Privacy Policy
1. Who We Are
Vantis is a digital health provider focused on modern, technology-supported care solutions, especially in the area of chronic cardiovascular diseases.
2. How to Reach Us
Responsible for Data Processing
Vantis GmbH, Widenmayerstraße 18, 80538 Munich, Germany. Email for data protection inquiries: datenschutz@vantis-praxis.de
Data Protection Officer
Christian Wolff, Schierholzstraße 27, 30655 Hanover. Telephone: 089 – 1250 1375-6. Email: datenschutz@vantis-praxis.de
For the exercise of your rights under Section 13, you can contact us at any time using the contact information provided above.
3. How We Process Data
We process personal data only to the necessary extent and exclusively on the basis of the legal requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). You can find all processing activities, their purposes, legal bases, and recipients in the following section.
4. Our Processing Activities
4.1 Hosting the Website
Purpose of Processing: External hosting and technical provision of the website, including ensuring stability and IT security.
Data Subjects: Visitors to our website.
Processed Data: We primarily process the following personal data:
IP Address
User-Agent (e.g., browser type and version, operating system)
Technical usage data (e.g., pages accessed, timestamps, interactions, access logs) in anonymized or pseudonymized form
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure and technical provision of the website).
Recipients / Service Providers: Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands (hosting service provider). The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The storage duration is generally 90 days. In addition, data may be stored in anonymized form for a longer period as long as no personal reference exists and thus no personal data is available.
Source of Data: From the end device or browser of the affected persons when visiting the website.
4.2 Cookie Management via Usercentrics
Purpose of Processing: Management and documentation of the cookies and other tracking technologies we use, including capturing, storing, and proving consent as well as its revocation.
Data Subjects: Visitors to our website.
Processed Data: We primarily process the following personal data:
Consent status (granted consents or revocations)
IP Address
Information about the browser
Information about the end device
Time of the website visit
Geolocation data (if collected by Usercentrics)
Legal Basis: Art. 6 para. 1 lit. c GDPR (fulfillment of legal obligations for managing consents) and Art. 6 para. 1 lit. f GDPR (legitimate interest in documenting and proving consents).
Recipients / Service Providers: Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The storage duration is generally the duration of your consent decision. The data stored in connection with the Usercentrics cookie will be retained until you request us to delete it, the Usercentrics cookie itself is deleted, or the purpose of data storage no longer applies. Mandatory legal retention obligations remain unaffected.
Source of Data: Directly from the affected persons through their interaction with the consent banner as well as from the end device or browser when visiting the website.
4.3 Contact via Email
Purpose of Processing: Processing and responding to inquiries directed to us via email.
Data Subjects: Persons who contact us via email (especially visitors to the website and interested parties).
Processed Data: We primarily process the following personal data:
Contact details (e.g., name, email address)
Content data of the message (email text, subject, attachments)
Any further information voluntarily provided by the affected persons
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in processing inquiries and communication with interested parties and users).
Recipients / Service Providers: Microsoft 365 / Outlook, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Hornetsecurity GmbH, Am Listholze 78, 30177 Hanover, Germany (email security service). The service providers involved act for us as processors in accordance with Art. 28 GDPR. When using Microsoft services, the transfer of personal data to third countries (especially the USA) may take place (see section 10).
Storage Duration: The storage duration generally corresponds to the time required to process the request and any follow-up questions. Subsequently, the data will be deleted or anonymized unless there are legal retention obligations (e.g., under commercial or tax law) to the contrary.
Source of Data: Directly from the affected persons who contact us via email.
4.4 Use of Company Presences in Professional Networks
Purpose of Processing: Public relations, corporate presentation, communication with users, and active sourcing through professional networks (e.g., LinkedIn).
Data Subjects: Users who visit our company presences on professional networks, interact with us there (e.g., messages, comments, reactions), or access our content.
Processed Data: We primarily process the following personal data:
User profile data (e.g., name, professional information, publicly visible profile information)
Communication content (e.g., messages, comments, reactions)
Usage and interaction data regarding our company profile (e.g., visits to our page, clicks, reach and statistics data, as provided by the platform operator)
Legal Basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in public relations, corporate presentation, communication, and active sourcing).
Recipients / Service Providers: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (platform operator). To the extent we jointly determine purposes and means of processing with LinkedIn, there is joint responsibility according to Art. 26 GDPR. Further information can be found in LinkedIn's privacy notices. Due to the global structure of the service, processing may also occur in third countries (e.g., USA) (see section 10).
Storage Duration: The storage duration is primarily determined by the guidelines of the respective network in accordance with its privacy policy. We store our own communication data resulting from the company profile only as long as necessary for our public relations and communication or as required by legal retention obligations.
Source of Data: Directly from the affected persons via their social media profiles and interactions with our company presences on the respective platforms, as well as from the usage and statistics data provided by the platform operator.
4.5 Applications via Email or Application Form
Purpose of Processing: Conducting, deciding on, and documenting application procedures and, where applicable, inclusion in a candidate pool for future job placements.
Data Subjects: Applicants.
Processed Data: We primarily process the following personal data:
Master data (salutation, first name, last name, address)
Contact details (telephone number, mobile number, email address)
Information on education and qualifications
Professional career (CV)
Certificates
Salary expectations
Work permit status
Portfolios, licenses, certificates
Preferred start date
Communication and process data in the application process (e.g., notes from conversations, correspondence)
Legal Basis: Art. 6 para. 1 lit. b GDPR in conjunction with § 26 BDSG (conducting the application process) as well as Art. 6 para. 1 lit. a GDPR (consent to longer storage for future job placements).
Recipients / Service Providers: Personio GmbH, Rundfunkplatz 4, 80335 Munich, Germany (application and HR system). The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The storage duration is generally 180 days after the completion of the application procedure. If applicants explicitly consent, the application data will be stored for future job placements for up to 18 months. This consent can be revoked at any time with future effect, e.g., by email to talent@vantis-health.com. In addition, legal retention obligations apply as appropriate.
Source of Data: Directly from the applicants during the application process as well as from the documents they submit and any further information they voluntarily provide.
4.6 Online Reception docmedico
Purpose of Processing: Receiving and processing patient concerns and communicating with patients through the online reception.
Data Subjects: Patients.
Processed Data: We primarily process the following personal data:
Patient data (first name, last name, date of birth, contact details such as telephone and mobile number, email address, information on visit status)
Inquiry data (description of the reason for the visit, information regarding prescription, referral or finding inquiries including any uploaded documents)
Health data (e.g., information about complaints, findings, prescription or referral requests, as far as transmitted in the request)
Legal Basis: Art. 6 para. 1 lit. b GDPR (fulfillment of the treatment or doctor-patient relationship) and Art. 9 para. 2 lit. h GDPR in conjunction with § 22 BDSG (processing of health data in the context of medical care).
Recipients / Service Providers: Practice staff of the Vantis practice and Docmedico GmbH, Ehrengutstraße 7, 80469 Munich, Germany. The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The storage duration is generally 30 days, and the data is then deleted or anonymized, unless legal retention obligations (particularly from medical, professional, commercial, or tax law) require longer storage.
Source of Data: Directly from the patients using the online reception and from the resulting communication with our practice staff.
4.7 Telephone Assistant docmedico
Purpose of Processing: Receiving and processing patient concerns and communicating with patients via an automated telephone assistant.
Data Subjects: Patients.
Processed Data: We primarily process the following personal data:
Patient data (first name, last name, date of birth, contact details such as telephone and mobile number, email address, information on visit status)
Inquiry data (description of the reason for the visit, information regarding prescription, referral or finding inquiries, possibly uploaded or transmitted documents)
Information on existing appointments (date, time) in case of appointment changes
Health data (e.g., information about complaints, prescription or finding inquiries, as far as transmitted in the request)
Legal Basis: Art. 6 para. 1 lit. b GDPR (fulfillment of the treatment or doctor-patient relationship) and Art. 9 para. 2 lit. h GDPR in conjunction with § 22 BDSG (processing of health data in the context of medical care).
Recipients / Service Providers: Practice staff of the Vantis practice and Docmedico GmbH, Ehrengutstraße 7, 80469 Munich, Germany. The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The storage duration is generally 30 days, and the data is then deleted or anonymized, unless legal retention obligations require longer storage.
Source of Data: Directly from the patients using the telephone assistant and from the subsequent processing by our practice staff.
4.8 Online Appointment Booking via medatixx x.webtermin
Purpose of Processing: Online appointment booking, where the booked appointments are directly entered into the practice calendar (medatixx).
Data Subjects: Patients.
Processed Data: We primarily process the following personal data:
Patient data (first name, last name, date of birth, contact details, information on insurance type)
Information on visit status
Inquiry data (description of the reason for the visit or information on required vaccinations, applications or prescriptions)
Health data (e.g., information on treatment reasons, vaccination or prescription wishes, as far as transmitted in the booking)
Legal Basis: Art. 6 para. 1 lit. b GDPR (appointment scheduling in the context of the treatment contract) and Art. 9 para. 2 lit. h GDPR in conjunction with § 22 BDSG (processing of health data in the context of medical care).
Recipients / Service Providers: Practice staff of the Vantis practice and medatixx GmbH & Co. KG, Im Kappelhof 1, 65343 Eltville/Rhine, Germany. The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The data are processed for the purpose of online appointment booking and deleted from the service provider's servers after confirmation or completion of the booking process. Furthermore, we retain those data necessary for appointment management, documentation of treatment, and compliance with legal retention obligations for their respective retention periods.
Source of Data: Directly from the patients using online appointment booking.
4.9 Vantis Prescription Agent (Website)
Purpose of Processing: Preparation of follow-up prescriptions, structured collection of the necessary information and assignment of requests to the practice staff.
Data Subjects: Patients.
Processed Data: We primarily process the following personal data:
Patient master data (name, first name, date of birth, contact details)
Information on medication (name of the medication, therapy information, information on previous intake)
Confirmation of data protection consent, if requested
Health data (particularly information on existing therapies and medications)
Legal Basis: Art. 6 para. 1 lit. b GDPR (fulfillment of the treatment or doctor-patient relationship) and Art. 9 para. 2 lit. h GDPR in conjunction with § 22 BDSG (processing of health data in the context of medical care).
Recipients / Service Providers: Practice staff of the Vantis practice and Open Telekom Cloud / T-Systems International GmbH, Hahnstraße 43d, 60528 Frankfurt am Main, Germany (hosting infrastructure). The service provider acts for us as a processor in accordance with Art. 28 GDPR.
Storage Duration: The storage duration is generally 7 days to process follow-up prescription requests. Subsequently, the data will be deleted or anonymized, unless legal retention obligations require longer storage.
Source of Data: Directly from the patients using the Vantis Prescription Agent on the website.
5. Processing of Special Categories of Personal Data (Health Data)
In the context of certain processing activities, we also process health data and thus special categories of personal data in the sense of Art. 9 GDPR. The respective purposes, data categories, and legal bases result from the processing activities described in Section 4. The processing of this data occurs only as far as it is necessary for medical care, the settlement of the respective services, or the fulfillment of legal obligations and is based on the legal bases specified in Section 4.
6. Cookies & Consent
Our website uses the external consent manager Usercentrics, through which all cookies, tracking technologies, and their legal bases can be transparently presented and managed. All details about the purpose, storage duration, and legal basis of the cookies used can be found in our consent management tool.
We use technically necessary cookies based on Art. 6 para. 1 lit. f GDPR (legitimate interest in a functional and secure website) or Art. 6 para. 1 lit. c GDPR, provided there is a legal obligation for logging or consent documentation. Cookies that are not technically necessary (e.g., for statistics and marketing) are only set after your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent at any time with future effect via the consent tool.
7. Technical Provision of the Website
For the operation and provision of this website, we use external hosting service providers. The technical connection data (e.g., IP address, time of access, browser information) generated in the process are processed to deliver the content of the website and ensure stability and security. You can find detailed information in the corresponding processing activity in Section 4. If service providers with a location outside the European Union (EU) or the European Economic Area (EEA) are involved, data transfer to third countries may also occur. More information can be found in Section 10.
8. Contact
If you contact us, for example via email or through a contact form, we process the information you provide to handle your inquiry. The purposes, processed data, legal bases, storage durations, and service providers involved can be found in detail in the corresponding processing activities in Section 4.
9. Our Social Media Profiles
We maintain publicly accessible company profiles on social media platforms (e.g., professional networks). If you visit our profiles, personal data is processed by us and by the respective platform operator. To the extent that we jointly decide with the platform operator on the purposes and means of processing, there is joint responsibility in the sense of Art. 26 GDPR. The essential contents of the respective agreement as well as further information on data processing can be found in the privacy notices of the respective platform operator. Details about our own processing activities in connection with social media can be found in the respective processing activities in Section 4.
10. Data Transfer to Third Countries
As far as we use services from providers located outside the European Union (EU) or the European Economic Area (EEA) or data is transmitted to such providers, the processing of your data may also take place in so-called third countries. If there is no adequacy decision by the EU Commission for the respective third country, we generally base such transfers on suitable safeguards as defined by Art. 46 GDPR, particularly the conclusion of EU standard contractual clauses or participation in the EU-US Data Privacy Framework, as appropriate. Further information can be found in the processing activities described in Section 4 and in the privacy notices of the respective service providers.
11. Obligation to Provide Data and Consequences of Non-Disclosure
In the context of our website, you are generally not obliged to provide personal data. However, the provision of certain data may be necessary to use individual functions or services. For example, we cannot respond to contact requests without the necessary contact data or provide certain online services (e.g., appointment booking, prescription requests). The respective processing activities in Section 4 indicate which data are required.
12. Security Measures
We implement technical and organizational security measures to protect your personal data against accidental or unlawful deletion, alteration, loss, unauthorized disclosure, or unauthorized access. This includes, in particular, the use of encryption technologies (e.g., TLS/SSL) when transmitting data and a role-based authorization concept.
13. Your Rights under the GDPR
You have the following rights under the General Data Protection Regulation:
Right to Access (Art. 15 GDPR)
Right to Rectification (Art. 16 GDPR)
Right to Erasure (Art. 17 GDPR)
Right to Restriction of Processing (Art. 18 GDPR)
Right to Data Portability (Art. 20 GDPR)
Right to Object to Certain Processing (Art. 21 GDPR)
You can revoke granted consents at any time with future effect, e.g., via email to the contact information specified in Section 2 or through the consent tool described in Section 6.
To exercise your rights, you can contact us at any time using the contact details mentioned in Section 2. Please note that we may require additional information to confirm your identity in individual cases in order to safeguard your rights and prevent unauthorized disclosure.
14. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority regarding the processing of your personal data. The responsible authority is primarily the data protection authority of your place of residence, your workplace, or the location of our company. For us, this is usually the Bavarian State Office for Data Protection Supervision.
15. Automated Decisions
We do not use automated decision-making procedures within the meaning of Art. 22 GDPR.
16. Current Status and Changes to This Privacy Policy
We reserve the right to adapt this privacy policy to align it with changed legal situations or new processing activities. Please review this privacy policy regularly.
Status: December 20