Privacy Policy

We are pleased that you are visiting our website. We take the protection of your personal data very seriously.

In the following, you will find information on the type and scope of the processing of your personal data in accordance with Art. 13 of the GDPR by Biologische Heilmittel Heel GmbH (hereinafter: “we” or “us”), which we are happy to provide you with in this data protection declaration.

1. Name and contact information of the controller; data protection officer’s contact

(1) The name and contact information of the controller: 

 Biologische Heilmittel Heel GmbH
Dr.-Reckeweg-Str. 2-4
76532 Baden-Baden, Germany
E-mail: info@heel.com

You can find more information in the Legal notice.

(2) Contact details of the Data Protection Officer: 

Biologische Heilmittel Heel GmbH
Data Protection Officer
Dr.-Reckeweg-Str. 2-4
76532 Baden-Baden, Germany
E-mail: dataprotection@heel.com

2. Processing of personal data when using our website

2.1 Accessing the website 

(1) When you visit our website, we inform you about various third-party services and content via our cookie banner. You can find this information again in Section 5 of this privacy policy below. In this case, the type and scope of data processing depends in part on which "privacy settings" you make within the cookie banner.        

In addition, we process the data from you described below in this Section 2. The type and scope of data processing here depends in particular on which functions of the website you use or how you communicate with us:

In this context, we collect the following data, which is technically necessary for us to display our website and to ensure its stability and security:                

  • IP address of the requesting processor
  • Date and time of the request
  • Name and URL of the file retrieved
  • Operating system information and its access status/HTTP status code
  • The volume of data transmitted in each case
  • Website from which our site was accessed 
  • Browser and language and version of the browser software

(2) If this data constitutes personal data, we process it on the basis of our overriding legitimate interests (Art. 6 Para. 1(1) Letter f) of the GDPR). 

The aforementioned data is processed by us for the following purposes:

  • Ensuring a problem-free connection setup of the website
  • Evaluation of system security and stability.
  • Analysis of unauthorised access or attempts to access the system

(3) The listed data are automatically deleted after a period of seven days.

2.2 Use of our contact options

(1) If you have any questions, you can contact us using a form provided on our website. In addition to your query (including content and subject), you are required to enter your salutation, name, country and valid E-mail address so that we know who the query is coming from and will be able to respond to it personally. Other information can be entered voluntarily.

In addition to using the above-mentioned contact form, you are also welcome to contact us directly by E-mail. 

Please note that data cannot always be transmitted securely on the internet. Protection cannot be guaranteed when exchanging data, especially in E-mail correspondence. Please do not send sensitive data (including health-related aspects) to us via E-mail.

We also offer you the option of contacting us by telephone using the published telephone numbers (such as the customer hotline). Other communication channels (such as post and fax) can also be used.

Last name, first name and other data depending on the selected medium (e.g. telephone numbers provided, address, notes on the content of the call) are regularly processed when this is done.

(2) The legal basis for the processing of personal data is Art. 6 Para. 1 (1) Letter b of the GDPR. According to it, we are allowed to process data if the processing is required for the fulfilment of a contract which you party to or for the performance of pre-contractual measures. Otherwise, if you are not a customer of ours and no customer relationship is being formed, we base the data processing on our overriding legitimate interests (Art. 6 Para. 1 (1) Letter f) of the GDPR). We process the data listed for the following purposes:

  • Getting in touch
  • Responding to specific questions

(3) The personal data we collect will only be stored for as long as is necessary to achieve the purpose for which the data was collected. We may be obliged to store data beyond this due to retention duties under the provisions of fiscal and commercial law.

3. Notes on consent for provision of the personal data  

If you have given your consent to the processing of your data, you can withdraw it at any time free of charge. Such a withdrawal will affect the admissibility of the processing of your personal data after you have given it to us. 

You can easily declare the withdrawal of your consent. Depending on the processing operation, the following options are available to you:

  • Insofar as you have given your consent via the cookie banner (cf. the explanations under Section 5 below), you can declare your withdrawal via the settings in the cookie banner here. To do so, move the slider for individual or multiple services so that the grayed-out "x" is visible in the selection.
  • Insofar as you have given your consent to a newsletter (for example, by registering on the website), you can withdraw your consent by clicking on the unsubscribe link within the newsletter.
  • Insofar as you have given your consent in another way, you can declare your withdrawal by informal declaration to us via a contact option specified in the Legal notice.

4. Use of cookies

(1) General information 

We use cookies to make our website attractive and user friendly, to improve it and to make access faster.

These are small text files that are saved on your computer and which store certain settings and data for exchange with our system via your browser. Cookies cannot damage your computer and do not contain malicious software such as viruses.

You have the option to change your browser settings so that cookies are not saved or are erased at the end of your Internet session.

However, please note that in this case you may not be able to use all functions of our website.                

(2) Technically essential cookies (category "essential"). 
We use cookies that are necessary for operating the website. These enable functions without which the website cannot be used as intended. We have explained the essential cookies individually in the cookie banner.

The storage of the information or access to this information in your end device is absolutely necessary in order to provide you with a functional website and thus a service expressly requested by you within the meaning of § 25 (2) No. 2 TTDSG.

Insofar as personal data is processed when essential cookies are used, this is done on the basis of Art. 6 Para. 1 (1) Letter f of the GDPR ("legitimate interest"). Our interests are to provide you with a pleasant user experience.

(3) Optional cookies (category "functional" or "marketing")

Furthermore, we use optional cookies for the purpose of website analysis and tracking. In Section 5, we describe the analytics and tracking tools used on this website and the optional cookies associated with them in detail.

We only use optional cookies with your consent (Art. 6 Para. 1 (1) Letter a of the GDPR). If you are visiting our website for the first time, a banner is displayed which we use to ask you for your consent to the use of optional cookies.

If you give your consent, we save a cookie on your computer and the banner will not be displayed again for the lifetime of the cookie. After this, or if you actively delete the cookie prior to this, the banner will be displayed again on your next visit to our website to obtain your consent again. You can also find a description and your settings options for this by clicking on the "Privacy settings" link at the bottom of our website.

5. Services on the website (Information from cookie banner)

We use third-party services on our website, such as analytics and marketing technologies. The providers of these technologies may also store information on your end device (e.g. cookies) and/or access information located on your end device (e.g. browser used, operating system, etc.). Personal data can also be processed in the process.

To give you a better overview of these services, we have divided them into the following categories:                

  • Essential: These technologies are required for the core functionality of the website.
  • Functional: These technologies allow us to analyse website usage in order to measure and improve performance.
  • Marketing: These technologies are used by advertisers to serve ads that are relevant to your interests.

In some cases, technologies also serve multiple purposes. This applies, for example, to analytics technologies, some of which are also used to display marketing content. The same applies to technical solutions to integrate marketing technologies more easily. In these cases, we have assigned the technology within the cookie banner as a whole to the purpose category that we believe is the main focus. 

The third-party services and content used are described in this Section. You can also find a description and your settings options for these by clicking on the "Privacy settings" link at the end of our website. If you require further information on the services, please contact us using the contact options specified in Section 1.

Technoligies Used

Description of Service

This is a consent management service. Usercentrics GmbH is used on websites and apps as a processor for the purpose of consent management.

Processing Company

Usercentrics GmbH

Sendlinger Str. 7, 80331 Munich, Germany

Data Protection Officer of Processing Company

Below you can find the email address of the data protection officer of the processing company.

datenschutz@usercentrics.com

Data Purposes

This list represents the purposes of the data collection and processing.

  • Compliance with legal obligations
  • Consent storage

Technologies Used

This list represents all technologies this service uses to collect data. Typical technologies are Cookies and Pixels that are placed in the browser.

  • Local storage
  • Pixel

Data Collected

This list represents all (personal) data that is collected by or through the use of this service.

  • Opt-in and opt-out data
  • Referrer URL
  • User agent
  • User settings
  • Consent ID
  • Time of consent
  • Consent type
  • Template version
  • Banner language
  • IP address
  • Geographic location

Legal Basis

In the following the required legal basis for the processing of data is listed.

  • Art. 6 para. 1 s. 1 lit. c GDPR

Location of Processing

This is the primary location where the collected data is being processed. If the data is also processed in other countries, you are informed separately.

European Union

Retention Period

The retention period is the time span the collected data is saved for the processing purposes. The data needs to be deleted as soon as it is no longer needed for the stated processing purposes.

The consent data (given consent and revocation of consent) are stored for one year. The data will then be deleted immediately.

Data Recipients

In the following the recipients of the data collected are listed.

  • Usercentrics GmbH

Click here to read the privacy policy of the data processor

https://usercentrics.com/privacy-policy/

Stored Information

  • Name: uc_settings and/or ucString; This holds the ControllerID and SettingsID, the language, settings version and services with their consent history.; Type: web; Domain: usercentrics.com;
  • Name: uc_user_interaction; This is used to signal whether a user has already given consent.; Type: web;
  • Name: ucData (optional); This holds information about the Google Consent Mode.; Type: web;
  • Name: uc_ui_version; This key states the UI version used by the clients; Type: web;
  • Name: uc_user_country; This is used to recognize the location of the user and show the correct version of the CMP.; Type: web;

Description of Service

This is a web analytics service. With this, the user can measure the advertising return on investment "ROI" as well as track user behavior with flash, video, websites and applications.

Processing Company

Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Data Protection Officer of Processing Company

Below you can find the email address of the data protection officer of the processing company.

https://support.google.com/policies/contact/general_privacy_form

Data Purposes

This list represents the purposes of the data collection and processing.

  • Marketing
  • Analytics

Technologies Used

This list represents all technologies this service uses to collect data. Typical technologies are Cookies and Pixels that are placed in the browser.

  • Cookies
  • Pixel
  • JavaScript

Data Collected

This list represents all (personal) data that is collected by or through the use of this service.

  • Click path
  • Date and time of visit
  • Device information
  • Location information
  • IP address
  • Pages visited
  • Referrer URL
  • Browser information
  • Hostname
  • Browser language
  • Browser type
  • Screen resolution
  • Device operating system
  • Interaction data
  • User behaviour
  • Visited URL
  • Cookie ID

Legal Basis

In the following the required legal basis for the processing of data is listed.

  • Art. 6 para. 1 s. 1 lit. a GDPR

Location of Processing

This is the primary location where the collected data is being processed. If the data is also processed in other countries, you are informed separately.

European Union

Retention Period

The retention period is the time span the collected data is saved for the processing purposes. The data needs to be deleted as soon as it is no longer needed for the stated processing purposes.

The Retention Period depends on the type of the saved data. Each user can choose how long Google Analytics retains data before automatically deleting it.

Transfer to Third Countries

This service may forward the collected data to a different country. Please note that this service might transfer the data to a country without the required data protection standards. Below you can find a list of countries to which the data is being transferred. For more information regarding safeguards please refer to the provider's privacy policy or contact the provider directly.

  • United States of America
  • Singapore
  • Chile
  • Taiwan

Data Recipients

In the following the recipients of the data collected are listed.

  • Google Ireland Limited, Alphabet Inc., Google LLC

Click here to read the privacy policy of the data processor

https://business.safety.google/privacy/?hl=en

Click here to read the cookie policy of the data processor

https://policies.google.com/technologies/cookies?hl=en

Click here to opt out from this processor across all domains

https://tools.google.com/dlpage/gaoptout?hl=de

Storage Information

  • Maximum age of cookie storage: 2 years

Stored Information

  • Name: __utmb; This cookie is used to track the time of the visit.; Type: cookie; Duration: Session;
  • Name: _ga; This cookie is used to distinguish between users.; Type: cookie; Duration: 2 years;
  • Name: _gid; This cookie is used to identify the user.; Type: cookie; Duration: 1 day;
  • Name: __utma; This cookie is used to record the time and date of the first visit, the total number of visits and the start time of the current visit. ; Type: cookie; Duration: Session;
  • Name: __utmz; This cookie is used to record where the visitor came from. ; Type: cookie; Duration: Session;
  • Name: IDE; This is used to show personalised ads. ; Type: cookie; Duration: 1 year, 1 month;
  • Name: CONSENT; This is used to store the consent choices of the user. ; Type: cookie; Duration: 2 years;
  • Name: __utmt; This is used to throttle the request rate. ; Type: cookie; Duration: 10 minutes;
  • Name: _gat; This is used to read and filter requests from bots.; Type: cookie; Duration: 1 minute;
  • Name: __utmc; This is used to store the time of the visit.; Type: cookie; Duration: 30 minutes;
  • Name: FPID; This is used to store a value used for setting the Client ID in the request to Google's servers.; Type: cookie; Duration: 2 years;
  • Name: FPLC; This is used to register a unique ID that is used to generate statistical data about how the visitor uses the website.; Type: cookie; Duration: 20 hours;

Description of Service

This is an analytics service. The service makes it possible to measure traffic and engagement on websites and mobile apps across devices using customizable reports.

Processing Company

Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Data Protection Officer of Processing Company

Below you can find the email address of the data protection officer of the processing company.

https://support.google.com/policies/contact/general_privacy_form

Data Purposes

This list represents the purposes of the data collection and processing.

  • Marketing
  • Analytics

Technologies Used

This list represents all technologies this service uses to collect data. Typical technologies are Cookies and Pixels that are placed in the browser.

  • Tracking code
  • Cookies

Data Collected

This list represents all (personal) data that is collected by or through the use of this service.

  • Device information
  • Geographic location
  • Browser information
  • Device operating system
  • Screen resolution
  • Referrer URL
  • Interaction data
  • Date and time of visit
  • User behaviour
  • Pages visited
  • Online identifiers
  • Shortened IP Address
  • User ID
  • Advertising identifier
  • Purchase information

Legal Basis

In the following the required legal basis for the processing of data is listed.

  • Art. 6 para. 1 s. 1 lit. a GDPR

Location of Processing

This is the primary location where the collected data is being processed. If the data is also processed in other countries, you are informed separately.

European Union

Retention Period

The retention period is the time span the collected data is saved for the processing purposes. The data needs to be deleted as soon as it is no longer needed for the stated processing purposes.

The client can choose how long Google Analytics retains data. The maximum amount of retention period is 14 months.

Transfer to Third Countries

This service may forward the collected data to a different country. Please note that this service might transfer the data to a country without the required data protection standards. Below you can find a list of countries to which the data is being transferred. For more information regarding safeguards please refer to the provider's privacy policy or contact the provider directly.

  • Singapore
  • Taiwan
  • Chile
  • United States of America

Data Recipients

In the following the recipients of the data collected are listed.

  • Alphabet Inc., Google LLC, Google Ireland Limited

Click here to read the privacy policy of the data processor

https://business.safety.google/privacy/?hl=en

Click here to read the cookie policy of the data processor

https://policies.google.com/technologies/cookies?hl=en

Click here to opt out from this processor across all domains

https://tools.google.com/dlpage/gaoptout?hl=de

Storage Information

  • Maximum age of cookie storage: 2 years

Stored Information

  • Name: Google; Used to distinguish users.; Type: cookie; Duration: 2 years;
  • Name: Google; Used to persist session state.; Type: cookie; Duration: 2 years;

Description of Service

This is a tag management system. Via Google Tag Manager, tags can be integrated centrally via a user interface. Tags are small sections of code that can track activities. Script codes of other tools are integrated via the Google Tag Manager. The Tag Manager allows to control when a particular tag is triggered.

Processing Company

Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Data Protection Officer of Processing Company

Below you can find the email address of the data protection officer of the processing company.

https://support.google.com/policies/contact/general_privacy_form

Data Purposes

This list represents the purposes of the data collection and processing.

  • Tag Management

Technologies Used

This list represents all technologies this service uses to collect data. Typical technologies are Cookies and Pixels that are placed in the browser.

  • Website tags

Data Collected

This list represents all (personal) data that is collected by or through the use of this service.

  • Aggregated data about tag firing

Legal Basis

In the following the required legal basis for the processing of data is listed.

  • Art. 6 para. 1 s. 1 lit. a GDPR

Location of Processing

This is the primary location where the collected data is being processed. If the data is also processed in other countries, you are informed separately.

European Union

Retention Period

The retention period is the time span the collected data is saved for the processing purposes. The data needs to be deleted as soon as it is no longer needed for the stated processing purposes.

The data will be deleted as soon as they are no longer needed for the processing purposes.

Transfer to Third Countries

This service may forward the collected data to a different country. Please note that this service might transfer the data to a country without the required data protection standards. Below you can find a list of countries to which the data is being transferred. For more information regarding safeguards please refer to the provider's privacy policy or contact the provider directly.

  • Singapore
  • Taiwan
  • Chile
  • United States of America

Data Recipients

In the following the recipients of the data collected are listed.

  • Alphabet Inc., Google LLC, Google Ireland Limited

Click here to read the privacy policy of the data processor

https://business.safety.google/privacy/?hl=en

Click here to read the cookie policy of the data processor

https://policies.google.com/technologies/cookies?hl=en

6. Recipient of the personal data; transfer to EU third countries

As a rule, your data will not be transferred to third parties unless explicitly described under Section 2 or 5. In particular, we do not transfer your data to recipients based outside the European Union or the European Economic Area, with the exception of the processing operations described under Section 2 and 5. 

In some cases, we use external service providers to process personal data in the context of third-party processing as per Art. 28 of the GDPR (such as IT service providers). We have selected and commissioned them carefully, and they are bound by our instructions and inspected on a regular basis.

Your data will only be transferred to bodies such as supervisory authorities and law enforcement agencies within the scope of statutory provisions if doing so is necessary to prevent and detect fraud and other criminal offences or to ensure the security of our data processing systems. 

The legal basis for this is Art. 6 Para. 1 (1) Letter c (“fulfilment of legal obligations”) and Letter f of the GDPR (“protection of legitimate interests”).

If personal data are processed in a third country, a comparable level of data protection shall be ensured by means of appropriate guarantees in accordance with Art. 44 et seq. of the GDPR. In this case, you will find further information on data transmission in Section 2 or 5. 

As a general rule, when transferring data outside the European Union and the European Economic Area to a country for which an up-to-date adequacy decision is in place as assessed by the European Commission (see listing under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en), we base our actions on this adequacy decision (see Art. 45 of the GDPR). For a possible data transfer to other countries, we generally base our actions on standard data protection clauses (see Art. 46 Para. 2 Letter c of the GDPR).

7. Notes on reporting side effects

If you intend to report suspected side effects or insufficient efficacy of a medicinal product, medication errors, improper or off-label use or other aspects related to the safety of a Heel product, please contact your physician, pharmacist or naturopathic practitioner, the local health authority or use the direct contact to Heel.

If you report side effects or other safety-related aspects of our Heel products, we are under legal obligation to process your notification. We may also contact you for clarification for this purpose. We may subsequently need to report the notifications you make to the relevant health authorities, but we will only transfer your information in pseudonymous form so that no information directly identifying you will be transferred. We may also have to transfer these pseudonymous notifications to our subsidiaries and partners if they are obligated to make reports to their competent health authorities.

More information on data protection and the reporting of side effects can be found in Heel Data protection statement for pharmacovigilance data

8. Your rights

(1) You have the following rights with respect to your personal data:

  • Right of access (Art. 15 of the GDPR) You can request information about whether we are processing personal data about you. If this is the case, you have a right of access to this personal data as well as to further information related to the processing (see Art. 15 of the GDPR). Please keep in mind that this right to information may be restricted or ruled out in certain cases.
  • Right to rectification (Art. 16 of the GDPR) In case personal data about you is incomplete or is not (or is no longer) accurate, you may request this data to be corrected and, if necessary, completed (see Art. 16 of the GDPR).
  • Right to deletion or restriction (Art. 17 and 18 of the GDPR) If the legal requirements are met, you can request the deletion of your personal data (see Art. 17 of the GDPR) or the restriction of the processing of this data (Art. 18 of the GDPR) if, for instance, the processing of this personal data is no longer necessary for the purposes for which we collected it.
  • Right to data portability (Art. 20 of the GDPR) Under certain conditions, you have the right to receive the personal data about you that you have provided to us in a specific format or to transfer this data to another data controller (see Art. 20 of the GDPR).

Certain legal requirements must be met in order for you to exercise your aforementioned rights, and in certain cases your rights may be limited due to legal exceptions, in particular those under Art. 17(3) and Art. 22(2) of the GDPR, or under national legislation. 

(2) Right to Objection (Art. 21 of the GDPR)

Moreover, you have the right to object to our processing of your personal data at any time (i) in the case of direct marketing or (ii) in other cases on grounds relating to your particular situation if we are processing your personal data to protect our legitimate interests on the basis of Art. 6 Para. 1 (1) Letter f of the GDPR (Art. 21 Para. 1 and Para. 2 of the GDPR). Should you raise an objection, we will cease to process your personal data for the purpose of direct advertising in any case, and, in the case of data processing for other reasons, we will normally cease the processing unless we can demonstrate urgent reasons for the processing which are worthy of protection and override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

(3) You may file a complaint against our processing of your personal data with a data protection authority, in particular in the EU member state in which your habitual residence or place of work is located or if a breach of the applicable data protection laws is believed to have taken place (see Art. 77 of the GDPR). 

(4) There is no automated decision-making including profiling as per Art. 22 Paragraphs 1 and 4 of the GDPR.

9. External links

Our offer contains links to external websites of third parties whose content we have no influence over. For that reason, we are also unable to assume any responsibility for this third-party content. The respective provider or operator of the websites in question assume responsibility for the contents of the linked websites at all times. The linked sites were checked for possible legal violations at the time the links were made. No unlawful content could be detected at the time of linking. 

However, continuous inspection of the contents of the linked pages without specific indications of a legal violation cannot reasonably be expected. Should we gain knowledge of any legal violations, we will remove the links in question without delay. If you notice that the contents of the external providers violate applicable law, please let us know. This data privacy policy only applies to the content on our websites.

10. Amendments to this data privacy policy

We will revise this data privacy policy from time to time to adapt it to the state-of-the-art or to revised legal frameworks. 

Therefore, we recommend that you regularly inform yourself about changes to this webpage. 

Status as of: September 2022