1. Name and Address of the Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection regulations, is:
68723 Schwetzingen, Germany
2. Access Data in Server Log Files
When you visit our platform, access data is automatically stored in so-called server log files. This includes the date and time of access and, if applicable, the entered search term.
The temporary storage of the IP address by the system is necessary to enable the delivery of the platform and its content to your device. For this purpose, your IP address must be stored for the duration of the session.
The legal basis for the temporary storage of your data and log files is Art. 6(1)(b) GDPR. These data are evaluated solely to ensure the permanent and trouble-free operation of the platform and to improve the content of our platform, ensuring the security of our information technology systems. No evaluation of your personal data for marketing purposes takes place in this context.
The collection of data for the provision of the platform and the storage of data in log files are necessary for the operation of our platform. There is, therefore, no possibility of objection.
To make the use of our platform attractive and enable the use of certain functions, we use so-called “cookies.” These are small text files that are placed and stored on your device via a browser.
Cookies can contain a so-called cookie ID. It consists of a character string through which platforms and servers can be assigned to a specific browser in which the respective cookie was stored.
The following data is stored and transmitted in the cookies: language settings, entered search terms, frequency of page views, use of platform functions, user origin, operating system used, end device used, browser used, resolution of the end device.
Your data collected on our platform is anonymized through technical measures. Therefore, an assignment of the data to you is no longer possible. The data is not stored together with any other of your personal data.
The legal basis for the processing of personal data using cookies is Art. 6(1)(a) GDPR.
4. Data Processing for Payment Processing via Stripe
If a user opts for credit card payment, we will, to ensure smooth payment processing and based on Article 6(1)(b) GDPR, transmit the payment data provided by the customer, such as name, address, account number, bank code, possibly credit card number, invoice amount, currency, and transaction number, to the respective payment service provider, such as Stripe, The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (hereinafter “Stripe”), or PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (hereinafter “PayPal”). The payment service providers use the data for the execution and realization of the respective payment transaction and transmit it securely via the “SSL” encryption method. The payment service providers reserve the right to conduct a credit check based on mathematical-statistical procedures to safeguard the legitimate interest in determining the user’s creditworthiness. The payment service providers may transmit the personal data necessary for a credit check, obtained as part of the payment processing, to selected credit agencies, which the payment service providers disclose to users upon request. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical method. The calculation of score values includes, among other things, but not exclusively, address data. Stripe uses the result of the credit check regarding the statistical probability of default for the purpose of deciding on the eligibility to use the selected payment method. You can object to the processing of your data at any time by sending a message to Stripe or the contracted credit agencies. However, Stripe may still be entitled to process your personal data if this is necessary for the contractual processing of payments.
5. Google Analytics
We use Google Analytics, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google Analytics”) on our website. The information generated by your use of this website is usually transmitted to a Google server in the USA and stored there. The USA is considered an insecure third country.
The legal basis for the processing of personal data is Art. 6(1)(a) GDPR.
We have concluded a contract with Google for order processing in accordance with the EU Standard Contractual Clauses under Art. 28 GDPR to ensure the security of this data processing. We also fully implement the strict requirements of the German data protection authorities when using Google Analytics.
By activating IP anonymization on our website, the IP address is shortened before transmission within the member states of the European Union or other contracting parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server and shortened there. The anonymized IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.
Google will use this information on our behalf to evaluate the use of our website by users, to compile reports on the activities within this website, and to provide us with further services related to the use of this website and internet usage.
Google may also transfer this information to third parties if required by law or if third parties process this data on behalf of Google. Pseudonymous user profiles can be created from the processed data.
You can prevent Google from collecting and processing data related to your use of our website (including your IP address) by downloading and installing the browser add-on available at this link: http://tools.google.com/dlpage/gaoptout?hl=en. The installation of the browser add-on is considered a contradiction by Google.
The data generated by the cookie is stored for 365 days in accordance with our cookie configuration and then automatically deleted.
You can revoke your consent to data processing by Google at any time by clicking this link. An opt-out cookie will be stored on your device. If you delete your cookies, you must click the link again.
6. Email and Contact Form
On our website, we provide information under “Imprint” due to legal regulations that enables quick electronic contact with us and direct communication via email. When you contact us by email, the personal data you transmit is automatically stored.
The legal basis for processing data transmitted via email is Art. 6(1)(b) GDPR. We use the personal data you provide exclusively to process your specific inquiry. The information you provide is treated confidentially.
The data is deleted as soon as it is no longer necessary to achieve the purpose of its collection. For personal data sent by email, this occurs when the respective conversation with you is concluded. The conversation is considered concluded when it can be inferred from the circumstances that the matter in question has been conclusively resolved.
If you contact us, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued.
7. Data Processing for Student Discount Validation
We offer students the opportunity to claim discounts on our content. To verify if a user is eligible for the student discount, we need to check if the user is enrolled at an accredited university for the program of human, dental, or veterinary medicine at the time of ordering. For this purpose, users can upload proof documents via our platform. We process the data provided on the legal basis of Art. 6(1)(b) GDPR.
We store this data for as long as necessary to achieve the intended purpose.
8. Data Security
We secure our platform and other systems through various technical and organizational measures against loss, destruction, access, modification, or distribution of your data by unauthorized persons. Despite regular checks, complete protection against all risks is not possible and cannot be guaranteed by us. For this reason, you are free at any time to transmit your personal data to us through other means, such as by telephone or post.
9. Data Deletion and Storage Period
Your personal data is deleted or blocked as soon as the purpose of storage ceases to apply or you revoke your consent. Storage may also occur if this has been provided for by the European or national legislator in union regulations, laws, or other provisions to which the data controller is subject. When the storage purpose ceases, you revoke your consent, or a storage period prescribed by the European legislator or another competent legislator expires, the personal data is routinely blocked or deleted in accordance with legal requirements, unless further storage of the data is necessary for a contract conclusion or fulfillment.
10. Right to Information
You also have the right to obtain from us free information at any time about your stored personal data and a copy of this information. You also have the right to information about the following:
- the purposes of processing,
- the categories of personal data being processed,
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly recipients in third countries or international organizations, if possible,
- the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this duration,
- the existence of a right to rectification or erasure of personal data concerning you or restriction of processing by the controller or a right to object to such processing,
- the existence of a right to lodge a complaint with a supervisory authority, if the personal data was not collected from you: all available information about the origin of the data,
- and the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, you have the right to be informed whether personal data has been transferred to a third country or to an international organization. If this is the case, you also have the right to obtain information about the appropriate guarantees in connection with the transfer.
11. Right to Rectification
You have the right to request the immediate correction and/or completion of personal data concerning you that is incorrect or incomplete. We are obliged to make the correction without delay.
12. Right to Restriction of Processing
You have the right to request us to restrict the processing of your personal data if one of the following conditions is met:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- The controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise, or defense of legal claims.
- The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If the processing of the personal data concerning you has been restricted, these data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
You will be informed by us before the restriction is lifted if the processing has been restricted under the above conditions.
13. Right to Deletion
You have the right to request the immediate deletion of personal data concerning you if one of the following reasons applies and to the extent that processing is not necessary:
- The personal data has been collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws consent on which the processing is based according to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- The personal data has been unlawfully processed.
- Deletion of the personal data is necessary to comply with a legal obligation under Union or Member State law to which the controller is subject.
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
If we have made personal data public and we are obliged to delete it pursuant to Art. 17(1) GDPR, we shall, taking into account available technology and implementation costs, take reasonable steps, including technical measures, to inform other data controllers processing the published personal data that the data subject has requested the erasure of all links to this personal data or copies or replications of this personal data from those other data controllers, unless the processing is necessary.
The right to erasure does not exist to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation that requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health according to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes according to Art. 89(1) GDPR, to the extent that the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- for the establishment, exercise, or defense of legal claims.
14. Right to Information
If you have asserted your right to rectification, erasure, or restriction of processing against us, we are obliged to inform all recipients to whom the personal data concerning you has been disclosed about this rectification or erasure of data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed about these recipients vis-à-vis us.
15. Right to Data Portability
You have the right to receive the personal data concerning you that you provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to Art. 20(1) GDPR, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible and provided it does not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
16. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.
We shall no longer process the personal data in the event of the objection unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
If we process personal data for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
17. Right to Withdraw Consent
You have the right to withdraw your consent to the processing of personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
18. Right to Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless the decision:
- is necessary for the conclusion or performance of a contract between you and us,
- is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
- is based on your explicit consent.
However, these decisions must not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), we shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express your point of view, and to contest the decision.
19. Existence of Automated Decision-Making
We do not carry out automated decision-making or profiling.
20. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. The supervisory authority competent for us is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Dr. Stefan Brink, Königstrasse 10a, 70173 Stuttgart, Germany.