Privacy Policy

Information on data protection

With this data protection information, we inform you about our handling of your personal data and about your rights under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Vayamed GmbH (hereinafter referred to as "we" or "us") is responsible for data processing.

Contents

  1. I General information
    1. contact
    2. legal basis
    3. duration of storage
    4. categories of recipients of the data
    5. data transfer to third countries
    6. processing in the exercise of your rights
    7. your rights
    8. right to object
    9. data protection officer
  2. II Data processing on our website
    1. processing of server log files
    2. contact options and enquiries
    3. chat via Intercom
    4. newsletter
    5. cookies
    6. consent management tool
    7. google tag manager
    8. google analytics
    9. external media and third-party services
      1. Google Maps
      2. Google reCAPTCHA
      3. Cloudflare
      4. YouTube
      5. Vimeo
  3. III Data processing on our social media pages
    1. visit to a social media page
      1. Facebook and Instagram
      2. LinkedIn
    2. comments and direct messages
  4. Further data processing
    1. contact by e-mail
    2. data processing when using WhatsApp

I. General information

How to contact us

If you have any questions or suggestions regarding this information or would like to contact us to assert your rights, please send your enquiry to

Vayamed GmbH
Jägerstr. 28-31

10117 Berlin, Germany

E-mail: info@vayamed.com

Phone: +49 (0)30 6794 7944

Legal basis

The data protection term "personal data" refers to all information relating to an identified or identifiable person. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. We only process data on the basis of legal authorisation. We only process personal data with your consent (Section 25 (1) TTDSG or Art. 6 (1) (a) GDPR), for the fulfilment of a contract to which you are a party or at your request for the implementation of pre-contractual measures (Art. 6 (1) (b) GDPR), for the fulfilment of a legal obligation (Art. 6(1)(c) GDPR) or if processing is necessary for the purposes of our legitimate interests or the legitimate interests of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6(1)(f) GDPR).

If you apply for a vacant position in our company, we will also process your personal data to decide on the establishment of an employment relationship (Section 26 (1) sentence 1 BDSG).

Duration of storage

Unless otherwise stated in the following information, we only store the data for as long as is necessary to achieve the purpose of processing or to fulfil our contractual or legal obligations. Such statutory retention obligations may arise in particular from commercial or tax law regulations. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting data for ten years and retain personal data contained in commercial letters and contracts for six years. In addition, we will retain data in connection with consents requiring proof and with complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to processing for this purpose.

Categories of recipients of the data

We use processors in the context of processing your data. The processing operations carried out by such processors include, for example, hosting, e-mail dispatch, maintenance and support of IT systems, accounting and billing, marketing measures or file and data carrier destruction. A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. Processors do not use the data for their own purposes, but carry out the data processing exclusively for the controller and are contractually obliged to guarantee suitable technical and organisational measures for data protection. We may also transfer your personal data to organisations such as postal and delivery services, your bank, tax consultants/auditors or the tax authorities. Further recipients may result from the following information.

Data transfer to third countries

Our data processing may involve the transfer of certain personal data to third countries, i.e. countries in which the GDPR is not applicable law. Such a transfer is permitted if the European Commission has determined that an adequate level of data protection is required in such a third country. If such an adequacy decision by the European Commission does not exist, personal data will only be transferred to a third country if suitable guarantees pursuant to Art. 46 GDPR are in place or if one of the requirements of Art. 49 GDPR is met.

Unless otherwise stated below, we use the EU standard data protection clauses as suitable guarantees for the transfer of personal data to third countries. You have the option of obtaining or viewing a copy of these EU standard data protection clauses. Please contact us at the address given under Contact.

If you consent to the transfer of personal data to third countries, the transfer takes place on the legal basis of Art. 49 para. 1 letter a GDPR.

Processing when exercising your rights

If you exercise your rights in accordance with Art. 15 to 22 GDPR, we process the personal data transmitted for the purpose of implementing these rights by us and to be able to provide proof of this. We will only process data stored for the purpose of providing and preparing information for this purpose and for the purposes of data protection monitoring and will otherwise restrict processing in accordance with Art. 18 GDPR.

This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR in conjunction with. Art. 15 to 22 GDPR and § 34 para. 2 BDSG.

Your rights

As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:

In accordance with Art. 15 GDPR and Section 34 BDSG, you have the right to request information as to whether or not we process personal data relating to you and, if so, to what extent.

You have the right to request that we rectify your data in accordance with Art. 16 GDPR.

You have the right to demand that we erase your personal data in accordance with Art. 17 GDPR and Section 35 BDSG.

You have the right to have the processing of your personal data restricted in accordance with Art. 18 GDPR.

In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller.

If you have given us separate consent to data processing, you can revoke this consent at any time in accordance with Art. 7 para. 3 GDPR. Such a revocation does not affect the legality of the processing that was carried out on the basis of the consent until the revocation.

If you are of the opinion that the processing of your personal data violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

Right to object

In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Art. 6 (1) (e) or (f) GDPR on grounds relating to your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 (2) and (3) GDPR.

Data protection officer

You can reach our data protection officer at the following contact details

Email: dsb@vayamed.com

Herting Oberbeck Datenschutz GmbH

Hallerstr. 76, 20146 Hamburg

II Data processing on our website

When you use the website, we collect information that you provide yourself. We also automatically collect certain information about your use of the website during your visit. Under data protection law, the IP address is also considered personal data. An IP address is assigned to every device connected to the Internet by the Internet provider so that it can send and receive data.

Processing of server log files

When using our website for purely informational purposes, general information that your browser transmits to our server is initially stored automatically (i.e. not via registration). By default, this includes: browser type/version, operating system used, page accessed, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code.

The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 para. 1 letter f GDPR. This processing serves the technical administration and security of the website. The stored data will be deleted after 12 months unless there is a justified suspicion of unlawful use based on concrete evidence and further examination and processing of the information is necessary for this reason. We are not in a position to identify you as a data subject on the basis of the stored information. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 para. 2 GDPR unless you provide additional information that enables your identification in order to exercise your rights set out in these articles.

Contact options and enquiries

Our website contains contact forms and a chat function that you can use to send us messages. The transfer of your data is encrypted (recognisable by the "https" in the address line of the browser). All data fields marked as mandatory are required to process your request. If you do not provide this data, we will not be able to process your request. The provision of further data is voluntary. Alternatively, you can also send us a message via the contact e-mail. We process the data for the purpose of answering your enquiry.

If your enquiry relates to the conclusion or performance of a contract with us, Art. 6 para. 1 letter b GDPR is the legal basis for data processing. Otherwise, we process the data on the basis of our legitimate interest in contacting enquiring persons. The legal basis for data processing is then Art. 6 para. 1 letter f GDPR.

Chat via Intercom

We have integrated a chat function into our website, which is provided by the provider Intercom R&D Unlimited Company ("Intercom" - Ireland/EU). To integrate the chat function, the IP address used must be transmitted to Intercom. Messages and data transmitted when using the chat function are processed by Intercom on our behalf.

The chat function is only integrated with your consent. The legal basis for the processing of personal data in the context of the integration of the chat function is Art. 6 para. 1 lit. a GDPR.

Further information on data protection at Intercom can be found at https://www.intercom.com/de/legal/privacy

Newsletter

We offer the option of subscribing to our newsletter on our website. After registration, we will inform you regularly about the latest news on our offers. A valid e-mail address is required to register for the newsletter. To verify your e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address and your name on the basis of the consent you have given. The processing is based on the legal basis of Art. 6 para. 1 letter a GDPR. You can revoke your consent at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations that have already taken place remains unaffected by the cancellation.

When you register for the newsletter, we also store your IP address and the date and time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 letter c in conjunction with Art. 7 para. 1 GDPR).

We also analyse the reading behaviour and opening rates of our newsletter. We evaluate the data generated when our emails are delivered and retrieved in aggregated and anonymised form (delivery rate, opening rate, click rates, unsubscribe rate, bounce rate, visits, completions) in order to measure the use and success of the emails. The legal basis for the analysis of our newsletter is Art. 6 para. 1 letter f GDPR and the processing serves our legitimate interest in optimising our newsletter. You can object to this at any time by contacting one of the above-mentioned contact channels.

On the other hand, we also evaluate the data generated when you access and use these emails (time of opening, hyperlinks clicked on, documents downloaded) as well as transaction data on downstream websites in connection with your email address in order to provide you with personalised information on this basis in the future, which takes your interests and needs into account in the best possible way. We use the anonymous and personal data collected to provide you with personalised content and individualised information in our advertising emails and downstream websites. The legal basis for data processing in the context of e-mails is Art. 6 para. 1 letter a GDPR. You can revoke your consent at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the above-mentioned channels.

We use the Klaviyo service from Klaviyo, Inc. (USA) to manage subscriptions, send the newsletter and analyse it. Your e-mail address is therefore transmitted by us to the service provider. If you do not want your data to be processed by this service provider, you should not subscribe to the newsletter or unsubscribe from it.

Please note the information in the section "Data transfer to third countries".

Cookies

We use cookies and similar technologies ("cookies") on our website. Cookies are small data records that are stored by your browser when you visit a website. This identifies the browser used and can be recognised by web servers. You have full control over the use of cookies through your browser. You can delete cookies at any time in the security settings of your browser. You can object to the use of cookies through your browser settings in principle or for certain cases.

The use of cookies is in part technically necessary for the operation of our website and is therefore permitted without the user's consent. We may also use cookies to offer special functions and content and for analysis and marketing purposes. These may also include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with Section 25 (1) TTDSG and, if applicable, Art. 6 (1) (a) GDPR. Information on the purposes, providers, technologies used, stored data and the storage duration of individual cookies can be found in the cookie settings of our Consent Management Tool.

Consent management tool

This website uses the consent management tool Usercentrics from the provider Usercentrics GmbH (Germany/EU) to control cookies and the processing of personal data.

The consent banner enables users of our website to give their consent to certain data processing operations or to withdraw their consent. By confirming the "I accept" button or by saving individual cookie settings, you consent to the use of the associated cookies.

The legal basis under data protection law is your consent within the meaning of Art. 6 para. 1 letter a GDPR.

The banner also helps us to provide evidence of the declaration of consent. For this purpose, we process information about the declaration of consent and other log data relating to this declaration. Cookies are also used to collect this data. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 letter c in conjunction with Art. 7 para. 1 GDPR).

You can revoke your consent for cookies here: (…)

Google Tag Manager

We use the Google Tag Manager of the provider Google Ireland Limited (Ireland, EU) on our website. Google Tag Manager is used to manage our website tags via an interface. The Google Tag Manager is a cookie-free domain to which the IP address is transmitted for technical reasons. The Google Tag Manager merely triggers other tags, which in turn may collect data without accessing this data themselves. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

We only use Google Tag Manager with your consent. The legal basis for the transmission of the IP address is Article 6(1)(a) GDPR. The purpose of Google Tag Manager is to manage our website services and trigger other tags.

Further information on data processing can be found at: https://support.google.com/tagmanager/answer/7157428

Google Analytics

We use the Google Analytics service provided by Google Ireland Limited (Google Ireland/EU) on our website.

Google Analytics is a web analysis service that enables us to collect and analyse data about the behaviour of visitors to our website. Google Analytics uses cookies for this purpose, which enable us to analyse the use of our website. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about interaction with our website.

Some of this data is information that is stored on the device you are using. In addition, further information is also stored on your device via the cookies used. Such storage of information by Google Analytics or access to information that is already stored on your device only takes place with your consent.

Google Ireland will process the data collected in this way on our behalf in order to analyse the use of our website by users, to compile reports on the activities within our website and to provide us with further services associated with the use of our website and the use of the Internet. Pseudonymised user profiles can be created from the processed data.

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Article 6(1)(a) GDPR. You can revoke this consent at any time via our Consent Management Tool with effect for the future.

The personal data processed on our behalf for the provision of Google Analytics may be transferred to any country in which Google Ireland or Google Ireland's sub-processors maintain facilities. Please refer to the information in the section "Data transfer to third countries".

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is truncated by Google Ireland within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. The IP address transmitted by the user's browser is not merged with other data. Further information on the use of data for advertising purposes can be found in Google's privacy policy at: www.google.com/policies/technologies/ads/.

We use the Google Universal Analytics variant. This enables us to assign interaction data from different devices and from different sessions to a unique user ID. This allows us to contextualise individual user actions and analyse long-term relationships.

The data on user actions is stored for a period of 14 months and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.

We also use the Google Analytics 4 variant, which allows us to track interaction data from different devices and different sessions. This allows us to contextualise individual user actions and analyse long-term relationships.

The data on user actions is stored for a period of 14 months and then automatically deleted. All other event data is stored for 2 months and then automatically deleted. Data whose retention period has expired is automatically deleted once a month.

External media and third-party services

Google Maps

We use Google Maps from Google Ireland Limited (Ireland, EU) on our website to display maps and for virtual tours. For such integration, it is technically necessary to process your IP address so that the content can be sent to your browser. Your IP address is therefore transmitted to Google and Google may set its own cookies.

Your data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.

When using the service, a transfer of your data to the USA cannot be ruled out. Please also note the information in the section "Data transfer to third countries". Further information on data protection at Google can be found in Google's privacy policy at https://www.google.com/policies/privacy

Google reCAPTCHA

We use the Google reCAPTCHA service (hereinafter referred to as "reCAPTCHA") from the provider Google Ireland Limited (Google Ireland/EU).

The purpose of reCAPTCHA is to check whether the data input on this website (e.g. in a contact form) is made by a human or by an automated programme. For this purpose, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. The reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.

To analyse this, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). In this way, automated access attempts and attacks can be recognised and warded off. We are legally obliged to take appropriate technical and economic measures to ensure the security of the portal.

We are legally obliged to take appropriate technical and economic measures to ensure the security of the portal.

Your data is processed on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with. Art. 32 GDPR and § 19 para. 4 TTDSG.

For more information about Google reCAPTCHA, please refer to the Google Privacy Policy and the Google Terms of Service at the following links: https://policies.google.com/privacy?hl=de and https://policies.google.com/terms?hl=de.

YouTube

We use the YouTube service of Google Ireland Limited (Ireland, EU) on our website to integrate videos. For such integration, it is technically necessary to process your IP address so that the content can be sent to your browser. Your IP address is therefore transmitted to Google and Google may set its own cookies. We use YouTube in "extended data protection mode" so that YouTube does not set any cookies to analyse user behaviour.

Your data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. Your consent is managed via our Consent Management and can be revoked at any time.

Vimeo

We use the Vimeo service of Vimeo, Inc (USA) on our website to integrate videos. For such integration, it is technically necessary to process your IP address so that the content can be sent to your browser. Your IP address is therefore transmitted to Vimeo and Vimeo may set its own cookies.

Your data is processed on the basis of Art. 6 para. 1 letter f GDPR and is based on our legitimate interest in the optimisation and economic operation of our website.

When using the service, a transfer of your data to the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries". Further information on data protection at Vimeo can be found in Vimeo's privacy policy at https://vimeo.com/privacy.

III Data processing on our social media pages

We are represented on several social media platforms with a company page. In this way, we would like to offer further opportunities for information about our company and for dialogue. Our company has company pages on the following social media platforms

  • Facebook
  • Instagram
  • LinkedIn

When you visit or interact with a profile on a social media platform, personal data about you may be processed. The information associated with a social media profile used also regularly constitutes personal data. This also includes messages and statements made using the profile. In addition, certain information is often automatically collected during your visit to a social media profile, which may also constitute personal data.

Visiting a social media page

Facebook and Instagram

When you visit our Facebook or Instagram page, which we use to present our company or individual products from our range, certain information about you is processed. The sole controller for this processing of personal data is Meta Platforms Ireland Limited (Ireland, EU - "Meta"). For more information about Meta's processing of personal data, please visit https://www.facebook.com/privacy/explanation. Meta offers the option of objecting to certain data processing; information and opt-out options can be found at https://www.facebook.com/settings?tab=ads.

Meta provides us with anonymised statistics and insights for our Facebook and Instagram pages, which help us to gain knowledge about the types of actions people take on our site (so-called "page insights"). These Page Insights are created on the basis of certain information about people who have visited our page. This processing of personal data is carried out by Meta and us as joint controllers. The processing serves our legitimate interest in analysing the types of actions taken on our site and improving our site based on these findings. The legal basis for this processing is Article 6(1)(f) GDPR.

We cannot assign the information obtained via Page Insights to individual user profiles that interact with our Facebook and Instagram pages. We have entered into a joint controllership agreement with Meta, which sets out the allocation of data protection obligations between us and Meta. Details of the processing of personal data for the creation of Page Insights and the agreement concluded between us and Meta can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. With regard to this data processing, you have the option of asserting your data subject rights (see "Your rights") against Meta. Further information on this can be found in Meta's privacy policy at https://www.facebook.com/privacy/explanation.

Please note that, in accordance with Meta's privacy policy, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

LinkedIn

LinkedIn Ireland Unlimited Company (Ireland, EU - "LinkedIn") is the sole controller for the processing of personal data when you visit our LinkedIn page. Further information on the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

When you visit our LinkedIn company page, follow this page or engage with the page, LinkedIn processes personal data to provide us with statistics and insights in anonymised form. This gives us insights into the types of actions that people take on our site (so-called page insights). In particular, LinkedIn processes data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. With the Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to the summarised Page Insights. It is also not possible for us to draw conclusions about individual members from the information in the Page Insights. This processing of personal data in the context of Page Insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest in analysing the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Article 6(1)(f) GDPR.

We have entered into an agreement with LinkedIn on processing as joint controllers, which sets out the distribution of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. The following applies:

LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn online via the following link (https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or reach LinkedIn via the contact details in the privacy policy. You can contact the Data Protection Officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also contact us using the contact details provided to exercise your rights in connection with the processing of personal data in the context of Page Insights. In such a case, we will forward your request to LinkedIn.

LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority overseeing the processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority.

Please note that according to the LinkedIn Privacy Policy, personal data is also processed by LinkedIn in the USA or other third countries. LinkedIn only transfers personal data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

Comments and direct messages

We also process information that you have made available to us via our company page on the respective social media platform. Such information may include the username used, contact details or a message to us. This processing is carried out by us as the sole controller. We process this data on the basis of our legitimate interest in contacting enquiring persons. The legal basis for data processing is Article 6(1)(f) GDPR. Further data processing may take place if you have given your consent (Art. 6 para. 1 letter a GDPR) or if this is necessary to fulfil a legal obligation (Art. 6 para. 1 letter c GDPR).

IV. Further data processing

Contacting us by email

If you send us a message via the contact email provided, we will process the data transmitted for the purpose of responding to your enquiry. We process this data on the basis of our legitimate interest in contacting enquirers.

The legal basis for data processing is Art. 6 para. 1 letter f GDPR.

Data processing when using WhatsApp

You can contact us via the WhatsApp Business service of WhatsApp Ireland Limited (Ireland, EU) to place an order. In this case, we process the telephone number you use and the other information you provide in order to fulfil your order or answer your questions.

Your data is processed on the basis of Article 6(1)(a) GDPR.

When using the service, a transfer of your data to the USA cannot be ruled out. Please note the information in the section "Data transfer to third countries". Further information on data protection at WhatsApp can be found in the data processing conditions of WhatsApp https://www.whatsapp.com/legal/business-data-processing-terms

Version: 1.0, January 2023

© 2023 Vayamed GmbH. All rights reserved