Privacy Policy

The protection of your personal data is important to us. In this privacy policy, we inform you about the processing of your data when using deinrezept.de.

1. Data Controller

MEDICARE HEALTH GROUP LTD

First Floor Office, 3 Hornton Place, London, W8 4LZ, United Kingdom

[email protected]

Represented by: the Director

Company Number: 17089430 (England and Wales)

Data Protection Officer: Currently not appointed; legal requirements under Art. 37 GDPR are being reviewed.

2. What data do we process?
  • Account and contact data (e.g. email, phone number if applicable) for verification (OTP), communication and status updates.
  • Order/contract data (treatment, shopping cart, billing data, delivery address).
  • Health data (questionnaire responses) exclusively for medical review/processing and only to the extent necessary.
  • Technical data (log files, security events) for stability, abuse prevention and error analysis.
3. Purposes & Legal Bases
  • Contract fulfillment (Art. 6(1)(b) GDPR) — Processing of orders, prescription requests, communication.
  • Security/abuse prevention (Art. 6(1)(f) GDPR) — Protection against fraud, rate limiting, logging.
  • Fulfillment of legal obligations (Art. 6(1)(c) GDPR) — Tax retention, pharmaceutical documentation.
  • Health data (Art. 9(2)(h) GDPR) — Processing for healthcare purposes based on the treatment contract. Questionnaire responses are processed exclusively for the medical suitability assessment and stored in pseudonymized form.

Note: Health data is subject to medical confidentiality and is transmitted in encrypted form (TLS 1.3) and stored in EU infrastructure.

4. Recipients / Data Processors
  • Hetzner Online GmbH (Hosting, Industriestr. 25, 91710 Gunzenhausen, Germany) — Server operations and data storage within the EU. DPA concluded.
  • Resend Inc. (Email delivery for OTP and notifications) — Data processing, data processed within the EU.
  • Stripe Inc. (Payment processing, 354 Oyster Point Blvd, South San Francisco, CA, USA) — Credit card, PayPal, Klarna and Amazon Pay payments. Third-country transfer to USA based on EU Standard Contractual Clauses (SCCs). Details see Section 7.
  • Cloudflare Inc. / Turnstile (Bot protection) — Processing of technical data to distinguish humans from bots. No tracking, GDPR-compliant.
  • Cooperating physicians / partner pharmacy — Medical review and prescription issuance or dispensing of medications. Processing based on the treatment contract.
5. Storage Period

We store personal data only as long as necessary for the respective purpose or as required by statutory retention periods:

  • Account data: Until account deletion + 30-day grace period.
  • Orders and billing data: 10 years (Section 257 HGB, Section 147 AO).
  • Health data (questionnaires): 10 years after end of treatment (Section 10(3) MBO-A).
  • Server log files: 90 days.
  • Cookies: Between 1 hour (session) and 365 days (consent preference), depending on the cookie.
6. Your Rights
You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21 GDPR), among others. You may revoke any given consent at any time. You also have the right to lodge a complaint with a supervisory authority.
7. Third-Country Transfers
Stripe Inc. as payment service provider processes data in the USA. The transfer is based on EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Stripe is also certified under the EU-US Data Privacy Framework. All other data processors process data exclusively within the EU/EEA.
8. Automated Decision-Making
The evaluation of your health questionnaire serves to structure the information for medical review. No fully automated decision-making within the meaning of Art. 22 GDPR takes place — every prescription decision is made individually by a licensed physician. You have the right to human review at any time.
9. SSL/TLS & Security Measures
This website uses SSL/TLS encryption (indicated by the lock icon in your browser). All data is transmitted in encrypted form. In addition, we employ extensive technical and organizational measures: Content Security Policy (CSP), rate limiting, CSRF protection, encrypted data storage, and regular security audits.
10. Cookies

We currently use only technically necessary cookies. An overview:

Cookie            | Purpose                             | Duration  | Type
dr_session        | Session management (login)          | 24 hours  | Essential
dr_csrf           | CSRF protection                     | Session   | Essential
dr_cookie_consent | Storage of your cookie preferences  | 365 days  | Essential
dr_locale         | Language setting                    | 365 days  | Essential
dr_theme          | Color scheme preference             | 365 days  | Essential
dr_country        | Country selection                   | 365 days  | Essential