AIRAdoc Privacy Policy | How We Protect Your Data

Privacy

On this page you will find all relevant documents regarding the use of your data and your patients' data. These are:

"Personal data" (Art. 4 No. 1 GDPR)

Information on the processing of personal data that we carry out as the data controller.

Download

Patient information

Information for patients about the doctor's use of our product

Download

Article 26 Contract

The agreement on joint responsibility for data processing between AIRAdoc GmbH and physicians

Download

TOMs

Technische und organisatorische Maßnahmen der AIRAdoc GmbH zur Gewährleistung der Datensicherheit

Download

Subcontractor

List of subcontractors used by AIRAdoc GmbH for data processing

Download

Introduction

AIRAdoc GmbH, Am BioPark 13, 93053 Regensburg, Germany, including its subsidiaries (hereinafter collectively referred to as "the Company," "we," or "us"), takes the protection of your personal data very seriously.

Insofar as we act as the controller within the meaning of the GDPR, we would like to provide you with comprehensive information about our data protection practices in this privacy policy in accordance with Art. 13 GDPR. This includes any processing of personal data on our marketing websites as well as the processing of user data within our AIRAdoc product. These processing operations are listed in detail in sections B and C. For processing activities in which we act solely as a processor, our data processing agreement with the customer pursuant to Art. 28 GDPR applies.

With the implementation of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter "GDPR"), we, as the data controller, have been assigned additional obligations to ensure the protection of the personal data of the data subjects. In the following, we also refer to you as the data subject as "user," "customer," "you," or "data subject." Furthermore, we are subject to the additional provisions of the Federal Data Protection Act (hereinafter "BDSG"), which specifies and expands the requirements of the GDPR.

In cases where we decide alone or jointly with others on the purposes and means of data processing, we are particularly obliged to inform you transparently about the nature, scope, purpose, duration, and legal basis of the processing (in accordance with Articles 13 and 14 of the GDPR). With this statement (hereinafter referred to as the "Privacy Policy"), we inform you about how we process your personal data.

This privacy policy is divided into three parts. Part A (General Provisions) informs you about the legal basis of data protection. Part B (Marketing Websites) provides specific information about data protection issues that are relevant when using our marketing websites. Part C (AIRAdoc) provides specific information on data protection issues relevant to the use of the AIRAdoc software provided by us. Appendix 1 provides information on the processors from third countries used for certain processing activities. Appendix 2 provides information on our processors within the EEA

A. General Provisions

1. Definitions

In accordance with Art. 4 GDPR, this privacy policy is based on the following definitions:

"Personenbezogene Daten" (Art. 4 Nr. 1 DSGVO)

Any information relating to an identified or identifiable natural person ("data subject"). A person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that express the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person. Identifiability may also result from linking different pieces of information or through additional knowledge. The form of the information (photos, videos, audio recordings, etc.) is irrelevant.

"Processing" (Art. 4 No. 2 GDPR)

Refers to any operation related to personal data, whether or not carried out by automated means. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction of data, as well as changing the original intended purpose.

"Controller" (Art. 4 No. 7 GDPR)

Refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" (Art. 4 No. 8 GDPR)

Refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, in particular under the controller’s instructions (e.g., IT service providers). In the data protection law context, a processor is not considered a third party.

"Third party" (Art. 4 No. 10 GDPR)

Means a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. This includes other legal entities within the same corporate group.

"Consent" (Art. 4 No. 11 GDPR)

The data subject’s consent means any freely given, specific, informed, and unambiguous indication of their wishes, provided in the form of a statement or another clear affirmative action, by which the data subject indicates that they agree to the processing of personal data relating to them.

"Special categories of personal data" (Art. 9(1) GDPR)

Such data are data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data or biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation. Different laws apply to the processing of such data; these are explained in more detail at the relevant points in this privacy policy with explicit reference to these categories.

2. Information about the controller

We are the controller responsible for processing your personal data within the meaning of Art. 4 No. 7 GDPR:

AIRAdoc GmbH
Am BioPark 13
93053 Regensburg

Management: Prof. Dr. Thomas Bolz

Email: info@airadoc.com

For further information about our company, please refer to the legal notice on our website.

We are the controller responsible for processing your personal data within the meaning of Art. 4 No. 7 GDPR:

AIRAdoc GmbH
Am BioPark 13
93053 Regensburg

Management: Prof. Dr. Thomas Bolz

Email: info@airadoc.com

For further information about our company, please refer to the legal notice on our website.

3. Data Protection Officer

If you have any questions about data protection, our data protection officer is always available to assist you:

Jonathan Bollig

Am BioPark 13

93053 Regensburg

Email: datenschutz@airadoc.com

If you have any questions about data protection, our data protection officer is always available to assist you:

Jonathan Bollig

Am BioPark 13

93053 Regensburg

Email: datenschutz@airadoc.com

If you have any questions about data protection, our data protection officer is available to you at any time:

Jonathan Bollig

Am BioPark 13

93053 Regensburg

Email: datenschutz@airadoc.com

4. Legal bases for data processing

In principle, any processing of personal data is prohibited by law and is only permitted if one of the following legal justifications applies:

Art. 6 para. 1 sentence 1 lit. a GDPR ("Consent"):

The data subject has voluntarily, informedly, and unambiguously given their consent to a specific processing activity.

Art. 6 para. 1 sentence 1 lit. b GDPR:

Processing is necessary for the performance of a contract or for pre-contractual measures.

Art. 6 para. 1 sentence 1 lit. c GDPR:

Processing is necessary for compliance with a legal obligation of the controller.

Art. 6 para. 1 sentence 1 lit. d GDPR:

Processing is necessary to protect vital interests.

Art. 6 para. 1 sentence 1 lit. e GDPR:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate interests"):

Processing is necessary for safeguarding the legitimate interests of the controller or of a third party, unless the interests or fundamental rights of the data subject prevail.

Art. 6 para. 1 sentence 1 lit. a GDPR ("Consent"):

The data subject has voluntarily, informedly, and unambiguously given their consent to a specific processing activity.

Art. 6 para. 1 sentence 1 lit. b GDPR:

Processing is necessary for the performance of a contract or for pre-contractual measures.

Art. 6 para. 1 sentence 1 lit. c GDPR:

Processing is necessary for compliance with a legal obligation of the controller.

Art. 6 para. 1 sentence 1 lit. d GDPR:

Processing is necessary to protect vital interests.

Art. 6 para. 1 sentence 1 lit. e GDPR:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate interests"):

Processing is necessary for safeguarding the legitimate interests of the controller or of a third party, unless the interests or fundamental rights of the data subject prevail.

Art. 6 para. 1 sentence 1 lit. a GDPR ("Consent"):

The data subject has voluntarily, informedly, and unambiguously given their consent to a specific processing activity.

Art. 6 para. 1 sentence 1 lit. b GDPR:

Processing is necessary for the performance of a contract or for pre-contractual measures.

Art. 6 para. 1 sentence 1 lit. c GDPR:

Processing is necessary for compliance with a legal obligation of the controller.

Art. 6 para. 1 sentence 1 lit. d GDPR:

Processing is necessary to protect vital interests.

Art. 6 para. 1 sentence 1 lit. e GDPR:

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate interests"):

Processing is necessary for safeguarding the legitimate interests of the controller or of a third party, unless the interests or fundamental rights of the data subject prevail.

For each of the processing activities we carry out, we specify the applicable legal basis below. Processing may be based on multiple legal bases.

5. Data Deletion and Storage Duration

Unless an explicit storage period is specified, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies. Your data is generally stored on our servers in Germany, subject to disclosure in accordance with the provisions in A.7 and A.8. Storage beyond the purposes and legal bases set out in this privacy policy may be necessary in the event of (threatened) legal disputes or if storage is required by statutory provisions (e.g., Section 257 of the German Commercial Code (HGB), Section 147 of the German Fiscal Code (AO)). In this case, the legal basis for data processing is Article 6(1), sentence 1, lit. f GDPR or Article 6(1), sentence 1, lit. c GDPR, respectively.

6. Data security

We implement appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorized access (e.g., TLS encryption for our website). In accordance with Art. 25(1) GDPR, we take into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons. Our security measures are continuously adapted to technological progress. Further information is available upon request from our Data Protection Officer (A.3), or can be found in the document on our technical and organizational measures on the marketing websites.

7. Cooperation with Data Processors

Like any larger company, we also use external domestic and foreign service providers (e.g., in the areas of IT, logistics, telecommunications, and marketing). They act solely on our instructions and have been contractually obligated, in accordance with Art. 28 GDPR, to comply with data protection regulations.

8. Data transfer to third countries

As part of our business relationships, your personal data may be transferred to third-party companies that may also be located outside the European Economic Area (EEA), i.e., in third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and for maintaining our business relationship. Details of the respective transfer are explained at the relevant points in this statement.

For some third countries, the European Commission certifies a level of data protection comparable to that of the EEA by means of so-called adequacy decisions in accordance with Art. 45 GDPR. A list of these countries and copies of the decisions can be found at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html. In other third countries to which personal data is transferred, there may be no comparable level of data protection. In such cases, we ensure that data protection is adequately guaranteed, for example through binding corporate rules, EU standard contractual clauses, certificates, or recognized codes of conduct. For more information, please contact our Data Protection Officer (A.3).

9. Automated decision-making and profiling

If we carry out automated decision-making, including profiling, we will inform you separately about this as well as about the underlying logic, scope, and intended effects for the data subject.

As a rule, we do not use your personal data for automated decision-making or profiling.

If we carry out automated decision-making, including profiling, we will inform you separately about this as well as about the underlying logic, scope, and intended effects for the data subject.

As a rule, we do not use your personal data for automated decision-making or profiling.

10. No obligation to provide personal data

We do not make the conclusion of contracts dependent on you providing us with personal data in advance. In principle, there is no legal or contractual obligation to provide us with your personal data. However, it may be that we can only provide certain services to a limited extent or not at all if you do not provide the required data.

11. Legal disclosure obligations

Under certain circumstances, we may be subject to statutory or legal obligations to provide lawfully processed personal data to third parties, in particular public authorities (in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR).

12. Your rights

As a data subject, you have the following rights regarding your processed personal data, which you can exercise at any time using the contact details provided under A.2:

Right of access (Art. 15 GDPR):

You may request information about your processed data, the purposes of processing, categories of data, recipients, storage period, your rights, etc.

Right to rectification (Art. 16 GDPR):

You may request the immediate correction of inaccurate data or completion of your data.

Right to erasure (Art. 17 GDPR):

Under certain conditions, you may request the erasure of your data.

Right to restriction of processing (Art. 18 GDPR):

Under certain conditions, you may request the restriction of processing of your data.

Right to data portability (Art. 20 GDPR):

You may request to receive your data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.

Right to object (Art. 21 GDPR):

You may object to the processing of your data insofar as it is based on Art. 6(1) sentence 1 lit. e or f GDPR.

Right to withdraw consent (Art. 7(3) GDPR):

You may withdraw consent that has been given at any time, with the result that processing based on this consent is prohibited for the future. The lawfulness of processing up to the time of withdrawal remains unaffected.

Right to lodge a complaint (Art. 77 GDPR):

You may lodge a complaint with a data protection supervisory authority, e.g., the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, email: poststelle@datenschutz-bayern.de.

Right of access (Art. 15 GDPR):

You may request information about your processed data, the purposes of processing, categories of data, recipients, storage period, your rights, etc.

Right to rectification (Art. 16 GDPR):

You may request the immediate correction of inaccurate data or completion of your data.

Right to erasure (Art. 17 GDPR):

Under certain conditions, you may request the erasure of your data.

Right to restriction of processing (Art. 18 GDPR):

Under certain conditions, you may request the restriction of processing of your data.

Right to data portability (Art. 20 GDPR):

You may request to receive your data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.

Right to object (Art. 21 GDPR):

You may object to the processing of your data insofar as it is based on Art. 6(1) sentence 1 lit. e or f GDPR.

Right to withdraw consent (Art. 7(3) GDPR):

Right to lodge a complaint (Art. 77 GDPR):

Right of access (Art. 15 GDPR):

You may request information about your processed data, the purposes of processing, categories of data, recipients, storage period, your rights, etc.

Right to rectification (Art. 16 GDPR):

You may request the immediate correction of inaccurate data or completion of your data.

Right to erasure (Art. 17 GDPR):

Under certain conditions, you may request the erasure of your data.

Right to restriction of processing (Art. 18 GDPR):

Under certain conditions, you may request the restriction of processing of your data.

Right to data portability (Art. 20 GDPR):

You may request to receive your data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.

Right to object (Art. 21 GDPR):

You may object to the processing of your data insofar as it is based on Art. 6(1) sentence 1 lit. e or f GDPR.

Right to withdraw consent (Art. 7(3) GDPR):

Right to lodge a complaint (Art. 77 GDPR):

13. Cookies

Cookies are small text files that are stored on your device by the browser you use, linked to a specific character string. Through this storage, the entity that sets the cookie receives certain information. Cookies are technically not capable of executing programs or transmitting malware to your device, which is why they do not pose any danger. Their use serves to improve the user-friendliness and efficiency of our online services. Cookies may contain information that enables identification of the device used. Other cookies only store non-personal configuration settings. Direct identification of the user through cookies is not possible.

Cookies are classified according to their storage duration (temporary session cookies vs. permanent cookies) as well as their functionality:

Technical cookies:

These are essential for the navigation and basic functionalities of our website and ensure its security. They neither collect marketing information nor log your browsing history.

Performance cookies:

These collect pseudonymous data about your use of our website, visited subpages, and any malfunctions. They are used exclusively to optimize our offering and analyze user interests.

Advertising and targeting cookies:

These enable the provision of personalized advertising on our website or by third-party providers, as well as the measurement of the success of such offers. The maximum storage period is 13 months.

Interaction cookies:

These improve the communication of our website with external services (for example, social networks). Here too, the maximum storage period is 13 months.

Technical cookies:

These are essential for the navigation and basic functionalities of our website and ensure its security. They neither collect marketing information nor log your browsing history.

Performance cookies:

These collect pseudonymous data about your use of our website, visited subpages, and any malfunctions. They are used exclusively to optimize our offering and analyze user interests.

Advertising and targeting cookies:

These enable the provision of personalized advertising on our website or by third-party providers, as well as the measurement of the success of such offers. The maximum storage period is 13 months.

Interaction cookies:

These improve the communication of our website with external services (for example, social networks). Here too, the maximum storage period is 13 months.

Technical cookies:

These are essential for the navigation and basic functionalities of our website and ensure its security. They neither collect marketing information nor log your browsing history.

Performance cookies:

These collect pseudonymous data about your use of our website, visited subpages, and any malfunctions. They are used exclusively to optimize our offering and analyze user interests.

Advertising and targeting cookies:

These enable the provision of personalized advertising on our website or by third-party providers, as well as the measurement of the success of such offers. The maximum storage period is 13 months.

Interaction cookies:

These improve the communication of our website with external services (for example, social networks). Here too, the maximum storage period is 13 months.

Any cookie use that is not technically strictly necessary constitutes a data processing operation relevant under data protection law, which is permissible only with your explicit and active consent in accordance with Art. 6(1) sentence 1 lit. a GDPR. This applies in particular to advertising, targeting, and interaction cookies. Any transfer of personal data processed through cookies to third parties also takes place only after your explicit consent in accordance with Art. 6(1) sentence 1 lit. a GDPR. You can revoke this consent at any time via our cookie management system.

Rare exceptions are cookies whose use is otherwise justified under Art. 6(1) sentence 1 lit. b–f.

14. Update to the Privacy Policy

In the course of the ongoing development of data protection law, as well as technological or organizational changes, we regularly review our privacy policy to determine whether adjustments are needed. Changes are announced in particular on our website at www.airadoc.de. This privacy policy is current as of September 2025.

As part of the ongoing development of data protection law as well as technological or organizational changes, we regularly review our privacy policy to determine whether adjustments are needed. Changes are announced in particular on our website at www.airadoc.de. This privacy policy is current as of September 2025.

B. Marketing websites

1. Functional description

Information about our company and the services we offer can be found in particular at www.airadoc.com and the associated subpages (hereinafter collectively referred to as "marketing websites"). When you visit our marketing websites, your personal data may be processed.

2. Processed personal data

Insofar as the processing referred to below is based on Art. 6 para. 1 sentence 1 lit. f GDPR, the stated purposes also constitute our legitimate interests.

a. Informatorische Nutzung

When using our marketing websites purely for informational purposes, the following processing of personal data takes place.

LOG DATA

Context and scope:

Each time our marketing websites are accessed, a temporary and pseudonymized log data record (so-called server log files) is stored, containing the following information:

Referrer URL (the page from which the request originated)
Name and URL of the requested page
Date and time of access
Description of the type, language, and version of the browser used
Shortened IP address of the requesting computer (pseudonymized)
Amount of data transferred
Operating system
Access status/HTTP status code
GMT time zone difference

Purpose and legal basis:

The processing of log data serves statistical purposes and the improvement of our website, in particular its stability and security (legal basis: Art. 6(1) sentence 1 lit. f GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Service providers for operating our website and processing the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

The data may be transferred to Hotjar's sub-processors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

When using our marketing websites purely for informational purposes, the following processing of personal data takes place.

LOG DATA

Context and scope:

Each time our marketing websites are accessed, a temporary and pseudonymized log data record (so-called server log files) is stored, containing the following information:

Referrer URL (the page from which the request originated)
Name and URL of the requested page
Date and time of access
Description of the type, language, and version of the browser used
Shortened IP address of the requesting computer (pseudonymized)
Amount of data transferred
Operating system
Access status/HTTP status code
GMT time zone difference

Purpose and legal basis:

The processing of log data serves statistical purposes and the improvement of our website, in particular its stability and security (legal basis: Art. 6(1) sentence 1 lit. f GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Service providers for operating our website and processing the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

The data may be transferred to Hotjar's sub-processors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

When using our marketing websites purely for informational purposes, the following processing of personal data takes place.

LOG DATA

Context and scope:

Each time our marketing websites are accessed, a temporary and pseudonymized log data record (so-called server log files) is stored, containing the following information:

Referrer URL (the page from which the request originated)
Name and URL of the requested page
Date and time of access
Description of the type, language, and version of the browser used
Shortened IP address of the requesting computer (pseudonymized)
Amount of data transferred
Operating system
Access status/HTTP status code
GMT time zone difference

Purpose and legal basis:

The processing of log data serves statistical purposes and the improvement of our website, in particular its stability and security (legal basis: Art. 6(1) sentence 1 lit. f GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Service providers for operating our website and processing the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

The data may be transferred to Hotjar's sub-processors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Kekse

Context and Scope:

Name

_hjSessionUser_

_ga

ga_<property_id >

fs-consent-*

Domain

airadoc.com

Retention period

12 months

13 months

1 month

Kategorie

Service

Performance

Technically necessary

Beschreibung

Associating the user with an ID (Hotjar)

Linking the user to an ID (Google Analytics)

Assigning the user to a Property ID (Google Analytics)

Storage of cookie preferences

Purpose and legal basis:

Data may be transferred, where applicable, to Hotjar’s subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Duration of processing:

A.5 and A.12 apply.

Categories of recipients:

For performance cookies, our processors are used for analytics. For the "_hjSessionUser_" cookie, these are Hotjar and its processors. For the "_ga" and "_ga_<property_id>" cookies, these are Google and its processors. More detailed information and the legal classification of the transfer can be found in Appendix 1.

Transfer to third countries:

The transfer of personal data to third countries takes place for the cookies "_hjSessionUser_", "_ga" and "_ga_<property_id>" to Google (Analytics) and, where applicable, to Hotjar’s subprocessors. More detailed information and the legal classification of the transfer can be found in Annexes 1 and 2. Data may be transferred to Hotjar’s subcontractors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Purpose and legal basis:

Duration of processing:

A.5 and A.12 apply.

Categories of recipients:

Transfer to third countries:

Purpose and legal basis:

Duration of processing:

A.5 and A.12 apply.

Categories of recipients:

Transfer to third countries:

b. Contact

As soon as you use our contact form for a contact request, the following processing of personal data takes place.

Contact form data

Context and scope:

The data may be transferred to Hotjar's subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Purpose and legal basis:

Contact form data is processed for the purpose of handling your inquiries (legal basis: Art. 6 (1) (b) or (f) GDPR). We process all optional (special) personal data provided in your message on the basis of implied consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR.

Duration of processing:

A.5 applies.

Categories of recipients:

Service providers for the operation of our website and the processing of the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

The data may be transferred to Framer's subcontractors for storage. More detailed information and the legal classification of the transfer can be found in Annex 2. In addition, data is transferred to Google (email communication) and its processors. More detailed information and the legal classification of the transfer can be found in Annex 1.

As soon as you use our contact form for a contact request, the following processing of personal data takes place.

Contact form data

Context and scope:

The data may be transferred to Hotjar's subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Purpose and legal basis:

Duration of processing:

A.5 applies.

Categories of recipients:

Service providers for the operation of our website and the processing of the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

As soon as you use our contact form for a contact request, the following processing of personal data takes place.

Contact form data

Context and scope:

The data may be transferred to Hotjar's subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Purpose and legal basis:

Duration of processing:

A.5 applies.

Categories of recipients:

Service providers for the operation of our website and the processing of the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

3. Concluding Remarks

a. Use of social media

We do not implement any direct social media plugins on our websites. If symbols of social media platforms (such as Facebook, Instagram, or similar services) appear on our web presence, they function solely as passive links to the respective providers’ pages.

C. AIRAdoc

1. Functional description

Our AIRAdoc software includes AI-powered features designed to improve everyday professional life as a physician. Please refer to the currently applicable General Terms and Conditions for the specific scope of functions, which is also determined by the configuration you choose.

2. Processed personal data

To the extent that the processing described below is based on Art. 6(1) sentence 1 lit. f GDPR, the stated purposes also constitute our legitimate interests. No special categories of personal data are processed. In anonymized form, usage data may be aggregated and used for marketing purposes.

a. Basic usage

Any use of AIRAdoc involves the following processing of personal data.

Log data

Context and scope:

Each time AIRAdoc is accessed, a temporary and anonymized log data record (so-called server log files) is stored, which contains the following information:

Referrer URL (the page from which the request originated)
Name and URL of the requested page
Date and time of access
Description of the type, language, and version of the browser used
Shortened IP address of the requesting computer (anonymized)
Amount of data transferred
Operating system
Access status/HTTP status code
GMT time zone difference

Purpose and legal basis:

The processing of log data serves statistical purposes and the improvement of our website, in particular its stability and security (legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR).

Duration of processing

A.5 applies.

Categories of recipients:

Service providers for operating our website and processing the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

None.

Any use of AIRAdoc involves the following processing of personal data.

Log data

Context and scope:

Each time AIRAdoc is accessed, a temporary and anonymized log data record (so-called server log files) is stored, which contains the following information:

Referrer URL (the page from which the request originated)
Name and URL of the requested page
Date and time of access
Description of the type, language, and version of the browser used
Shortened IP address of the requesting computer (anonymized)
Amount of data transferred
Operating system
Access status/HTTP status code
GMT time zone difference

Purpose and legal basis:

The processing of log data serves statistical purposes and the improvement of our website, in particular its stability and security (legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR).

Duration of processing

A.5 applies.

Categories of recipients:

Service providers for operating our website and processing the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

None.

Any use of AIRAdoc involves the following processing of personal data.

Log data

Context and scope:

Each time AIRAdoc is accessed, a temporary and anonymized log data record (so-called server log files) is stored, which contains the following information:

Referrer URL (the page from which the request originated)
Name and URL of the requested page
Date and time of access
Description of the type, language, and version of the browser used
Shortened IP address of the requesting computer (anonymized)
Amount of data transferred
Operating system
Access status/HTTP status code
GMT time zone difference

Purpose and legal basis:

The processing of log data serves statistical purposes and the improvement of our website, in particular its stability and security (legal basis: Art. 6 para. 1 sentence 1 lit. f GDPR).

Duration of processing

A.5 applies.

Categories of recipients:

Service providers for operating our website and processing the stored data (e.g., data centers, IT security). In addition, A.11 applies.

Transfer to third countries:

None.

Kekse

Context and scope:

Name

i18next

Domain

airadoc.com

Retention period

Session

Description

Storage of language preferences

Purpose and legal basis:

Data may be transferred to Hotjar’s subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Duration of processing:

A.5 and A.12 apply.

Categories of recipients:

Processors for hosting.

Transfer to third countries:

None.

Purpose and legal basis:

Data may be transferred to Hotjar’s subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Duration of processing:

A.5 and A.12 apply.

Categories of recipients:

Processors for hosting.

Transfer to third countries:

None.

Purpose and legal basis:

Data may be transferred to Hotjar’s subprocessors for analysis purposes and to Framer for hosting. More detailed information and the legal classification of the transfer can be found in Annex 2.

Duration of processing:

A.5 and A.12 apply.

Categories of recipients:

Processors for hosting.

Transfer to third countries:

None.

b. Management of accounts and settings

User profile and user settings

Context and scope:

We request some basic information in order to create and manage your user account. This includes:

First and last name
Email
Specialty
Language
Closing formula for physician letters

Purpose and legal basis:

This data is processed to register users and fulfill product functions (legal basis: Art. 6 para. 1 lit. b GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Marketing and product information

Context and scope:

We require some personal data from you in order to send you product information such as usage instructions and tutorials, as well as for advertising purposes. This includes:

First and last name
Email
Field of study
Language setting

Purpose and legal basis:

This data is processed for advertising purposes and to send optional product information, and is based on your explicit consent during the registration process (legal basis: Art. 6 (1) (a) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Payment Process

Context and scope:

We require your payment information for payment processing.

Purpose and legal basis:

This data is processed exclusively for payment processing (legal basis: Art. 6 para. 1 lit. b GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for AIRAdoc payment processing. In addition, A.11 applies.

Transfer to third countries:

Transfers to third countries are carried out exclusively in connection with transfers to the payment service provider Stripe and its payment service providers for payment processing. More detailed information and the legal classification of the transfer can be found in Annex 1.

Organizations

Context and scope:

In order to map organizational structures within AIRAdoc, we process the affiliation of various users to an organization and the identification of users as administrators of this organization.

Purpose and legal basis:

This data is processed to fulfill product functions (legal basis: Art. 6 (1) (b) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Context and scope:

We request some basic information in order to create and manage your user account. This includes:

First and last name
Email
Specialty
Language
Closing formula for physician letters

Purpose and legal basis:

This data is processed to register users and fulfill product functions (legal basis: Art. 6 para. 1 lit. b GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Marketing and product information

Context and scope:

We require some personal data from you in order to send you product information such as usage instructions and tutorials, as well as for advertising purposes. This includes:

First and last name
Email
Field of study
Language setting

Purpose and legal basis:

This data is processed for advertising purposes and to send optional product information, and is based on your explicit consent during the registration process (legal basis: Art. 6 (1) (a) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Payment Process

Context and scope:

We require your payment information for payment processing.

Purpose and legal basis:

This data is processed exclusively for payment processing (legal basis: Art. 6 para. 1 lit. b GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for AIRAdoc payment processing. In addition, A.11 applies.

Transfer to third countries:

Organizations

Context and scope:

In order to map organizational structures within AIRAdoc, we process the affiliation of various users to an organization and the identification of users as administrators of this organization.

Purpose and legal basis:

This data is processed to fulfill product functions (legal basis: Art. 6 (1) (b) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Context and scope:

We request some basic information in order to create and manage your user account. This includes:

First and last name
Email
Specialty
Language
Closing formula for physician letters

Purpose and legal basis:

This data is processed to register users and fulfill product functions (legal basis: Art. 6 para. 1 lit. b GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Marketing and product information

Context and scope:

We require some personal data from you in order to send you product information such as usage instructions and tutorials, as well as for advertising purposes. This includes:

First and last name
Email
Field of study
Language setting

Purpose and legal basis:

This data is processed for advertising purposes and to send optional product information, and is based on your explicit consent during the registration process (legal basis: Art. 6 (1) (a) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Payment Process

Context and scope:

We require your payment information for payment processing.

Purpose and legal basis:

This data is processed exclusively for payment processing (legal basis: Art. 6 para. 1 lit. b GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for AIRAdoc payment processing. In addition, A.11 applies.

Transfer to third countries:

Organizations

Context and scope:

In order to map organizational structures within AIRAdoc, we process the affiliation of various users to an organization and the identification of users as administrators of this organization.

Purpose and legal basis:

This data is processed to fulfill product functions (legal basis: Art. 6 (1) (b) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

c. Use of the software functions

Feedback feature

Context and scope:

You have the option to voluntarily evaluate the quality of the documentation provided. This includes a simple selection (positive or negative) and the option to enter text.

Purpose and legal basis:

This data is processed to improve our product (legal basis: Art. 6 (1) (f) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Creation and use of audio recordings, documents, and templates

Context and scope:

As part of the intended use of AIRAdoc, the user regularly shares personal data that is absolutely necessary to fulfill the product functions. This includes, among other things:

Audio recordings
Documents
Creating, retrieving, and sharing templates
Information about the use of and access to documents and templates

This may apply at both the user and organization level.

Purpose and legal basis:

This data is processed to fulfill the product functions (legal basis: Art. 6 (1) (b) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Use of the PV module

Context and scope:

As part of the intended use of the AIRAdoc PV module, the user regularly shares personal data. This includes, among other things:

Information about usage
Saving and commenting on references
Creating search queries and chat histories

Purpose and legal basis:

This data is processed to fulfill the product functions of the PV module (legal basis: Art. 6 (1) (b) GDPR) and for certification and security checks for the cooperation partner Prof. Valmed® - zertifizierte medizinische Informationen GmbH (legal basis: Art. 6 (1) (f) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc and the cooperation partner Prof. Valmed® - zertifizierte medizinische Informationen GmbH. In addition, A.11 applies.

Transfer to third countries:

For transfers to third countries by our cooperation partner Prof. Valmed® - zertifizierte medizinische Informationen GmbH, see Annex 3. More detailed information and the legal classification of the transfer can be found in Annex 1.

Joint responsibility

Within the scope of the "PV" module, there is joint responsibility between us and Prof. Valmed® - zertifizierte medizinische Informationen GmbH. For further information, see Annex 3.

Context and scope:

You have the option to voluntarily evaluate the quality of the documentation provided. This includes a simple selection (positive or negative) and the option to enter text.

Purpose and legal basis:

This data is processed to improve our product (legal basis: Art. 6 (1) (f) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Creation and use of audio recordings, documents, and templates

Context and scope:

As part of the intended use of AIRAdoc, the user regularly shares personal data that is absolutely necessary to fulfill the product functions. This includes, among other things:

Audio recordings
Documents
Creating, retrieving, and sharing templates
Information about the use of and access to documents and templates

This may apply at both the user and organization level.

Purpose and legal basis:

This data is processed to fulfill the product functions (legal basis: Art. 6 (1) (b) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Use of the PV module

Context and scope:

As part of the intended use of the AIRAdoc PV module, the user regularly shares personal data. This includes, among other things:

Information about usage
Saving and commenting on references
Creating search queries and chat histories

Purpose and legal basis:

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc and the cooperation partner Prof. Valmed® - zertifizierte medizinische Informationen GmbH. In addition, A.11 applies.

Transfer to third countries:

Joint responsibility

Within the scope of the "PV" module, there is joint responsibility between us and Prof. Valmed® - zertifizierte medizinische Informationen GmbH. For further information, see Annex 3.

Context and scope:

You have the option to voluntarily evaluate the quality of the documentation provided. This includes a simple selection (positive or negative) and the option to enter text.

Purpose and legal basis:

This data is processed to improve our product (legal basis: Art. 6 (1) (f) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Creation and use of audio recordings, documents, and templates

Context and scope:

As part of the intended use of AIRAdoc, the user regularly shares personal data that is absolutely necessary to fulfill the product functions. This includes, among other things:

Audio recordings
Documents
Creating, retrieving, and sharing templates
Information about the use of and access to documents and templates

This may apply at both the user and organization level.

Purpose and legal basis:

This data is processed to fulfill the product functions (legal basis: Art. 6 (1) (b) GDPR).

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Use of the PV module

Context and scope:

As part of the intended use of the AIRAdoc PV module, the user regularly shares personal data. This includes, among other things:

Information about usage
Saving and commenting on references
Creating search queries and chat histories

Purpose and legal basis:

Duration of processing:

A.5 applies.

Categories of recipients:

Processors for hosting AIRAdoc and the cooperation partner Prof. Valmed® - zertifizierte medizinische Informationen GmbH. In addition, A.11 applies.

Transfer to third countries:

Joint responsibility

Within the scope of the "PV" module, there is joint responsibility between us and Prof. Valmed® - zertifizierte medizinische Informationen GmbH. For further information, see Annex 3.

d. Data processing for certification and security audits

Context and scope:

The certification of AIRAdoc in accordance with the Medical Device Regulation (EU) 2017/745 requires the processing of your personal data. The data processed are:

Purpose and legal basis:

These data are processed for the certification of AIRAdoc and thus for its clinical applicability (legal basis: Art. 6(1)(f) GDPR).

Duration of processing:

Legally prescribed processing times for certification.

Categories of recipients:

Processors for the hosting of AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Context and scope:

The certification of AIRAdoc in accordance with the Medical Device Regulation (EU) 2017/745 requires the processing of your personal data. The data processed are:

Purpose and legal basis:

These data are processed for the certification of AIRAdoc and thus for its clinical applicability (legal basis: Art. 6(1)(f) GDPR).

Duration of processing:

Legally prescribed processing times for certification.

Categories of recipients:

Processors for the hosting of AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Context and scope:

The certification of AIRAdoc in accordance with the Medical Device Regulation (EU) 2017/745 requires the processing of your personal data. The data processed are:

Purpose and legal basis:

These data are processed for the certification of AIRAdoc and thus for its clinical applicability (legal basis: Art. 6(1)(f) GDPR).

Duration of processing:

Legally prescribed processing times for certification.

Categories of recipients:

Processors for the hosting of AIRAdoc. In addition, A.11 applies.

Transfer to third countries:

None.

Appendix 1 – Overview of processors outside the EEA

Below you will find a list of all processors outside the EEA, their location, and the legal basis for the transfer of personal data to this processor. If the legal basis for a processor is an adequacy decision, you will find it at

http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html.

The list also includes all processors whose services are used by the processors. Corresponding cross-references can be found in the entries for the individual processors.

http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html.

The list also includes all processors whose services are used by the processors. Corresponding cross-references can be found in the entries for the individual processors.

http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html.

The list also includes all processors whose services are used by the processors. Corresponding cross-references can be found in the entries for the individual processors.

Company name: Google LLC
Company headquarters: Mountain View, California, USA
Processing activities used: Email delivery
Legal basis: Certification in accordance with Art. 45 (1) GDPR within the framework of the Data Privacy Framework. For more information on certification, see Data Privacy Framework.

Company name: Google LLC
Company headquarters: Mountain View, California, USA
Processing activities used: Email delivery
Legal basis: Certification in accordance with Art. 45 (1) GDPR within the framework of the Data Privacy Framework. For more information on certification, see Data Privacy Framework.

Name of the company: Stripe, Inc.
Company headquarters: South San Francisco, California, USA and Dublin, Ireland
Processing activities used: Payment processing
Legal basis: Certification pursuant to Article 45(1) GDPR within the framework of the Data Privacy Framework. For more information on certification, see Data Privacy Framework.

Name of the company: Stripe, Inc.
Company headquarters: South San Francisco, California, USA and Dublin, Ireland
Processing activities used: Payment processing
Legal basis: Certification pursuant to Article 45(1) GDPR within the framework of the Data Privacy Framework. For more information on certification, see Data Privacy Framework.

Appendix 2 – Overview of processors within the EEA

Below you will find a list of all processors within the EEA. These processors may use subprocessors in third countries. In such cases, this is contractually safeguarded in accordance with Article 28 GDPR.