Data protection

DoctorBox Service GmbH

Effective date: November 3, 2022

This privacy policy was last updated on November 3, 2022.

1. Introduction

This privacy policy applies to the website heymacy.de and all products offered through it. The responsible party within the meaning of the GDPR is DoctorBox Service GmbH, Alt Moabit 91b, 10559 Berlin. DoctorBox Service GmbH respects your privacy and protects your personal data. Read here how DoctorBox Service GmbH uses your personal data when you visit our website or interact with us—for example, by subscribing to our newsletter, using our products and services, or participating in a competition.

Here you will also learn about your data protection rights and what protection the law provides for you.

2. About DoctorBox Service GmbH

DoctorBox Service GmbH ("DB Service" or "we") sells home tests for self-administration via the website shop.doctorbox.de ("Website") and arranges for sample analysis through partner laboratories. Following laboratory analysis, the test results are made available via the DoctorBox app of DoctorBox GmbH.

Therefore, you must install the DoctorBox app on your mobile device and register (create a user account). Results can only be retrieved via the DoctorBox app. You will need the PIN and barcode included with the home test.
The separate privacy policy of DoctorBox GmbH applies to the use of the DoctorBox app. You can find it here.

The exact data flow among the actors involved in home testing can be seen in Chapter 4.5.2.

DoctorBox Service GmbH is responsible for processing your personal data within the meaning of Art. 4 No. 7 of the EU General Data Protection Regulation 2016/679 ("GDPR") in the context of the sale of home tests for self-use and the operation of the website. As such, it is your direct contact for questions related to data protection. You can reach us here:

Postal address: DoctorBox Service GmbH, Alt Moabit 91b 10559 Berlin
By phone: 030-54453898
By email: info@doctorbox.de
Data Protection Officer: info@dsbplus.de

3. Collection of personal data

3.1 What are personal data?

Personal data is any information about an individual from which that individual can be identified. This does not include data from which the identity has been removed (anonymous data).

We collect various personal information about our customers and visitors to the DoctorBox Service GmbH webshop:

  • Identity data such as title, gender, first name, maiden name, last name, date of birth, username or similar and your login/password.
    If you interact with us via social media, this may include your social media username
  • Contact details such as billing address, delivery address, email address and telephone numbers
  • Financial data such as payment card and direct debit/bank account details
  • Transaction data such as information about payments from or to you and other details of products and services you have purchased from us
  • Profile data such as your username and password, your purchases or orders, your interests, preferences, feedback and survey responses, and any profile data added by us (e.g., through analysis and profiling)
  • Technical data such as Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website
  • Usage data, which includes information about how you use our website, products and services
  • Tracking data, which includes information we or others collect using cookies and similar tracking technologies such as web beacons, pixels, and mobile identifiers
  • Marketing and communications data such as your preferences regarding receiving direct marketing from us and our affiliated third parties and your communication preferences.

We do not knowingly collect sensitive personal data from you. Sensitive personal data includes data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health or medical condition, criminal background, or trade union membership. Should this be necessary in individual cases, we will ensure that we obtain your explicit consent to this processing beforehand and treat this information securely.

Please note: If you choose not to provide us with personal information or decline certain contact permissions, we may not be able to provide you with the products and services you have requested.

3.2 How do we collect personal data?

There are many different ways we may receive data from you:

Directly from you (online and offline): You may provide us with information when you fill out forms or correspond with us by mail, phone, email, chat, or social media. This includes information you provide to us when:

  • You register to receive our newsletter.
  • You have a question for us or request information from us.
  • You order our home tests.
  • You request that direct marketing be sent to you.
  • You communicate with us via social media.
  • You participate in a competition, promotion or survey.
  • You contact customer service.
  • You provide comments or reviews about our products or services.
  • You fill out our contact form.

Automatic data: When you interact with us, including through the DoctorBox Service GmbH website, we may automatically collect data about your technical setup, your searches, and your browsing patterns. We may also collect data when you click on one of our ads (including on third-party websites or via social media).

Data from third parties:

  • Service providers that enable our e-commerce activities, including e-commerce platforms, payment services, and anti-fraud services
  • Analytics providers, advertising networks and search information providers, business partners, vicarious agents and claims adjusters
  • Third parties who are legally authorized to do so or who share personal data with us with your consent, e.g. via social media or review sites

3.3 Explanation of the legal basis for the use of personal data

We only use your personal data if the law allows it (basis of Art. 6 Para. 1 GDPR) and usually use it in the following cases:

  • if we need to perform the contract we are entering into or have entered into with you (Article 6(1)(b) GDPR). For example, when you purchase our products, this is a contract between you and us under which we supply the products to you.
  • if it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override these interests (Article 6(1)(f) GDPR). An example of this is fraud monitoring during the payment process or the security of our website.
  • if we are required to comply with a legal or regulatory obligation (Article 6(1)(c) GDPR). This includes, for example, maintaining records of our sales for tax compliance purposes.
  • if you have previously given us your express consent to process your data (Art. 6(1)(a) GDPR). This may be the case for user tracking or the display of behavioral advertising. You can revoke your consent at any time.

3.4 How and why do we use personal data?

The following table provides an overview of how we use personal data, which types of personal data this applies to and what the respective legal basis is.

When explaining the legal basis, we will refer to the relevant category from the "Explanation of the legal bases for the use of personal data" above (4.3). If we use the data based on a legitimate interest, we will indicate what that legitimate interest is.

| How do we use your personal data? | What types of personal data do we use for this purpose? | Legal basis |
| --- | --- | --- |
| to register you as a new customer | Identity, contact | Fulfillment of a contract concluded with you or initiation of a contract |
| to manage a potential sale to you | Identity, contact; Finance, transactions, marketing and communications | Necessary for our legitimate interests (including the ability to process our customers' product purchases) |
| to process and deliver your order, including managing payments and debt collection | Identity, contact; Finance, transactions, marketing and communications | Fulfillment of a contract concluded with you; Necessary for our legitimate interests (including debt collection) |
| to manage our business relationship with you, including notifying you of changes to our terms and conditions or privacy policy | Identity, contact, profile, marketing and communication | Fulfillment of a contract concluded with you; Necessary to fulfill a legal obligation; Necessary for our legitimate interests (to update our records) |
| to ask you to leave a review or take part in a survey | Identity, contact, profile, marketing and communication | Necessary for our legitimate interests (to investigate how customers use our products/services) |
| to enable you to participate in a prize draw or competition | Identity, contact, profile, usage, marketing and communication | Necessary for our legitimate interests (to investigate how customers use our products/services in order to develop them and grow our business) |
| to provide you with direct marketing | Identity, contact, profile, usage, marketing and communication, technology, tracking | Your consent |
| Administering and protecting our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and data hosting) | Identity, contact, technology, tracking | Necessary for our legitimate interests (to run our business, provide administrative and IT services, network security, to prevent fraud); Necessary to fulfill a legal obligation |
| to provide you with relevant website content and to learn about and measure how effective the content on our website is | Identity, contact, profile, usage, marketing and communication, technology; Tracking | Necessary for our legitimate interests (to investigate how customers use our products/services in order to develop them, grow our business and use this information in our marketing strategy); Your consent |
| to provide you with relevant advertising and to learn about and measure how effective the advertising we show you is | Identity, contact, profile, usage, marketing and communication, technology; Tracking | Your consent |
| to use data analytics to improve our website, products/services, marketing, customer relationships, and experiences | Technology, use | Necessary for our legitimate interests (to define customer types for our products/services, to keep our website up-to-date and relevant, to grow our business and to use this information in our product and marketing strategy) |
| to provide you with suggestions and recommendations on products/services that may be of interest to you | Identity, contact, technology, use, profile | Necessary for our legitimate interests (to develop our products/services and grow our business); Your consent |
| to prevent and detect illegal activities | Identity, Contact, Finance, Transaction, Technology, Tracking | Necessary for our legitimate interests (to protect our business and our customers through fraud detection and suspicious transaction monitoring); Necessary to fulfill a legal obligation to disclose personal data for law enforcement purposes |
| to manage our business and keep proper records | All relevant data categories | Necessary to fulfill a legal obligation; Necessary for our legitimate interests (to administer our business and keep proper records) |
| to resolve legal disputes involving you or us | All relevant data categories, depending on the nature of the claim or demand | Necessary for our legitimate interests (to bring or defend a legal claim, whether in or out of court, to protect or enforce our rights, your rights or the rights of third parties) |

3.5 With whom do we share the data?

3.5.1 Foreword

The contract data will only be passed on to our service providers whom we use to fulfil the contract, in particular the technical operators of the website platform we use (Shopify), the payment service provider you have selected (e.g. PayPal) and shipping companies, as well as, if applicable, to debt collection companies, and only to the extent necessary to fulfil the contract with you or if we have concluded a data processing agreement with the respective service provider within the meaning of Art. 28 GDPR.

We require our service providers to ensure the security of your personal data and to process it in accordance with the law. We do not permit our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

If we are legally obliged to do so, we may also disclose personal data to authorities, courts or other third parties.

3.5.2 The data flows of home testing

  • Provision of order data for shipping service providers

When you make a purchase in our online shop, we collect your name, email address, delivery and billing addresses, payment details, and other data related to the purchase (e.g., telephone number, amount of sales, etc.). To fulfill the contract, we share your address and contact information with our shipping service providers and manufacturers.

  • Tracking of home tests and submitted samples

In order to track the receipt of the ordered test kit by you or the laboratory, we can also retrieve the delivery status of your test kit using a tracking number from the shipping company.

  • Creating a user account and registering the test ID in the DoctorBox app (DoctorBox GmbH)

By creating a user account in the DoctorBox app, DoctorBox GmbH receives your personal data. You can find the link to the privacy policy here.

By registering the enclosed test ID in the DoctorBox app, demographic data (age range and gender) will be requested and provided to the laboratory via end-to-end encryption under your test ID, as this may be relevant for the evaluation of the home test.

  • Analysis and evaluation by partner laboratories

The partner laboratory receives the sample you sent, which is provided with a test ID. By registering the customer's test ID, the partner laboratory may receive demographic data (age range and gender) to better contextualize the results.

However, the laboratory does not receive any personal data from you; you are simply recorded in the laboratory system as a test ID. The barcode contains your personal data only in a strictly pseudonymized form. Even when used in conjunction with a test name, the pseudonymization of the test is guaranteed. The test result is stored behind the test ID.

The partner laboratory will not collect any further personal data from you.

  • Transmission via DoctorBox (DoctorBox GmbH) infrastructure to you

After analysis, the partner laboratory will assign the test result to the barcode and make it available to you immediately via the DoctorBox app interface. This requires that the data be sent via the DoctorBox GmbH IT infrastructure. For security reasons, retrieval is only possible via the DoctorBox GmbH app using the PIN included with the home test.

4. Advertising and direct marketing

Advertising for DoctorBox Service GmbH may be shown to you in a variety of ways, even without using your personal information. Sometimes we purchase physical advertising space or place advertisements on websites and social media. When you see ads from DoctorBox Service GmbH on websites and social media, they are not necessarily specifically targeted to you. It may also be that we have simply purchased that advertising space. We may also use "lookalike" products from a search engine or social media platform that are not targeted to you and that you can control through the privacy settings of a search engine or social media platform.

We may use your identity, contact, technical, tracking, usage, and profile data to form a view of what you may want or need, or what might be of interest to you. This helps us decide which products, services, and offers may be relevant to you and communicate these to you. We may conduct direct marketing by email, telephone, SMS, and post.

We clearly display the direct marketing preferences you can choose on our website. You can opt in to receive our newsletter or do so as part of creating a DoctorBox health account. We may also send our customers relevant direct marketing about our own products and services, unless they opt out during the shopping process or later. We may also provide you with a small notification during the order process if you have added products to your shopping cart without proceeding to checkout.

You can opt out of direct marketing at any time. The easiest way to do this is to use the unsubscribe link at the bottom of the message or send an email to heimtests@doctorbox.eu.

We will obtain your explicit consent before we share your personal information with companies outside DoctorBox Service GmbH for direct marketing purposes.

We also work with partners to improve the reach of our ads, using analytics and retargeting. We use tracking data to deliver relevant online advertising, including on websites and social media.

Tracking data, especially cookies, help us deliver website advertising and social media marketing that is most relevant to you and potential new DoctorBox Service GmbH customers. The cookies used for this purpose are often placed on our website by specialized companies. This is also the reason why you may see content from our website again after your visit to the DoctorBox Service GmbH website. This is known as retargeting or remarketing.

Cookies can tell us whether you've seen a particular ad and how long ago you saw it. This is helpful because it allows us to monitor the effectiveness of our ads and control the frequency with which they're shown. Cookies also allow us to know whether you've opened a marketing email. After all, we don't want to send you information you won't read.

For more information about tracking data, especially cookies, see the “Cookies” section below.

5. Cookies and plug-ins

5.1 What are cookies?

A cookie is a small file of letters and numbers that we store using your browser. Our website uses cookies to distinguish you from other users of our website. This helps us make our website more attractive and improve it.

5.2 Which cookies do we use?

Strictly necessary cookies: These are cookies that are required for the website to function properly. These include, for example, cookies that enable you to log in, use a shopping cart, or make secure payments. These cookies do not require your consent and will therefore be set even if you refuse consent.

Analytics and performance cookies: These cookies allow us to count the number of visitors and understand which website elements they access. This helps us improve the way our website works, for example, by ensuring that users can easily find what they're looking for. These cookies are only set with your explicit consent. You can change your choices at any time using our consent tool.

Functional cookies: These cookies are used so that we can recognize you when you return to our website. They allow us to personalize our content for you, greet you by name, and remember your preferences (e.g., your language or region selection). And they allow us to determine whether there are still products in your shopping cart if you leave the website without checking out. These cookies are only set with your explicit consent. You can change your choices at any time using our consent tool.

Targeting cookies: These cookies store your visit to our website, the web pages you visited, and the links you followed. We use this information to make our website relevant to your interests and for advertising and retargeting purposes. We may also share this information with third parties for this purpose. These cookies are only set with your explicit consent. You can change your choices at any time using our consent tool.

Information and adjustments to your cookie settings

You can find more information about the specific cookies we use in our consent tool, which you can open in the bottom right corner of the footer under Cookie Settings. You can use this cookie tool to adjust your preferences at any time and learn about which cookies we use.

Blocking or deleting cookies

You can block cookies by accessing the settings in your browser that allow you to refuse all or some cookies. If you block cookies (including essential cookies), you may not be able to access all or parts of our website. For more information about blocking cookies, see your browser's help function or visit the All About Cookies website.

Please note that when you delete cookies, two things happen:

  • We will no longer know if you have opted out of online behavioral advertising, so you will see our ads on other websites.
  • We will no longer be able to automatically recognize the website settings you have chosen.

5.3 Plug-ins

We may also integrate third-party content (e.g., YouTube videos) to enhance the usability of the website. In order to use this content, it may be necessary to share your device data (especially your IP address) with the provider of the respective content. This only happens if you click on the respective content. Further information on the collection of your data when using third-party content can be found here:

Yoast SEO

We use plugins from Yoast SEO on our website. This is an offer from Yoast BV, Don Emanuelstraat 3, 6602 GX Wijchen, The Netherlands, Tel: +31 (0)24 82 00 337 (Chamber of Commerce / KvK: 55404367, VAT Number: NL851692540B01). This plugin handles the complete technical optimization of our web pages for search engines. It also supports content development. For more information, please see Yoast BV's privacy policy, which you can view at https://yoast.com/privacy-policy/ . You can prevent cookies from being saved by setting your browser accordingly; however, we would like to point out that if you do this, you may not be able to use all of the functions of this website to their full extent.

Matomo

We use the web analysis tool Matomo to tailor our website to meet your needs. Matomo creates user profiles based on pseudonyms. For this purpose, permanent cookies are stored on your device and read by us. This enables us to recognise and count recurring visitors. We also use the Heatmap & Session Recording modules. Matomo's heatmap service shows us the areas of our website where the mouse is moved most frequently or which are clicked most frequently. The Session Recording service records individual user sessions. We can play back recorded sessions and thus analyse the use of our website. Data entered into forms is not recorded and is never visible.

Data processing is based on your consent in accordance with Section 25 (1) TTDSG and Article 6 (1) (a) GDPR, provided you have given your consent via our consent banner. You can revoke your consent at any time. Please make the appropriate settings using our cookie tool.

Further information on Matomo's terms of use and data protection regulations can be found at: https://matomo.org/privacy/

Plausible.io

The legal basis for data processing is Art. 6 (1) (f) GDPR.

Purpose: Analysis tool that does not store any personal data and does not use cookies.

Data collected is:

  • Pages visited
  • Browsers used
  • Devices
  • Source
  • Length of stay
  • Bounce rate
  • Origin (city, state, country)
  • Browser
  • Operating system

Recipient: The recipient of the analysis data is DoctorBox Service GmbH

Transfer to third countries: Personal data will not be transferred.

Duration: No collection of personal data.

Right of revocation: No collection of personal data.

Further data protection information: https://plausible.io/data-policy

Google Analytics

Description of the service: We use Google Analytics to analyze website usage. The data obtained is used to optimize our website and advertising measures.

Purpose of data collection: Marketing & Analysis

Processing company: Google Ireland Limited, Google Building: Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Analytics is provided to us by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google processes the data relating to website usage on our behalf and is contractually obligated to take measures to ensure the security and confidentiality of the processed data.

Data protection officer of the processing company: You can find the email address of the data protection officer of the processing company under the following link: https://support.google.com/policies/contact/general_privacy_form

Data collected: During your visit to the website, the following data is recorded, among others:

  • Pages visited
  • Orders including sales and ordered products
  • The achievement of "website goals" (e.g. contact requests and newsletter registrations)
  • Your behavior on the pages (e.g., time spent, clicks, scrolling behavior)
  • Your approximate location (country and city)
  • Your IP address (in abbreviated form so that no clear assignment is possible)
  • Technical information such as browser, internet provider, device and screen resolution
  • Source of your visit (i.e. which website or advertising medium you came to us from)

Personal data such as name, address, or contact details are never transferred to Google Analytics.

Technologies: This service uses the following technologies to collect data:

  • Cookies
  • Pixel
  • JavaScript
  • Device fingerprint

Stored information: This data is transferred to Google servers in the USA. We would like to point out that the same level of data protection cannot be guaranteed in the USA as within the EU. Google Analytics stores cookies in your web browser for a period of two years from your last visit. These cookies contain a randomly generated user ID that can be used to recognize you on future website visits. The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data remains stored in aggregated form indefinitely. If you do not agree to the collection of data, you can prevent it by installing the browser add-on to deactivate Google Analytics once or by rejecting cookies via our cookie settings dialog.

Storage information: Maximum limit for storing cookies: 2 years

Use of Google Remarketing: We also use the remarketing function from Google. This allows us to display personalized advertising on suitable advertising spaces on other websites, based on the interests you have shown on our website. This option is limited to a maximum of 18 months. Further information can be found in Google's privacy policy. You can prevent interest-based advertising by installing this browser plug-in.

Data recipients: Google Ireland Limited, Alphabet Inc., Google LLC are the recipients of the collected data.

Facebook Pixel

We use Facebook Pixel from Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, to create so-called custom audiences, i.e., to segment visitor groups to our online offering, determine conversion rates, and subsequently optimize them. This happens especially when you interact with advertisements we have placed with Meta Platforms Ireland Limited.

The use of Facebook Pixel is based on your consent in accordance with Art. 6 (1) (a) GDPR and Section 25 (1) TTDSG. The legal basis is supplemented by Art. 45 (1) GDPR, the adequacy decision between the USA and Europe. Further information can be found at https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active . Furthermore, before such a third country transfer, we will obtain your consent in accordance with Art. 49 (1) (a) GDPR, which you grant via the consent in the Consent Manager (or other forms, registrations, etc.). We would like to point out that transfers to third countries may involve risks unknown in detail (e.g., data processing by security authorities in the third country, the exact scope of which and the consequences for you are unknown to us, over which we have no influence, and of which you may not be aware). The specific storage period of the processed data is beyond our control; it is determined by Meta Platforms Ireland Limited. Further information can be found in the privacy policy for Facebook Pixel: https://www.facebook.com/privacy/explanation .

TikTok Pixels

When you visit this website, personal data is processed.

Categories of data processed: data about the use of the website and the logging of clicks on individual elements.

Purpose of processing: Investigation of user behavior, analysis of the impact of online marketing measures and selection of online advertising on other platforms that are automatically selected based on user behavior using real-time bidding.

The legal basis for processing: Your consent in accordance with Art. 6 (1) a GDPR.

Data is transmitted to: the independent controller TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (https://www.tiktok.com). The legal basis for the data transmission to TikTok Technology Limited is your consent in accordance with Art. 6 (1) a GDPR. This may also mean the transmission of personal data to a country outside the European Union. The data is transmitted on the basis of your consent in accordance with Art. 6 (1) lit a in conjunction with Art. 49 (1) lit a GDPR.

For email contact with the data protection officer of TikTok Technology Limited: https://www.tiktok.com/legal/report/DPO . For email contact with the data protection officer of TikTok Technology Limited: https://www.tiktok.com/legal/privacy-policy-eea?lang=de .

Duration of processing: is variable and ends when the purpose of processing no longer applies.

6. Data security

We have put in place appropriate security measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. We also limit access to personal data to employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data storage and deletion

We will only retain your personal data for as long as necessary for the purposes for which it was collected or in accordance with legal and customary periods, unless further retention is necessary to comply with a legal obligation or to establish, exercise or defend legal claims, or a specific period has been communicated.

We will only retain a limited amount of your personal information necessary for marketing purposes until you withdraw your consent, but in no event for longer than 10 years after your last completed service or delivery of the product.

Our partner laboratories will delete your anonymized test results after the statutory retention period for laboratories has expired.

8. Contact DoctorBox Service GmbH regarding data protection

If you have any questions about this privacy policy or would like to exercise your rights, please send an email to kontakt@doctorbox.eu or a letter to the following address: Data Protection Officer, DoctorBox Service GmbH, Alt Moabit 91b 10559 Berlin.

If you need help with our products and services or with this website in general, please contact us at info@doctorbox.eu.

You have the right to lodge a complaint with your local data protection authority at any time. However, we would appreciate it if you contacted us first with your concerns so we can seek a resolution.

9. Third-party links

This website may contain links to third-party websites and services. Clicking on these links or activating these connections may enable third parties to collect or share information about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy policy of each website you visit. No data will be shared with the third-party provider before you click on the respective link or service.

10. If you do not provide personal data

If we need to collect personal data to comply with a law or as part of a contract we have with you and you fail to provide that data, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). Accordingly, we may need to cancel a product or service. However, if we do, we will notify you.

Information according to § 5 TMG

DoctorBox Service GmbH
Alt Moabit 91b 10559 Berlin
Represented by: Julian Maar

Contact

Phone: +49 (0)30 3404 5468
Email: info@doctorbox.de