Privacy Notice

DEMECAN Hessen GmbH (hereinafter: "DEMECAN" or "we") takes the protection of your personal data seriously and would like to inform you at this point about the manner in which your personal data is processed in connection with the visit to our website www.herbscare.de and the use of our platform services.

1. Controller

The controller within the meaning of Article 4(7) of the EU General Data Protection Regulation ("GDPR") for the processing of your personal data in connection with the use of our website and our platform services is:
 DEMECAN Hessen GmbH
 Paul-Ehrlich-Straße 51
 60596 Frankfurt am Main
 Email: info@demecan.de

2. Data Protection Officer

Our data protection officer is available to answer any questions you may have about data protection. He can be reached at the following email address: Dr. Constantin von der Groeben – constantin.groeben@demecan.de

3. Processing of Your Personal Data

Personal data is processed when you visit our website.

3.1 Data Processing When Contacting Us

When you contact us by email or phone, the data you provide (e.g., your email address, name, and phone number, as well as details of your request) will be stored by us to answer your questions.
 The data processing serves the purpose of handling your request.
 If the contact aims at concluding a usage contract for the use of the platform services or concerns an existing contract with you, Article 6(1)(1)(b) GDPR is the legal basis for the processing.
 In all other cases, the legal basis for processing your personal data is Article 6(1)(1)(f) GDPR. The legitimate interest arises from the necessity of processing your data to respond to your inquiry.
 We only store your data as long as necessary for the purpose, i.e., until your inquiry is fully answered or, if the inquiry is related to a contract, according to the contractual retention periods.
 There is no legal obligation to provide your personal data. If you do not wish to provide your data, it will not be possible to contact us.

3.2 Registration on the Platform and Initial Evaluation

You have the option to register on the platform to submit a digital request for therapy with medical cannabis. During an initial evaluation, a doctor checks using a questionnaire whether treatment with medical cannabis is an option. The following personal data, including health data, is collected during registration and initial evaluation:

  • First and last name
  • Address
  • Phone number
  • Date of birth
  • Image
  • Email address
  • Information on medical history, psychosocial information, complaints, diagnoses, and therapies
  • Other medically relevant questions for a potential cannabis therapy

The information you provide in the questionnaire is stored locally in the browser in the questionnaire engine and is only transmitted to the doctor, into the patient’s case file, after the questionnaire is fully completed. This case file is encrypted. Only the doctor and possibly medical staff working for him have access to it.
 The legal basis for the processing is your consent according to Article 9(2)(a) GDPR. Your consent is voluntary, and you can withdraw it at any time with effect for the future by email to datenschutz@herbscare.de.
 Your data will be stored until you delete your account. The data will then be deleted unless we need it to fulfill legal obligations.
 Third parties engaged by us will store your data on their systems as long as necessary in connection with the provision of services to us according to the respective order.
 There is no legal obligation to provide your data. However, if you do not provide your data, it will not be possible to use the platform.

3.3 Booking a Medical Consultation Appointment

You can book an initial medical consultation and follow-up appointments via the platform. The following personal data, including health data, is collected in connection with the booking:

  • First and last name
  • Email address
  • Address
  • Date and place of the initial consultation
  • Information on medical history
  • Psychosocial information
  • Information on diagnoses
  • Information on complaints
  • Information on therapies
  • Preferred pharmacy
  • Other medically relevant questions for a potential cannabis therapy

We need the data to process your booking request.
 The legal basis for the processing is your consent according to Article 9(2)(a) GDPR. Your consent is voluntary, and you can withdraw it at any time with effect for the future by email to datenschutz@herbscare.de.
 Your data will be stored until you delete your account. The data will then be deleted unless we need it to fulfill legal obligations.
 There is no legal obligation to provide your data. However, if you do not provide your data, it will not be possible to use the platform.

3.4 Use of Video Consultations

You can book and participate in a video consultation with a doctor of your choice via the platform. The following data is processed for the purpose of establishing the technical and visual connection between the doctor and the patient:

  • First and last name
  • Video signal
  • Audio signal

The data processing in connection with the video consultation is solely the responsibility of your treating doctor, who processes personal data based on the treatment contract concluded with you and therefore according to Article 6(1)(1)(b) in conjunction with Article 9(2)(h) in conjunction with Article 9(3) GDPR.
 To establish the connection between you and your treating doctor, the certified video consultation provider medityme of XPERTyme GmbH is used. The service is operated as software as a service for Demecan. Demecan does not have access to personal patient data. The communication between you and the treating doctor takes place after the connection is established in an encrypted direct connection (peer-to-peer) without the use of a service provider.
 Further information on data protection at medityme can be found at: https://www.medityme.com/de/page/privacy-policy2.

3.5 Chat Function

You have the option to chat with your treating doctor via the platform. Your first and last name and the content you enter in the chat are processed. The chat history is recorded on the platform.
 The legal basis for the data processing is your consent according to Article 9(2)(a) GDPR. Your data will be stored until you delete your account. The data will then be deleted unless we need it to fulfill legal obligations.
 There is no legal obligation to provide your data. However, if you do not provide your data, it will not be possible to use the chat function.

3.6 Payment

If you have booked an initial medical consultation, we will invoice you for the incurred costs. The following personal data, including health data, is collected for this purpose:

  • First and last name
  • Email address
  • Address
  • Date and place of treatment
  • Findings
  • Diagnoses
  • Therapy
  • Payment method

We need this data to invoice you for the medical services because the doctors assign the claims to us if you agree.
 The legal basis for the processing is your consent according to Article 9(2)(a) GDPR. Your consent is voluntary, and you can withdraw it at any time with effect for the future by email to datenschutz@herbscare.de.
 Your data will be stored until you delete your account. The data will then be deleted unless we need it to fulfill legal obligations.
 There is no legal obligation to provide your data. However, if you do not provide your data, it will not be possible to process payments through DEMECAN.

3.7 Mediation of Shipping Pharmacies and Prescription Service

You have the option to select a pharmacy for the purchase or delivery of medicines via our platform. We point out that you always have the free choice of pharmacy. At your request, we will forward your prescription to a pharmacy of your choice. The following personal data, including health data, is collected for this purpose:

  • First and last name
  • Address
  • Prescription
  • Preferred pharmacy

The legal basis for the processing is your consent according to Article 9(2)(a) GDPR. Your consent is voluntary, and you can withdraw it at any time with effect for the future by email to datenschutz@herbscare.de.
 Your data will be stored until you delete your account. The data will then be deleted unless we need it to fulfill legal obligations.
 There is no legal obligation to provide your data. However, if you do not provide your data, it will not be possible to use the prescription service.

3.8 Newsletter

You have the option to subscribe to our newsletter on our website, through which we inform you about current offers.
 We use the double opt-in procedure for newsletter registration. After registering for the newsletter, you will receive an email to the provided email address in which we ask you to confirm the subscription and that you are the owner of the corresponding email address. The link provided is valid for 24 hours. If we do not receive confirmation within this time, we will lock your information and delete it after one month. If you confirm your email address, we will store your IP address as well as the time of registration and confirmation to prove your registration and to clarify any possible misuse of your personal data.
 To send the newsletter, we need your email address, which we store for this purpose. The legal basis for data processing is your consent according to Article 6(1)(1)(a) GDPR.
 We store your data until you withdraw your consent. You can withdraw your consent by clicking the link provided in each newsletter email, by email to datenschutz@herbscare.de, or by a message to the contact details provided in the imprint.
 There is no legal obligation to provide your data. However, if you do not provide your email address, it will not be possible to subscribe to the newsletter.

3.9 Anonymized Data Evaluations

If you consent, we anonymize your personal data (prescribed quantities, products, diagnoses, complaints) to evaluate it for statistical purposes. This includes, among other things, indications, complaints, diagnoses, medications, and treatment courses and outcomes. The legal basis for data processing is your consent according to Article 6(1)(1)(a) GDPR or Article 9(2)(a) GDPR if health data is anonymized. Your consent is voluntary, and you can withdraw it at any time with effect for the future by email to datenschutz@herbscare.de.

3.10 Technical Data

3.10.1 Logfile

When you visit our website, a log data record (so-called server log files) is temporarily and anonymously stored on our web server. This consists of:

  • The page from which the page was requested (so-called referrer URL)
  • The name and URL of the requested page
  • The date and time of the request
  • The description of the type, language, and version of the used web browser
  • The IP address of the requesting computer, which is shortened so that a personal reference can no longer be established
  • The transmitted data volume
  • The used operating system
  • The message whether the request was successful (access status/HTTP status code)
  • Time zone difference to Coordinated Universal Time (UTC)

These data are processed for the purpose of technically providing our website and for statistical evaluations as well as for purposes of identifying and tracing unauthorized access to the web server and other crimes.
 The legal basis for data processing is Article 6(1)(1)(f) GDPR. Our legitimate interests for the temporary storage of technical access data lie in providing you with a technically functional and user-friendly website and ensuring the security of our systems.
 The storage of information on a device you use and its reading is carried out independently of the technology used (cookies, object storage, pixels, web beacons, etc.) based on your consent according to Section 25(1) TTDSG, which you declare through an opt-in. You can withdraw your declared consent at any time through the cookie settings. If the storage is absolutely necessary to provide the website, the legal basis for storage is Section 25(2)(2) TTDSG.
 Recipients of the data are our hosting service providers.
 Logfile information is stored for a maximum of 30 days from the end of your website visit and then deleted.
 Data processing is necessary for the operation of our website. If you wish to object to the data processing, you can do so by not accessing our website.
 The provision of personal data is neither legally nor contractually required, but it is necessary for the functionality of our website.

3.10.2 General Information About Cookies

We use cookies on our website. Cookies are small text files that are stored on your hard drive by the browser you use and that send certain information to the entity that sets the cookie. Cookies cannot run programs or transmit viruses to your computer and therefore cannot cause any harm. They serve to make the internet offer overall more user-friendly and effective, that is, more pleasant for you.
 Cookies can contain data that makes it possible to recognize the device being used. In some cases, however, cookies only contain information on specific settings that are not personally identifiable. Cookies cannot identify a user directly.
 There are session cookies, which are deleted once you close your browser, and persistent cookies, which are stored beyond the individual session. In terms of their function, cookies can be differentiated into:

  • Technical Cookies: These are essential for navigating the website, using basic functions, and ensuring the security of the website; they neither collect information about you for marketing purposes nor store which websites you visited;
  • Performance Cookies: These collect information about how you use our website, which pages you visit, and if any errors occur; they do not collect any information that could identify you – all collected information is anonymous and only used to improve our website and understand what interests our users;
  • Advertising Cookies/Targeting Cookies: These serve to offer the website user needs-based advertising on the website or offers from third parties and to measure the effectiveness of these offers; Advertising and Targeting Cookies are stored for a maximum of 13 months;
  • Sharing Cookies: These are used to improve the interactivity of our website with other services (e.g., social networks); Sharing Cookies are stored for a maximum of 13 months.

By using cookies, we ensure the proper functioning of our website. It also allows us to optimize the website experience. These are the purposes of data processing.
 Any use of cookies that is not technically necessary constitutes data processing, which is only permitted with your consent according to Article 6(1)(1)(a) GDPR. This applies especially to the use of Advertising, Targeting, or Sharing Cookies. In addition, we only share your personal data processed through cookies with third parties if you have given consent according to Article 6(1)(1)(a) GDPR. Below we name the legal bases in connection with the respective service.
 The storage of cookies on a device you use and their reading is carried out based on your consent according to Section 25(1) TTDSG, which you declare through an opt-in. You can withdraw your declared consent at any time through the cookie settings. If the storage is absolutely necessary to provide the website, the legal basis for storage is Section 25(2)(2) TTDSG.
 We store your data only as long as necessary to fulfill the stated purposes. The cookies are then deleted.
 If your consent according to Article 6(1)(1)(a) GDPR is the legal basis for data processing, you can withdraw it at any time. You can do this by deleting the cookies in your browser.
 The provision of your personal data is neither legally nor contractually required. However, without providing it, the functionality of our website may not be guaranteed. Furthermore, individual services may not be available.

3.11 Analysis and Tracking

We use the following analysis and tracking tools: Google Analytics
 We use Google Analytics to analyze and improve the use of our website.
 Google Analytics is a web analytics and tracking service of Google LLC ("Google"). Google Analytics can use so-called "cookies" if we activate the cookie function. In addition, Google Analytics uses a user ID and client ID generated by our website by default and anonymized, as well as Google signals to identify users.
 The anonymized user ID is assigned to a registered user after they have been clearly identified. Using the user ID, users can be identified independently of the device used. For example, if users access the website via both smartphones and tablets, we can analyze user paths using the user ID in a comprehensive overview of the data.
 The client ID is a unique, randomly generated string that acts as a pseudo-anonymized identifier and anonymously identifies a browser instance. It is stored in the browser cookies so that subsequent visits to the same website can be assigned to the same user.
 Google signals are session data from websites and apps that Google links with users who are signed into their Google account and have personalized ads activated. By linking data with these registered users, cross-device reports, cross-device remarketing, and the export of cross-device usage results (so-called "conversions") to Google Ads are possible.
 The data processed by Google Analytics are personal data within the meaning of Article 4(1) GDPR. Google Analytics collects personal data in the form of user properties and event data, among others. The latter are automatically captured events (user activities, session numbers, clicks on ads, which ads are viewed, removal or deletion of login data, website or app crashes, subscription completions or cancellations, link clicks, scroll behavior, watched video ends, etc.) for analysis-optimized events (page views, scrolls, external link activations, website searches, video plays, file downloads, etc.), recommended events (purchase process on the website, travel offers, games) and user-defined events (events that are neither automatically captured nor recommended). Moreover, session data are also collected, such as multiple page views, events (as described), social interactions, and e-commerce transactions.
 User properties are attributes of users interacting with your app or website. They are used to describe user segments such as language settings or geographic location. Some user properties are automatically logged in Google Analytics.
 The information generated by the cookie, the user ID, and Google signals about your use of this website is usually transmitted to a Google server in the USA and stored there. If IP anonymization is activated, your IP address will be shortened by Google within the member states of the European Union or other parties to the Agreement on the European Economic Area before transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google uses this information to evaluate your use of the website, compile reports on website activities, create a forecast regarding your future web behavior, and provide other services related to website and internet use to the website operator. The user ID data collected on a website or app cannot be shared or combined with data from another website or app. However, device and activity data from different sessions on a website or app can be aggregated and combined using the user ID or Google signals. The collection and combination of data can create usage profiles about you.
 The legal basis for data processing using Google Analytics is your consent according to Article 6(1)(1)(a) GDPR. You can withdraw your consent to the processing of your personal data using Google Analytics at any time by changing your cookie settings accordingly.
 The legal basis for storing the necessary cookie is your consent according to Section 25(1) TTDSG, which you declare through an opt-in. You can also withdraw your declared consent at any time through the cookie settings.
 You can also prevent the storage of cookies by setting your browser software accordingly; however, please note that you may not be able to use all the functions of this website to their full extent. Furthermore, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available under the following link:
tools.google.com/dlpage/gaoptout
 We use Google Analytics with the extension "_anonymizeIp()". This means that IP addresses are shortened (so-called IP masking).

4. Transfer of Personal Data to External Service Providers

For some functions on our website, we use external service providers to whom we transfer personal data. All third-party providers we engage act as processors for us according to our instructions and are engaged in a data protection-compliant manner according to Article 28 GDPR. The contractual agreement includes, among other things, the obligation of processors to comply with data protection requirements, including securing your personal data through appropriate technical and organizational measures, particularly using encryption technologies.
 The following categories of recipients may have access to your personal data:

  • Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g., for data center services, payment processing, IT security, or tool providers). The legal basis for the transfer is then Article 6(1)(1)(b) or (f) GDPR, as long as they are not processors;
  • Individuals involved in conducting our business operations (e.g., auditors, banks, insurers, legal advisors, supervisory authorities, participants in company acquisitions, or joint venture formations). The legal basis for the transfer is then Article 6(1)(1)(b) or (f) GDPR.

4.1 XPERTyme

We use a service of XPERTyme GmbH (Starnberger Feldweg 3, 82234 Wessling) to enable you to book appointments and participate in video consultations. For this purpose, it is necessary to process your name, email address, and date of birth.
 The data processing is based on your consent according to Article 6(1)(1)(a) GDPR. Your consent is voluntary, and you can withdraw it at any time with effect for the future by email to datenschutz@herbscare.de.
 Further information on the handling of your personal data can be found in the privacy policy at the following link: www.xpertyme.com/de/page/privacy-policy.

4.2 Mangopay

We use the payment provider Mangopay of Mangopay S.A. (2 Avenue Amélie, 1125 Luxembourg) on our platform.
 You can choose between different payment methods for payment purposes. If you have selected prepayment via Mangopay, direct debit via Mangopay, credit card via Mangopay, or instant transfer via Mangopay, the following personal data will be transmitted to Mangopay for payment processing:

  • Name
  • Address
  • Country
  • Payment data (credit card number, account number)

The legal basis for the transfer of data to and processing of data by Mangopay is the treatment contract concluded between you and the doctor according to Article 9(2)(h) GDPR. Mangopay is a processor according to Article 28 GDPR, and a corresponding contract has been concluded.
 Mangopay conducts a credit check when selecting one of the above-mentioned payment methods. In this check, mathematical-statistical procedures are used to calculate a rating regarding the likelihood of a payment default. Mangopay bases its decision on providing the respective payment methods on the calculated scoring value. The scoring value calculation is carried out according to a recognized scientific method. In addition to the credit check, we also conduct a Know-Your-Customer process in cooperation with Mangopay. We actively prevent illegal activities such as money laundering and fraud to protect our company. Therefore, in addition to the necessary payment information, we also collect the following data:

  • First and last name
  • Date of birth
  • Nationality
  • Country of residence
  • Pictures of the front and back of the ID card
  • IBAN, BIC, and bank name

Further information on the handling of your personal data can be found in the privacy policy at the following link: mangopay.com/privacy-statement?tid=133154253.

5. Data Deletion and Storage Duration

We provide information on the storage duration and deletion or blocking of your data for the processing operations we carry out. Unless a specific storage duration is stated, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage ceases to apply. Your data will generally only be stored on our servers in Germany, subject to a possible transfer specified elsewhere.
 However, storage may extend beyond the specified time in the event of (imminent) legal disputes with you or other legal proceedings or if storage is required by legal provisions to which we, as the controller, are subject (e.g., Section 257 HGB, Section 147 AO). Once the statutory retention period expires, your personal data will be blocked or deleted unless further storage is required and there is a legal basis for this.

6. Data Security

We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties (e.g., TLS encryption for our website), considering the state of technology, implementation costs, and the nature, scope, context, and purpose of the processing, as well as the existing risks of a data breach (including their likelihood and impact) for the data subject. Our security measures are continuously improved according to technological development.

7. Data Transfer to a So-Called Third Country

In the context of our business relationships, your personal data may be transferred or disclosed to third parties. These may also be outside the European Economic Area (EEA), i.e., in third countries. Such processing occurs exclusively to fulfill contractual and business obligations and maintain your business relationship with us. We inform you about the details of the transfer at the relevant points.
 Some third countries have an adequate level of data protection, as confirmed by adequacy decisions of the European Commission (a list of these countries and copies of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). In other third countries, there may not be a consistently high level of data protection due to the lack of legal provisions. In such cases, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data, certificates, or recognized codes of conduct. Regarding individual services, we inform you at the appropriate place about the prerequisites for data transfer to third countries.

8. No Obligation to Provide Personal Data

We do not make the provision of offers on the platform dependent on you providing personal data to us in advance. As a customer, you are generally not legally or contractually obligated to provide us with your personal data; however, we may only be able to provide certain offers to a limited extent or not at all if you do not provide the necessary data. If this is the case, we will specifically inform you of this in these privacy notices.

9. Legal Obligation to Provide Certain Data

We may be subject to a special legal or statutory obligation to provide lawfully processed personal data to third parties, especially public authorities (Article 6(1)(1)(c) GDPR).

10. Your Rights

You can assert your rights as a data subject regarding the processing of your personal data at any time against us using the contact details provided at the beginning. As a data subject, you have the right to:

  • According to Article 15 GDPR, request information about your data processed by us. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage duration, the existence of a right to rectification, deletion, restriction of processing, or objection, the existence of a right to complain, the origin of your data if it was not collected by us, and the existence of automated decision-making, including profiling and, if applicable, meaningful information about its details;
  • According to Article 16 GDPR, request, without delay, the correction of incorrect data or the completion of your data stored by us;
  • According to Article 17 GDPR, request the deletion of your data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims;
  • According to Article 18 GDPR, request the restriction of the processing of your data if you dispute the accuracy of the data; if the processing is unlawful but you refuse the deletion of the data; if we no longer need the data but you need it to assert, exercise, or defend legal claims; or if you have objected to the processing according to Article 21 GDPR;
  • According to Article 20 GDPR, receive your data that you have provided to us in a structured, commonly used, and machine-readable format or request the transfer to another controller ("data portability");
  • According to Article 21 GDPR, object to the processing of your data, provided that the processing is based on Article 6(1)(1)(e) or (f) GDPR. This is particularly the case if the processing is not necessary to fulfill a contract with you. Unless the objection is against direct marketing, we ask you to explain why we should not process your data as we have done. In the case of your justified objection, we will examine the situation and either stop or adapt the data processing or show you our compelling legitimate reasons for continuing the processing;
  • According to Article 7(3) GDPR, withdraw your consent given to us at any time with effect for the future. This means that we will no longer continue the data processing based on this consent for the future;
  • According to Article 77 GDPR, complain to a supervisory authority about the processing of your personal data in our company.

11. Updating the Privacy Notice

Due to changes in legal or regulatory requirements and the further development of technical standards and our offer, adjustments to this privacy notice may be necessary. Therefore, it is regularly reviewed for changes or additions. The privacy notice can thus be changed at any time with effect for the future.

These privacy notices are valid as of January 2024.