning you be restricted under the following conditions:

    • if you dispute the accuracy of the personal data concerning you for a period of time that enables the person responsible to verify the accuracy of the personal data;
    • the processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
    • the person responsible no longer needs the personal data for processing purposes, but you need them to assert, exercise or defend legal claims, or
    • if you have filed an objection to processing in accordance with Article 21 (1) GDPR and it is not yet clear whether the legitimate reasons of the person responsible outweigh your reasons.

    If the processing of personal data concerning you has been restricted, this data may only be processed - apart from storage - with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

    If processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is lifted.

    4. Right to deletion

    a) Obligation to delete

    You can request that the person responsible delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

    • The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
    • You withdraw your consent on which the processing was based in accordance with Article 6 (1) (a) or Article 9 (2) (a) GDPR and there is no other legal basis for processing.
    • You object to processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for processing, or you object to processing in accordance with Article 21 (2) GDPR.
    • The personal data concerning you was processed unlawfully.
    • The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
    • The personal data concerning you was collected in relation to information society services offered in accordance with Article 8 (1) GDPR.

    b) Information to third parties

    If the person responsible has made the personal data concerning you public and is obliged to delete it in accordance with Article 17 (1) GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and implementation costs, to inform data controllers who process the personal data that you, as a data subject, have requested that they delete all links to this personal data or copies or replications of this personal data.

    c) Exemptions

    The right to deletion does not exist insofar as processing is necessary

    • to exercise the right to freedom of expression and information;
    • to fulfill a legal obligation which requires processing under Union or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
    • for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR, insofar as the right referred to in section a) is likely to make it impossible or seriously impair the achievement of the objectives of this processing, or
    • to assert, exercise or defend legal claims.

    5. Right to be informed

    If you have asserted the right to correct, delete or restrict processing against the person responsible, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.

    You have the right vis-à-vis the person responsible to be informed about these recipients.

    6. Right to data portability

    You have the right to receive the personal data concerning you, which you have provided to the person responsible, in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another person responsible without hindrance from the person responsible to whom the personal data was provided, provided that

    • processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR and
    • processing is carried out using automated procedures.

    In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected as a result.

    The right to data portability does not apply to processing of personal data that is necessary for the performance of a task that is in the public interest or in the exercise of public authority that has been transferred to the person responsible.

    7. Right of objection

    For reasons arising from your particular situation, you have the right to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

    The controller will no longer process your personal data unless he can prove compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

    If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is associated with such direct marketing.

    If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

    Notwithstanding Directive 2002/58/EC, you have the option to exercise your right of objection in connection with the use of information society services by means of automated procedures using technical specifications.

    8. Right to withdraw the declaration of consent under data protection law

    You have the right to withdraw your data protection consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the withdrawal.

    9. Automated decision in individual cases, including profiling

    You have the right not to be subject to a decision based exclusively on automated processing - including profiling - which has legal effect on you or significantly affects you in a similar way. This does not apply if the decision

    • is necessary for the conclusion or performance of a contract between you and the person responsible,
    • is permitted by Union or Member State legislation to which the person responsible is subject and that legislation contains appropriate measures to protect your rights and freedoms and your legitimate interests, or
    • is done with your express consent.

    However, these decisions must not be based on special categories of personal data under Article 9 (1) GDPR, unless Article 9 (2) lit. a or b GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

    With regard to the cases mentioned in 1. and 3., the controller takes appropriate measures to protect the rights and freedoms and your legitimate interests, which include at least the right to obtain the intervention of a person on the part of the person responsible, to state his own position and to challenge the decision.

    10. Right to lodge a complaint with a supervisory authority

    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work and the place of the alleged infringement, if you believe that the processing of personal data relating to you is contrary to the GDPR.

    The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

    V. Provision of the app and creation of log files

    1. Description and scope of data processing

    Each time you use our app, our system automatically collects data and information from the calling device.

    The following data is collected here:

    • The user's operating system
    • The user's IP address
    • date and time of access

    This data is stored in our system's log files. This data is not stored together with other personal data of the user.

    2. Purpose of data processing

    The temporary storage of the IP address by the system is necessary to enable delivery of the app to the user's device. To do this, the user's IP address must be stored for the duration of the session.

    They are stored in log files to ensure that the app works. We also use the data to optimize the app and ensure the security of our information technology systems. There is no evaluation of the data for marketing purposes in this context.

    These purposes also include our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR.

    3. Legal basis for data processing

    The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.

    4. Storage period

    The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

    If the data is stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or distorted so that it is no longer possible to assign the calling client.

    5. Objection and removal option

    The collection of data to provide the app and the storage of the data in log files is absolutely necessary for the operation of the website. There is therefore no option for the user to object.

    VI. Use of cookies

    1. Description and scope of data processing

    Our app uses cookies. Cookies are text files that are stored on the respective device. When a user calls up an app, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the device to be uniquely identified when the app is called up again.

    We use cookies to make our app more user-friendly. Some elements of our app require that the calling device can be identified even after changing pages.

    The following data is stored and transmitted in cookies:

    • language settings
    • Log-in information
    • Using app features
    • user behavior

    User data collected in this way is pseudonymized through technical measures. It is therefore no longer possible to assign the data to the calling user. The data is not stored together with other personal user data.

    2. Purpose of data processing

    The purpose of using technically necessary cookies is to make it easier for users to use apps. Some functions of our website cannot be offered without the use of cookies. For this, it is necessary that the browser is recognized even after a page change.

    The user data collected through technically necessary cookies is not used to create user profiles.

    Analysis and marketing cookies are used to continuously improve our offering.

    3. Legal basis for data processing

    With your declaration of consent, the legal basis for processing personal data using analytical or marketing cookies is Art. 6 (1) (a) GDPR.

    The legal basis for processing personal data using technically necessary cookies is Art. 6 (1) (f) GDPR.

    4. Duration of storage, right of objection and removal

    Cookies are stored on the user's device and transmitted from it to our app. As a user, you therefore also have full control over the use of cookies. By changing the settings on your device, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our app, it may no longer be possible to use all functions of the app to their full extent.

    VII. Newsletter

    1. Description and scope of data processing

    In our app, it is possible to subscribe to a free newsletter. When you register for the newsletter, the data from the input form is sent to us.

    • email address
    • name
    • First name
    • Date and time of registration

    There is no transfer of data to third parties in connection with data processing for sending newsletters. The data is used exclusively for sending the newsletter.

    2. Purpose of data processing

    The purpose of collecting the user's email address is to deliver the newsletter.

    The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.

    3. Legal basis for data processing

    The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 (1) (a) GDPR if the user has given his consent.

    4. Storage period

    The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected and no statutory storage requirements call for their retention.

    5. Objection and removal option

    The subscription to the newsletter can be cancelled by the affected user at any time. For this purpose, there is a corresponding link in every newsletter.

    This also makes it possible to withdraw consent to the storage of personal data collected during the registration process.

    VIII. Hosting

    The app is hosted on servers by a service provider commissioned by us.

    Our service provider is:

    Telekom Deutschland GmbH (Open Telekom Cloud), Landgrabenweg 151, 53227 Bonn.

    The servers automatically collect and store information in so-called server log files, which your mobile phone automatically transmits when you visit the app. The information stored is:

    • The user's operating system
    • The user's IP address
    • date and time of access

    This data is not combined with other data sources. This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in the technically error-free presentation and optimization of its app. For this purpose, the server log files must be collected.

    The app's server is geographically located within the EU or the EEA.

    IX. Plug-ins used

    We use plugins for various purposes. The plugins used are listed below. When using our plugins, some personal data is transferred to the USA. Health data and other special categories of personal data under Article 9 GDPR are excluded; these are only processed in the EU. In order to ensure appropriate guarantees to protect the transfer and processing of personal data outside the EU, data transmission to and data processing by appropriate processors is carried out on the basis of appropriate guarantees in accordance with Art. 46 et seq. GDPR, in particular through the conclusion of so-called standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR. A copy of the appropriate guarantees can be requested by sending us an informal email.

    The following plugins are used:

    Using RED connect

    1. Scope of processing of personal data

    We use functionalities of the RED connect video consultation system from RED Medical Systems GmbH, Lutzstraße 2, 80687 Munich, Bavaria, Germany (hereinafter referred to as RED Medical).

    With the help of RED connect, we conduct video consultations between doctors and patients. A doctor and a patient can make appointments and hold them in the form of encrypted video calls. All data collected during the video consultation is encrypted end-to-end. As a patient, you are completely anonymous; only your doctor knows your identity.

    As a result, RED Medical processes the following personal data:

    • customer data
    • Content of the video consultations

    In addition, we process the following special categories of personal data within the meaning of Article 9 (1) GDPR:

    • Voluntarily communicated data about your health

    Other recipients of the data may be:

    • AWS EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg
    • noris network AG, Thomas-Mann-Strasse 16-20, 90471 Nuremberg

    Further information on the processing of data by RED Medical is available here:

    2. Purpose of data processing

    The use of RED connect enables us to conduct video consultations between doctor and patient.

    3. Legal basis for processing personal data

    When processing special categories of personal data in accordance with Article 9 (1) GDPR, the legal basis is express consent in accordance with Article 6 (1) (a) GDPR in conjunction with Article 9 (2) (a) GDPR.

    4. Storage period

    Your personal information will be stored for as long as is necessary to fulfill the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.

    5. Withdrawal and removal option

    You have the right to withdraw your data protection consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the withdrawal.

    Further information on objection and removal options against RED Medical can be found at:

    Using Zammad

    1. Scope of processing of personal data

    We use functionalities of the Zammad helpdesk system from Zammad GmbH, Marienstraße 18, 10117 Berlin (www.zammad.com). We use these in particular to provide the chat functionality in our app.

    With the chat functionalities, patients can exchange documents, ask medical questions or clarify questions for technical support or appointment coordination. By using Zammad, only the exact personal data that you voluntarily communicate is processed. There is no obligation to use Zammad to use our services.

    You can find more information about Zammad here: https://zammad.com/de/unternehmen/datenschutz

    2. Purpose of data processing

    The use of Zammad enables effective and efficient patient communication. Patient use is always voluntary.

    3. Legal basis for processing personal data

    When processing special categories of personal data in accordance with Article 9 (1) GDPR, the legal basis is express consent in accordance with Article 6 (1) (a) GDPR in conjunction with Article 9 (2) (a) GDPR.

    4. Storage period

    Your personal information will be stored for as long as is necessary to fulfill the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.

    5. Withdrawal and removal option

    You have the right to withdraw your data protection consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of consent up to the withdrawal.

    X. Using SDKs

    1. Description of the use of SDKs

    We use SDKs (Software Development Kits) to provide functional modules. To do this, the code used is embedded in the SDKs.

    Third-party libraries used:

    • Mapbox

    The Mapbox SDK is an offer from Mapbox, Inc. (https://www.mapbox.com/)

    Through Mapbox, we provide an interactive map in our app to show users distances to the nearest practice using location (GPS).

    The purpose of processing is an appealing design of the app and location functionality based on our legitimate interest in displaying an interactive map in accordance with Art. 6 para. 1 lit. f GDPR.

    The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected and no statutory storage requirements call for their retention.

    By using the SDK, personal data can be transferred to US servers.

    In order to ensure appropriate guarantees to protect the transfer and processing of personal data outside the EU, data transmission to and data processing by appropriate processors is carried out on the basis of appropriate guarantees in accordance with Art. 46 et seq. GDPR, in particular through the conclusion of so-called standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR. A copy of the appropriate guarantees can be requested by sending us an informal email.

    XI. Device permissions

    1. Description and scope of data processing

    In order to provide specific functionalities, device permissions for your device are requested while using the app. Without these, we cannot provide certain services, such as our location services. Device permissions always require your explicit consent.

    2. Information about app permissions

    The following permissions are required to implement the functions in the app:

    • iOS: location services
    • Android: location

    Authorization is necessary to use certain functionalities of our app. Before explicit authorization is granted by the user, the app does not have access to device functions. You can change the permissions on your device at any time. In addition, meta information can be collected to monitor our application and identify errors.

    3. Purpose of data processing

    The data is processed for the following purposes:

    • Application monitoring
    • troubleshooting
    • Infrastructure monitoring
    • resource optimization
    • Log analysis
    • Provision of app functionalities

    4. Legal basis for data processing

    Meta information is collected on the basis of Art. 6 para. 1 lit. f GDPR. The app operator has a legitimate interest in the technically error-free presentation and optimization of its app. Authorization and processing of internal data from the device takes place through your explicit approval and therefore through your consent in accordance with Article 6 (1) (a) GDPR.

    5. Storage period

    Your personal information will be stored for as long as is necessary to fulfill the purposes described in this privacy policy or as required by law.

    6. Objection and removal options

    You can object to processing or withdraw your consent at any time by sending us an informal email. You can prevent the use of device functions yourself at any time by making appropriate settings on your device.

    XII. Data protection information on the use of our web application on the website

    1. Scope of processing

    On our website, you can use limited mobile app functionalities to book appointments with your doctor. The processing of personal data in this case is limited to the use of the following data to book appointments and to prepare the respective doctor:

    • Reasons for the doctor's appointment
    • Symptoms of acute symptoms

    For further processing purposes, please note the corresponding privacy policy on our website:

    2. Purpose of processing

    The personal data provided is collected and used to make it possible to schedule appointments without errors.

    3. Legal basis for processing personal data

    The legal basis for processing personal data is the user's consent in accordance with Article 6 (1) (a) GDPR in conjunction with Article 9 (2) (a) GDPR.

    4. Storage period

    The personal data will be deleted after the appointment has been completed, unless their retention is necessary to fulfill legal storage obligations.

    5. Withdrawal and removal option

    You can withdraw your consent to data processing at any time informally by sending an e-mail to .

    This privacy statement was created with assistance from DataGuard.

    XIII. Use of Google Gemini

    As part of our medical services, we use Google Gemini, provided by Google Cloud EMEA Ltd., with servers located in Brussels, Belgium. Google Gemini is used to create automated summaries of laboratory findings. The aim is to provide treating physicians with a structured overview of the findings, which can be transmitted to patients via a "one-click" function. No medical findings or diagnoses are made by the AI. Processing is carried out exclusively to support medical communication.

    Health data in accordance with Art. 9 Para. 1 GDPR is also processed. Processing is carried out on the basis of consent in accordance with Art. 6 Para. 1 lit. a and Art. 9 Para. 2 lit. a GDPR.

    Data processed by Google Gemini is not permanently stored by Google. The summaries are deleted after transmission, unless there is a legal retention obligation.

    We use Braze for personalized push notifications and in-app communication, provided by Braze Inc., based in New York, USA. Braze processes personal data such as device information, usage behavior, and communication content exclusively to support our customer communication.

    Processing is carried out on the basis of consent in accordance with Art. 6 Para. 1 lit. a GDPR.

    Braze is an active participant in the Data Privacy Framework, which regulates the secure and legally compliant transfer of personal data to the USA. In addition, Braze uses standard contractual clauses. Through this, Braze has committed to maintaining a level of data protection when processing your personal data that corresponds to the level of data protection in the EU.

    The data is stored only as long as necessary for communication and then deleted, unless there is a legal retention obligation.

    As part of our communication services, we use Twilio, provided by Twilio Inc. based in the USA. Twilio is used for transmitting SMS, voice messages, and other forms of communication. Processing is carried out exclusively to support communication with patients and customers.

    Personal data, and possibly special categories of personal data in accordance with Art. 9 Para. 1 GDPR, are also processed. Processing is carried out on the basis of consent in accordance with Art. 6 Para. 1 lit. a and possibly Art. 9 Para. 2 lit. a GDPR, and possibly for the fulfillment of a contract or on the basis of pre-contractual measures in accordance with Art. 6 Para. 1 lit. b GDPR.

    Twilio is an active participant in the Data Privacy Framework, which regulates the secure and legally compliant transfer of personal data to the USA. In addition, Twilio uses standard contractual clauses. Through this, Twilio has committed to maintaining a level of data protection when processing your personal data that corresponds to the level of data protection in the EU.

    Twilio stores the data only as long as necessary for communication, unless there is a legal retention obligation.

    XVI. Use of SendGrid

    For sending appointment changes and reminders, messages, and other functional communications, we use SendGrid, a service of Twilio Inc., hosted in the USA. SendGrid processes personal data such as email addresses and message content exclusively on our behalf.

    Processing is carried out on the basis of your consent in accordance with Art. 6 Para. 1 lit. a GDPR.

    Twilio, the operator of the SendGrid service, is an active participant in the Data Privacy Framework, which regulates the secure and legally compliant transfer of personal data to the USA. In addition, Twilio uses standard contractual clauses. Through this, Twilio has committed to maintaining a level of data protection when processing your personal data that corresponds to the level of data protection in the EU.


    SendGrid or Twilio stores the data only for the duration of the communication and then deletes it, unless there is a legal retention obligation.