
Privacy Policy

Note: This draft describes the data processing on vivam.io and within the scope of the VIVAM GUIDE purchase and usage agreement. It should be reviewed before publication by a data protection officer or a law firm specialised in IT and healthcare law.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:

VIVAM GmbH
Jülicher Straße 209 Q–S, 52070 Aachen, Germany
Email: info@vivam.io
Managing Directors: Annika Reitz, Ahmed Hallawa, Jonathan Wirtz

2. Data Protection Officer

Mike Peter (mpP Group / yourprivacyfirst)
Landeckring 19, 76831 Impflingen
Requests may also be addressed to datenschutz@vivam.io.

3. General Information on Data Processing

As a matter of principle, we process the personal data of our users and customers only insofar as this is necessary to provide a functional website as well as our content and services, or where express consent has been given.

The legal bases for the processing are in particular Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (performance of a contract), Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (legitimate interest).

4. Hosting and Provision of the Website

Our website is operated on servers located within the European Union. Each time the website is accessed, the server automatically stores information in server log files:

  • IP address of the requesting device (anonymised)
  • date and time of access
  • name and URL of the file retrieved
  • amount of data transferred and notification of successful retrieval
  • browser and operating system used, referrer URL

Legal basis: Art. 6(1)(f) GDPR (ensuring trouble-free operation and the security of our systems). The data is deleted or anonymised after no more than 7 days.

5. Cookies and Comparable Technologies

When you access our website, cookies or comparable technologies (e.g. localStorage) are used on your device. We distinguish here between technically necessary categories and those requiring consent.

5.1 Technically Necessary Cookies

These cookies are absolutely necessary for the operation of the website (e.g. session ID, load balancing, security, storage of your cookie selection). Without them, the website cannot be provided.
Legal basis: § 25 Abs. 2 Nr. 2 TDDDG as well as Art. 6(1)(f) GDPR (legitimate interest in a functional, secure offering).

5.2 Cookies and Tracking Requiring Consent

We use cookies and technologies for statistical or marketing purposes only after your express consent (Art. 6(1)(a) GDPR, § 25 Abs. 1 TDDDG). A cookie banner appears for this purpose when you first access the website. Without your consent, no non-necessary cookies are set and no personal data is transmitted to tracking services. Tracking scripts (in particular the Google tag) are already loaded, but are in the status "Consent denied" and in this state transmit exclusively anonymised cookieless pings without device identifiers (Google Consent Mode v2, see section 5.6).

  • Necessary: indispensable, always active (storage period: session up to 12 months).
  • Statistics: pseudonymised reach measurement to improve our content. Google Analytics 4 is used (see 5.4). Storage period: up to 14 months.
  • Marketing: measurement of the effectiveness of our advertising campaigns (conversion tracking). Google Ads is used (see 5.5). Storage period: up to 90 days per conversion cookie.

5.3 Withdrawal of Consent

You can withdraw or adjust your consent at any time with effect for the future. To do so, open the cookie settings (also linked in the footer of every page). The withdrawal does not affect the lawfulness of the processing carried out up to the point of withdrawal.

Our consent solution stores a versioned record of your selection (timestamp, selected categories, version of the consent) in your browser in order to be able to demonstrate which processing operations were authorised at which point in time (Art. 7(1) GDPR).

5.4 Reach Measurement with Google Analytics 4

On our website we use the web analytics tool Google Analytics 4 (GA4). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (within the corporate group of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

GA4 uses cookies and similar technologies (in particular a randomised device identifier, the so-called client ID) to analyse the use of our website. The following are collected in particular:

  • shortened IP address (anonymised before storage)
  • device information (browser, operating system, screen resolution, language)
  • referring URL and pages visited within the session
  • approximate location (city level)
  • a randomised device identifier (client ID)
  • events triggered by us (e.g. form submit, newsletter sign-up, order completion) without the contents of the form

Purpose: reach measurement, understanding user interaction with our offering, optimisation of website content as well as provision of the conversion signals to Google Ads (see 5.5).
Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25 Abs. 1 TDDDG (consent). We obtain consent via our cookie banner. Until you give your consent, GA4 transmits exclusively anonymised pings without device identifiers (Google Consent Mode v2, see 5.6).
Storage period: The standard storage period of the GA4 event data is 14 months; the data is then automatically deleted. Aggregated reach data may be retained for longer.
Third-country transfer: Data is transferred to the USA. The transfer takes place on the basis of the EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023; Google LLC is certified under the Framework) as well as supplementary EU standard contractual clauses pursuant to Art. 46(2)(c) GDPR.

There is a data processing agreement with Google pursuant to Art. 28 GDPR. Further information on data processing by Google: policies.google.com/privacy.

5.5 Conversion Tracking with Google Ads

We use Google Ads to place online advertising and to measure the success of our advertising campaigns (conversion tracking). The provider is Google Ireland Limited (address see 5.4).

If you reach our website via one of our Google ads, a cookie is set for conversion measurement. If you subsequently carry out a previously defined action on the website (order completion, demo or quote request, contact form, newsletter sign-up), we recognise that this action results from a click on our ad. The contents of the respective form are not transmitted to Google; only the conversion type, a timestamp and technical identifiers (click ID "gclid", anonymised cookie ID) are transmitted.

Purpose: measuring the success of advertising campaigns, automatic optimisation of bids (Smart Bidding).
Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25 Abs. 1 TDDDG (consent).
Storage period: conversion cookie max. 90 days. Aggregated conversion data in Google Ads in accordance with Google's specifications (reporting periods of up to 540 days).
Third-country transfer: USA, on the basis of the EU-US Data Privacy Framework and supplementary EU standard contractual clauses (see 5.4).

There is a data processing agreement with Google pursuant to Art. 28 GDPR. Further information: policies.google.com/technologies/ads.

5.6 Google Consent Mode v2

In order for our cookie banner to communicate with the Google services, we use Google Consent Mode v2. As long as you have not granted consent, all marketing and statistics signals (ad_storage, ad_user_data, ad_personalization, analytics_storage) are in the status "denied". In this mode, no identifying cookies are set, no device identifiers (client ID) are transmitted and exclusively anonymised "cookieless pings" are sent, which enable statistical modelling without any personal reference. Only after your consent do the respective signals switch to the status "granted", whereupon the regular data processing described in sections 5.4 and 5.5 begins. You can change your consent status at any time via the cookie settings (see 5.3).

6. Obligation to Provide Personal Data

You do not have to provide any personal data in order to access our website. However, for the use of certain functions we require information from you:

  • Contact and demo forms: The information marked as mandatory fields (name, email) is required in order to process your request and to be able to contact you. Without this information, processing is not possible.
  • Checkout / conclusion of contract: The data requested in the order process is required for the performance of the contract (Art. 6(1)(b) GDPR) and for the fulfilment of legal obligations (Art. 6(1)(c) GDPR, in particular §§ 14, 14a UStG). Without this information, the contract cannot be concluded.

There is no statutory obligation to provide the data. You are not obliged to enter personal data; the only consequence is that the respective service cannot be used, or only to a limited extent.

7. Contact and Demo Requests (HubSpot)

If you contact us via a form (demo booking, quote request, contact), your information (name, email, practice name, message, number of treatment rooms) as well as technical information (IP address, timestamp) is stored in our CRM at HubSpot. The provider is HubSpot Ireland Limited, 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland.

Purpose: processing of the request, scheduling of appointments, initiation of a contract.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (efficient customer management).
Storage period: until the request has been dealt with, then deletion after no later than 3 years, unless statutory retention obligations preclude this.

There is a data processing agreement with HubSpot pursuant to Art. 28 GDPR. Data transfers to third countries take place only on the basis of EU standard contractual clauses.

To confirm your request (e.g. "Your demo request has been received by VIVAM"), we send you an acknowledgement of receipt by email. These transactional emails are sent via our service provider Scaleway Transactional Email (see section 8). In doing so, your email address, your name and the information required for the confirmation are transmitted to Scaleway. The legal basis is Art. 6(1)(b) GDPR (pre-contractual measure).

In order to be able to demonstrate the dispatch of our transactional emails (acknowledgement, order, installation and appointment confirmations) and to document it in the customer history, we log the dispatch that has taken place in the CRM (HubSpot). In doing so, the subject, sender, recipient, time as well as the complete content of the respective email are stored and assigned to the associated contact or business transaction. The processing takes place for the performance of the contract or pre-contractual communication (Art. 6(1)(b) GDPR) and to ensure a complete, audit-proof communication history (Art. 6(1)(f) GDPR).

8. Newsletter (Double Opt-In)

On our website we offer a newsletter subscription in which we provide information about news, product updates and events. Your email address is required to receive the newsletter; providing a first name is voluntary and is used exclusively to address you personally.

For the registration we use the so-called double opt-in procedure. This means: after your entry, we send you an email to the address provided, in which we ask you to confirm the registration by clicking on a link. In this way, we ensure that only the holder of the email address subscribes to the newsletter.

For evidentiary purposes (§ 7 Abs. 2 UWG, Art. 7(1) GDPR), we log the time of registration, the time of confirmation as well as the IP address used in each case. We store this data for as long as you are subscribed to the newsletter, as well as for the duration of statutory verification obligations (usually 3 years from withdrawal).

Legal basis for sending the newsletter: Art. 6(1)(a) GDPR (express consent) in conjunction with § 7 Abs. 2 UWG.

8.1 Distribution Platform (Mailchimp)

After your confirmation, we transfer your email address and — if provided — your first name to our newsletter distribution platform Mailchimp. The operator is Rocket Science Group LLC d/b/a Mailchimp, 405 N Angier Ave NE, Atlanta, GA 30308, USA (a subsidiary of Intuit Inc.). As part of the dispatch, Mailchimp additionally processes technical data for delivery monitoring (including open and click events per campaign), insofar as this is necessary for the provision of the service.

The transfer to the USA takes place on the basis of the EU standard contractual clauses (Art. 46(2)(c) GDPR) as well as — where certified — the EU-US Data Privacy Framework; Intuit Inc. is certified under the Framework. There is a data processing agreement with Mailchimp pursuant to Art. 28 GDPR. Further information: intuit.com/privacy/statement.

8.2 Storage in the CRM and Lead Management (HubSpot)

In parallel with the inclusion in the Mailchimp distribution list, we store your newsletter registration in our CRM at HubSpot (see section 7). There, your record is marked as a potential prospect (lead); for internal follow-up, we additionally create a linked sales transaction (deal) with the source "Newsletter". In addition to the email address and first name, the timestamps and IP addresses of the registration and confirmation, the origin URL as well as the status of your consent are stored.

The purpose is the central, traceable support of potential customers and the avoidance of duplicate contact via different channels.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient customer management and in the structured support of potential customers). You can object to this processing at any time pursuant to Art. 21 GDPR — informally by email to datenschutz@vivam.io. The objection is independent of a newsletter unsubscription: you can either object only to the CRM entry as a lead, only unsubscribe from the newsletter, or withdraw both at the same time.

8.3 Unsubscribing

You can unsubscribe from the newsletter at any time with effect for the future. The most convenient way is the unsubscribe link at the end of each newsletter email; alternatively, you can send an informal email to info@vivam.io. The lawfulness of the processing carried out up to the point of withdrawal remains unaffected. After unsubscribing, we remove your email address from the active Mailchimp distribution list; in the CRM (HubSpot), the status is set to unsubscribed and the record is deleted after the statutory verification periods have expired.

8.4 Sending of Double Opt-In and System Emails

The confirmation email (DOI), the welcome email and other system emails relating to the newsletter subscription (e.g. for unsubscribing), as well as all transactional emails of our shop (order, installation and appointment confirmations), are sent via the service provider Scaleway Transactional Email (Scaleway SAS, 8 rue de la Ville l'Évêque, 75008 Paris, France). The ongoing dispatch of the newsletter campaigns themselves takes place exclusively via Mailchimp (see section 8.1).

The technical dispatch via Scaleway takes place via a dedicated sending domain; replies to our emails are forwarded back to our regular mailbox (Google Workspace, see below) via a Reply-To header set in the mail header. In doing so, your email address, your name and the contents required for the respective email are transmitted to Scaleway. Processing and storage take place exclusively in data centres within the European Union (France). There is a data processing agreement with Scaleway pursuant to Art. 28 GDPR; no transfer to third countries takes place.

9. Appointment Booking (Preferred Dates for Demo and Installation)

For the selection of a preferred appointment (demo meeting or appointment for the remote installation), we use an appointment selection operated on our own website. No data is transferred to external appointment booking services.

The times selected in the picker are transferred together with your contact data to our CRM (HubSpot) and linked there with the respective business transaction, so that we can confirm the appointment internally or offer an alternative if necessary. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measure or performance of a contract).

10. Payment Processing (Mollie)

For the processing of subscriptions and SEPA direct debits, we use Mollie. The provider is Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands. The data required for the payment is transmitted: name, email, IBAN, where applicable practice name, plan details.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention in accordance with commercial and tax law obligations (§ 147 AO), as a rule 10 years.
There is a data processing agreement with Mollie. Further information: https://www.mollie.com/privacy.

As part of the order processing, we send you transactional emails (including order confirmation, information on installation and invoicing). The dispatch takes place via our service provider Scaleway Transactional Email (see section 8). In doing so, your email address, your name and the contract details required for the respective email are transmitted to Scaleway. The legal basis is Art. 6(1)(b) GDPR (performance of a contract).

11. VIVAM GUIDE Software and LoRA Adaptations

The VIVAM GUIDE software and the associated language model (VIVAM LLM) are operated locally on the hardware used by the customer (Apple Mac Mini). The processing of health-related data of the patients takes place exclusively locally in the practice.

As part of regular software updates, exclusively anonymised or aggregated model parameters and LoRA adaptations are transmitted to VIVAM GmbH via an encrypted connection. Personal data or health data is not transmitted in the process. Details are governed by the data processing agreement (DPA) concluded between provider and customer pursuant to Art. 28 GDPR.

12. Recipients and Processors

We pass on personal data only to the following categories of recipients. With all the processors mentioned, there are data processing agreements pursuant to Art. 28 GDPR:

  • Hosting service provider (EU data centre) – provision of the website and the functions based on it
  • HubSpot Ireland Limited (Dublin, Ireland) – CRM, contact and deal management, logging of email dispatch. Data transfer to the USA within the corporate group on the basis of the EU standard contractual clauses and, where certified, the EU-US Data Privacy Framework (HubSpot Inc.).
  • Scaleway SAS (Paris, France) – dispatch of transactional emails (Scaleway Transactional Email). Processing exclusively within the EU.
  • The Rocket Science Group LLC d/b/a Mailchimp (Atlanta, USA; part of Intuit Inc.) – dispatch of newsletter campaigns as well as management of the distribution list, including technical delivery data (open and click events). Data transfer to the USA on the basis of the EU standard contractual clauses and, where certified, the EU-US Data Privacy Framework (Intuit Inc.).
  • Mollie B.V. (Amsterdam, Netherlands) – payment processing, SEPA direct debit mandate.
  • Google Workspace (Google Ireland Limited, Dublin, Ireland) – incoming email traffic (Reply-To replies to our transactional emails). Data transfer to the USA on the basis of the EU standard contractual clauses and, where certified, the EU-US Data Privacy Framework (Google LLC).
  • Google Analytics 4 and Google Ads (Google Ireland Limited, Dublin, Ireland) – reach measurement and conversion tracking after consent; for details see sections 5.4 and 5.5. Data transfer to the USA on the basis of the EU-US Data Privacy Framework and supplementary EU standard contractual clauses (Google LLC).
  • Tax advice, legal advice, accounting service providers
  • Authorities, where required by law

13. Storage Period

We store personal data only for as long as this is necessary for the fulfilment of the purposes mentioned or as long as statutory retention obligations (in particular §§ 147 AO, 257 HGB) exist.

14. Automated Decision-Making and Profiling

Automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you does not take place on this website. Profiling for marketing or evaluation purposes also does not take place.

Note on VIVAM GUIDE: The VIVAM LLM supports the specialists working in the practice with the documentation and the structuring of conversation contents. All diagnostic, therapeutic and billing-relevant decisions are made exclusively by the treating licensed psychotherapists. The AI model does not make any autonomous decisions with legal effect vis-à-vis patients.

15. Your Rights

Under the GDPR, you have the following rights:

  • access to processed data (Art. 15 GDPR)
  • rectification of inaccurate data (Art. 16 GDPR)
  • erasure ("right to be forgotten") (Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • objection to the processing (Art. 21 GDPR)
  • withdrawal of consent given with effect for the future (Art. 7(3) GDPR)
  • complaint to a supervisory authority (Art. 77 GDPR). The competent authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW).

16. Validity and Amendment of this Privacy Policy

This privacy policy is currently valid and is dated May 2026. Due to the further development of our offering, it may become necessary to amend this privacy policy. The respective current version can always be accessed at vivam.io/datenschutz.

© 2025 VIVAM GmbH. All rights reserved.