Privacy policy

§ 1 Information on the collection of personal data and provider identification

In the following, we provide information about the collection of personal data when using this website. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behavior.

The controller pursuant to Art. 4 No. 7 of the EU General Data Protection Regulation (GDPR) is Avimed Ltd Themistokli Dervi, 41 HAWAII NICOSIA TOWER, 8th floor 1066, Nicosia, Cyprus, kontakt@cannazen.de (see our legal notice). Our data protection officer is Ms. Nicole Motiee Tehrani, attorney at law, dsb@ap-datenschutz.de.

Data types

For settlement:
– Personal details
– Address data
– Payment information
– Contract data

For account use:
– User name/e-mail address
– Password

In-App (Security & Technical N.):
– IP address
– Date and time of the request
– Time zone difference to Greenwich Mean Time (GMT)
– Content of the request (specific website)
– Access status/HTTP status code
– Amount of data transferred in each case
– Website from which the request comes
– Browser
– Operating system and its interface
– Language and version of the browser software

Forwarding of data:
– Cooperation doctor
– Cooperation mail order pharmacy

Tracking:
– Google Analytics

Advertising:
– Only within the legal framework for updates and similar products by e-mail

If we use contracted service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail below about the respective processes. We will also state the specified criteria for the storage period.

§ 2 Rights, in particular to information and revocation

You have the following rights vis-à-vis us with regard to your personal data:
– Right to information,
– Right to rectification or erasure,
– Right to restriction of processing,
– Right to object to the processing,
– Right to data portability.

If you have given your consent to the use of data, you can withdraw this at any time. If the lawfulness of the processing is based on consent, this remains valid until the revocation is exercised.

Please send all requests for information or objections to data processing by e-mail to kontakt@cannazen.de or to the address stated under § 1 para. 2.

You can ask us to delete your data at any time. There may be statutory retention periods that allow us to keep your data until the deadline expires.

If your data is incorrect, you have the right to ask us to correct it. We will comply with this request without delay.

You have the right to receive the personal data you have provided to us in a readable format, where technically feasible, in order to make it available to another company (right to data portability).

You have the right to lodge a complaint with the supervisory authority responsible for you. A list of data protection officers and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

§ 3 Data security

We maintain up-to-date technical measures to ensure data security, in particular to protect your personal data from risks during data transmission and from third parties gaining knowledge of it. These are adapted to the current state of the art.

§ 4 Collection of personal data for informational use and contacting

If you only use the website for informational purposes, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security (legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR):

– IP address
– Date and time of the request
– Time zone difference to Greenwich Mean Time (GMT)
– Content of the request (specific website)
– Access status/HTTP status code
– Volume of data transferred in each case
– Website from which the request comes
– Browser
– Operating system and its interface
– Language and version of the browser software

When you contact us by e-mail, we will store your e-mail address, your name and, if you provide it, your telephone number. The purpose of this storage is merely to contact you in order to answer your questions.

The legal basis for the collection of data when contacting us is the consent that you have given by your contact request (Art. 6 para. 1 sentence 1 lit. a GDPR).

We will only use your data for advertising purposes to the extent permitted by law. In particular, we will only use your e-mail address for direct advertising for our own similar goods or services. You can object to the use of your data for advertising purposes at any time in writing or in text form (e-mail to kontakt@cannazen.de). In doing so, we rely on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard disk, assigned to the browser you are using, and through which certain information flows to the body that sets the cookie (in this case us). Cookies cannot execute programs or transmit viruses to your computer. They are used to make the website more user-friendly and effective overall.

§ 5 Cookies

We use cookies on our website. These cookies are necessary to enable you to move around the website and use its features, including accessing secure areas of the website. Cookies allow us to track who has visited the website(s) and to deduce how often certain web pages are visited and which parts of the site are particularly popular. Session cookies store information about your activities on our website.

This website uses the following types of cookies, the scope and function of which are explained below:
– Transient cookies (temporary use)
– Persistent cookies (time-limited use)
– Third party cookies

Transient cookies are automatically deleted when you close the browser. These include session cookies in particular. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This allows your computer to be recognized when you return to the website. The session cookies are deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in your browser’s security settings.

You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. We would like to point out that you may not be able to use all functions of this website.

We use cookies to identify you for subsequent visits if you have an account with us. Otherwise you would have to log in again for each visit.

Here you can find all the information in detail:

  • Cookies

§ 6 Data transfer for the maintenance of the website

We will not pass on your personal data to third parties unless we inform you that we will do so.

Our IT service providers have access to our stored data in order to rectify errors and to enable us to implement the required technical and organizational measures. In doing so, we rely on our legitimate interest in securing our IT in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR or on the fulfillment of legal obligations in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR.

The IT service provider(s) have been carefully selected by us and commissioned in writing. They are bound by our instructions and are regularly monitored by us. The service providers will not pass this data on to third parties.

Your data will not be passed on outside the EU/EEA.

§ 7 Use of our platform

In order to use the services offered on our platform, you must register a patient account on our platform, into which you can log in with your access data, which you manage independently and through which we and the cooperating doctor can communicate with you.

To do so, you must register by entering your e-mail address, a password of your choice, your name, telephone number, address and date of birth. We use the so-called double opt-in procedure for registration, i.e. your registration is only complete once you have confirmed your registration by clicking on the link contained in a confirmation e-mail sent to you for this purpose. If you do not confirm your registration within 24 hours, your registration will be automatically deleted from our database. The provision of the aforementioned data is mandatory; you can provide all other information voluntarily when using our portal.

If you use our platform, we store your data required for the fulfillment of the contract until you finally delete your access. We also store the voluntary data you provide for the duration of your use of the platform, unless you delete it beforehand. You can manage and change all information in the customer area. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

If you use the portal, your data may be made available to the cooperation doctors or cooperation pharmacies you have selected in accordance with the contractual service. In this respect, it is necessary for the medical history that we request health data, which you can answer by questionnaire or video. The purpose of this data processing is to arrange remote treatment or the purchase of a remote treatment voucher. Further information on our services can be found in our General Terms and Conditions. The legal basis for health data processing is your consent, which you give by providing the information, Art. 9 para. 2 lit. a GDPR.

To prevent unauthorized access by third parties to your personal data, especially financial data, the connection is encrypted using TLS technology.

§ 8 Payments

We delete your contract data after the contract has been processed and the retention obligations under tax and commercial law have expired. The legal basis for the stated collection is your consent, which you have given by creating the customer account or by concluding the contract, and the necessity for contract processing (Art. 6 para. 1 sentence 1 lit. a, b GDPR).

You can pay for our vouchers by credit card or EC card using the Truevo or Paystrax payment services. You can find more details in our GTC. Payment and contract data required for payment may be passed on to the respective payment service providers.

§ 9 Social media

We provide links to various social media on our website. However, these are merely links to external websites of third-party social media providers and not plugins. Consequently, no links are created or personal data transmitted to the third-party providers when you visit our website. By clicking on the respective button marked with the symbol of the provider, you will be redirected to the website of this provider. At this point, you will leave our website. If you have any questions about data collection by third-party providers, please read the privacy policies provided by the third-party providers. We refer to the following social media:

Facebook

Our website links via the “f” button to the social network facebook.com, whose operator for users outside the USA and Canada is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland. You can find information on data protection here: https://de-de.facebook.com/about/privacy/

The Facebook service processes your data outside the European Union and the European Economic Area to its parent company Meta Platforms, Inc. The transfer of personal data to a so-called third country requires that the provisions of Sections 44 et seq. GDPR are complied with in order to guarantee the level of protection guaranteed in the EU.
The transfer of personal data to the USA is based on an adequacy decision of the EU Commission (Adequacy decision for the EU-US Data Privacy Framework of 10.07.2023) pursuant to Art. 45 para. 1 GDPR, the so-called EU-US Data Privacy Framework (DPF). Meta Platforms, Inc. can only base the processing of personal data on Art. 45 para. 1 GDPR if it is registered in the list of participating organizations in accordance with Article 1 DPF (list available at: https://www.dataprivacyframework.gov/). Meta Platforms, Inc. is registered in the list of participating organizations. The registration [includes / does not include] non-personal data of employees (category HR). This data processing can therefore be based on Art. 45.

Twitter / X

By clicking on the button with the bird symbol, you will be taken to the microblogging service of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland; Twitter ensures a comparable level of data protection when transferring data to the parent company in the USA by concluding so-called standard data protection clauses (SDC) in accordance with Art. 46 Para. 2 GDPR. Further information can be found at: https://gdpr.twitter.com/en/controller-to-controller-transfers.html, information on data protection can be found here: https://twitter.com/de/privacy

Instagram

Instagram is a service of Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA.
Further information can be found in Instagram’s privacy policy: http://instagram.com/about/legal/privacy/.
The Instagram service processes your data outside the European Union and the European Economic Area to its parent company Meta Platforms, Inc. The transfer of personal data to a so-called third country requires that the provisions of Sections 44 et seq. GDPR are complied with in order to guarantee the level of protection ensured in the EU.

The transfer of personal data to the USA is based on an adequacy decision of the EU Commission (Adequacy decision for the EU-US Data Privacy Framework of 10.07.2023) pursuant to Art. 45 para. 1 GDPR, the so-called EU-US Data Privacy Framework (DPF). Meta Platforms, Inc. can only base the processing of personal data on Art. 45 para. 1 GDPR if it is registered in the list of participating organizations in accordance with Article 1 DPF (list available at: https://www.dataprivacyframework.gov/). Meta Platforms, Inc. is registered in the list of participating organizations. The registration [includes / does not include] non-personal data of employees (category HR). This data processing can therefore be based on Art. 45.

LinkedIn

LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA. LinkedIn ensures a comparable level of data protection when transferring data to the parent company in the USA by concluding so-called standard data protection clauses (SDC) in accordance with Art. 46 Para. 2 GDPR. You can find further information at: http://www.linkedin.com/legal/privacy-policy

§ 10 Newsletter

With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers and updates.

We use the so-called double opt-in procedure to subscribe to our newsletter. This means that after you have registered, we will send you an e-mail to the e-mail address you have provided in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses you use and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

The only mandatory information for sending the newsletter is your e-mail address. After your confirmation, we will save your e-mail address for the purpose of sending you the newsletter. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.

You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can declare your revocation by clicking on the link provided in every newsletter e-mail, by e-mail to kontakt@cannazen.de or by sending a message to the contact details given in the imprint.

We would like to point out that we evaluate your user behavior when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons, also known as tracking pixels. These are one-pixel image files that link to our website and thus enable us to evaluate your user behavior. This is done by collecting the data mentioned in § 4 of this declaration as well as web beacons that are assigned to your e-mail address and linked to a unique ID. We use the data obtained in this way to create a user profile in order to provide you with the newsletter tailored to your interests. We record when you read our newsletters, which links you click on in them and deduce your personal interests from this. We link this data to the actions you take on our website.

You can object to this tracking at any time by clicking on the separate link provided in each e-mail or by informing us at kontakt@cannazen.de.

§ 11 Newsletter service provider MailChimp

This website uses the services of MailChimp to send newsletters. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. MailChimp is a service with which, among other things, the sending of newsletters can be organized and analyzed. If you enter data for the purpose of subscribing to the newsletter (e.g. e-mail address), this data is stored on MailChimp’s servers in the USA.

The Mailchimp service processes your data outside the European Union and the European Economic Area to its parent company Intuit Inc., 2700 Coast Ave, Mountain View, California 94043. The transfer of personal data to a so-called third country requires that the provisions of Sections 44 et seq. GDPR are complied with in order to guarantee the level of protection guaranteed in the EU.
The transfer of personal data to the USA is based on an adequacy decision of the EU Commission (Adequacy decision for the EU-US Data Privacy Framework of 10.07.2023) pursuant to Art. 45 para. 1 GDPR, the so-called EU-US Data Privacy Framework (DPF). Intuit Inc. can only base the processing of personal data on Art. 45 para. 1 GDPR if it is registered in the list of participating organizations in accordance with Article 1 DPF (list available at: https://www.dataprivacyframework.gov/). Intuit Inc. is registered in the list of participating organizations. The registration does not include personal data of employees (HR category). This data processing can therefore be based on Art. 45, further information can be found at: https://mailchimp.com/legal/data-processing-addendum/

With the help of MailChimp, we can analyze our newsletter campaigns. When you open an email sent with MailChimp, a file contained in the email (known as a web beacon) connects to MailChimp’s servers in the USA. This makes it possible to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g. time of access, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better tailor future newsletters to the interests of the recipients.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and MailChimp’s servers after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this.

We base the use of MailChimp on our legitimate interest in the application and efficient administration of our services, which in turn is based on professional and entrepreneurial freedom in accordance with Art. 15 para. 1 and Art. 16 GDPR. Since we inform you about this processing and no special data other than the e-mail address is transmitted, we base our processing on the legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

For more information, please refer to MailChimp’s privacy policy at: https://mailchimp.com/legal/privacy/.

§ 12 Web tracking – Google Analytics

If you have given your consent, this website uses Google Analytics, a web analysis service of Google Ireland Limited (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google LLC server in the USA and stored there. However, if IP anonymization is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to a Google LLC server in the USA and truncated there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator.

The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

This website uses Google Analytics with the extension “_anonymizeIp()”. This means that IP addresses are further processed in abbreviated form, so that they cannot be linked to a specific person. If the data collected about you is personally identifiable, it is immediately excluded and the personal data is deleted immediately.

We use Google Analytics to analyze the use of our website and thus regularly improve it. We can use the statistics obtained to improve our offer and make it more interesting for you as a user.

The Google service processes your data outside the European Union and the European Economic Area to its parent company Google LLC. The transfer of personal data to a so-called third country requires that the provisions of Sections 44 et seq. GDPR are complied with in order to guarantee the level of protection guaranteed in the EU.
The transfer of personal data to the USA takes place on the basis of an adequacy decision of the EU Commission (Adequacy decision for the EU-US Data Privacy Framework of 10.07.2023) pursuant to Art. 45 para. 1 GDPR, the so-called EU-US Data Privacy Framework (DPF). Google can only base the processing of personal data on Art. 45 para. 1 GDPR if it is registered in the list of participating organizations in accordance with Article 1 DPF (list available at: https://www.dataprivacyframework.gov/). Google LLC is registered in the list of participating organizations. The registration includes personal data of employees (category HR). This data processing can therefore be based on Art. 45.

Further information is available at: https://privacy.google.com/businesses/compliance/#!#gdpr

The legal basis for the use of Google Analytics is your consent, i.e. Art. 6 para. 1 sentence 1 lit. a GDPR.

Information from the third-party provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland,
User conditions: http://www.google.com/analytics/terms/de.html,
The privacy policy: https://policies.google.com/privacy?hl=de&gl=de.

This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID. You can deactivate the cross-device analysis of your usage in your customer account under “My data”, “Personal data”.

§ 13 Use of the Google Tag Manager

Google Tag Manager is a tool that allows marketers to manage website tags via an interface. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. For more information, see:
https://www.google.de/analytics/terms/tag-manager/.

The legal basis for the transfer of personal data to Google is your consent, i.e. Art. 6 para. 1 sentence 1 lit. a GDPR.

The Google service processes your data outside the European Union and the European Economic Area to its parent company Google LLC. The transfer of personal data to a so-called third country requires that the provisions of Sections 44 et seq. GDPR are complied with in order to guarantee the level of protection guaranteed in the EU.
The transfer of personal data to the USA is based on an adequacy decision of the EU Commission (Adequacy decision for the EU-US Data Privacy Framework of 10.07.2023) pursuant to Art. 45 para. 1 GDPR, the so-called EU-US Data Privacy Framework (DPF). Meta Platforms, Inc. can only base the processing of personal data on Art. 45 para. 1 GDPR if it is registered in the list of participating organizations in accordance with Article 1 DPF (list available at: https://www.dataprivacyframework.gov/). Google LLC is registered in the list of participating organizations. The registration includes personal data of employees (category HR). This data processing can therefore be based on Art. 45.

Further information is available at: https://privacy.google.com/businesses/compliance/#!#gdpr

§ 14 Use of jQuery

Our website uses the JavaScript extension jQuery, which is downloaded from the website code.jquery.com. In this regard, program libraries are called from StackPath servers. The provider is The OpenJS Foundation, 1 Letterman Drive, Building D, Suite D4700, San Francisco, CA 94129, USA.

When you access a website, your browser loads the required program libraries into your browser cache. For this purpose, the browser you are using must establish a connection to the jQuery servers located in the USA. The use of jQuery is in the interest of an optimized and appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR.

jQuery ensures a comparable level of data protection when transferring data to the USA by concluding so-called standard data protection clauses (SDC) in accordance with Art. 46 para. 2 lit. c GDPR.

Further information on jQuery can be found at www.jquery.com.

§ 15 Data collection for the purpose of the application

We occasionally offer vacancies on our homepage. If you apply for a position, we will store your application documents received by post or e-mail until the application process has been completed.

If we do not decide in your favor, we will destroy your application documents no later than six months after the end of the application process. We rely here on our legitimate interest in an efficient legal defense pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in conjunction with § 21 para. 5 AGG. The preclusion period for such actions is 2 months.

The processing of your applicant data is based on Section 26 (1) BDSG, as it is necessary to establish an employment relationship.