Privacy Policy

This privacy policy informs you about the nature, scope and purpose of the processing of personal data in the context of our website, our medical services and online payment processing.

1. Controller

Dr. Beata Lutomska-Kaufmann
Liebiggasse 4, TOP 6
1010 Vienna
Austria
Phone: +43 664 5163145
E-mail: ordination@reaging-medicine.at

2. Types of data processed

We process the following categories of personal data:

  • Master data (name, address)
  • Contact data (email address, telephone number)
  • Payment data (e.g. credit card details, payment status)
  • Health data in the context of medical services
  • Usage data (e.g. access times, IP address)
  • Meta and communication data (e.g. device information)

3. Categories of data subjects

  • Patients
  • Website visitors
  • Interested parties and users of telemedical services

4. Purposes of processing

The processing is carried out for the following purposes:

  • Provision of medical services
  • Telemedical consultation and treatment
  • Processing of online payments
  • Communication with patients
  • Organisation and administration of the medical practice
  • Security and prevention of misuse
  • Compliance with legal retention obligations

5. Legal bases for processing

The processing is based on the following legal grounds:

  • Art. 6(1)(b) GDPR (performance of a contract)
  • Art. 6(1)(c) GDPR (legal obligation)
  • Art. 6(1)(f) GDPR (legitimate interests)
  • Art. 9(2)(h) GDPR (processing of health data for medical purposes)

6. Processing of health data (Telemedicine)

In the course of our medical services, in particular telemedical consultations, we process health data within the meaning of Art. 9 GDPR.
This processing is carried out for medical diagnosis, treatment, documentation and billing in accordance with Art. 9(2)(h) GDPR and the relevant professional regulations.
Health data is subject to medical confidentiality obligations.

7. Payment processing via Stripe

For the processing of online payments we use the payment service provider:

Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Grand Canal Dock
Dublin, Ireland

Stripe processes personal data such as name, email address, payment data, IP address and technical data for the purpose of processing the payment and preventing fraud.
The processing is based on Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in secure payment processing).

Further information can be found in Stripe’s privacy policy:
https://stripe.com/privacy

8. Advance payments and contract processing

For certain medical services, in particular online consultations and administrative services (e.g. prescription requests), advance payment may be required.
Payment data is processed for the purpose of performing the treatment contract.

9. Transfer of data to third countries

In the context of using Stripe, personal data may be transferred to third countries (in particular the USA).
The transfer is based on appropriate safeguards in accordance with Art. 46 GDPR, in particular Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework.

10. Cooperation with processors

We use external service providers (e.g. hosting providers, payment service providers) as processors in accordance with Art. 28 GDPR.

11. Data retention

Personal data is stored only as long as necessary for the respective purposes or as required by law.
Relevant retention periods include:

  • Accounting records: at least 7 years (§ 132 Austrian Federal Fiscal Code)
  • Medical documentation: in accordance with professional legal requirements

12. Rights of data subjects

You have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with a supervisory authority

Austrian Data Protection Authority:
https://www.dsb.gv.at

13. Right to withdraw consent

You may withdraw your consent at any time with effect for the future.

14. Cookies and server logs

When you visit our website, server log files (e.g. IP address, time of access, browser type) are processed to ensure the secure operation of the website.
Cookies may be used to ensure the functionality of the website.

15. Contact

If you contact us by email or telephone, the transmitted data will be processed to handle your request.

16. Data security

We implement technical and organisational security measures in accordance with Art. 32 GDPR to protect your data against loss, misuse and unauthorised access.