Datenschutzerklärung

Name

Type of data

Purpose

Legal basis

Cookiebot

IP address, date, time

Manages cookie consent

Art. 6 Abs. 1 lit. f DSGVO

Webflow

For details, please see Webflow’s privacy policy: https://webflow.com/legal/eu-privacy-policy.

Creating and hosting websites. Webflow stores cookies or other recognition technologies that are required to display the page, provide certain website functions, and ensure security (necessary cookies).

Art. 6 Abs. 1 lit. f DSGVO

Typeform

The following data may be processed: name and email address, if this data is requested in our surveys and provided voluntarily by the participant, responses to surveys, IP address, browser type and version, time zone and operating system of the user

Typeform is an online tool for creating and conducting surveys to collect feedback

Art. 6 Abs. 1 lit. f DSGVO

Stripe

The following data may be processed: (Cardholder name, email address, address, payment method, card information, expiration date, CVC code, date, time, and amount of the transaction. Further information: https://stripe.com/de/privacy

Carrying out payment processing and providing available payment options

Art. 9 Abs. 2 lit. h DSGVO, Art. 6 Abs. 1 lit. b DSGVO

Cloudflare

The following data may be processed: All data traffic between the browser and our server (IP address, security certificates, DNS log-in data, website performance data from the browser (however, no analysis of the content, e.g., transmitted messages, is carried out). Specific processing of health data does not take place. Further information: https://www.cloudflare.com/privacypolicy/

Analysis of data traffic and protection of the platform against cyber attacks (DDoS, etc.).

Art. 6 Abs. 1 lit. f DSGVO

Google Tag Manager

The following data may be processed: Cookie ID, Date and time of visit, IP address, Usage behavior, Website content displayed

Google Tag Manager is a service for dynamically loading HTML and JavaScript content on the website

Art. 6 Abs. 1 lit. a DSGVO

Semble

Basic data (name, address, email address)

Manages embedded appointment booking sessions; may set session cookies to maintain booking flow and preferences.

Art. 6 Abs. 1 lit. f DSGVO

We also use Google Analytics in the anonymized version:

google analytics anonymize

In order to further improve our offering, we also collect statistical data on the use of our website. For this purpose, we use the Google Analytics service provided by Google Inc., headquartered in the USA, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics is a web analysis service provided by Google Inc. ("Google"). Google Inc. is a US company certified for the EU-U.S. Data Privacy Framework. You can find the certificate here:

https://www.dataprivacyframework.gov/list

The EU-U.S. Data Privacy Framework regulates the secure exchange of data between EU member states and the USA. Google Analytics uses so-called "cookies", text files that are stored on your computer and that enable an analysis of your use of the website. The information generated by the cookie about your use of the website is usually transferred to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data held by Google. You can prevent cookies from being saved by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent. In addition, you can prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link (http://tools.google.com/dlpage/gaoptout?hl=de). Further information on terms of use and data protection can be found at http://www.google.com/analytics/terms/de.html or at https://www.google.de/intl/de/policies/. We also use the "anonymizeIP" extension. This is an IP masking feature provided by Google. Because we use this, the last four digits of your IP address are removed before it is saved, so that no personal reference can be made to the IP address. The analytical evaluation by Google is therefore anonymized.

3. Appointment request

The user can request an appointment for a video consultation within an available time slot via the platform. The request is displayed anonymously to the doctors on the platform for processing. In order for Montu Therapeutics to provide users with the appointment request service, the following personal data may be processed: first name, last name, date of birth, gender, telephone number, payment details, desired time slot for the appointment, time of the request, and status of the request. The data is processed under the sole responsibility of Montu Therapeutics. The processing of the data is necessary in order to provide the desired service, appointment request for a video consultation, in accordance with the terms of use. The legal basis for the processing of the data is the consent granted, Art. 9 (2) a GDPR, Art. 6 (1) b GDPR.

4. Recording the concern and transmitting it to the doctor
‍
To record the request, the user answers questions, particularly regarding their health status. Recording the request serves to provide the platform to the user in accordance with the terms of use. The following personal data may be processed: information on general health, complaints and other questions related to the request, and, if applicable, a request for a prescription. The information is initially displayed anonymously to the doctors on the platform. Once the request has been accepted by a doctor, the data is transmitted to them. Montu Therapeutics is responsible for processing the data during collection and transmission. The legal basis for processing is the consent granted, Art. 9 (2) a GDPR, Art. 6 (1) b GDPR.

5. Appointment management

When a doctor accepts a request, a treatment contract is concluded between the user/patient and the doctor. Within the framework of this treatment contract, the doctor organizes the appointment. The doctor determines the specific appointment time within the time window selected by the user and the user receives an appointment confirmation. It is also possible to postpone or cancel the appointment. The following personal data may be processed: last name, first name, telephone number, email address, appointment status. The doctor is responsible for processing the data within the scope of appointment management within the meaning of the GDPR. Montu Therapeutics provides the technical means for appointment management and therefore processes the data as a processor in accordance with instructions. The legal basis for processing the data for the doctor is the treatment contract, Art. 9 (2) h, Art. 6 (1) b GDPR. Monu Therapeutics processes the data on the basis of a contract processing agreement in accordance with Art. 28 GDPR.

6. Billing of medical services

Currently, only private medical services can be provided on the platform. The platform offers the available payment options and handles payment processing. The following data may be processed: cardholder name, email address, address, payment method, card information, expiration date, CVC code, date, time, and amount of the transaction. The data is processed on behalf of the physician solely for the purpose of payment processing, so that the physician can bill the medical services provided in accordance with the German Medical Fee Schedule (Art. 9 (2) (h) GDPR or Art. 6 (1) (b) GDPR). A corresponding data processing agreement has been concluded with the physician in accordance with Art. 28 GDPR. Payment processing, including the review of possible fraud cases, is carried out via certified external payment service providers. A data processing agreement (Art. 28 GDPR) has been concluded for this purpose. Your data will only be stored for as long as necessary to process your request or as required by statutory retention periods.

7. Electronic private prescriptions

The patient is free to decide how to redeem an electronic prescription. The patient who has received an electronic private prescription can use the platform's functions to select their electronic private prescription from the mail-order pharmacies connected to the platform. If the patient has consented to processing of their location, local pharmacies can also be displayed and the electronic private prescription can be redeemed there. The patient is free to choose which pharmacy they would like to redeem their prescription at. Montu Therapeutics then transmits the electronic private prescription and the associated personal data to the pharmacy selected by the patient on behalf of the patient. This function is voluntary. The patient decides whether they wish to use it and which of the possible pharmacies they would like to select. Before the personal data is transmitted to the selected pharmacy, the patient must consent to this processing. Only the prescription issued by the doctor, the date of birth and the patient's first and last name are transmitted for the purpose of redeeming the prescription at the selected pharmacy. If the patient chooses a mail-order pharmacy, their email address, telephone number, and a delivery address are also required. No further data processing takes place.

8. Contact form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions. We will not pass this data on without your consent. This data will be processed on the basis of Art. 6 (1) (b) GDPR if your inquiry is related to the fulfillment of a contract or is necessary to carry out pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 (1) (f) GDPR) or on your consent (Art. 6 (1) (a) GDPR), if this consent was requested; this consent can be revoked at any time. The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for storing the data no longer applies (e.g. after your inquiry has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.
‍
9. Facebook, Instagram, Youtube
‍
Our site does not incorporate any plugins provided by social networks. User data is not automatically transferred to the operators of these platforms on our site. The logos are merely links to the individual pages.n.
‍
10. Newsletter registration

Our website also offers the option of signing up for a regular newsletter. The newsletter contains general information on the topic of epilepsy. For this, we only need an email address. Upon registration, you will first receive an email containing a link you must click to confirm your registration (double opt-in). This allows us to prevent the misuse of email addresses. You also have the option of being addressed by your real name in the newsletter (personalized newsletter). For this, you only need to provide your first and last name. We process both your email address and your name solely for the purpose of sending you the newsletter.

Revocation:

Consent to the newsletter is voluntary and can be revoked at any time. You can do so by using the unsubscribe link in the newsletter email, sending us an email to info@montugroup.de, or sending a written message to Montu Therapeutics GmbH, Schaperstr. 18, 10719 Berlin. In the event of a revocation, the processing of the data remains legally effective until that point in time. Revocation of consent to data processing is therefore only possible for the future.
‍
11. Data transfer to the USA or third countries

Some of the listed service providers transfer personal data to third countries, such as the USA. Data transferred to the USA carries the risk that this data may be processed by US authorities for control and monitoring purposes, without you possibly having any legal recourse. If Montu Therapeutics transfers personal data to the USA, it does so on the basis of the EU-U.S. Data Privacy Framework or on the basis of standard contractual clauses concluded with the respective service providers. These are contracts specified by the EU Commission under which the respective parties undertake to comply with appropriate data protection standards when transferring data. The service provider thus provides specific guarantees for the protection of the data. In addition, an adequate level of data protection may also exist on the basis of suitable guarantees pursuant to Art. 46 (2) GDPR or an adequacy decision pursuant to Art. 45 GDPR.
‍
The following processors transfer data to third countries:
‍‍

• Google Analytics & Google Tag Manager –  Google LLC (USA)
• Typeform – provided by Typeform S.L. (Spain); possible data transfer to the USA
• Semble – provided by Semble Ltd (UK);
• Stripe – provided by Stripe Inc. (USA);
• Webflow – provided by Webflow, Inc. (USA);
• Cloudflare – provided by Cloudflare, Inc. (USA);
• Cookiebot (Usercentrics A/S)

12. Transfer of data to processors

We commission service providers for specialized tasks (e.g., IT service for our system, IT maintenance, etc.). These service providers could also gain access to the data. We have concluded data processing agreements with these service providers (Art. 28 GDPR) to ensure the best possible data protection. We have carefully selected these service providers. They process personal data only on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts.

13. Legal Basis for Storage

The legal basis for storing the above-mentioned data is Art. 6 (1) (a) and (f) GDPR. The legitimate interest stated in (f) arises from the need to present the website and the functions described above and to make them accessible to users. The legitimate interest in using Google Analytics in the anonymous version lies in the continuous development of our website. Neither we nor Google can draw conclusions about a person based on this user data.
When you log in to the restricted access area, we process the data you provide for logging in based on Art. 6 (1a) GDPR.

14. Secure Data Transfer

Our website is SSL encrypted. This can be identified by the "HTTPS" address bar. SSL encryption is transport encryption to prevent third parties from viewing the data.

15. Communication

When users send us an email, we use the email address and the personal data and information contained in the email exclusively for the relevant request. For sensitive content, we recommend sending the email exclusively in encrypted form.

16. Your Rights
a. Information, Art. 15 GDPR
Data subjects have the right to receive information about the personal data we store at any time. This information is provided free of charge. You will receive the following information about the personal data we store:

• the purposes of processing;
• the categories of personal data being processed;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or restriction of processing of personal data concerning the data subject or to object to such processing;
• the existence of a right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

b. Correction of data, Art. 16 GDPR

You can also request the correction and completion of personal data if it is incorrect or incomplete.

c. Right to erasure ("right to be forgotten"), Art. 17 GDPR

You can also request the erasure of the personal data we store if one of the following reasons applies:

• The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
• You withdraw your consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing.
• You object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2).
• The personal data were processed unlawfully.
• The erasure of the personal data is necessary to fulfill a legal obligation under Union or Member State law to which the controller is subject.
• The personal data were collected in relation to the offer of information society services pursuant to Article 8(1).

If retention obligations prevent deletion, the data will be blocked for this purpose. Deletion of the data ("right to be forgotten"), where possible, can be requested at any time; as can rectification and information.

d. Right to restriction of processing, Art. 18 GDPR

You also have the right to request restriction of processing if one of the following conditions applies:‍

• the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data,
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
• we no longer need the personal data for the purposes of the processing, but you or we require this data to assert, exercise or defend legal claims; or
• If you have objected to processing pursuant to Article 21(1), pending the verification whether our legitimate grounds override yours.

e. Right to data portability, Art. 20 GDPR

You also have the option of receiving the voluntarily provided data in a machine-readable format upon request or having it transmitted to a third party (data portability). This right does not apply to all other data that was not processed on the basis of Art. 6 (1) (a) or (b) or Art. 9 (2) (a) GDPR or was not processed using automated procedures.

f. Right of objection, Art. 21 GDPR

You have the right to object at any time to the processing of your personal data collected and processed on the basis of Art. 6 (1) (e) or (f) GDPR. In this case, we will no longer process your personal data unless there are compelling legitimate grounds for the processing that we can demonstrate and that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

g. Right to Complain

Any data subject is also entitled to lodge a complaint about data processing with a data protection supervisory authority at any time. The data protection supervisory authority responsible for us is:

17. Currentness and Amendments to this Privacy Policy

This Privacy Policy is currently valid and is dated April 2025. Due to the further development of our website or due to changes in legal or regulatory requirements, it may become necessary to adapt this Privacy Policy accordingly. You can access and print the current Privacy Policy on the website at any time.

18. Data Protection Officer

For inquiries or to assert claims, please contact our Data Protection Officer:
Last updated May 2025