Privacy Policy

Scope/ Person responsible

Cross4Channel — Society for digital healthcare marketing mbH
Prinzessinnenstr. 19/20
10969 Berlin, Germany
Commercial register number: HRB 164531 B
Management: Petra Dökel
+49 (0)30–74689509

Contact details of the external data protection officer

PROLIANCE GmbH / www.datenschutzexperte.de
Data Protection Officer
Leopoldstr. 21
80802 Munich

www.datenschutzexperte.de

Status: May 15, 2025

This privacy policy informs users about the nature, scope and purpose of the collection and use of personal data by the responsible provider Cross4Channel — Gesellschaft für digitales Healthcare Marketing mbH (hereinafter referred to as “provider”) on this website. 

The term "user" includes all categories of persons affected by data processing. These include our business partners, customers, interested parties and other visitors to our online offering. The terms used, such as "user", are to be understood as gender-neutral. 

The legal basis for data protection can be found in the Federal Data Protection Act (BDSG-NEU), the EU General Data Protection Regulation (GDPR) and the Digital Services Act (DDG).  

Basic information on data processing and legal bases

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data within our online offering and the associated websites, functions, and content (hereinafter collectively referred to as the "online offering" or "website"). This privacy policy applies regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) on which the online offering is executed. 

For the terms used, such as “personal data” or their “processing”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR). 

Visit the website 

The personal data of users processed within the scope of this online offering include inventory data (e.g. names and addresses of customers), contract data (e.g. services used, names of clerks, payment information), usage data (e.g. the websites visited on our online offering, interest in our products) and content data (e.g. entries in the contact form). 

We only process users' personal data in compliance with the relevant data protection regulations. This means that user data is only processed if there is legal permission. This means, in particular, if data processing is necessary to provide our contractual services (e.g., processing orders) and online services, or is required by law, if the user's consent has been obtained, or if it is based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation and security of our online offering within the meaning of Art. 6 (1) (f) GDPR, particularly in the measurement of reach, creation of profiles for advertising and marketing purposes, as well as the collection of access data and use of third-party services). 

We would like to point out that the legal basis for consent is Art. 6 (1) (a) and Art. 7 GDPR, the legal basis for processing to fulfill our services and implement contractual measures is Art. 6 (1) (b) GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 (1) (c) GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) (f) GDPR. 

Safety measures

We take organizational, contractual and technical security measures in line with the state of the art to ensure that the provisions of data protection laws are complied with and to protect the data we process against accidental or intentional manipulation, loss, destruction or access by unauthorized persons. 

To increase the security of our website and to prevent automated abuse by bots, we use so-called honeypot technologies. A honeypot is a method used to detect automated access by setting a trap that is invisible to human users but can be triggered by automatic scripts. The purpose of this technology is solely to keep our website secure. Honeypot technology helps us identify and block spam, fraud attempts, and other types of automated abuse. The use of this technology is based on our legitimate interest in the security of our website in accordance with Article 6 (1) (f) of the GDPR. The information collected by honeypots is only stored for as long as is necessary for the purpose for which it was collected and is then deleted. No personal data is collected. 

contact

When you contact us (via contact form or email), the user's information will be processed to process the contact request and its handling in accordance with Art. 6 (1) (b) GDPR. 

User information may be stored in our customer relationship management system (“CRM system”) or comparable inquiry organization. 

Collection of access data and log files

Based on our legitimate interests in accordance with Art. 6 (1) (f) GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider. 

Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum of seven days and then deleted. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident has been finally resolved. 

Cookies & reach measurement

Cookies are pieces of information that are transferred from our web server or third-party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage. 

The following cookies are used on our website: 

  • _pk_id – Stores some details about the user such as the unique visitor ID (13 months) 
  • _pk_ref – Stores the attribution information, the referrer that was originally used to visit the website (6 months) 
  • _pk_ses, _pk_cvar, _pk_hsr – Short-lived cookies used to temporarily store data for the visit (30 minutes) 
  • borlabs-cookie –Saves settings made in the cookie banner (essential) 

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online service. 

You can object to the use of cookies that are used for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/). 

In some cases, cookies are used to simplify website processes by storing settings (e.g. by retaining options that have already been selected). If personal data is also processed by individual cookies implemented by us, the processing takes place in accordance with Art. 6 Para. 1 lit. b GDPR either to execute the contract or in accordance with Art. 6 Para. 1 lit. f GDPR to protect our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the site visit. 

You can adjust your cookie settings for this website by clicking on this link: Cookie settings 

Integration of third-party services and content 

Based on our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR), we use content or service offers from third parties in order to integrate their content and services such as videos or fonts (hereinafter referred to uniformly as "content"). This always presupposes that the third-party providers of this content perceive the IP address of the users, since without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the display of this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers can also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as be linked to such information from other sources. 

Matomo Analytics 

We use the Matomo analytics tool. This is an open-source tool provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. We only use this tool with the user's consent. 

With Matomo, data is transmitted exclusively to servers operated by us (AWS), and the information generated is not shared with third parties. A shortened IP address is stored in the log files for a maximum of six months. Personal data is processed in an anonymized form. 

We collect this data to improve the website and analyze user behavior. 

In particular, the following data is collected: shortened IP address, IP address in the log files, visit to the website, time spent on the website 

The legal basis for the aforementioned data processing is Art. 6 (1) lit. a GDPR. 

Further details on the privacy policy can be found at 

https://matomo.org/privacy-policy/ 

Google Maps 

On our website we use Google Maps (API) from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). Google Maps is a web service for displaying maps. 
When used, personal data (such as your IP address or, if applicable, your location) is transferred to Google servers and stored there. We cannot rule out that this data will also be transmitted to Google LLC servers in the USA. This occurs regardless of whether Google provides a user account through which you are logged in or whether a user account exists. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them. The collection, storage and evaluation are carried out in accordance with Art. 6 Paragraph 1 Letter f of GDPR on the basis of Google's legitimate interest in displaying personalized advertising, market research and/or the needs-based design of Google websites. You have the right to object to the creation of these user profiles; you must contact Google to exercise this right. If you do not agree to the future transmission of your data to Google when using Google Maps, you also have the option of deactivating the Google Maps web service completely. Google Maps and thus also the map display on this website cannot then be used. 
To the extent legally required, we have obtained your consent in accordance with Art. 6 (1) lit. a GDPR for the processing of your data as described above, which you can revoke at any time with effect for the future. Further information can be found at  
https://www.google.de/intl/de/policies/terms/regional.html,  
https://www.google.com/intl/de_US/help/terms_maps.html and 
https://www.google.de/intl/de/policies/privacy/ 

Users’ rights 

Users have the right to request information free of charge about the personal data we have stored about them. 

In addition, users have the right to rectify inaccurate data, restrict processing and delete their personal data, where applicable, exercise their rights to data portability and, in the event of suspected unlawful data processing, lodge a complaint with the competent supervisory authority. 

Users can also revoke their consent, generally with effect for the future. 

Deletion of data 

The data stored by us is deleted as soon as it is no longer required for its intended purpose and there are no statutory retention periods that prevent deletion. If the user data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial or tax law reasons. 

According to legal requirements, records must be retained for 6 years in accordance with Section 257 (1) of the German Commercial Code (HGB) (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with Section 147 (1) of the German Fiscal Code (AO) (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.). 

Right to object 

Users can object to the future processing of their personal data at any time in accordance with the statutory provisions. The objection can be made in particular against processing for direct marketing purposes. 

 

Contact via WhatsApp 

Users have the option of contacting us via WhatsApp. For this purpose, we use the WhatsApp Business API, a service provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. 

Legal basis 

Communication via WhatsApp, as well as the sending of broadcast messages and the associated processing of personal data, takes place exclusively on the basis of the express consent of the user in accordance with Art. 6 (1) (a) GDPR. Consent can be revoked at any time with future effect, e.g., by sending a message with the text "Stop" or "Stopp" to our WhatsApp channel. 

Processed data 

Following the opt-in procedure and consent granted, the following personal data will be processed: 

  • Metadata (e.g. timestamp, meta ID, telephone number, technical data for transmission), 
  • Message content and histories, 
  • Response to the opt-in procedure (data protection notice). 

Processing purposes 

We use WhatsApp to process support requests and send broadcast messages. Whether you receive broadcast messages depends on your individual WhatsApp settings, over which we have no control. By giving your consent, you also consent to your messages being answered by our support team or the expert system. Only trained and authorized employees are granted access to the system; the content is not shared with third parties. 

Data processing by WhatsApp 

With your consent, WhatsApp's privacy policy continues to apply. We have no influence on how WhatsApp processes your data. Further information on how WhatsApp processes personal data can be found in WhatsApp's privacy policy: https://www.whatsapp.com/privacy. 

Hosting and technical implementation 

The content of the communication (messages, history), the phone number in pseudonymized form (without the last digits), and the confirmation of the privacy policy are stored on Amazon Web Services (AWS) servers in Frankfurt am Main. The address book is not synchronized via the WhatsApp Business API. We do not receive any information about other contacts or message content.  

Data transmission is SSL-encrypted. Messages are cached on the servers until they are sent and deleted within a short period of time after sending.  

The data, i.e. metadata and message content or chat histories, are stored for a maximum of 365 days, with the telephone number being stored only in pseudonymized form. The response to the privacy policy is stored for three years.  

The user has the right to information about the data being processed, the right to withdraw consent, and the right to request the deletion of the data. Upon request to delete the data, the chat history and all other data will be deleted within three business days. It may happen that messages are sent during this time, i.e., between the deletion request and the deletion. You will not receive confirmation of successful deletion from us.  

Changes to the privacy policy 

We reserve the right to change the privacy policy in order to adapt it to changes in the legal situation or in the event of changes to the service or data processing. However, this only applies to statements on data processing. If the consent of the users is required or if parts of the privacy policy contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users. 

Users are asked to regularly inform themselves about the content of the privacy policy. 

 

en_USEnglish
de_DEDeutsch en_USEnglish