Data privacy website

Status: September 2023

If you are visiting our website from the UK, please visit our Oviva UK Privacy Policy.

Si vous visitez notre site Web depuis la France, veuillez consulter notre politique de confidentialité Oviva FR.

Falls Sie unsere Webseite aus Deutschland nutzen, bitte besuchen sie unsere deutsche Datenschutzerklärung

As Oviva AG and operator of the website www.oviva.com, we take the protection of your data very seriously. In the following, we would like to inform you about the extent to which and the purpose for which we collect and process personal data from you on our website www.oviva.com (hereinafter “website”).

1. General; Definitions

We use the following terms, among others, in this Privacy Policy:

Personal data means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Health data are personal data relating to the physical or mental health of a natural person, including the provision of health care services, and revealing information about that person’s state of health.

Processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller or person responsible for processing is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third-party means any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.

Consent shall mean any freely given specific and informed indication of the wishes of the data subject, in the form of a declaration or other unambiguous affirmative act, by which the data subject signifies his agreement to the processing of personal data relating to him.

2. Responsibility and contact

The controller of the processing of personal data is the:

Oviva AG (hereinafter “Oviva”, “we”, “us”),

a company under Swiss law with its registered office at the

Zürcherstrasse 64
CH-8852 Altendorf
Handelsregisternummer CH-130.3.019.905-3

If you wish to inspect and update your personal data or if you have any questions regarding data protection on our website, please contact us at any time via our helpcenter or by post at the address given above.

You can reach our data protection officer

by e-mail: datenschutz@oviva.com or

by post: at the postal address of the data controller, with the addition of “for the attention of the data protection officer”.

3. Processing of your personal data

The scope and nature of the processing of your personal data differ depending on whether you wish to contact us via our website, use our functionalities offered on the website or merely use our website for information purposes. With regard to the data processing procedures described below, you can assert your data subject rights (see section 8) at any time.

3.1 Collect data with your participation

We collect and store your personal data in connection with the use of this website if you provide it to us of your own accord, e.g. in the context of registration for nutritional counselling or for psychological psychotherapy. It is always your free decision whether you provide us with your data for the purposes in question.

3.1.1 Inquiries via e-mail

If you send us an e-mail, your e-mail address and any personal content contained in the message will be stored by us and processed to answer the request (legal basis is Art. 6 Para. 1 f) or Art. 6 Para. 1 b) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland). Insofar as special categories of personal data are included, the processing takes place on the basis of your consent in accordance with Article 6 Paragraph 1 a), Article 9 Paragraph 2 a) GDPR or Article 30 in conjunction with Article 31 DSG/Switzerland. We only do this in order to be able to process your request, to provide the services you have requested or to manage your digital patient file. Depending on the email address, we may process it through our Freshdesk application. Freshdesk is a helpdesk system from Freshworks Inc, 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA (hereinafter “Freshworks”). For this purpose, requests are stored on the Freshworks servers in the EU or outside the EU. To ensure a data protection level corresponding to that of the EU, we have concluded a contract with Freshworks for order processing with EU standard contractual clauses (Art. 46 Para. 2 c) DSGVO or Art. 16 Para. 2 lit. d DSG/Switzerland), according to which Freshworks obliged to comply with European data protection regulations. These EU standard contractual clauses also include an order processing contract. For further details on this, please feel free to contact us.

We would like to point out that data transmission during communication by e-mail can have security gaps. Complete protection of data against access by third parties is not possible. Please take this into account in particular before you send us health data by email.

If the purpose of the data processing no longer applies, we will delete the relevant data. With regard to this data processing, you can also assert your data subject rights at any time (see section 9), in particular object to the corresponding data processing.

3.1.2 Registration on the website

3.1.2.1 Registration for nutritional counselling or for psychological psychotherapy is not required for browsing the website. However, if you wish to use our services, you must register for this in advance via the website.

3.1.2.2 We use the personal data provided by you during registration to the extent necessary for the initiation or implementation of the contractual relationship. During the initial registration, the following personal data is usually collected and stored:

First and last name*,
Date of birth*,
E-mail address*,
Mobile number*,

Registration without providing the data marked with an * sign in the registration mask is not possible. This data is used exclusively for the initiation or implementation of the contractual relationship, in particular for contacting you.

In addition, we use your personal data to obtain a medical prescription from your attending physician (see section 3.1.3) and to contact you via SMS (see section 3.1.4.4).

3.1.2.3 By register for nutritional counselling or for psychological psychotherapy on our website, the e-mail address you send to us via this channel may also be used by us to send advertising emails. In such a case, we will use the email to send direct advertising for our own similar goods or services. If you do not wish to receive promotional emails, you can unsubscribe at any time. To do so, follow the unsubscribe link in the respective promotional email.

3.1.3 Physician prescription for nutritional counselling or for psychological psychotherapy

Your nutritional consultation or for psychological psychotherapy will be covered by your statutory health insurance if you have a physician’s prescription. In order to be able to check such cost coverage, it is necessary to collect and process the following sensitive personal data, depending on which link you use to access our website.

3.1.3.1 If you have not yet been prescribed a nutritional consultation or for psychological psychotherapy by a physician, we will be happy to contact your attending physician to obtain a prescription for you. For this purpose, the following sensitive personal data will be collected and processed in addition to the personal master data mentioned under 3.1.2.2:

Name and address of the attending physician*.

The transmission of the name and address of the attending physician to us and the subsequent transmission of your data mentioned under 3.1.2.2 to the physician named by you will only take place if you have given your consent for this.

In order to document your consent to the processing of your sensitive personal data, we store your IP address and the time of sending when you send the data for transmission.

3.1.3.2 We also process the transmitted sensitive data for the purpose of billing you for the services you have used.

You can also make use of our programmes as a self-payer. In this case, no prescription from your physician is required.

3.1.4 Oviva Coaching Suite and appointment for nutritional counselling or for psychological psychotherapy

3.1.4.1 If you have registered with us on our website, we will check your registration and create a profile for you in the Oviva Coaching Suite. The Oviva Coaching Suite is an electronic patient file and is used for the documentation and administration as well as the billing of the services you have used. In addition, you can use the Oviva Coaching Suite to communicate with the consultant assigned to you and share information about your health and lifestyle habits.

3.1.4.2 You can access the functions of the Oviva Coaching Suite via our Oviva App. We will automatically send you the login data required for this via SMS to the mobile phone number or email address you have provided after you have registered for the nutritional consultation. For further information on data processing in the context of using the Oviva Coaching Suite, please refer to our privacy policy of the Oviva App.

3.1.4.3 In order to make an appointment with you for nutritional counselling or for psychological psychotherapy, we will contact you by SMS, email or telephone following your registration. In order to book an appointment and then carry out the nutritional counselling or for psychological psychotherapy, it is necessary for us to assign one of our Coaches or one of our psychotherapists to you. Your consultant or psychotherapist will then be able to access and view the information you have stored in the Oviva Coaching Suite. Your consultant or psychotherapist is bound to confidentiality and will treat your personal data accordingly.

3.1.4.4 If you wish to be contacted by SMS (e.g. for an appointment confirmation and reminder as well as other reminders from your coach), we will also use your personal data according to section 3.1.2.2 (first and last name, mobile phone number as well as treatment date) for this purpose.

In order to document your consent to the processing of your sensitive personal data, we store your IP address and the time of sending when you send the data for transmission.

To contact you via SMS, we use the Twilio service provided by Twilio Inc. and WebSMS provided by sms.at mobile internet services GmbH. For further information on how your data is processed by the service providers, see section 4.1.2 of this privacy policy.

3.1.5 Nutritional counselling

If you make use of our nutritional counselling, we collect, store and use sensitive personal data on your state of health and your lifestyle (e.g. height, weight, age, nutritional and eating habits, diagnoses, comorbidities), chronologically recorded measurement data on your sporting activities (number of steps, weight, energy burn, training etc.) as well as information on the content and course of the therapy, as discussed between you and the nutritionist appointed by Oviva AG or exchanged electronically (in particular via the app), in order to be able to offer you our therapeutic nutritional counselling in full in accordance with our General Terms and Conditions. It is your free decision whether you provide us with this data for the aforementioned purpose. However, should you not expressly declare your consent to the use of this data, a contractual relationship cannot be established.

This data is collected and used exclusively in order to be able to offer you the contractual services of therapeutic nutrition counselling. In the case of a physician prescription, the health data contained in the referral will be transmitted to the health insurance company for billing purposes (see also section 3.1.3.2). After completion of the nutritional counselling, the referring physician receives a final report summarising the results of the counselling.

For correspondence with you, we use, in addition to the other services mentioned in this privacy policy, the services of Google Workplace, which are offered by Google Cloud EMEA Ltd, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Your data are processed on servers in the EU. An appropriate level of data protection in accordance with the requirements of the European Union is maintained at all times. If personal data is transferred to a third country outside of Switzerland and the European Economic Area for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses in accordance with Art. 44, Art. 46 Para. 2 c) GDPR or Art. 16 paragraph 2 lit. d DSG/Switzerland. For further details on this, please feel free to contact us.

We only process your sensitive personal data if you give your express consent.

3.1.6 Psychological Psychotherapy

If you make use of our psychological psychotherapy, we collect, store and use sensitive personal data on your state of health (diagnosis and reason for referral, comorbidities, anamnesis, psychological status, therapy goals and procedures, results of diagnostic test procedures) as well as information on the content and Course of the therapy, as discussed between you and the psychotherapist employed by Oviva AG or exchanged electronically (in particular via the app) in order to be able to offer you our psychological psychotherapy in full in accordance with our General Terms and Conditions. It is your free decision whether you provide us with this data for the stated purpose. However, if you do not expressly declare your consent to the use of this data, a contractual relationship cannot come about.

This data is only collected and used in order to be able to offer you the contractual services of psychological psychotherapy. In the case of a medical referral, the health data contained in the referral will be sent to the health insurance company for billing purposes (see also Section 3.1.3.2).

In addition to the other services mentioned in this data protection declaration, we use the services of Google Workplace, which are offered by Google Cloud EMEA Ltd., 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, to correspond with you. Your data will be processed on servers in the EU. An appropriate level of data protection in accordance with the requirements of the European Union is maintained at all times. If personal data is transferred to a third country outside of Switzerland and the European Economic Area for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses in accordance with Art. 44, Art. 46 Para. 2 c) GDPR or Art. 16 paragraph 2 lit. d DSG/Switzerland. For further details on this, please feel free to contact us.

We use the SaaS service PSYFILE Schweiz AG, Schanzeneggstrasse 1, 8002 Zurich to bill for psychological psychotherapy. By using this SaaS service, personal data required for billing, including health data, are passed on to the service provider.

We only process your sensitive personal data if you give your express consent.

3.1.7 Subscription to the newsletter

Irrespective of Section 3.1.2.3, if you give your consent, we will store your email address and your first and last name and use this data to send you email newsletters or advertising emails. The legal basis for this is Article 6 Paragraph 1 Clause 1 a), Article 9 Paragraph 2 a) GDPR (consent) or Article 30 in conjunction with Article 31 DSG/Switzerland. A corresponding consent also includes the consent to receive corresponding e-mails (cf. § 7 Para. 2 No. 2 UWG or Art. 30 in conjunction with Art. 31 DSG/Switzerland).

On the basis of the consent, we analyze whether you open the e-mails and Links may click and use this information to decide whether to contact you further about a particular topic. We also use this data to design future e-mail newsletters or other e-mails or to improve our e-mail newsletter.

We use so-called web beacons to analyze usage. This establishes a connection between your end device and the server of our service provider salesforce.com Germany GmbH when you call up our e-mails (see more about this service provider below). Technical information, such as the browser and your system as well as your IP address and the time of retrieval, are then transmitted to our service provider. We can then use this information to carry out the analysis described above. The corresponding use of web beacons and the corresponding processing takes place on the basis of your consent in accordance with Article 6 Paragraph 1 Clause 1 a), Article 9 Paragraph 2 a) GDPR or Article 30 in conjunction with Article 31 DSG/Switzerland .

We use the Salesforce Marketing Cloud, which is made available to us by our service provider (salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich), to store the data, send the e-mails and analyze usage. who also has access to this data accordingly. Salesforce is part of an international group of companies. It is therefore conceivable that salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, personal data can also be transmitted to countries outside the EU or the EEA without an adequacy decision. This group of companies has committed itself to binding internal data protection regulations in accordance with Article 46 Paragraph 2 b) and Article 47 EU-DSGVO and Article 16 Paragraph 2 lit. e DSG/Switzerland (so-called binding corporate rules). Data processing outside the European Union to maintain an appropriate level of data protection. We also use the Wisepops tool from Simplified Limited Liability Company, 49 rue Jean De La Fontaine, 75016 Paris, France, especially in test phases to collect and store data; This also gives them access to your data.

If you no longer want your data to be processed, corresponding e-mails to be sent or a corresponding usage analysis, you can unsubscribe from the newsletter or other mailings in the future at any time without affecting the legality of the consent processing carried out until the revocation is affected. You can do this, for example, by clicking on the unsubscribe link in an e-mail you have received or by contacting us via our helpcenter.

3.1.8 Contacting for Studies

On the basis of the personal data you have provided, we will check whether you are a suitable participant (m/f/d) in one of our studies and, if necessary, will contact you to inform you of this possibility or to provide you with further information on this if you are interested, a (telephone) interview to discuss how to proceed and to check whether you are actually a suitable participant (m/f/d).

The processing of your personal data for these purposes is based on your consent in accordance with Article 6 Paragraph 1 a), Article 9 Paragraph 2 a) GDPR or Article 30 in conjunction with Article 31 DSG/Switzerland.

3.2 Collection without your participation

When you visit our website, our servers temporarily record the IP address of your computer, the file request of the client (file name and URL) and the http status code as well as the website from which you visit us in so-called log files. For the detection of abuse (spam, viruses, etc.) and for the detection and elimination of faults, we store your IP address. Your IP address will also be processed in order to provide you with the content you have requested. The processing of personal data takes place insofar as the processing is necessary to fulfill a contract with you or to carry out pre-contractual measures in accordance with Art. 6 Para. 1 b) DSGVO or Art. 30 in conjunction with Art legitimate interests in accordance with Art. 6 Para. 1 f) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland. Insofar as special categories of personal data are concerned, your consent (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland) is the legal basis for processing.

3.2.1 Necessary cookies and necessary similar technologies and related ones tools

In addition, our website uses “cookies” in several places, which serve to make our offer more user-friendly and effective. Cookies are small text files that our website wants to place on your computer or other internet-enabled devices such as tablets or smartphones. If your browser settings accept cookies, your browser adds the text in a small file.

Unless otherwise stated in this privacy policy, the cookies we use are necessary for the functionality and performance of our website. These include, for example, cookies that allow you to log in to the secure area of our website. Most cookies are deleted from your device at the end of your browsing session (session cookies). We use the information stored in the necessary cookies exclusively to provide you with the requested services and functions.

In addition to cookies, we also use similar technologies.

The legal basis for the use of cookies and similar technologies as well as further processing takes place, insofar as this is necessary to fulfill a contract with you or to carry out pre-contractual measures, in accordance with Art. 6 Para. 1 b) DSGVO and otherwise due to our interest in the provision of our online offer as well as due to the other legitimate interests described above in accordance with Article 6 Paragraph 1 f) GDPR or Article 30 in conjunction with Article 31 DSG/Switzerland.

Cookies do not cause any damage to your computer per se and do not contain viruses. You have the option of setting your browser so that these cookies are not stored in the first place or so that the cookies are deleted at the end of your Internet session. Please note, however, that in this case you may not be able to use all the functions of our website.

You can find more information about the necessary cookies and similar technologies and the tools used behind them in the Cookie Consent Tool Usercentrics under “Essential”. You can open the Cookie Consent Tool Usercentrics via the fingerprint symbol at the bottom left.

3.2.2 Non-essential cookies and similar technologies and third-party tools

The non-essential cookies and similar technologies and the corresponding services mentioned in the Cookie Consent Tool Usercentrics under “Analytics” and “Marketing” are used provided you give your consent to this via the Cookie Consent Tool Usercentrics. You can open the Cookie Consent Tool Usercentrics using the fingerprint symbol at the bottom left. You can also revoke any consent you may have given.

The processing of non-essential cookies and similar technologies and the (further) processing of personal data is based on your consent in accordance with Art. 6 Para. 1 a) and, to the extent that special categories of personal data are affected, in addition Art. 9 Para. 2 a) GDPR or according to Art. 30 in conjunction with Art. 31 DSG/Switzerland . Details about processing can be found in the following sections.

3.2.2.2 Google tracking and marketing tools

We also use various tracking and marketing tools from Google on our website.

We use various tracking and marketing tools from Google on our website. For users with a habitual residence in the European Economic Area or Switzerland, the responsible Google company is Google Ireland Limited, with its registered office in Gordon House, Barrow Street, Dublin 4, Ireland, for users with a different habitual residence it is Google LLC, with its registered office in 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. The company responsible for the respective user is hereinafter referred to as “Google”. The latter company is also the parent company of Google Ireland Limited, to which reference is also made below.

If you have expressly consented to the respective data processing described in Section 3.2.2.2 (1) – (4) (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art . 31 DSG/Switzerland), by agreeing to the processing of the services “Google AdServices” and “Google Analytics” specified in the cookie consent tool, Google generates the information about the use of cookies required for its service. These are usually transferred to a Google server in the EU and stored there. For all of the services listed below, Google may transfer personal data to countries outside the EU and the EEA without an adequacy decision, in particular to Google’s parent company. Google relies on the standard contractual clauses approved by the European Commission as a means of ensuring adequate protection. For further details, please feel free to contact us.

You can prevent the installation of cookies in various ways:

by setting your browser software accordingly, in particular by suppressing third-party cookies, this means that you will not receive any advertisements from third-party providers;
by installing the plug-in provided by Google under the following link: https://www.google.com/settings/ads/plugin ;
by deactivating the interest-based ads of providers that are part of the self-regulatory campaign “About Ads” via the link http://www.aboutads.info/choices , although this setting will be deleted when you delete your cookies;
by permanently deactivating it in your browsers Firefox, Internet Explorer or Google Chrome under the link http://www.google.com/settings/ads/plugin ;
using the appropriate cookie setting. We would like to point out that in this case you may not be able to fully use all of the functions of this offer.

Further information that Google provides on data protection can be found here: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html .

(1) Google Analytics 4 and Google Signals

We use Google Analytics 4 from Google. If you agree to the corresponding processing in the Usercentrics consent management system, we process the data in accordance with the information provided there on the basis of consent. If you also consent to the use of Google Signals in the Consent Management System Usercentrics, we also use this function on the basis of consent as described in the Consent Management System Usercentrics.

As far as data is transferred from the European Google company specified in the Consent Management System Usercentrics to unsafe third countries, this is done on the basis of EU standard contractual clauses. For further details, please feel free to contact us.

The legal basis for the corresponding processing is your consent in accordance with Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland.

(2) Google Ads Conversion and Conversion Linker

We use the “Google Ads Conversion” offer to draw attention to our attractive offers on external websites using advertising materials (so-called Google Ads). We can determine how successful the individual advertising measures are in relation to the data from the advertising campaigns. Our interest is to show you advertising that is of interest to you, to make our website more interesting for you and to achieve a fair calculation of advertising costs.

These advertising materials are delivered by Google via so-called “ad servers”. To do this, we use ad server cookies, through which certain parameters can be measured to measure success, such as display of ads or clicks by users. If you reach our website via a Google ad, Google Ads will store a cookie on your device. These cookies typically expire after 180 days and are not intended to be used to identify you personally. This cookie is usually used as analysis values

Unique cookie ID,
Number of ad impressions per placement (frequency),
last impression (relevant for post-view conversions) as well
Opt-out information (marking that the user no longer wants to be addressed)

saved. These cookies enable Google to recognize your internet browser. If a user visits certain pages of an Ads customer’s website and the cookie stored on their computer has not yet expired, Google and the customer can recognize that the user clicked on the ad and was redirected to this page. Each Ads customer is assigned a different cookie. Cookies cannot therefore be tracked via the websites of Ads customers.

The Conversion Linker stores click data in order to effectively measure conversions.

We ourselves do not collect or process any personal data in the advertising measures mentioned. We only receive statistical evaluations from Google. Based on these evaluations, we can identify which of the advertising measures used are particularly effective. We do not receive any further data from the use of advertising materials; in particular, we cannot identify users based on this information.

If you have expressly consented to the data processing described (Art. 6 Para. 1 a) GDPR, Art. 9 Para. 2 a) GDPR) or Art. 30 in conjunction with Art. 31 DSG/Switzerland), your browser is based on the data processing used Marketing tools automatically establish a direct connection to Google’s server. We have no influence on the extent and further use of the data collected by Google through the use of this tool and therefore inform you according to our knowledge: By integrating Ads Conversion, Google receives the information that you have used the corresponding part of our website accessed our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out and store your IP address.

(3) Google Ads Remarketing

Within Google Ads, if you have given your express consent (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland), we also use the Remarketing function. With the remarketing function, we can present users of our website with advertisements based on their interests on other websites within the Google advertising network (in Google Search or on YouTube, so-called “Google Ads” or on other websites). For this purpose, the interaction of users on our website is analyzed, for example which offers the user was interested in, in order to be able to show users targeted advertising on other pages even after they have visited our website. For this purpose, Google stores cookies on the devices of users who visit certain Google services or websites in the Google display network. These cookies usually expire after 30 days (this only applies to cookies set via this website). These cookies are used to record the visits of these users. The cookies are used to uniquely identify a web browser on a specific device and not to identify a person.

(4) Google DoubleClick

We use “DoubleClick”, another online marketing tool from Google, on our website. We use DoubleClick for marketing and optimization purposes, particularly to show ads that are relevant and interesting to you, to improve campaign performance reporting, or to prevent you from seeing the same ads more than once.

If you have given your consent for this (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland), Google uses a cookie ID to record which advertisements in which web browser is used. This can prevent ads from appearing multiple times. DoubleClick can also use cookie IDs to record so-called conversions that are related to ad requests. This is the case, for example, if you see a DoubleClick ad and later use the same web browser to go to the advertiser’s website and make a purchase.

The cookies do not contain any personal data. By using DoubleClick, your browser automatically establishes a direct connection with the Google server. We have no influence on the extent and further use of the data collected through the use of DoubleClick by Google. Google receives the information that you have accessed the relevant part of our website or clicked on an advertisement from us. If you have a user account with Google and are registered, Google can assign the visit to your user account. Even if you are not registered with Google or have not logged in, there is a possibility that Google will find out and store your IP address.

3.2.2.3 Facebook Pixel

For further analysis and optimization and the economic operation of our offer, we also use “Facebook Pixel” from the social network Facebook, which is operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”).

Facebook may transfer personal data to countries outside the EU and the EEA without an adequacy decision, in particular to the parent company or other group companies in the USA. Facebook relies on the standard contractual clauses that the European Commission and the FDPIC have approved as a means of ensuring adequate protection. For further details, please feel free to contact us.

Facebook Pixel is directly integrated into our website through Facebook and can store a cookie on your device, provided you have given your express consent to do so (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland). If you then log in to Facebook or visit Facebook while logged in, your visit to our online offering will be noted in your profile. The data collected about you is anonymous to us, so it does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and can be used by Facebook and for its own market research and advertising purposes. If we transmit data to Facebook for comparison purposes, it will be encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of comparing data with the same data encrypted by Facebook.

With the help of the Facebook pixel, Facebook is also able to determine visitors to our website as a target group for displaying advertisements (so-called “Facebook Ads”). Accordingly, we use the Facebook pixel to only show the Facebook ads we place to those Facebook users who have shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products) based on the information they visit websites) that we transmit to Facebook (so-called “Custom Audiences”). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of the users and do not appear annoying. With the help of the Facebook pixel, we can also track the effectiveness of Facebook advertisements for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook advertisement (so-called “conversion”).

Furthermore, when using the Facebook pixel, we use the additional “extended comparison” function. Here, data to form target groups (“Custom Audiences” or “Look Alike Audiences”) is transmitted to Facebook in encrypted form.

We only use Facebook Pixel on our website if you consent to this processing of your personal data (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR GDPR or Art. 30 in conjunction with Art. 31 DSG /Switzerland). You can of course revoke your consent at any time in the future. The revocation does not affect the lawfulness of the processing (until revocation).

Further information on the collection and use of data by Facebook as well as your rights in this regard and options for protecting your privacy can be found in Facebook’s data protection information at https://www.facebook.com/about/privacy/ .

Alternatively, you can deactivate the “Custom Audiences” remarketing function at https://www.facebook.com/settings/?tab=ads#_=_ . To do this you must be logged in to Facebook.

To set which types of advertisements are shown to you within Facebook, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising . The settings are platform-independent, meaning they are applied to all devices such as desktop computers or mobile devices. You can also object to the use of cookies that are used to measure reach and for advertising purposes via the deactivation page of the Network Advertising Initiative and also the US website aboutads.info or the European website youronlinechoices.com .

3.2.2.4 Hotjar

We use Hotjar, Hotjar Limited, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta, to better understand the needs of our users and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experiences (e.g. how much time they spend on which pages, what links they click, what users like and don’t like, etc.) and that helps us in enables us to build and maintain our service based on user feedback. Hotjar uses cookies and other technologies to collect data about the behavior of our users and their devices. This includes a device’s IP address (which is processed during your session and stored in an anonymized form), the device’s screen size, device type (unique device identifiers), browser information, geographical location (country only) and preferred language in which our website is displayed. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.

For more details, see the ‘About Hotjar’ section on the Hotjar support page .

Processing only takes place in the event of consent. The legal basis in such cases is Art. 6 Para. 1 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland . You declare such consent by agreeing to the “Hotjar” service in the cookie consent tool.

3.2.2.5 Microsoft Advertising

On our pages we use Microsoft Advertising, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (Microsoft). Microsoft stores a cookie on your computer if you came to our website via a Microsoft ad. In this way, Microsoft and we can recognize that someone clicked on an ad, was redirected to our website and reached a predetermined target page (conversion page). We only find out the total number of users who clicked on a Microsoft ad and were then redirected to the conversion page.

Further information about data protection and the cookies used at Microsoft can be found on the Microsoft website at https://privacy.microsoft.com/de-de/privacystatement

3.2.2.6 Wisepops

We use the pop-up solution Weispops, the Simplified Limited Liability Company, 49 rue Jean De La Fontaine, 75016 Paris, France (Wisepops) to implement pop-ups. Wisepops data is also used for statistical and analytical purposes. Data processing takes place in Ireland/EU/EEA. Further information and current contact details can be found in the data protection declaration of the service provider.

3.2.2.7 YouTube

Content (YouTube videos) from Google (see section 4.2.2.1 for the respective company and corresponding transfers of personal data to third countries) is integrated into our website in order to be able to provide you with relevant content.

When you view a YouTube video, a connection is established to the Google servers and your IP address is transferred. This also transmits to the Google server which of our websites you have visited. Furthermore, your interactions with regard to the video content are transmitted to Google.

Google may transfer personal data to countries outside the EU and the EEA without an adequacy decision, in particular to Google’s parent company. Google relies on the standard contractual clauses approved by the European Commission as a means of ensuring adequate protection. For further details, please feel free to contact us.

Processing only takes place in the event of consent. The legal basis in such cases is Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland . You declare such consent by agreeing to the “YouTube Video” service in the cookie consent tool.

3.2.2.8 LinkedIn Insight Tag

To place target group-specific ads on LinkedIn and to measure conversions, we use the “LinkedIn Insight Tag” from LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (LinkedIn).

This tool processes IP addresses, device and browser information, referrer URL and timestamps. IP addresses are shortened or hashed (if used to reach members across multiple devices). This tool can be used to track user behavior after a user clicks on a LinkedIn ad and is redirected to the ad or the company’s website. Conversion measurement enables us to measure, evaluate and optimize the effectiveness of LinkedIn advertising for statistical and market research purposes.

The personal data collected is transmitted to LinkedIn via the LinkedIn Insights tag and processed by LinkedIn for the purpose of conversion measurement. We receive reports from LinkedIn for conversion measurement in anonymized form. We cannot rule out that LinkedIn links the transmitted personal data with other personal data (e.g. an existing LinkedIn account). LinkedIn also uses data that does not identify you to make our ads more relevant and reach members across devices. It cannot be ruled out that LinkedIn will use the relevant data for its own additional purposes.

By incorporating the LinkedIn Insights tag, we can display targeted ads on LinkedIn and receive real-time information about our website visitors’ professional goals and preferred content.

The LinkedIn Insights tag is also used to show LinkedIn ads to people we are already in contact with (so-called retargeting). If you click on an ad placed via LinkedIn, a cookie for conversion tracking will be placed on your computer. If you visit a particular website whose cookie has not yet expired, we can recognize that you clicked on an ad that redirected you to our site. LinkedIn, as a service provider, also receives this information.

We cannot rule out that LinkedIn transfers personal data to unsafe third countries such as the United States.

Processing in connection with the LinkedIn Insights Tag only takes place if you give your consent. The legal basis in such cases is Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland . You declare such consent by agreeing to the “LinkedIn Insight Tag” service in the cookie consent tool.

In addition to the options to revoke your consent, you can also deactivate the LinkedIn Insight tag on our website using this link .

Further information about LinkedIn Insight Tag can be found in the relevant information on LinkedIn and LinkedIn’s data protection information.

3.2.2.9 TV Squared

(Headquarters: Great Britain): Service provider for measuring the effectiveness of television advertising. The purpose of data processing is to provide personalized advertising. Data processing takes place in Great Britain/EU/EEA. Further information and current contact details can be found in the data protection declaration of the service provider.

3.2.2.10 Instapage

Some pages on our website are hosted on servers of Instapage Inc., 18 King Street, Suite 450, San Francisco, CA 94107, USA (“Instapage”). If you access a corresponding page, the information in section 4.2. The data mentioned above, which is stored in log files, is transmitted to Instapage.

If you give your consent via the User Centrics cookie consent tool, cookies and other technologies will also be used to record and evaluate your usage behavior on our website. The legal basis in such cases is Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland . You declare such consent by agreeing to the “Instapage” service in the cookie consent tool.

We have concluded an order processing contract with Instapage.

Since personal data is transferred to the USA, we have concluded Instapage EU standard contractual clauses (Art. 46 Para. 2 c) GDPR or Art. 16 Para. 2 lit. d DSG/Switzerland) to ensure a level of data protection that corresponds to the EU , according to which Instapage is committed to complying with European data protection. For further details, please feel free to contact us.

With Instapage, it may happen that fonts are loaded from the Google servers and your IP address and other data mentioned in Section 4.2 are transmitted to Google (see Section 4.2.2.1 for the respective company and corresponding transfers of personal data to third countries). .

Further information about data protection at Instapage can be found at https://instapage.com/privacy-policy

3.2.3 Linking to social media presences

On our website you will find links to our social media services. Only when you consciously use the link will data about your visit to our website (e.g. IP address, time, URL) or data existing on your device (e.g. cookie information) be transmitted to the respective provider. Below we would like to inform you about how your data is processed when you use our social media presence.

3.2.3.1 Facebook

We operate a Facebook page to draw attention to our offerings, to provide information there and to get in touch with you as a visitor and user of our Facebook page. As the operator of this Facebook page, we are responsible together with the operator of the platform, Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (hereinafter “Facebook”).

When you use and access our Facebook page, your personal data will be processed by Oviva and also by Facebook. Oviva and Facebook are jointly responsible for the processing of Insights data (Art. 26 GDPR and Art. 5 lit. j DSG/Switzerland). The respective responsibilities of Oviva and Facebook with regard to the processing of Insights data are set out in the Page Insights Supplement, available at https://www.facebook.com/legal/terms/page_controller_addendum .

Below we will inform you about what data this is and how it is processed.

We would like to point out that you use the Facebook platform and its functions at your own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, liking, etc.).

It is possible to contact us via our Facebook page either through a private message or through a comment under a picture. You can contact us with questions about Oviva, our Facebook page or other inquiries. When you contact us, we will in particular be provided with your user name, the text of the request and, if applicable, other personal data. This data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. Comments are public and visible to all other Facebook users.

In many cases, the legal basis for the processing of personal data is Art. 6 Para. 1 b) GDPR (fulfillment of the contract or pre-contractual measures) and, if this legal basis is not relevant, Art. 6 Para. 1 f) GDPR on the basis of the legitimate interests arising from the stated purposes or Art. 30 in conjunction with Art. 31 DSG/Switzerland. Your data will be deleted after your request has been processed, provided there are no legal retention requirements. We assume final processing if the circumstances indicate that the matter in question has been conclusively clarified. You must delete public comments yourself.

We also analyze the views and interactions on our Facebook page. For this purpose, Facebook creates usage profiles and only provides us with anonymous data in the form of page insights (“Page Insights”): https://www.facebook.com/business/a/page/page-insights .

This is aggregated data that helps us understand how people interact with our site. Page Insights may be based on personal information collected in connection with a person’s visit to or interaction with our Site and its content. According to Art. 6 Para. 1 f) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland, this serves to protect our legitimate interests, which predominate in the context of a balancing of interests, in an optimized presentation of our offer and effective communication with visitors.

How Facebook uses Insights data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page If data is passed on to third parties, it is the responsibility of Facebook.

With regard to data processing via our Facebook page, you have the opportunity to assert your data subject rights (see section 9 below) not only against Oviva but also against Facebook. Further information can be found in Facebook’s data usage policy at http://de-de.facebook.com/about/privacy .

In addition to the processing described above, Facebook also processes your data for analysis and advertising purposes or to display personalized advertising. Facebook also uses cookies, pixels or other technologies that store your usage behavior (including across different devices). This allows Facebook to display targeted advertising on its own platform and on third-party sites. The data collected about you in this context will also be transferred by Facebook to the USA and other countries outside the European Union. What information Facebook receives and how it is used is described in general terms in its data usage guidelines. There you will also find information about contact options for Facebook and the setting options for advertisements. The data usage guidelines are available at the following link: http://de-de.facebook.com/about/privacy . Facebook’s full data policy can be found here: https://de-de.facebook.com/full_data_use_policy .

Facebook also offers Facebook members the opportunity to object to certain data processing. Information on this and opt-out options can be found at https://www.facebook.com/settings?tab=ads .

You can contact Facebook’s data protection officer using the online contact form provided by Facebook at https://www.facebook.com/help/contact/540977946302970 .

The relevant supervisory authority for Meta Platforms Ireland Limited is: Data Protection Commission Canal House Station Road Portarlington Co. Laois R32 AP23, Ireland ( https://www.dataprotection.ie ).

3.2.3.2 Instagram

We also use the technical platform and services of Instagram for our offering. The Instagram service is one of the Facebook products provided by Facebook (see 3.2.3.1).

As operators of this Instagram page, we are jointly responsible with Facebook. When you visit our Instagram page, personal data is processed by those responsible. As the person responsible for this site, we have entered into agreements with Facebook which, among other things, regulate the conditions for using the Instagram site. The Instagram terms of use https://help.instagram.com/581066165581870 ) as well as the other conditions and guidelines listed at the end are decisive.

Below we will inform you about what data this is and how it is processed.

We generally only collect and use personal data from our users to the extent that this is necessary or appropriate to provide the functional Instagram company page or a website linked to Instagram as well as for our content and services, for example when participating in promotions, competitions, etc. published via Instagram etc.

It is possible to contact us via our Instagram page either through a private message or through a comment under a picture. You can contact us with questions about Oviva, our Instagram page or other inquiries. When you contact us, we will in particular be provided with your user name, the text of the request and, if applicable, other personal data. This data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. Comments are public and visible to all other Instagram users.

Depending on the users’ respective privacy settings on Instagram, we may also see if you have liked, shared or subscribed to one of our Instagram pages/posts/comments. We can also assign comments on our Instagram pages to you as an Instagram user. The legal basis for this data processing is Art. 6 Para. 1 f) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland. Our legitimate interest lies in communicating and interacting with you via Instagram.

The type and extent of collection of personal data when you visit an Instagram page also depends on your behavior and can be influenced by you. It is possible to visit our Instagram page at any time without leaving comments or clicking “Like”. Please note that the interactive functions of Instagram are only possible after registration. Related data can also be processed by Facebook.

We also receive statistical data about visitors to our Instagram pages from Facebook via the “Insights” function. This is aggregated data that helps us understand how people interact with our site. Page Insights may be based on personal information collected in connection with a person’s visit to or interaction with our Site and its content. This function allows us to better analyze our site and adapt it to the interests of our users. Our legitimate interest in accordance with Art. 6 Para. 1 f) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland in operating our Instagram page and using the insights lies in conducting effective marketing via a widely used platform. Further information about the “Insights” function can be found here: https://www.facebook.com/iq/tools-resources/audience-insights/ .

We expressly point out that Facebook stores its users’ data (e.g. personal information, IP address, etc.) and may also use it for business purposes. How Facebook uses data from visits to Instagram pages for its own purposes, to what extent activities on the Instagram page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties is the responsibility of Facebook. Further information on Facebook’s data processing can be found in Facebook’s data protection policy at https://de-de.facebook.com/policy.php .

If you would like to avoid Facebook processing personal data you have provided to us, please contact us by means other than Instagram. You can find our complete contact details in our legal notice on this website or on our Facebook page.

You can contact Facebook’s data protection officer using the online contact form provided by Facebook at https://www.facebook.com/help/contact/540977946302970.

Competent supervisory authority for Meta Platforms Ireland Limited: Data Protection Commission Canal House Station Road Portarlington Co. Laois R32 AP23, Ireland ( https://www.dataprotection.ie ).

3.2.3.3 LinkedIn and YouTube

We also operate social media presences on LinkedIn (operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) and YouTube (operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) in order to access our Aware of, communicate with and improve products, services and career opportunities.

The processing of personal data is generally carried out on the basis of Art. 6 Para. 1 lit. f GDPR due to our legitimate interests in public relations, communication and product improvement or Art. 30 in conjunction with Art. 31 DSG/Switzerland, unless otherwise stated.

We may view your posts and similar interactions on social media sites and, depending on your privacy settings, your public profile. We may use this data to improve our information and products, particularly in relation to our social media presence.

If you contact us via our social media presence, we will process the personal data you provide to process your request, in particular to answer your request. We can then respond to your request via our respective social media presences. In many cases, the legal basis for the processing of personal data is Art. 6 Para. 1 b) GDPR (fulfillment of the contract or pre-contractual measures) and, if this legal basis is not relevant, Art. 6 Para. 1 f) GDPR on the basis of the legitimate interests arising from the stated purposes or Art. 30 in conjunction with Art. 31 DSG/Switzerland.

As a precautionary measure, we would like to point out that communication via social media presences can be unsafe. You can contact us at any time through other communication channels and receive a response through these other channels.

We also receive aggregated usage statistics from the Platforms. This serves to evaluate usage and improve our information offering. Usage statistics may also be generated by the Platform based on your personal usage data. You can find further information regarding YouTube at https://policies.google.com/privacy?hl=de and regarding LinkedIn at https://de.linkedin.com/legal/privacy-policy?trk=homepage-basic_join- form-privacy-policy .

We have no influence on the processing of your personal data by the respective providers. Rather, platform operators can control data processing as part of the use of their respective services. This includes, for example, storing and using cookies on your device and analyzing your behavior on social networks.

3.2.4 Additional tool: Fivetran

We use Fivetran from Fivetran Inc. (USA) to support the analysis of information. The purpose is to transfer data to database systems. Data processing takes place in the EU/EEA. Further information can be found in the data protection declaration of the service provider. The legal basis for the processing purposes mentioned is, on the one hand, the implementation of the joint contractual relationship and the associated provision of our offer (Art. 6 Para. 1 b) GDPR) as well as the consent (Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR), the latter in particular if health data is processed or Art. 30 in conjunction with Art. 31 DSG/Switzerland.

The data will only be transferred by Fivetran Inc. to third countries if there is an adequacy decision by the EU Commission for the relevant country, if EU standard contractual clauses are implemented, other suitable guarantees in accordance with Art. 46 GDPR or Art. 16 para. 1 and 2 DSG/Switzerland or exceptions according to Art. 49 DS-GVO or Art. 17 DSG/Switzerland are relevant. For further details and copies of the appropriate, appropriate guarantees, please feel free to contact us.

4. Transfer of data to other third parties

4.1 Disclosure to external service providers

We must pass on some data to external third parties in strict compliance with applicable data protection law. This transfer of data is in addition to the transfers already explained in other sections, in particular in connection with the tools and features used.

In this context, we forward your data to the following service providers:

4.1.1 To send emails

We use the “Sendgrid” service to send emails that are generated from our website. Sendgrid is an offer from Twilio Inc. 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”).

The following data, among others, is collected and transmitted to Sendgrid for order processing:

Your email address,
Your complete name,
Your Address.

Only transactionally necessary information that is necessary to understand and classify the email is transmitted.

For statistical purposes, Twilio via Sendgrid carries out anonymized link tracking on our behalf (or personalized only with your express permission). You can view Twilio’s current privacy policy at https://www.twilio.com/legal/privacy .

You can object to the use of Sendgrid as a processor. In this case, however, we can no longer send you emails for technical and organizational reasons.

4.1.2 To send SMS

4.1.2.1 Twilio

In order to be able to contact you via SMS (e.g. to send 1-time codes in the Oviva app, for appointment confirmations and appointment reminders via SMS), we use Twilio, a service tool from Twilio Inc., 357 Beale Street, Suite 300, San Francisco, CA 94105 USA (hereinafter “Twilio”). Twilio also processes your personal data on servers in the USA. For this reason, in order to ensure a level of data protection that complies with the EU, we have concluded EU standard contractual clauses with Twilio, according to which Twilio commits to complying with European data protection. For further details, please feel free to contact us.

For order processing, we transmit your mobile phone number to Twilio in encrypted form, where it is stored.

For more information about Twilio’s data processing, please see Twilio’s privacy policy at https://www.twilio.com/legal/privacy .

You can object to the use of Twilio as a processor. In this case, however, we can no longer send you an SMS for technical and organizational reasons.

4.1.2.2 WebSMS

In addition, we use the WebSMS service tool from sms.at mobile internet services GmbH, Brauquartier 5/13, 8055 Graz, Austria (hereinafter “WebSMS”) to contact your coach with you.

For order processing, we transmit your mobile phone number to WebSMS in encrypted form. No further customer data will be transmitted to WebSMS.

You can object to the use of WebSMS as a processor. In this case, however, we can no longer send you an SMS for technical and organizational reasons.

4.1.2.3 Salesforce

Salesforce is also used to send SMS. See section 4.1.4 below.

4.1.3 Technical implementation of the registration process

For the technical implementation of the registration process, we use forms from the services Formstack LLC, 8604 Allisonville Rd., Ste. 300 Indianapolis, IN 46250 and FormAssembly Inc., 885 S College Mall Rd, #399, Bloomington, Indiana, 47401, USA.

You send the data entered in the form directly to Formstack in the USA, and Formstack sends us the data you entered. At FormAssembly, hosting takes place within the EU, but transfers to the USA may also occur. For these reasons, in order to ensure a level of data protection that complies with the EU, we have concluded EU standard contractual clauses with Formstack and FormAssembly, according to which Formstack undertakes to comply with European data protection

For further information, please see the privacy policies of Formstack ( https://www.formstack.com/privacy ) and FormAssembly (https://www.formassembly.com/privacy-policy/). For further details, please feel free to contact us.

For technical reasons, registering for nutritional advice via our website is not possible without the use of Formstack and FormAssembly.

4.1.4 Use of Salesforce Sales Cloud and Marketing Cloud

Data that you provide to us via our website (e.g. personal data when you register for nutritional advice) is stored on servers in the Salesforce Sales Cloud (salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich). Germany and France stored and used for customer management.

We use the Salesforce Marketing Cloud to send transactional and newsletter emails and push notifications. To do this, your data is transferred from the Sales Cloud to the Marketing Cloud. The Salesforce Marketing Cloud data is also stored on servers in Germany and France.

Salesforce is part of an international group of companies. It is therefore conceivable that personal data may also be transferred to countries outside the EU or EEA without an adequacy decision. This group of companies has committed itself to binding internal data protection regulations in accordance with Article 46 Paragraph 2 b) and Article 47 EU GDPR (so-called binding corporate rules) or Article 16 Paragraph 2 lit. e DSG/Switzerland, also with the Data processing outside the European Union, the European Economic Area and Switzerland must ensure an appropriate level of data protection. Please contact us if you would like to receive a copy of the Binding Corporate Rules.

The data in the Salesforce Sales Cloud and in the Salesforce Marketing Cloud is used exclusively by us. To ensure a data protection level with Salesforce that complies with the EU, we have concluded an order processing contract.

4.1.5 External hosting of the website

Our website is hosted by ALL-INKL.COM – Neue Medien Münnich, owner: René Münnich, Hauptstraße 68, D-02742 Friedersdorf. The information in section 3.2 will be sent to this host. The data mentioned above, which is stored in log files, is transmitted when the website is accessed.

4.1.6 Use of IT service providers

When it comes to the content and technical support and design of our online presence, it may be necessary for external service providers to have access to personal data on our website (e.g. IT service providers). In this case, your personal data will be handled exclusively in accordance with our express instructions and on the basis of an agreement on order processing in accordance with Article 28 of the GDPR. 9 DSG/Switzerland. With this agreement, the service provider guarantees us that the service provision is in accordance with applicable data protection law. In this case, we remain responsible for protecting your data.

4.1.7 External hosting company

We use the Google Cloud Platform, GCP, to host the data. An offer from Google Cloud EMEA Ltd., 70 Sir John Rogerson’s Quay, Dublin 2, Ireland. Your data will be processed on servers in Germany. Google Cloud EMEA Ltd. is part of an international group of companies. Therefore, it cannot be ruled out that this personal data will be transferred to third countries. As far as personal data is collected from Google Cloud EMEA Ltd. are transferred to a third country outside the European Economic Area for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses in accordance with Art. 44, Art. 46 Para. 2 c) GDPR or Art. 16 Para. 2 lit. d DSG/Switzerland. For further details, please feel free to contact us.

Further information can be found in Google’s privacy policy (https://www.google.com/policies/privacy) and the security information for Google Cloud services ( https://cloud.google.com/security/privacy/ ).

4.1.8 Use of the Oviva app while taking prescription weight loss medication

When using medication, monitoring the possible undesirable effects of these remedies is required by law.

If the Oviva services are used in conjunction with taking prescription medication for weight loss, we (including your Oviva coach) are therefore obliged to pass on information about any undesirable effects that could be related to taking the medication (so-called safety information).

The security information may contain personal data. We will only pass on the safety information to the responsible marketing authorization holder for the medication (the “MZI”) or the reporting agency commissioned by him.

In the interest of patient safety and in accordance with applicable law, the safety information is entered into the marketing authorization holder’s safety database, analyzed and regularly assessed to identify general patterns. For this purpose, the security information is retained by MZI for at least 12 years or longer in accordance with applicable law.

If personal data contained in the safety information is essential for the assessment of undesirable effects, the MZI may also, in accordance with applicable law and for the purpose of protecting the health of patients and improving the safety of the medication, use this personal data together with the Pass on safety information to health authorities, to companies affiliated with the MZI (e.g. subsidiaries, partner companies, license partners, consultants, IT service providers) and to other pharmaceutical companies at home and abroad.

4.1.9 Telephone system

For the technical operation of our telephone system and the provision of telecommunications services, we also use service providers who may also have access to personal data from telephone calls.

4.2 Disclosure due to legal obligation

We reserve the right to disclose your personal data if we are legally obliged to do so or if the authorities or law enforcement bodies request that we do so. The legal basis for this is Art. 6 Para. 1 c) GDPR or the corresponding standard of Swiss law in conjunction with the respective legal obligation and, in the case of special categories of personal data affected, the respective variant of Art. 9 Para. 2 GDPR or Art. 31 Para. 1 DSG/Switzerland in conjunction with the respective legal obligation.

5. Evaluation of anonymized data for validation

In order to meet our quality standards and to improve and further develop our services, we evaluate the services we provide to you from the consulting relationship. To do this, we remove any personal reference to you and, even after the consulting relationship has ended, we use this anonymized data for the purpose of validation and quality management (improving and further developing our services and offers).

The data is anonymized based on your consent in accordance with Art. 6 Para. 1 a), Art. 9 Para. 2 a) GDPR or Art. 30 in conjunction with Art. 31 DSG/Switzerland.

In addition, we analyze your anonymized data and use it to create statistics on different patient groups in order to better understand our patient structure and thereby improve and develop ourselves further. Under certain circumstances, these statistics can also be used for research purposes in collaboration with institutes or published. At no time can any conclusions be drawn about individual people from the statistics used in this way.

6. Data security measures and location of data processing

We protect your personal data according to the state of the art with appropriate technical and organizational measures. All employees and contracted professionals of Oviva AG (such as your consultant) who have access to your data are obliged to process personal data exclusively on the instructions of Oviva and in a manner that provides an appropriate level of protection for the security of the data, in particular their integrity and confidentiality are guaranteed and they are not to be disclosed to third parties without authorization. The employees involved in processing operations are sensitized and trained with regard to data protection requirements. Third parties will not have access to your personal data without your express consent.

Your data is stored in a data center in Germany. We also require our external service provider to use your personal data exclusively in accordance with our specifications and in accordance with this data protection declaration and the legal requirements for order processing.

7. Duration of storage of your personal data

The personal data you provide will only be stored by us for as long as is necessary to fulfill the respective purpose for which you provided us with your data, to comply with legal provisions or official requirements, or to assert or defend against claims is necessary in connection with the contractual relationship. In the latter case, your data will be pseudonymized and blocked for any other form of data processing until it is actually used to assert or defend against claims.

8. Transfer to third countries

To the extent that it is stated in this data protection declaration or elsewhere, such as in our consent management system (also known as the cookie banner), that we transfer data to countries outside the EU and the EEA, such transfer usually takes place Basis of consent according to Art. 49 Para. 1 a GDPR or Art. 17 DSG/Switzerland, on the basis of EU standard contractual clauses (Art. 46 Para. 2 c) GDPR or Art. 16 Para. 2 lit. d DSG/ Switzerland or on the basis of Binding Corporate Rules (Art. 46 Para. 2 b), Art. 47 GDPR) or Art. 16 Para. 2 lit. e DSG/Switzerland. If you would like a copy of this, please feel free to contact us.

9. Rights of those affected

Under certain circumstances, applicable data protection law grants you the right to object to the processing of your data, in particular those for the purposes of direct marketing, profiling for direct advertising and other legitimate interests in processing. To make it easier for you to control the processing of your personal data, you also have the following rights in connection with our data processing, depending on the applicable data protection law:

The right to request information from us as to whether and what data we process about you;
the right for us to correct data if it is inaccurate;
the right to request deletion of data;
the right to request that we release certain personal data in a common electronic format or to transfer it to another person responsible;
the right to withdraw consent to the extent that our processing is based on your consent;
the right to request further information necessary to exercise these rights;
the right to express your point of view in the case of automated individual decisions and to request that the decision be reviewed by a natural person.

If you wish to exercise the above rights against us (or against any of our group companies), please contact us in writing, at our location or, unless otherwise stated or agreed, by email; Our contact details can be found in Section 2. In order for us to rule out misuse, we must identify you (e.g. with a copy of your ID, unless this is possible otherwise).

The easiest way to request data deletion is via the app.

You also have these rights towards other bodies that work with us on their own responsibility – please contact them directly if you want to exercise your rights in connection with their processing. Information about our important cooperation partners and service providers can be found in Section 4.

Please note that these rights are subject to requirements, exceptions or restrictions under applicable data protection law (e.g. to protect third parties or trade secrets). We will inform you accordingly if necessary.

In particular, we may need to further process and store your personal data in order to fulfill a contract with you, to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to protect legitimate interests, we can therefore reject a data subject’s request in whole or in part (e.g. by blacking out certain content that concerns third parties or our business secrets).

If you do not agree with our handling of your rights or data protection, please let us know or our data protection officer (Section 2). In particular, if you are located in the EEA, the UK or Switzerland, you also have the right to complain to your country’s data protection supervisory authority. A list of authorities in the EEA can be found here: https://edpb.europa.eu/about-edpb/board/members_de. The UK regulator can be contacted here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/de/home/adresse.html.

10. Different language versions

In the event of any conflict or difference in interpretation between the different language versions of this Privacy Policy, the German version shall prevail.

11. Updating and changes

Parts of this Privacy Policy may be changed or updated by us without prior notice to you. Please review the Privacy Policy before using our services to be aware of any changes or updates.