Privacy Policy
How we protect your medical data and personal information
1. Introduction
Derm4Hair is committed to protecting your privacy and personal data in accordance with the General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG). This privacy policy explains how we collect, use, store, and protect your personal information when you use our telemedicine platform for dermatological hair and scalp treatments.
🏥 Medical Note: As a healthcare provider, we handle sensitive medical data that requires special protection under applicable data protection laws. Your trust is essential to our service, and we are committed to maintaining the highest standards of data privacy and security.
2. Data Controller
The data controller for your personal data is:
Company Information
Name: Derm4Hair GmbH
Address: Lehmweg 6
Location: Hamburg, Germany
Email: contact@derm4hair.com
Phone: +49 (0) 40 123 456 789
Data Protection Officer:
Name: Dr. med. Nesrine Ben Anaya
Email: contact@derm4hair.com
3. Data We Collect
We collect and process the following categories of personal data:
Account Information
- Name, email address, phone number
- Date of birth and gender
- Account preferences and settings
- Authentication credentials
Medical Information
- Medical history and current conditions
- Treatment preferences and allergies
- Photographs of affected areas (with consent)
- Consultation notes and treatment plans
- Progress tracking and treatment outcomes
Technical Information
- IP address and device information
- Browser type and version
- Operating system and device identifiers
- Usage data and platform interactions
Communication Data
- Messages with healthcare providers
- Support inquiries and feedback
- Email communications and preferences
- Appointment scheduling information
4. How We Use Your Data
We process your personal data for the following purposes:
Medical Treatment and Care
- Providing telemedicine consultations
- Developing personalized treatment plans
- Monitoring treatment progress and outcomes
- Coordinating care with other healthcare providers
Platform Operation
- Creating and managing your account
- Processing payments and billing
- Providing customer support
- Improving our services and platform functionality
Legal and Compliance
- Complying with medical documentation requirements
- Meeting regulatory obligations
- Protecting against fraud and misuse
- Enforcing our terms of service
Medical Research (with consent)
- Conducting anonymized clinical research
- Improving treatment methodologies
- Contributing to dermatological studies
- Developing AI-supported diagnostic tools
5. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
Consent (Article 6(1)(a) GDPR)
For processing medical photographs, research participation, and marketing communications.
Contract Performance (Article 6(1)(b) GDPR)
For providing medical services, account management, and platform functionality.
Legal Obligation (Article 6(1)(c) GDPR)
For medical documentation, regulatory compliance, and tax obligations.
Vital Interests (Article 6(1)(d) GDPR)
For emergency medical situations and patient safety.
Legitimate Interests (Article 6(1)(f) GDPR)
For fraud prevention, security measures, and service improvement (balanced against your rights).
Special Categories of Data (Article 9 GDPR)
Medical data is processed based on explicit consent and necessity for healthcare provision.
6. Data Sharing
We may share your data with the following parties:
Healthcare Partners
Licensed dermatologists, medical specialists, and healthcare institutions for treatment purposes.
Service Providers
Technical service providers, payment processors, and cloud storage providers (under strict data processing agreements).
Legal Authorities
When required by law, court order, or to protect vital interests.
Research Partners
Anonymized data may be shared with research institutions (only with explicit consent).
🚫 We never sell your personal data to third parties.
7. Data Retention
We retain your data for the following periods:
Medical Records
30 years from last treatment (German medical documentation requirements)
Account Data
Until account deletion or 7 years after last activity
Technical Data
12 months for security and fraud prevention purposes
Marketing Data
Until consent withdrawal or 3 years of inactivity
🔒 Secure Deletion: Data is securely deleted when retention periods expire, unless longer retention is required by law.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
Right of Access (Article 15)
Request information about personal data we process about you.
Right to Rectification (Article 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of your personal data (subject to legal retention requirements).
Right to Restriction (Article 18)
Limit the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
Right to Object (Article 21)
Object to processing based on legitimate interests or for marketing purposes.
Right to Withdraw Consent
Withdraw consent for processing at any time (does not affect lawfulness of prior processing).
📞 How to Exercise Your Rights: To exercise your rights, contact us at contact@derm4hair.com. We will respond within 30 days.
Supervisory Authority: You have the right to lodge a complaint with a supervisory authority (in Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit).
9. Data Protection Measures
We implement comprehensive security measures to protect your data:
Technical Safeguards
- End-to-end encryption for all data transmission
- AES-256 encryption for data at rest
- Multi-factor authentication
- Regular security audits and penetration testing
- Secure cloud infrastructure with ISO 27001 certification
Organizational Measures
- Staff training on data protection and medical confidentiality
- Access controls and need-to-know principles
- Data processing agreements with all service providers
- Regular review of data protection practices
- Incident response and breach notification procedures
Medical Data Protection
- HIPAA-compliant data handling procedures
- Medical professional confidentiality standards
- Separate storage for particularly sensitive data
- Audit trails for all medical data access
10. Cookies and Tracking Technologies
We use cookies and similar technologies for:
Essential Cookies
Required for platform functionality, security, and user authentication.
Analytics Cookies
To understand how you use our platform and improve our services (with consent).
Preference Cookies
To remember your settings and language preferences.
Cookie Management: You can manage cookie preferences through your browser settings or our cookie consent manager.
Third-Party Policy: We do not use third-party advertising cookies or tracking pixels.
15. Contact Information
For questions about this privacy policy or to exercise your rights, contact us:
Data Protection Officer
Phone: +49 (0) 40 123 456 789
Postal Address
Derm4Hair GmbH, Data Protection Office, Lehmweg 6, Hamburg, Germany
⏰ Response Time: We will respond to your inquiry within 30 days as required by GDPR.
Supervisory Authority
If you have concerns about our data processing practices, you can contact the German data protection authority:
Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
Address: Graurheindorfer Str. 153, 53117 Bonn, Germany
Phone: +49 (0) 228 997799-0
Email: poststelle@bfdi.bund.de
Website: https://www.bfdi.bund.de
This privacy policy is designed to meet the requirements of the GDPR, German BDSG, and medical data protection standards. For questions about specific privacy provisions, please contact our Data Protection Officer.