Data protection

Biohealth Munich – Centre for integrative-biological dentistry Dr Fabian Schick & Dr Florian Notter (BAG)

Welcome to the website of Biohealth Munich – Centre for Integrative-Biological Dentistry Dr Fabian Schick & Dr Florian Notter. The protection of your personal data is of particular concern to us.

Below we inform you about the processing of personal data when you visit our website and about your rights as a data subject. This privacy policy has been prepared on the basis of the applicable data protection regulations of the European Union (GDPR) and the German Telecommunications Digital Services Data Protection Act (TDDDG) and corresponds to the legal status as of January 2025

1. Data protection at a glance

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.

Detailed information can be found in this privacy policy.

Data collection on this website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator:

Biohealth Munich
Centre for integrative-biological dentistry (BAG)
Dr Fabian Schick & Dr Florian Notter
Tal 4
D-80331 Munich
Phone: +49 89 697 00 55
E-mail: praxis@biohealth-munich.de

How do we collect your data?

• Direct transmission by you (e.g. in the contact form)
• Automatic collection by IT systems when visiting the website (e.g. browser data, time)

What do we use your data for?

• To provide and optimise the website
• For the processing of enquiries
• For statistical analysis of user behaviour (after consent)
• For marketing measures (after consent)

What rights do you have? You have the following rights:

• Information about your stored data (Art. 15 GDPR)
• Correction of incorrect data (Art. 16 GDPR)
• Erasure (“right to be forgotten”, Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Objection to the processing (Art. 21 GDPR)
• Data portability (Art. 20 GDPR)
• Complaint to a supervisory authority (Art. 77 GDPR)

2. Hosting

External hosting

Our website is hosted by an external service provider:

STRATO AG
Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
Website: https://www.strato.de

The personal data collected on this website is stored on the servers of the hosting service provider.
This may include the following data in particular:

• IP addresses
• Contact enquiries
• Meta and communication data
• Contract data
• Contact details
• Names
• Website accesses
• other data generated via a website

The hosting service provider is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR)
and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).

Our hosting service provider will only process your data to the extent necessary to fulfil its service obligations,
and follow our instructions in relation to this data.

Conclusion of an order processing contract:

We have concluded an order processing contract (AVV) with STRATO.
This is a contract prescribed by data protection law, which guarantees
that STRATO processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Further information on data protection at STRATO can be found at
https://www.strato.de/datenschutz/

3 General notes and mandatory information

Data protection

The operators of these pages take the protection of your personal data very seriously.
We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

When you use this website, various personal data are processed. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.

Note on the responsible body

The controller responsible for data processing on this website is

Biohealth Munich
Centre for integrative-biological dentistry (BAG)
Dr Fabian Schick & Dr Florian Notter
Tal 4
80331 Munich
Munich, Germany

Phone: +49 89 697 00 55
E-mail: praxis@biohealth-munich.de

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

Storage duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies.

If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, deletion will take place after these reasons no longer apply.

General information on the legal basis for data processing on this website

If you have consented to data processing, we process your personal data on the basis of:

• Art. 6 para. 1 lit. a GDPR (consent)
• for special categories of personal data (e.g. health data) on the basis of Art. 9 para. 2 lit. a GDPR

If the processing is necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, the processing is based on Art. 6 para. 1 lit. b GDPR.

If the processing is necessary to fulfil a legal obligation, it is carried out on the basis of Art. 6 para. 1 lit. c GDPR.

In other cases, the processing is based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR.

Further information on the applicable legal bases can be found in the individual sections of this privacy policy.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can withdraw your consent at any time.
The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

If the data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions.

If you lodge an objection, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims (Art. 21 (1) GDPR).

If your personal data is processed for the purpose of direct marketing,
you have the right to object at any time to the processing of your personal data for the purpose of such advertising
(Art. 21 para. 2 GDPR).

If you object, your personal data will no longer be used for the purpose of direct marketing.

Right to lodge a complaint with the competent supervisory authority

In the event of infringements of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

The competent supervisory authority for our company is

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27, 91522 Ansbach
Website: https://www.lda.bayern.de/

A complete list of supervisory authorities (with contact details) can be found here:
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a structured, commonly used and machine-readable format.

If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the site operator.

You can recognise an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

4. Data collection on this website

Cookies

Our Internet pages use so-called “cookies”.
Cookies are small text files that are stored on your end device and saved by your browser. Cookies do not cause any damage and do not contain viruses. They serve to make our website more user-friendly, effective and secure.

Types of cookies

We use both first-party cookies (cookies from our website) and third-party cookies (cookies from third-party providers).

Cookies can also be differentiated as follows:

• Technically necessary cookies: Necessary for basic functions of our website (e.g. storage of logins, shopping basket function). The website will not function properly without these cookies.
• Preference cookies: Make it possible to store information that influences the behaviour or appearance of the website (e.g. preferred language or region).
• Statistics cookies: Collect information anonymously to analyse user behaviour and improve our website.
• Marketing cookies: Used to follow visitors on websites and show them relevant adverts.

Legal basis

• Technically necessary cookies: Storage takes place on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest in the technically error-free and optimised provision of our website).
• Cookiesfor preferences, statistics and marketing: Storage only takes place with your express consent (Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG).

You can revoke or change your consent at any time via our cookie consent tool.

Management of cookies

You have various options for controlling the use of cookies:

• Via our consent management tool (Borlabs Cookie), which is displayed to you when you visit our website. borlabs-cookie type=”btn-consent-preferences” title=”Manage Cookie Settings.” element=”link”/]
• By making the appropriate settings in your browser, e.g:
  • Deactivate the storage of cookies
  • Automatically delete cookies when closing the browser
  • Receive notification each time a cookie is set

Note: Deactivating or restricting cookies may limit the functionality of this website.

Duration of storage

Cookies are either:

• temporary (session cookies): are automatically deleted at the end of your visit,
• or permanent (persistent cookies): remain stored on your end device until you delete them or they are automatically deleted by your browser.

You can find the storage duration of the individual cookies in the settings of our cookie consent tool.

Further information

Further details on the cookies used and their purposes can be viewed at any time in our cookie consent tool.

Consent with Borlabs Cookie

Our website uses the Borlabs Cookie consent technology (provider: Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany) to obtain and document your consent to the storage of certain cookies and comparable technologies.

The data is stored locally in your browser and is not transmitted to Borlabs.

Further information:
https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/

Contact form

If you send us enquiries via the contact form, we process the personal data you enter. This includes in particular

• Surname, first name
• E-mail address
• Telephone number
• Appointment requests
• Request/description of your enquiry
• Further voluntary information

This data will only be used to process your enquiry or contact you and will not be passed on to third parties without your express consent.

Legal basis for the processing:

• Art. 6 para. 1 lit. b GDPR (initiation or execution of a treatment contract)
• Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient communication)

Your data will only be stored for as long as is necessary to process your enquiry or for as long as there are statutory retention obligations.
After final processing of your enquiry, we will delete your data.

Online appointment booking

Please note: We currently do not offer the option of booking appointments directly online via our website. Please contact us by telephone or via the contact form to make an appointment.

E-mail communication and hosting

When you contact us by e-mail, we process the personal data that you send us (e.g. name, e-mail address, content of the message).
This processing is carried out for the purpose of processing your request and documenting the course of communication.

The processing is based on Art. 6 para. 1 lit. b GDPR (fulfilment of contract or implementation of pre-contractual measures) or, if no contractual relationship exists, on our legitimate interest in the efficient processing of enquiries in accordance with Art. 6 para. 1 lit. f GDPR.

We use the services of Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany, to host our e-mail communication.
E-mails are stored and processed exclusively on servers within Germany.

A contract for order processing (AVV) was concluded with Strato AG in accordance with Art. 28 GDPR.

Further information on data processing at Strato can be found at
https://www.strato.de/datenschutz/

We only store your e-mail data for as long as is necessary to process your request or for as long as there are statutory retention obligations.

Telephone communication and hosting

If you contact us by telephone, we process personal data during the conversation (e.g. name, telephone number, content of the conversation).

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR (fulfilment of contract or implementation of pre-contractual measures) or on the basis of our legitimate interest in efficient communication in accordance with Art. 6 para. 1 lit. f GDPR.

We use the services of STARFACE GmbH, Stephanienstraße 4, 76133 Karlsruhe, Germany, for the technical processing of our telephone traffic.
The connection data is processed exclusively on servers within Germany.

A contract for order processing (AVV) was concluded with STARFACE GmbH in accordance with Art. 28 GDPR.

Further information on data processing at STARFACE can be found at
https://www.starface.com/de/datenschutz/

The data collected in the course of telephone communication will only be stored for as long as is necessary to process your request or for as long as statutory retention periods apply.

Online anamnesis with ROSE

We use the ROSE anamnesis tool from ROSE Dental GmbH to optimise our treatment processes.
We use the digital anamnesis to record the following data:

• Personal details (e.g. name, date of birth, address, contact details)
• Health data (e.g. previous illnesses, medication, allergies)
• Insurance data

The transmitted information is encrypted and sent to our practice and transferred to our practice management system.

Legal basis:

• Art. 6 para. 1 lit. b GDPR (contract initiation or execution)
• Art. 9 para. 2 lit. h GDPR (preventive healthcare, medical diagnostics)

Security:

ROSE processes the data within the framework of a data protection-compliant order processing contract in accordance with Art. 28 GDPR.
Further information about ROSE can be found at
https://www.rose.dental

5. Social media

We maintain publicly accessible profiles in social networks.
The individual networks we use are listed below.

Social networks such as Facebook, Instagram or LinkedIn can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners).
Visiting our social media presences triggers numerous data protection-relevant processing operations.

General information

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account.

In addition, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal.
In this case, data is collected, for example, via cookies that are stored on your end device or by recording your IP address.

The data collected can be used by the operators of the social media portals to create user profiles.
In this way, interest-based advertising can be displayed to you within and outside the respective platform.
If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.

Please note that we cannot track all processing operations on the social media portals.
Depending on the provider, further processing operations may therefore be carried out.
For details, please refer to the terms of use and privacy policies of the respective social media portals.

Legal basis

Our social media presence is intended to ensure the widest possible online presence.
This is a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

If consent to data processing has been obtained (e.g. by means of a checkbox or a banner on the respective portal), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR.
Consent can be revoked at any time.

Shared responsibility

Within the meaning of Art. 26 GDPR, we are jointly responsible with the respective operator of the social media portal for certain processing operations (so-called “joint responsibility”).

We would like to point out that, despite our joint responsibility, we have no full influence on the data processing procedures of the social media portals.
Our options are largely determined by the company policy of the respective provider.

You can view the key information on joint responsibility from the respective providers.

Individual networks at a glance

Facebook

Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland

We operate a Facebook page to present our practice, to communicate with patients and interested parties and to draw attention to our services.

Data processing:

• IP address
• Device information (e.g. browser type, operating system)
• Interactions on the page (e.g. likes, comments, messages)
• Visitor behaviour (e.g. length of stay, activities on the site)

Processing without a Facebook account:
Even if you do not have a Facebook account, Facebook collects your IP address and other technical data using cookies.

Legal basis:

• Art. 6 para. 1 lit. f GDPR (legitimate interest)
• Art. 6 para. 1 lit. a GDPR (consent for Facebook)

Shared responsibility:
https://www.facebook.com/legal/controller_addendum

Possibilities of objection:

• Facebook settings under “Advertising settings”
• Opt-out tools: https://www.youronlinechoices.com/

Facebook privacy policy:
https://de-de.facebook.com/privacy/explanation

Instagram

Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland

Instagram serves as a platform for the visual presentation of our services and communication.

Data processing:

• IP address
• Device information
• User behaviour (profile visits, interactions)
• Location data (optional, if enabled)

Processing without an Instagram account:
Instagram can evaluate your behaviour via cookies and device information even if you only visit the site.

Legal basis:

• Art. 6 para. 1 lit. f GDPR
• Art. 6 para. 1 lit. a GDPR

Shared responsibility:
https://www.facebook.com/legal/controller_addendum

Possibilities of objection:

• Settings in your Instagram account (“Privacy → Advertising”)
• Opt-out pages: https://optout.aboutads.info/

Instagram privacy policy:
https://privacycenter.instagram.com/policy/

LinkedIn

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

LinkedIn is used for professional networking and information.

Data processing:

• IP address
• Browser data
• User behaviour (profile views, network activities)
• Device information

Processing without a LinkedIn account:
Even without being logged in, LinkedIn processes your data via cookies and tracking technologies.

Legal basis:

• Art. 6 para. 1 lit. f GDPR
• Art. 6 para. 1 lit. a GDPR

Shared responsibility:
https://legal.linkedin.com/pages-joint-controller-addendum

Possibilities of objection:

• LinkedIn account settings (“Privacy → Advertising”)
• General opt-out platforms: https://www.youronlinechoices.com/

LinkedIn privacy policy:
https://www.linkedin.com/legal/privacy-policy

6. Analysis tools and advertising

We use various services on this website to analyse user behaviour and for marketing purposes.
These services help us to optimise our website technically and in terms of content, to improve your user experience and to increase our reach.

We explain the tools used in detail below.

Google Tag Manager

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function:
The Google Tag Manager makes it possible to manage website tags via a user interface.
The tool itself does not process any personal user data.
It merely triggers other tags, which in turn may collect data.

Legal basis:

• Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient management of tools and services)

Data transmission:
Google may transfer data to the USA.
The transfer takes place on the basis of the EU standard contractual clauses and within the framework of the EU-U.S. Data Privacy Framework.

Further information:
https://policies.google.com/privacy

Google Analytics

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function:
Google Analytics analyses the behaviour of website visitors and enables detailed evaluations of visitor numbers, visit duration, end devices used and user origin.

Processed data:

• IP address (anonymised)
• Device data
• Location data
• Surfing behaviour

IP anonymisation:
We have activated IP anonymisation on this website.
This means that your IP address is truncated within the EU or the EEA before it is transferred to the USA.

Legal basis:

• Art. 6 para. 1 lit. a GDPR (consent)

Data transmission:
Standard Contractual Clauses and Data Privacy Framework.

Possibilities of objection:

• Browser add-on to deactivate Google Analytics:
  https://tools.google.com/dlpage/gaoptout?hl=de

Further information:
https://support.google.com/analytics/answer/6004245?hl=de

Google Ads and conversion tracking

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function:
Google Ads enables us to advertise our offers in a targeted manner through search engine marketing.
As part of conversion tracking, we can track which actions users take after clicking on our advert (e.g. making an appointment, contacting us).

Processed data:

• IP address
• Device properties
• User behaviour on our website
• Referrer URL

Legal basis:

• Art. 6 para. 1 lit. a GDPR (consent)

Data transfer:
Standard Contractual Clauses and EU-U.S. Data Privacy Framework.

Further information:
https://policies.google.com/privacy?hl=de

7. Plugins and tools

We use various external services (plugins and tools) to ensure the technically flawless and secure provision of our online services and to optimise our website.
These services may process personal data, in particular IP addresses, browser information or user behaviour.

Below you will find an overview of the tools used as well as information on their function and data protection regulations.

Google Maps

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function:
We use the services of Google Maps on our website to visualise geographical information (e.g. the location of our practice).

Processed data:

• IP address
• Location data (with active location sharing)
• Usage data

When you access a page in which Google Maps is integrated, your IP address is stored and generally transmitted to a Google server in the USA.

Legal basis:

• Art. 6 para. 1 lit. a GDPR (consent)

Data transfer:
The transfer takes place on the basis of the EU standard contractual clauses and within the framework of the EU-U.S. Data Privacy Framework.

Further information:
https://policies.google.com/privacy?hl=de

YouTube (video integration)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Function:
We occasionally include videos from YouTube on our website to present content in a clear way.

Processed data:

• IP address
• Browser data
• Device data
• Usage behaviour

YouTube uses cookies and can store information about your usage behaviour – even if you do not have a YouTube account or are not logged in.

Extended data protection mode:
Videos are integrated in “extended data protection mode”.
Personal data is only transmitted to YouTube when you actively play the video.

Legal basis:

• Art. 6 para. 1 lit. a GDPR (consent)

Further information:
https://policies.google.com/privacy?hl=de

8 Rights of the data subject and timeliness of this privacy policy

Right to information (Art. 15 GDPR)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed.
If this is the case, you have a right to information about this data as well as to further information, e.g. processing purposes, categories of personal data, recipients, storage period and your rights in connection with the processing.

Right to rectification (Art. 16 GDPR)

You have the right to demand the immediate correction of incorrect or incomplete personal data stored about you.

Right to erasure (“right to be forgotten”) (Art. 17 GDPR)

You have the right to request the deletion of your personal data if one of the following reasons applies:

• The data is no longer necessary for the purposes for which it was collected.
• You withdraw your consent and there is no other legal basis.
• You object to the processing (see below).
• The data was processed unlawfully.
• The deletion is necessary to fulfil a legal obligation.

Note: The right to erasure does not exist if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data if:

• you dispute the accuracy of the data (for the duration of the review),
• the processing is unlawful and you request the restriction of processing instead of erasure,
• the data is no longer required by us, but you need it for the establishment, exercise or defence of legal claims,
• you have objected to the processing and it is not yet clear whose interests prevail.

Right to data portability (Art. 20 GDPR)

You have the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format
or to request its transmission to another controller, insofar as this is technically feasible.

Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you.

This applies in particular to processing on the basis of Art. 6 para. 1 lit. e or f GDPR (data processing in the public interest or on the basis of a legitimate interest).

If you lodge an objection, we will no longer process your personal data,
unless we can demonstrate compelling legitimate grounds for the processing or the processing serves the establishment, exercise or defence of legal claims.

Objection to direct marketing:
If we process your personal data for direct marketing purposes, you have the right to object to this at any time.

Right to withdraw consent (Art. 7 (3) GDPR)

You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

The processing carried out until the cancellation remains lawful.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular:

• in the Member State of your habitual residence,
• your workplace or
• the location of the alleged offence.

Competent supervisory authority for our practice:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 27
91522 Ansbach
Germany
Website: https://www.lda.bayern.de/

A complete list of the supervisory authorities in Germany can be found at
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

Up-to-dateness and amendment of this privacy policy

We reserve the right to amend this privacy policy from time to time,
so that it always complies with current legal requirements or to implement changes to our services,
for example when introducing new services.

Your next visit will then be subject to the current privacy policy.

You can call up the current status at any time on our website.

Final destination

This privacy policy is currently valid and has the status May 2025.

Due to the further development of our website and our offers or due to changed legal or official requirements, it may become necessary to change this data protection declaration.
You can access and print out the current privacy policy at any time on our website at https://biohealth-munich.de/datenschutz/.