Controller and Data Protection Officer
Gustav-Heinemann-Ufer 88a, 50968 Cologne. Phone: +49 221 99 53 00, Fax: +49 221 99 53 08 00, E-mail: info@fpz.de
Dr. Ralf W. Schadowski E-mail: datenschutz@fpz.de
The legally binding definitions are those in Articles 4 and 9 GDPR; the following short definitions serve clarity.
We process personal data when you visit our website, use forms, contact us, book appointments, make payments or use digital health services (e.g., Mein FPZ).
Processing only with explicit consent (Art. 9(2)(a) GDPR) and/or if necessary to provide health services (Art. 9(2)(h) GDPR).
We delete or block personal data once the purpose ceases to apply or statutory retention periods expire.
Specific storage periods may result from special legal requirements (e.g., health/occupational law).
For purely informational use we automatically collect: IP address, date/time, time zone, URL/referrer, HTTP status, transferred data volume, browser/OS, language settings. Purpose: technical provision, stability, IT security (abuse/attack detection). Legal basis: Art. 6(1)(f) GDPR.
We use cookies and similar technologies (e.g., local storage) for operation, statistics and marketing. Non-essential technologies are only set with consent.
Our cookie consent manager always shows you the current, dynamic list of all cookies used, including their purpose, provider, and storage period; there you can change or revoke your consent at any time.
When you contact us (via email, form, chat), enter into online contracts, register for therapy, or use the Mein FPZ patient platform, we process the data you provide (e.g. name, email, telephone number, address, health insurance company, insurance number, program/appointment). Purpose: Processing your request, contract initiation/fulfillment, customer communication. Legal basis: Art. 6(1)(b) or (f) GDPR; for health data, Art. 9 GDPR (see above).
We use selected tools for communication, forms, booking, payments, CRM and patient services as described below.
For fast customer communication we use Simpli (web chat and optional WhatsApp integration). Data: chat content, communication metadata (IP, timestamps, browser), possibly phone number/WhatsApp ID. Purpose: support, handling requests. Legal basis: Art. 6(1)(a) GDPR (consent in banner/chat) and/or Art. 6(1)(f) GDPR (legitimate interest in efficient support). Note: WhatsApp may carry out its own transfers; please see the WhatsApp privacy information in the chat UI. Privacy: https://www.simpli.io/de/privacy
For digital applications/contracts we use Jotform. Data: form contents (e.g., name, address, contact, contract data/uploads). Legal basis: Art. 6(1)(b) GDPR (contract/pre-contract) and/or Art. 6(1)(a) GDPR (consent, if required). Privacy: https://www.jotform.com/privacy/
For online appointment scheduling we use Calendly. Data: name, e‑mail, phone number, appointment details, free text. Legal basis: Art. 6(1)(b) GDPR; for transfers to third countries see section 10. Privacy: https://calendly.com/privacy
For paid services we use Stripe. Data: payment/card and transaction data. Purpose: payment processing, fulfilment of contractual and legal obligations. Legal basis: Art. 6(1)(b) GDPR (payment), Art. 6(1)(c) GDPR (legal obligations). Privacy: https://stripe.com/de/privacy
We use Zoho CRM (EU storage). Data: contact data, interactions, notes, documents where applicable. Legal basis: Art. 6(1)(b) GDPR (customer relationship) and Art. 6(1)(f) GDPR (efficient customer management). Privacy: https://www.zoho.com/privacy.html
Mein FPZ is our own protected platform for digital health courses and therapy programmes. Data: registration/login data, course/therapy data; health data where required. Legal basis: Art. 6(1)(b) GDPR; Art. 9(2)(a) GDPR (explicit consent) and, where applicable, Art. 9(2)(h) GDPR. Storage: servers in Germany; access only for authorised staff and processors.
We use analytics and marketing tools as described here.
We use GA4 for reach measurement and website optimisation. IP anonymisation is applied. Data: e.g., device/browser info, interactions, approximate location (no precise geolocation). Legal basis: Art. 6(1)(a) GDPR (only after consent via the consent banner). Privacy: https://policies.google.com/privacy
GTM manages tags/scripts. GTM sets no cookies of its own and does not process personal data beyond firing tags. Legal basis: Art. 6(1)(f) GDPR (efficient management); the tags themselves follow their own legal basis (e.g., consent). Privacy: https://marketingplatform.google.com/about/tag-manager/
Google Web Fonts are integrated to ensure uniform display. When accessed, your IP address may be transmitted to Google. Legal basis: Art. 6(1)(f) GDPR (appropriate presentation). Note: Where possible, we use local integration for further data economy. Info: https://developers.google.com/fonts/faq
Videos load only after your activation (2-click/consent). Legal basis: Art. 6(1)(a) GDPR (consent). When playing, data (e.g., IP, device info, referrer) is sent to the provider. Privacy (Google/YouTube): https://policies.google.com/privacy
We use the Meta Pixel and, where applicable, the Conversions API to measure the effectiveness of our advertisements and to form target groups (custom audiences). Data: e.g., page views, events (lead/complete registration), IP, device/browser data, hashed e-mail address if applicable. Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25(1) TTDSG (only with consent). Note: The provider is Meta Platforms; data may be transferred to the USA. Opt-out: https://www.facebook.com/settings/?tab=ads
Privacy: https://www.facebook.com/privacy/policy
Cookies/pixels may be set to measure the reach of and optimise digital campaigns. Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG (only with consent). Opt-out: https://adssettings.google.com/
Collects aggregated performance data (e.g., load times, error codes) for troubleshooting and stability. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable website); where cookies/similar technologies are used, only after consent. Privacy: https://newrelic.com/termsandconditions/privacy
When subscribing we store your e‑mail address, optionally your name, and IP/timestamps for proof. Legal basis: Art. 6(1)(a) GDPR (consent). Withdrawal: possible at any time via the unsubscribe link in every e‑mail.
We use processors (e.g., hosting, IT support, tools) under Art. 28 GDPR, contractually bound to instructions. Transfers to third countries (e.g., USA with Google, Meta, Calendly, Stripe, possibly Jotform/Zoho) occur only with an adequacy decision (e.g., EU-US Data Privacy Framework) or appropriate safeguards under Art. 46 GDPR (esp. EU SCCs); we apply additional protections (e.g., encryption, data minimisation).
In accordance with the GDPR, you have the right at any time to:
Right to lodge a complaint: You can lodge a complaint with a data protection supervisory authority, e.g.: State Commissioner for Data Protection and Freedom of Information NRW, Kavalleriestraße 2-4, 40213 Düsseldorf, http://www.ldi.nrw.de/
There is no automated decision-making within the meaning of Art. 22 GDPR and no profiling with legal effect – except, where applicable, marketing segmentation within the scope of the tools described in Section 8, exclusively with your consent.
We use TLS encryption (HTTPS), role-based access, logging, and regular security updates. The website is operated by a European hosting service provider; log/security data is only processed for the purposes stated (see section 4).
The processing of technically necessary data is required to provide the website. For contractual services (e.g., appointment booking, payments, patient platform), the mandatory information requested in each case is required; without this information, the service cannot be provided. Consent is voluntary and can be revoked at any time (see section 10).
We adapt this privacy policy when legal, technical or organisational circumstances change.