Privacy Policy
As of May 1, 2026 | Vianova eHealth GmbH
1. Responsible Party
The responsible party in the sense of the General Data Protection Regulation (GDPR) for the processing of personal data on this platform is:
Vianova eHealth GmbH
Hebbelstraße 20, 14469 Potsdam
Represented by: Yvonne Mengeringhaus, Cristina Cretulescu
2. Data Protection Officer
We have appointed an external Data Protection Officer in accordance with Art. 37 GDPR. If you have any questions regarding data protection and the exercise of your rights, you can contact him at any time:
DATENDO GmbH
Hohenzollernring 55, 50672 Cologne
Email: datenschutz-644@anfragen.datendo.de
Web: www.datendo.de
3. Scope of Application
This privacy policy applies to the processing of personal data in the context of using the Vianova eHealth platform and the website www.vianova-ehealth.com. The platform is a password-protected web application that enables secure digital exchange between therapists and patients.
All processing operations related to accessing the website, using publicly available website functions, registration, login, using platform features, and communication via the platform are recorded.
Supplementary contractual regulations may arise from the General Terms and Conditions (GTC) of Vianova eHealth GmbH. In case of contradictions, the stricter data protection regulation always applies.
4. Registration, Login, and User Account Management
Access to the platform is exclusively through a secure, personalized login area. Registration is required to use the platform. We process the following data:
| Data category | Purpose | Legal basis |
| --- | --- | --- |
| Name, email address, username | Setup and management of the user account; authentication | Art. 6 para. 1 lit. b GDPR |
| Password (stored encrypted) | Access security; protection against unauthorized access | Art. 6 para. 1 lit. b GDPR |
| Login timestamp, IP address, session tokens | Security monitoring; logging of accesses; abuse detection | Art. 6 para. 1 lit. f GDPR |
| Access rights and roles (therapist / patient) | Role-based access control; ensuring the need-to-know principle | Art. 6 para. 1 lit. b and f GDPR |
| Change and log notes | Traceability of account changes; auditability | Art. 6 para. 1 lit. c and f GDPR |
Access to systems with personal data is secured by multi-factor authentication (MFA). Access rights are granted according to the least privilege principle and are regularly reviewed. Upon termination of the user relationship, user accounts are immediately deactivated.
5. Platform use – Patients
Patients gain access to a personal area through the secure login, where therapeutic support is digitally assisted. We process the following personal data:
| Data category | Purpose | Legal basis |
| --- | --- | --- |
| Basic and contact data (name, address, date of birth, phone, email) | Patient management; availability; identification | Art. 6 para. 1 lit. b GDPR; Art. 9 para. 2 lit. h GDPR |
| Health data, therapy content, documentation notes | Provision of therapeutic services; documentation of the therapy process | Art. 9 para. 2 lit. h GDPR in conjunction with national health regulations |
| Communication content via the platform | Therapeutic communication; appointment organization; follow-up | Art. 6 para. 1 lit. b GDPR; Art. 9 para. 2 lit. h GDPR |
| Appointment and organizational data | Appointment management; reminder functions | Art. 6 para. 1 lit. b GDPR |
| Usage logs (accesses, session data) | Security monitoring; troubleshooting | Art. 6 para. 1 lit. f GDPR |
Note on health data: Health data are special categories of personal data according to Art. 9 GDPR. They are processed with enhanced technical and organizational protective measures and are accessible only to authorized therapists and authorized internal parties.
6. Platform use – Therapists
For authorized therapists who use the platform as part of their professional activities, we process the following personal data:
| Data category | Purpose | Legal basis |
| --- | --- | --- |
| Name, professional contact details, qualifications | Registration and verification as an approved therapist | Art. 6 para. 1 lit. b GDPR |
| Access data and user role rights | Access control; need-to-know assurance | Art. 6 para. 1 lit. b GDPR |
| Service and documentation data | Proof of services rendered; billing; quality assurance | Art. 6 para. 1 lit. b and c GDPR |
| Communication and correspondence content | Processing of the contractual relationship; customer support | Art. 6 para. 1 lit. b GDPR |
| Log and access notes | Security monitoring; compliance evidence | Art. 6 para. 1 lit. c and f GDPR |
Therapists are contractually obligated to confidentiality and may only access those patient data that are necessary for their work.
7. Processing of special categories of personal data
In the context of platform use, health data is regularly processed. According to Art. 9 GDPR, these belong to the special categories of personal data and are subject to increased protection.
The processing of such data occurs exclusively on the basis of:
- Art. 9 para. 2 lit. h GDPR (purposes of health care and health services)
- Art. 9 para. 2 lit. a GDPR (explicit consent of the data subject), unless another basis applies
- Supplementary provisions of national law (§ 22 BDSG)
Health data is stored and transmitted in an encrypted form. Access is limited to a narrowly defined group of authorized individuals. Automated decision-making or profiling does not take place. Processing is restricted to the minimum necessary for the respective therapeutic purpose. Where possible, data is processed in a pseudonymized manner.
8. Server operation, hosting, and log files
The platform is operated on servers of a hosting company certified according to ISO 27001, which has implemented multi-layered physical and technical security measures. The servers are located within the European Union.
Technical data is automatically recorded in server log files with each access to the platform:
| Log data | Purpose | Storage duration |
| --- | --- | --- |
| IP address (pseudonymized) | Security monitoring; abuse detection | 7 days |
| Timestamp, accessed URL, HTTP status code | Error diagnosis; performance monitoring | 7 days |
| Browser type, operating system (User-Agent) | Technical compatibility; security analysis | 7 days |
| Transferred data volume | Capacity planning; system security | 7 days |
The legal basis for logging is Article 6(1)(f) of the GDPR (legitimate interest in IT security and the proper operation of the platform).
9. Cookies and similar technologies
The platform only uses technically necessary cookies and session tokens, without which secure operation is not possible:
| Type | Purpose | Legal basis | Duration |
| --- | --- | --- | --- |
| Session cookie (technically necessary) | Maintaining the login session; CSRF protection | Art. 6 para. 1 lit. b GDPR | End of session |
| Authentication token | Secure access; MFA validation | Art. 6 para. 1 lit. b GDPR | End of session |
| Security cookies | Protection against Cross-Site Request Forgery; attack detection | Art. 6 para. 1 lit. f GDPR | End of session |
Analysis, marketing, or tracking cookies are not used in the password-protected area of the platform. If external services are integrated on the publicly accessible website, we will inform you about this in Section 10.
10. Processing operations on the website www.vianova-ehealth.com
In addition to the password-protected platform, we provide various functions, content, and external services on the publicly accessible website www.vianova-ehealth.com. The following information additionally applies to these processing operations.
10.1 Contact Form
On our website, we provide you with a contact form through which you can send us a message. In the context of using the contact form, we collect and process the personal data you provide, in particular your name, your email address, your phone number, and the content of your message.
The processing of this data is carried out for the purpose of handling your contact request and the resulting communication with you. The legal basis is Article 6(1)(b) of the GDPR, insofar as your request is aimed at the conclusion or fulfillment of a contract; otherwise, the processing is based on our legitimate interest in the proper handling of inquiries directed to us in accordance with Article 6(1)(f) of the GDPR.
If we use service providers to provide and operate the contact form or to process your request, this is done within the framework of order processing in accordance with Article 28 of the GDPR based on corresponding contracts. A transfer of your data to third parties beyond this only takes place to the extent necessary for processing your request or if there is a legal obligation.
Your personal data will only be stored as long as necessary to process your contact request and the associated communication; beyond that, storage will only occur as required by legal retention obligations, particularly commercial or tax-related retention periods. To the extent that processing is based on our legitimate interest, you have the right under Art. 21 para. 1 GDPR to object to the processing at any time for reasons arising from your particular situation. If the processing is based on consent, you can revoke it at any time with effect for the future.
10.2 Online Appointment Booking
On our website, we offer you the opportunity to schedule an appointment with Vianova eHealth through an online appointment booking function. In the context of using this function, personal data is collected, particularly your name, your email address, your phone number, as well as the desired appointment time and information regarding your request.
The processing of this data is carried out for the purpose of receiving, processing, and confirming your appointment request, as well as for conducting the associated communication. The legal basis is Art. 6 para. 1 lit. b GDPR, insofar as the data processing is necessary for the implementation of pre-contractual measures at your request; additionally, the processing may be based on our legitimate interest in efficient appointment organization according to Art. 6 para. 1 lit. f GDPR.
For the technical provision of appointment booking, an external calendar or booking service may be integrated, which acts as a processor on our behalf and technically handles the appointment management. With such a service provider, we conclude a data processing agreement in accordance with Art. 28 GDPR, as required. If, in the context of using the external service, a transfer of personal data to a third country outside the European Economic Area should occur, we ensure that appropriate safeguards are in place in accordance with Art. 44 et seq. GDPR.
Your personal data will only be stored as long as necessary to fulfill the purpose pursued with the appointment booking or as long as legal retention obligations prevent deletion. To the extent that the processing is based on Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing at any time for reasons arising from your particular situation in accordance with Art. 21 GDPR.
10.3 Online Shop (Booking of Diagnostic Services)
Through our online shop at www.vianova-ehealth.com, you have the opportunity to book and pay for diagnostic services such as ADHD diagnostics, ASD diagnostics, or combination diagnostics. In the context of order processing, we collect and process personal data, in particular your name, contact details, billing address, and payment information.
The processing of this data is carried out for the purpose of fulfilling the contract, billing for the booked diagnostic services, and related communication, such as confirming your booking, sending invoices, or clarifying inquiries related to the booked service. The legal basis is Article 6(1)(b) GDPR; to the extent that the processing is necessary for the fulfillment of legal storage obligations, particularly tax and commercial law requirements, the legal basis is Article 6(1)(c) GDPR.
Your personal data will only be shared to the extent necessary for the fulfillment of the contract, for example, with payment service providers for processing the payment transaction or with IT service providers who technically support us in operating the online shop. With these recipients, we have, where necessary, concluded data processing agreements in accordance with Article 28 GDPR. Should a transfer of personal data to a third country outside the European Economic Area occur in individual cases, we ensure that appropriate safeguards in accordance with Articles 44 et seq. GDPR are in place.
Your personal data will only be stored as long as necessary to fulfill the respective contractual purpose; after the complete processing of the contractual relationship, the data will be deleted unless legal storage obligations, particularly from commercial and tax law, require a longer storage period. You have the right to object to the processing of your personal data under the conditions of Article 21 GDPR; if the processing is based on consent, you can revoke this at any time with effect for the future.
10.4 External Diagnostic Procedures (Hogrefe)
As part of our offering on www.vianova-ehealth.com, we use an external testing procedure from the provider Hogrefe for diagnostic purposes. During the execution of this diagnostic process, personal data as well as health-related data, which are special categories of personal data within the meaning of Art. 9 para. 1 GDPR, are transmitted to Hogrefe or processed by Hogrefe on our behalf.
The processed data may include, in particular, information about the person, test results, response behavior, and technical usage data in connection with the execution of the testing procedure. The purpose of the processing is to conduct and evaluate diagnostic procedures as part of the services offered through our platform and website.
The processing of personal data is based on your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR. If health-related data is involved, the processing is additionally based on your explicit consent in accordance with Art. 9 para. 2 lit. a GDPR. The recipient of the data is the external service provider Hogrefe, which provides the testing procedures and carries out the associated data processing.
If, in the context of the data transmission to Hogrefe, a transfer of personal data to a third country outside the European Economic Area should take place, we ensure that appropriate safeguards in accordance with Art. 44 et seq. GDPR are in place, such as through standard contractual clauses of the European Commission or an adequacy decision. The data collected in the context of the diagnostic procedure will only be stored as long as necessary to achieve the respective processing purpose or as required by legal retention obligations.
You have the right to revoke any consent given at any time with effect for the future, without affecting the legality of the processing carried out based on the consent until the revocation; you can direct the revocation to Vianova eHealth GmbH as the responsible entity.
10.5 Online Self-Tests (ADHD and Autism Spectrum Disorders)
On our website, we offer online self-tests on the topics of ADHD and autism spectrum disorders. When conducting these tests, all inputs and evaluations are processed exclusively locally in your browser; there is no transmission of the data you enter to our servers or to third parties.
As part of the tests themselves, no personal data is collected, stored, or otherwise processed by Vianova eHealth GmbH. To the extent that personal data is technically processed due to the mere access of the website where the self-tests are provided, such as your IP address, browser type, operating system, or time of access, this is done on the basis of our legitimate interest in the technically error-free provision and security of our website in accordance with Art. 6 para. 1 lit. f GDPR.
Our legitimate interest lies in ensuring a stable and secure website operation. The access data generated in this process will not be merged with other data sources. Any transfer of this technical access data to third parties will only occur to the extent that it is technically necessary for the operation of the website, such as to the hosting service provider; in this case, it is a processing on behalf in accordance with Art. 28 GDPR.
The transmission of personal data to third countries does not take place in connection with the online self-tests to the best of our knowledge. The storage of technical access data occurs only as long as necessary to achieve the stated purpose or as required by legal retention obligations. As far as the processing is based on our legitimate interest, you have the right under Art. 21 para. 1 GDPR to object to the processing at any time for reasons arising from your particular situation.
10.6 Google Tag Manager, Google Fonts and Google CDN
On our website, we use various services from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This includes, in particular, the Google Tag Manager for managing website tags, as well as Google Fonts and Google CDN for providing fonts and static content via the domains fonts.googleapis.com, fonts.gstatic.com, googletagmanager.com, and google.com.
In the context of using these services, personal data is processed, in particular the IP address of the requesting device, information about the browser and operating system used, the referrer URL, the time of the page view, and other technical connection data that is automatically transmitted when establishing a connection to Google's servers.
The processing is carried out for the purpose of technically flawless provision and presentation of our website, in particular for the correct integration of fonts, for the efficient delivery of content via a Content Delivery Network, and for managing embedded scripts via the Tag Manager. The legal basis is Article 6(1)(f) GDPR; our legitimate interest lies in the technically reliable, high-performance, and user-friendly design of our online presence.
We do not set any persistent cookies in connection with these services; processed technical data is generally only processed for the duration of the session, unless legal obligations or independent processing by Google oppose this. The recipient of the data is Google Ireland Limited as the service provider. To the extent that the processing may involve the transfer of personal data to a third country, the statements in Section 12 apply.
You have the right under Article 21 GDPR to object at any time, for reasons arising from your particular situation, to the processing of your personal data based on Article 6(1)(f) GDPR. More information on how Google handles personal data can be found in Google's privacy policy at https://policies.google.com/privacy.
10.7 Embedded Maps (Google Maps)
On our website, we use the Google Maps service to display interactive map content as embedded content, for example, to show locations or directions. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
When accessing a page that contains Google Maps, a connection is established to Google's servers under the domain maps.google.com. Personal data such as your IP address, information about the browser and operating system used, the page accessed on our website, as well as the date and time of access may be transmitted to Google.
The purpose of the processing is to provide a user-friendly presentation of geographical information and to offer a convenient map function on our website. The legal basis is Article 6(1)(f) GDPR; our legitimate interest lies in the appealing and functional presentation of our location information for visitors to our website.
We do not set persistent cookies in connection with Google Maps; processed technical data is generally only processed for the duration of the session, unless legal obligations or independent processing by Google oppose this. The recipient of the data is Google Ireland Limited as the provider of the mapping service. To the extent that the processing may involve the transfer of personal data to a third country, the provisions in Section 12 apply.
You have the right to object to the processing based on Article 6(1)(f) GDPR in accordance with Article 21 GDPR. You can prevent the integration of Google Maps by adjusting the settings in your browser, particularly by blocking content from the domain maps.google.com. More information on how Google handles user data can be found in Google's privacy policy at https://policies.google.com/privacy.
11. Recipients and processors
Your personal data will only be shared with carefully selected parties when this is necessary and legally permissible for the respective purpose:
| Recipient category | Processing context |
| --- | --- |
| Internal departments (according to the need-to-know principle) | Contract processing; support cases; quality assurance |
| External IT service providers / hosting providers | Operation of the platform infrastructure (as a processor with a processing agreement) |
| Cloud service providers | Data storage and processing (exclusively EU hosting) |
| Software providers | Operation of deployed applications in a processing relationship |
| Legal advisors / authorities | Only in case of legal necessity (e.g. statutory disclosure obligations) |
| Payment service provider | Processing of payments in the online shop, as far as necessary for the fulfillment of the contract |
| External diagnostic service providers (Hogrefe) | Provision, execution, and evaluation of diagnostic testing procedures |
| Calendar and booking service providers | Technical provision and management of online appointment booking |
| Providers of integrated website services (e.g., Google Ireland Limited) | Provision of fonts, CDN content, tag management, and map content |
All external service providers who gain access to personal data on behalf of the company are contractually bound under Art. 28 GDPR by a data processing agreement (DPA). They may only process data according to our instructions.
We do not share personal data with third parties unless there is a legal basis for doing so or you have given your explicit consent.
12. Transfer to third countries
Currently, no transmission of platform data from the password-protected area to countries outside the European Union or the European Economic Area is planned. All servers and services used for the platform are located within the EU. For certain website functions or external services, the transmission of personal data to a third country cannot be completely ruled out in individual cases. In these cases, we ensure that appropriate safeguards are in place in accordance with Art. 44 et seq. GDPR, particularly an adequacy decision by the European Commission, EU standard contractual clauses, or other permissible transfer mechanisms.
Automated decision-making or profiling does not take place for either patients or therapists.
13. Storage duration and deletion
We only store personal data as long as necessary for the respective processing purposes. After the purpose has ceased and any statutory retention periods have expired, the data will be systematically deleted or anonymized.
| Data category | Storage duration | Legal basis |
| --- | --- | --- |
| User account data (active) | Duration of the user relationship | Art. 6 para. 1 lit. b GDPR |
| Therapist and client data after contract termination | 3 years after termination (§ 195 BGB) | Art. 6 para. 1 lit. c GDPR |
| Tax and commercial law relevant documents | 10 years from creation (§ 147 AO; § 257 HGB) | Art. 6 para. 1 lit. c GDPR |
| Server log files | 7 days, then deletion / anonymization | Art. 6 para. 1 lit. f GDPR |
| Health data / therapy documentation | In accordance with professional and legal retention obligations (usually 10 years) | Health law regulations |
| Contact inquiries | For the duration of processing and subsequent communication; beyond that only in case of legal retention obligations | Art. 6 para. 1 lit. b or f GDPR; Art. 6 para. 1 lit. c GDPR |
| Appointment booking data | Until the purpose of appointment organization is achieved; longer only in case of legal retention obligations | Art. 6 para. 1 lit. b or f GDPR; Art. 6 para. 1 lit. c GDPR |
| Order, invoice, and payment data | According to tax and commercial law retention periods, usually 10 years | Art. 6 para. 1 lit. b and c GDPR |
| Diagnostic data from external testing procedures | Only as long as necessary for execution and evaluation; longer only in case of statutory retention obligations | Art. 6 para. 1 lit. a GDPR; Art. 9 para. 2 lit. a GDPR |
Deletion is carried out automatically or manually by the responsible organizational units. Deletion processes are documented. Our deletion concept is reviewed at least once a year as part of an internal audit.
14. Technical and organizational protection measures (TOM)
We have implemented appropriate technical and organizational measures in accordance with Article 32 GDPR to ensure a protection level commensurate with the risk. The measures are regularly reviewed for effectiveness and adjusted as necessary. Key measures include:
- Encryption of data in transit (TLS/HTTPS)
- Encrypted storage of data (at rest)
- Multi-factor authentication (MFA) for all user accounts
- Role-based access management (RBAC) according to the need-to-know principle
- Automatic screen locks and session timeouts during inactivity
- Logging and auditing of all system accesses
- Regular automated backups at an external, geo-redundant location
- Firewall, intrusion detection systems, and up-to-date antivirus protection
- Pseudonymization and anonymization where technically possible
- Strict separation of production and testing environments
- Hosting at a data center certified according to ISO 27001 (EU)
- Regular data protection training for all employees
- Documented process for data breaches according to Art. 33 GDPR (72-hour notification obligation)
15. Your rights as a data subject
You have the following rights regarding the processing of your personal data under the GDPR:
Right of Access (Art. 15 GDPR)
You can request information at any time about all data stored about you, their purposes, recipients, and storage duration.
Right to Rectification (Art. 16 GDPR)
You can have inaccurate or incomplete data rectified at any time.
Right to Erasure (Art. 17 GDPR)
You can request the deletion of your data, provided that there are no legal retention obligations or other legitimate reasons to the contrary.
Right to Restriction of Processing (Art. 18 GDPR)
Under certain conditions, you can request that your data be processed only in a restricted manner, e.g., if you contest the accuracy of the data.
Right to Data Portability (Art. 20 GDPR)
You can receive your data in a structured, commonly used, and machine-readable format and have it transmitted to another controller.
Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests, provided that there are corresponding reasons arising from your particular situation.
Withdrawal of Consent
If processing is based on your consent, you can revoke it at any time with effect for the future. The processing that occurred prior to the revocation remains lawful.
To assert your rights, please contact our data protection officer in writing or by email (see section 2). We generally respond to inquiries within one month.
16. Right to Complain to the Supervisory Authority
If you believe that the processing of your personal data violates data protection regulations, you have the right to complain to the competent data protection supervisory authority:
The State Commissioner for Data Protection Brandenburg
Stahnsdorfer Damm 77, 14532 Kleinmachnow
Tel.: +49 33203 356-0
E-Mail: poststelle@lda.brandenburg.de
Web: www.lda.brandenburg.de
The right to complain does not affect other legal remedies. You may also contact the data protection supervisory authority responsible for your place of residence.
17. Changes to this Privacy Policy
We reserve the right to update this privacy policy in response to changed legal requirements, changes in our processing activities, or for other reasons. The current version is always accessible on the platform.
In the case of significant changes that affect your rights, we will inform you separately.