Status: June 2026
Welcome to our website and thank you for your interest in our company. We take the protection of your personal data very seriously. We process your data in accordance with the applicable legal provisions for the protection of personal data, especially the EU General Data Protection Regulation (GDPR) and the country-specific laws applicable to us. With this privacy notice, we inform you comprehensively about the processing of your personal data by myon clinic GmbH (hereinafter referred to as "myon.clinic") when you use our website and about your rights.
Personal data includes all information that enables the identification of a natural person. This includes, in particular, your name, date of birth, address, phone number, email address, and IP address. Data is considered anonymous if no personal reference to the user can be established.
Mailing Address:
Balanstraße. 71a
81541 Munich
E | sales@myon.clinic
Dr. Sebastian Kraska
Marienplatz 2
80331 München
Tel.: +49 89 18917360
E-Mail: email@iitr.de
Firstly, we would like to inform you about your rights as a data subject. These rights are set out in Articles 15 – 22 GDPR and include:
– The right of access (Art. 15 GDPR)
– The right to rectification (Art. 16 GDPR)
– The right to erasure / right to be forgotten (Art. 17 GDPR)
– The right to restriction of data processing (Art. 18 GDPR)
– The right to data portability (Art. 20 GDPR)
– The right to object to data processing (Art. 21 GDPR)
To exercise these rights, please contact: privacy@myon.clinic. The same applies if you have questions about data processing in our company or if you wish to withdraw your consent. You also have the right to lodge a complaint with the competent data protection supervisory authority.
To exercise these rights, please contact: privacy@myon.clinic. The same applies if you have questions about data processing in our company or if you wish to withdraw your consent. You also have the right to lodge a complaint with the competent data protection supervisory authority.
Please note the following in relation to your right to object: If we process your personal data for direct marketing purposes, you have the right to object to this processing at any time without stating reasons. This also applies to profiling, insofar as it is related to direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection is free of charge and can be made informally to the following address: privacy@myon.clinic. If we process your data to protect legitimate interests, you can object to this processing at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. We will then cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or the processing is for the assertion, exercise, or defense of legal claims.
The processing of your personal data is carried out in accordance with the provisions of the GDPR and all other applicable data protection regulations. The legal bases for data processing arise, in particular, from Art. 6 GDPR. We use your data for business initiation, to fulfill contractual and legal obligations, to carry out the contractual relationship, to offer products and services, and to strengthen customer relationships, including marketing and direct marketing. Your consent also constitutes a permission to data processing under the Data Protection Act. In this context, we will inform you about the purpose of the data processing and your right to withdraw consent. If consent also covers the processing of special categories of personal data, we will expressly point this out to you within the consent process. Processing of special categories of personal data within the meaning of Art. 9 (1) GDPR may only occur if it is required by legal provisions and there is no reason to assume that your legitimate interests outweigh the processing or you have given your consent to the processing of these data pursuant to Art. 9 (2) GDPR.
We will only pass on your data within the scope of the legal provisions or based on your consent to third parties. In all other cases, no data will be disclosed to third parties unless we are obliged to do so due to mandatory legal provisions (disclosure to external bodies including supervisory authorities or law enforcement authorities).
Within our organization, we ensure that only those persons who need the relevant data to fulfill their contractual and legal obligations are authorized to handle personal data. In many cases, service providers support our specialist departments in fulfilling their tasks. The necessary data protection contracts have been concluded with all service providers.
Data is only transferred to third countries (outside the European Union or the European Economic Area) if this is required by law or if you have given us your consent. We transfer your personal data as follows to service providers or group companies outside the European Economic Area: United States of America. In such cases, the required level of data protection is ensured by EU standard contractual clauses and the binding corporate data protection rules of the service provider according to the established data protection contracts. Google services may transfer data to countries outside the EU/EEA (third country data transfer) as part of processing for the aforementioned purposes, e.g., to the USA. Countries outside the European Economic Area may not provide a data protection level comparable to European standards. Such countries, for which the Commission has not expressly established that they offer an adequate level of data protection, are referred to as "unsafe third countries". There is therefore an increased risk that government authorities may access this data. We have no influence on these processing activities.
We store your data as long as it is necessary for the respective processing. Please note that numerous retention periods require the storage of data for a specific period. This particularly concerns retention obligations under commercial or tax law (e.g., Commercial Code, Tax Code, etc.). The data will be routinely deleted after use unless it is necessary for further retention. We may also store data if you have given us your consent or in case of legal disputes and we use the evidence within the statutory limitation period which can be up to 30 years; the regular limitation period is 3 years.
We use appropriate technical and organizational security measures to optimally protect the data stored with us against accidental or intentional manipulation, loss, destruction, or unauthorized access by third parties. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards. Data exchange to and from our website is encrypted. We provide https as the transmission protocol for our website and always use current encryption protocols. If you use the contact form on our website to get in touch with us, the contents will be transmitted via https to a secure server from Site Ground where the data of the form is stored in an encrypted database. Site Ground employees do not have direct access to this data. It is also possible to use alternative communication channels.
For the establishment, execution, and termination of obligations and the fulfillment of the associated contractual and legal obligations, a range of personal data is required. The same applies to the use of our website and the various functions we offer. We have summarized the relevant details above. In some cases, legal provisions require data to be collected or made available. Please note that it will not be possible to process your request or fulfill the underlying contractual obligation without this information.
The data we process are defined by the respective context: They depend on whether you enter a request in our contact form, send us an application, or submit a complaint. Please note that we may also provide specific information at certain points for specific processing situations, such as when downloading our flyer or submitting a contact request.
When you visit our website, we collect and process the following data:
– Your IP address, which is immediately shortened by removing the last two digits
– The URL and title of the page you are viewing
– The browser you are using (name)
– Viewport or viewing area (the size of the browser window)
– Your screen resolution
– Whether Java is enabled or not
– The language enabled in your browser
For technical security reasons (particularly to protect against attacks on our web server), these data are stored in accordance with § 6 (1) S. 1 lit. f GDPR. Anonymization is carried out immediately by shortening the IP address so that no reference to the user can be established.
The provider is Webflow Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter Webflow). When you visit our website, Webflow collects various log files including your IP addresses. Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies necessary for the display of the site, to provide certain website functionalities, and to ensure security (necessary cookies). For details, please refer to the Webflow Privacy Policy: [Webflow Privacy Policy](https://webflow.com/legal/eu-privacy-policy).
The use of Webflow is based on Art. 6 (1) lit. f GDPR. We have a legitimate interest in the most reliable representation of our website. If appropriate consent has been requested, processing is based exclusively on Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time. The data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: [Webflow Privacy Policy] (https://webflow.com/legal/eu-privacy-policy)
We use Sendgrid for sending emails. The provider is Sendgrid Inc., located at 1801 CaliforniaStreet, Suite 500, Denver, CO 80202, USA. Sendgrid is a service that can organize the sending of emails. Sendgrid is used to send confirmation emails, transaction confirmations, and emails with important information related to inquiries. The data you enter for the purpose of receiving emails will be stored on Sendgrid's servers. When we send emails on your behalf via SendGrid, we use an SSL-secured connection. For all services requiring email communication, communication is received directly by SendGrid and then forwarded to our servers. For analytical purposes, the emails sent via SendGrid contain a so-called "tracking pixel" that connects to Sendgrid's servers when the email is opened. This allows us to determine whether an email message has been opened. Legal basis: Data processing is based on your consent(Art. 6 (1) lit. a GDPR). You can revoke this consent at any time. The lawfulness of the data processing operations already carried out remainsunaffected by the revocation. Storage duration: The data you provide to us forthe purpose of receiving emails will be stored by us until you unsubscribe fromthe services and will be deleted from our servers as well as from the servers of Sendgrid after you unsubscribe. Please note that your data will usually betransmitted to a SendGrid server in the USA and stored there. We have concluded a contract with Sendgrid that contains the EU standard contractual clauses.This ensures a level of protection comparable to that in the EU. SendGrid(Privacy Policy): [SendGrid Privacy Policy](https://sendgrid.com/resource/general-data-protection-regulation-2/
We use Google Fonts from Google Inc. on our website. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible. We have integrated the Google fonts locally on our web server – not on Google's servers. This means there is no connection to Google servers and therefore no data transmission or storage. This is an interactive directory with over 800 fonts provided by Google for free. However, to prevent any data transmission to Google servers, we have downloaded the fonts to our server. This way, we act in compliance with data protection regulations and do not send any data to Google Fonts.
We use the consent management service Cookiebot from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (Usercentrics). This allows us to obtain and manage the consent of website users for data processing. The processing is necessary to fulfill a legal obligation (Art. 7 (1) GDPR) to which we are subject (Art. 6 (1) S. 1 lit. c GDPR). The following data are processed with the help of cookies:
- Your IP address (the last three digits are set to '0')
- Date and time of consent
- Browser information
- URL from which the consent was sent
- An anonymous, random, and encrypted key
- Your end-user consent status as proof of consent
The key and consent status are stored in the browser for 12 months using the cookie "CookieConsent". This keeps your cookie preference for subsequent page requests. The functionality of the website is not guaranteed without the processing. If you activate the "Bulk Consent" service feature to activate consent for multiple websites with a single end-user consent, the service will also store a separate random unique ID with your consent. If all the following criteria are met, this key is stored in the third-party cookie "CookieConsentBulkTicket" in your browser in encrypted form:
- You activate the bulk consent function in the service configuration.
- You allow third-party cookies via browser settings.
- You have disabled "Do Not Track" via browser settings.
- You accept all or at least certain types of cookies when giving consent.
Usercentrics is the recipient of your personal data and acts as a processor on our behalf. The processing takes place in the European Union. For more information on Usercentrics' objection and removal options, please visit: [Cookiebot Privacy Policy](https://www.cookiebot.com/de/privacy-policy/).
Your personal data will be continuously deleted after 12 months or immediately after the termination of the contract between us and Usercentrics. Please refer to our general instructions on the deletion and deactivation of cookies above.
On our website, you have access to a contact form that you can use to get in touch with us electronically. If you write to us via the contact form, we process the data you provide in the contact form to answer your questions and requests. We respect the principle of data minimization and data avoidance, so you only need to provide the information necessary for contacting you, namely your name, title, email address, and the nature of your request. Your IP address is also processed for technical reasons and for legal protection (and immediately shortened). All other information is voluntary and optional (e.g., for a more detailed response to your questions). If you contact us by email, we will only process the personal data provided in the email for the purpose of processing your request.
On our website, you have the option to book appointments with us. For scheduling appointments, we use the tool "Calendly". The provider is Calendly LLC, 271 17th StNW, 10th Floor, Atlanta, Georgia 30363, USA (hereinafter "Calendly").For the purpose of booking an appointment, you enter the requested data and your desired appointment in the provided form. The entered data will be used for planning, conducting, and, if necessary, for follow-up on the appointment.The appointment data will be stored for us on Calendly's servers, whose privacy policy you can view here: [Calendly Privacy Policy] https://calendly.com/de/pages/privacy
The data you enter will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for data storage ceases. Mandatory statutory provisions – especially retention periods – remain unaffected. The legal basis for data processing is Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in making the appointment scheduling as uncomplicated as possible for interested parties and customers. If consent has been requested, Art. 6 (1) lit. a GDPR is the legal basis for data processing; consent can be revoked at any time. The data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here:[Calendly DPA] https://calendly.com/pages/dpa
We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on our websites. It is also integrated into Calendly by default. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). The purpose of reCAPTCHA is to check whether the data entry on our websites (e.g.,in a contact form) is done by a human or an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g., IP address, time spent on the website, or mouse movements of the user). The data collected during the analysis are forwarded toGoogle. The reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place. reCAPTCHA is only loaded after you have agreed to our essential cookies. The data processing is based onArt. 6 (1) lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM. Furtherinformation on Google reCAPTCHA and Google's privacy policy can be found at the following links:https://www.google.com/intl/de/policies/privacy/ und https://www.google.com/recaptcha/intro/android.html.
We do not use purely automated processing to make decisions.
Our website uses so-called "cookies" at various points to make our offer more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer and saved by your browser (locally on your hard drive). Cookies allow us to analyze the use of our websites by users and to design the content of the website according to the needs of visitors. Cookies also allow us to measure the effectiveness of a specific advertisement and, for example, to place it based on the user's interests. When you visit our website for the first time, a pop-up (Cookiebot) opens from which you can give your consent to the use of categories of cookies that are described below and in the Cookiebot pop-up itself. The following categories of cookies are used on our website:
- Necessary Cookies: These cookies are required for the website to function and cannot be switched off in our systems. These cookies include, for example, those used by Cookiebot to manage cookies subject to your consent. You can set your browser to block or warn you about these cookies, but some parts of the website will not work. These cookies do not store any personally identifiable information.
- Performance cookies: These cookies allow us to count visits and traffic sources so that we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and to see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies, we will not know when you have visited our website and will not be able to monitor its performance.
- Targeting cookies: These cookies may be set through our website by our advertising partners. They may be used by these companies to build a profile of your interests and show you relevant advertising on other websites. They do not store any directly personal information, but are based on the unique identification of your browser and internet device. If you do not allow these cookies, you will receive less targeted advertising.
Most of the cookies we use are "session cookies", which are automatically deleted after your visit. Persistent cookies are automatically deleted from your computer when their validity period (maximum 14 months) has expired or you delete them yourself before they expire. To revoke your consent to the use of cookies (with the exception of strictly necessary cookies, which are always activated), you can navigate to the footer of the website and deactivate categories of cookies in the cookiebot pop-up via the "Cookies settings" link. Cookies are stored on the user's computer, which then transmits them to us. As a user, you therefore have full control over the use of cookies. You can change the settings in your Internet browser to deactivate or restrict the sending of cookies. In addition, cookies already stored on your computer can be deleted at any time via an Internet browser or other software programs. All this is possible in all common Internet browsers. Please note: If you deactivate the setting of cookies on your device, you may not be able to access all functions of our website.
Based on your consent (Article 6 (1) sentence 1 lit. a GDPR), we use Google Analytics, a web analytics service provided by Google LLC ("Google"). Google uses cookies. The information generated by the cookie about the use of the website by the user is usually transmitted to a Google server in the USA and stored there. Google will use this information on our behalf to evaluate the use of our online offer by the users, to compile reports on the activities within this online offer, and to provide other services related to the use of this online offer and the use of the internet for us. The processed data can be used to create pseudonymized usage profiles of the users. We use Google Analytics only with IP anonymization activated. This means that the IP address of users within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area is shortened by Google. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by the user's browser will not be merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software settings accordingly; users can also prevent the collection of data generated by the cookie related to their use of the online offer and the processing of this data by Google as described in the "Cookies" section above. For more information about Google's data usage, settings, and opt-out options, please refer to Google's privacy policy and the information for displaying advertising by Google. The personal data of users will be deleted or anonymized after 12 months.
Our website uses the conversion tool "LinkedIn Insight Tag" from LinkedIn Ireland Unlimited Company. This tool creates a cookie in your web browser that enables the collection of data such as IP address, device and browser properties, and page events (e.g., page views). LinkedIn also collects log files (URL, referrer URL, IP address, device and browser properties, and timestamp). IP addresses are shortened or pseudonymized (if used to reach LinkedIn members across devices). The direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymized data is deleted within 180 days. The data collected by LinkedIn cannot be assigned to specific individuals by us as the website operator. LinkedIn will store the collected personal data of website visitors on its servers in the USA and use it for its own advertising measures. For more information on LinkedIn's privacy policy, please refer to LinkedIn's privacy notices. The use of LinkedIn Insight is based on Article 6 (1) sentence 1 lit. f GDPR.
myon clinic GmbH maintains presences in "Social Media," specifically on Xing and LinkedIn. As far as we control the processing of your data, we ensure that the applicable data protection regulations are complied with. Below you will find the most important information on data protection law regarding our presences.
Responsible for the company appearances in the sense of the EU General Data Protection Regulation (EU-GDPR) as well as other data protection regulations are, in addition to myon clinic GmbH, LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) and Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany). However, you use these platforms and their functions on your own responsibility. This applies particularly to the use of interactive functions (e.g., commenting, sharing, rating). We also point out that your data may be processed outside the European Union.
We maintain the social media pages to communicate with the visitors of these pages and to inform them about our offers. We also collect data for statistical purposes to develop and optimize the content and make our offer more attractive. The required data (e.g., total number of page views, page activities, and data provided by visitors, interactions) are processed and made available to us by the social networks. We have no influence on the generation and presentation. Additionally, your personal data is processed by the social media providers for market research and advertising purposes. For example, usage profiles may be created based on your usage behavior and the resulting interests. This allows, among other things, advertisements to be placed within and outside the platforms that correspond to your interests. Cookies are typically stored on your device for this purpose. Regardless, data that is not directly collected on your end devices may also be stored in your usage profiles. The storage and analysis are also carried out across devices, especially if you are registered as a member and logged in to the respective platforms. Beyond that, we do not process any personal data. The processing of your personal data by myon clinic GmbH is based on our legitimate interest in effective information and communication according to Article 6 (1) sentence 1 lit. f GDPR. If you are asked for consent for data processing, i.e., if you declare your consent by confirming a button or similar (opt-in), the legal basis for the processing is Article 6 (1) sentence 1 lit. a, Article 7 GDPR.
If you are a member of a social network and do not want the network to collect data about you via our presence and link it with your stored member data on the respective network, you must log out of the network before visiting our social media page, delete the cookies on your device, and close and restart your browser. After a new login, you will be recognized by the network as a specific user again. For a detailed presentation of the respective processing and the opt-out options, we refer to the linked information below:
-LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy;
- Opt-Out: https://www.linkedin.com/legal/cookie-policy and http://www.youronlinechoices.com;
In total, you have the following rights regarding the processing of your personal data: Right to information; right to correction; right to deletion; right to restriction of processing; right to object; right to data portability; right to complain about unlawful processing of your personal data to the competent data protection authority. However, since myon.clinic does not have full access to your personal data, you should contact the social media providers directly to assert your rights, as they have access to their users' personal data and can take appropriate measures and provide information. If you still need help, we will try to support you. Please contact privacy@myon.clinic.
Persons under 16 years of age may not transmit personal data to us or submit a consent declaration without the consent of their legal guardians. We encourage parents and guardians to actively participate in their children's online activities and interests.
Our website contains clearly recognizable links to the websites of other companies. Although we provide links to other providers' websites, we have no influence on their content, so we cannot assume any guarantee or liability for them. The respective provider or operator of the pages is always responsible for the content of these pages. The linked pages were checked for possible legal violations and recognizable infringements at the time of linking. Illegal content was not recognizable at the time of linking. Permanent content control of the linked pages is, however, unreasonable without concrete evidence of a violation of the law and will be removed immediately upon knowledge of any infringements.
Status: June 2026
We want you to feel safe when participating in digital patient monitoring within myon.clinic GmbH (hereinafter referred to as "myon.clinic"). That is why the protection of your personal data is particularly important to us.
We process your personal data in accordance with the applicable legal provisions on the protection of personal data, in particular the EU General Data Protection Regulation ("GDPR") and the country-specific data protection laws that apply to us. In this privacy policy, you will learn why and how your personal data that we collect from you or that you provide to us when you decide to use the myon.clinic services and content are processed. In particular, you will find a description of the personal data that we collect and process, as well as the purpose and legal basis on which we process the personal data and the rights you have in relation to the processing of your personal data by us.
We at myon.clinic and our partners take the protection of your personal data very seriously. All personal data that you transmit to us or make available to us will be treated by us as strictly confidential and processed exclusively for a specific purpose in compliance with the statutory data protection regulations.
Please read the Privacy Policy below carefully to ensure that you understand each provision.
Please note that in order to use the telemonitoring services and digital patient monitoring, you must also conclude a separate contract for the use of the myoncare portal with Oncare GmbH, which manufactures the myoncare portal. With regard to the processing of your personal data in the context of the use of the myoncare portal, we refer to the privacy policy of Oncare GmbH. You can view them under the following link: https://www.myoncare.com/de/privacy-policy/.
As a service provider, you are a controller within the meaning of Art. 4 No. 7 GDPR when using digital patient monitoring for certain processing operations that affect personal data of your patients. This applies in particular if you commission third parties such as device manufacturers, distributors of medical devices or laboratory service providers as part of a treatment order to collectpatient-related data and make it available via the myoncare platform.
In this case, you are obliged to inform your patients about the method of data collection and the transfer of data to the commissioned technical service providers. If there is no treatment relationship, explicit consent of the patients is required in accordance with Art. 6 (1) (a), Art. 9 (2) (a) GDPR.
The involvement of such technical service providers is always based on a data processing agreement in accordance with Art. 28 GDPR between the controller (e.g. MVZ, clinic) and the respective third-party provider.
"Personal data" means any information relating to an identified or identifiable natural person. In particular, this includes your name, birthday, address, telephone number, email address and IP address.
"Health data" means personal data relating to the physical ormental health of a natural person, including the provision of healthcareservices, which reveals information about his or her state of health.
"Anonymization/pseudonymization" data is considered "anonymous" if no personal connection to the person/user can be established. In contrast,"pseudonymised" data is data from which a personal reference or personally identifiable information is replaced by one or more identifiers or pseudonyms, but which can generally be re-identified by the identifier key.
"Digital patient monitoring" refers to the digital support of myon.clinic and its partners by querying health-relevant data and reading activity and vital data from connected wearables by means of the myoncare platform of the manufacturer Oncare GmbH (hereinafter referred to as "Oncare"). Oncare is a processor (subcontractor)within the meaning of the General Data Protection Regulation (GDPR) of myon.clinic. The data is automatically categorized and prioritized with the help of stored scores (specific clinical measures for assessing medical issues) or analyzed by you (healthcare professionals). Depending on the result, the user automatically or through you (health professionals) receives needs-basedcontent or measures.
"Provider" means you as a physician, clinic, healthcare facility or other healthcare professional acting alone or on behalf of you, the clinic or healthcare facility.
"Partner" includes all service providers and service providers within the healthcare sector who participate in the monitoring services.
"myoncare Portal" is Oncare's myoncare web portal, which is intended for professional use by portal users and serves as an interface between portal users and app users.
"myoncare PWA" is a website that looks and has the functionality of a mobile app. PWAs are built in such a way that they take advantage of the native functions of mobile devices without the user needing an app store. The goal of PWAs is to combine the difference between apps and the traditional web by bringing the benefits of native mobile apps into the browser. The PWA is based on the technology of "React Native for Web". "React Native for Web" is an open-source software for progressive web app applications. To use the myoncare PWA, patients need a computer or smartphone and an active internet connection. There is no need to download an app.
"Telemonitoring Services" include all services linked to digital patient monitoring that myon.clinic and its partners offer within the monitoring system in addition to the retrieval of health data.
myon.clinic GmbH
Balanstraße. 71a
81541 Munich
Data Protection Officer of myon.clinic GmbH
Dr. Sebastian Kraska
E-Mail: privacy@myon.clinic
Within the framework of myon.clinic, we process the following categories of personal data from you:
● E-mail address
● Date of birth
● Date of registration,
● Your IP address,
● pseudo-keys generated by the portal,
● Lifelong Physician Number (LANR) and Establishment Number (BSNR)
● Data required for the management of reimbursement, such as: Your contact details, patient's name, diagnosis, indications, treatment, treatment period.
If you are a contact person for the operation of the portal at your location/practice (e.g. IT administrator, appointed healthcare professional), you may provide us with certain personal data when you contact us to understand or discuss the features and use of the portal.
In the event of a service request, the following personal data can also be viewed by authorized myon.clinic employees:
Your personal data that you have provided to us for registration and/or login to our portal (e.g. name, date of birth, profile picture, contact details).
Authorized myon.clinic employees who may access your database for the purpose of processing a service request are contractually obligated to treat all personal data in the strictest confidence.
When processing operational data, myon.clinic acts as a data controller responsible for the lawful processing of your personal data.
We use the operational data to maintain the functionalities of the myoncare portal and to contact you directly if necessary or on your initiative (e.g. in the event of changes to terms of use, necessary support, technical problems, etc.). Furthermore, personal data (e-mail address) is processed within the framework of two-factor authentication every time you log in to the myoncare portal.
Justification of processing for operational purposes: The processing of operational data is justified on the basis of Art. 6 (1) (b)GDPR for the performance of the contract that you conclude with myon.clinic for the use of digital patient monitoring.
– Only applicable if you use myoncare tools for reimbursement –
The myoncare portal supports you in initiating your standard procedures for reimbursement of your healthcare services that are used by your patients via the myoncare app. In order to enable the reimbursement process, the myoncare portal supports the collection of your patients' personal(health) data from the myoncare portal in order to facilitate the transmission of this data to the patient's payer as part of the standard reimbursement processes (either your Association of Statutory Health Insurance Physicians and/or the patient's health insurance company).
For the purposes of reimbursement, we process the following types of personal data: patient's name, diagnosis, indications, treatment, treatment period, other data necessary for the management of reimbursement, such as: Your contact details, your lifelong doctor number (LANR) and your permanent establishment number (BSNR).
Processing of reimbursement data: myon.clinic, as the data controller, transmits the treatment data of your patient required for reimbursement to the payer (either your Association of Statutory Health Insurance Physicians and/or the patient's health insurance company), and the payer processes the reimbursement data in order to enable us to reimburse the patient.
Justification of the processing of the cost reimbursement data: The processing of the cost reimbursement data for billing with the cost bearer is carried out on the basis of §§ 295, 301 SGBV.
Creation of the doctor's letter: In addition to patient data, your personal data is also collected and stored in a structured manner on the myoncare platform and compiled in a doctor's letter for the creation of a doctor's letter. This doctor's letter requires a review by the doctor before it can be forwarded to the patient. For the preparation of the doctor's letter, the following personal data described above will be processed:
● E-mail address
● Date of birth
● Date of registration,
● Your IP address,
● pseudo-keys generated by the portal,
● Lifelong Physician Number (LANR) and Establishment Number (BSNR)
● Data required for the management of reimbursement, such as: Your contact details, patient's name, diagnosis, indications, treatment, treatment period.
Justification of data processing for the preparation of the doctor's letter: The data processing for the preparation of the doctor's letter is justified on the basis of Art. 6 (1) (b)GDPR for the performance of the contract that you conclude with myon.clinic for the use of digital patient monitoring.
Commercial store data: Personal data that is processed in connection with the use of the myoncare store – in particular in connection with the authorship, configuration or purchase of digital treatment plans ("pathways"). The store is operated by myon.clinic GmbH, a subsidiary of Oncare GmbH. The use of the Store requires the processing of your name, professional contact details and, if applicable, payment data (only for paid content). Oncare GmbH processes this data exclusively for the technical provision of the platform functions and not for its own commercial purposes. Depending on the specific processing, the data protection responsibility for the personal data processed in the store lies with either myon.clinic GmbH or Oncare GmbH as joint controllers within the meaning of Art. 26 GDPR. For processing for billing or support purposes, myon.coach may be the data controller or processor in accordance with Art. 28 GDPR. The distribution of roles is regulated in an internal agreement.
Justification of the processing: The processing is carried out in accordance with Art. 6 (1) (b) GDPR for the performance of a contract (e.g. acquisition of digital content) and on the basis of Art. 6 (1)(f) GDPR for the technical provision of the store, whereby the legitimate interest lies in a secure and functional platform.
To support medical care, external technical service providers such as medical device manufacturers, distributors of medical devices or laboratory service providers can collect patient-related data on behalf of the service provider and transmit it to the myoncare portal via interfaces. The processing of this data is carried out exclusively within the framework of defined medical treatment processes or – if no treatment relationship exists – on the basis of consent. Justification of the processing results from:
● Art. 6 para. 1 lit. b in conjunction with Art. 9 para. 2 lit. h GDPR (contract for medical care)
● or Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR (explicit consent of the patient)
Your personal data will also be processed in countries outside the European Union (EU) or the European Economic Area (EEA). This is only done to the extent necessary and in compliance with the legal requirements of the General Data Protection Regulation (GDPR). We transferpersonal data to the following third countries, subject to the consent of the contracting parties: Egypt. The recipient is a technical service provider engaged by us, who, within the framework of data processing on our behalf, provides support and maintenance services for our systems.
Legal basis for the transfer:
The transfer is based on standard contractual clauses concluded with the customer support service provider (in accordance with Art. 46 (2) (c) GDPR and your express consent in accordance with Art. 49 (1) (a) GDPR (if applicable).
In order to ensure compliance with the legal provisions of the GDPR, myon.clinic and its partners have taken appropriate technical and organisational measures. The data processing is carried out by means of computers or IT-based systems, following an organizational procedure and mode strictly aimed at the purposes indicated.
If you use additional medical functions such as integrated diagnostics, vital signs collection or laboratory services via the Platform, personal health data may be collected and processed by external third parties (e.g. medical device manufacturers, distributors of medical devices or laboratory service providers). This is done to support medical care and always on the basis of explicit consent or a treatment relationship.
The processing is carried out either within the framework of order processing or – depending on the provider – under its own responsibility under data protection law. Oncare GmbH only provides the technical connection for this purpose, without checking or medically evaluating content. Further information on the respective data processing can be obtained directly from the treating service provider or via the data protection information of the integrated third-party providers.
The myoncare portal offers registered service providers (e.g. doctors) the opportunity to offer and configure digital care pathways via a webshop functionality (e.g. in cooperation with myon.clinic) and to assign patients individually.
As part of the use of this functionality, personal data – in particular health data – is processed, such as information on indication, recommended duration of treatment or pathway assignment. This data processing serves the individualization and assignment of medical content and is carried out on the basis of Art. 6 (1) (b) and Art. 9 (2) (h) GDPR.
Oncare provides the technical infrastructure and processes the data concerned as a data controller within the meaning of Art. 4 No. 7 GDPR, insofar as the processing is necessary for the provision of the platform functions. However, the selection of content and medical design of the pathways is the sole responsibility of the respective service provider.
In so far as billing or data transmission is carried out to third parties (e.g. billing offices or platform partners such as myon.coach), such processing only takes place on the basis of corresponding agreements or legal regulations.
We do not use purely automated processing to make decisions.
We will only pass on your personal data to third parties within the framework of the legal provisions or on the basis of your consent. In all other cases, the information will not be disclosed to third parties, unless we are obliged to do so due to mandatory legal regulations (disclosure to external bodies, including supervisory or law enforcement authorities).
In certain cases, service providers support myon.clinic in the fulfilment of its tasks. The necessary order processing agreements in accordance with Art. 28 GDPR have been concluded with all service providers who are data processors for personal data.
These service providers are:
● Oncare as the manufacturer of the myoncare technology along with the myoncare app.
● Billing Service Providers.
In the event of misuse, the user's personal data may be used for legal purposes in legal proceedings or in the event of complaints.
You are also aware that myon.clinic and its partners may be required by competent authorities to hand over personal data.
myon.clinic and its partners adhere to the principles of data minimization. myon.clinic therefore only stores personal data for as long as is necessary to provide the services and achieve the purposes specified here, or to comply with statutory retention periods (e.g. §257 HGB or § 147 AO), unless further storage is necessary in the individual case for the assertion, exercise or defense of legal claims or another legal basis (e.g. consent) justifies further processing.
Various personal data are necessary for the establishment, implementation and termination of the contractual relationship with myon.clinic and the fulfilment of the associated contractual and legal obligations. We have summarized the details for you under the point above. In certain cases, personal data must also be collected or made available in accordance with the legal provisions. Please note that without providing this personal data, it is not possible to process your request or fulfil the underlying contractual obligation.
We would like to inform you about your rights as a data subject. These rights include, in particular:
● Right of access (Art. 15 GDPR): You have the right to request information about whether and how your personal data is being processed, including information about the purposes of processing, recipients, storage period and your rights to rectification, erasure and objection. You also have the right to receive a copy of any personal data we hold about you.
● Right to rectification (Art. 16 EU GDPR): You can request that we update or correct inaccurate personal data or complete incomplete personal data.
● Right to erasure / right to be forgotten (Art. 17 GDPR): You can demand that we delete your personal data collected and processed by us without undue delay. Please note, however, that we can only delete your personal data after the expiry of the statutory retention periods.
● Right to restriction of data processing (Art. 18 GDPR): You can ask us to "restrict" the use of your data if the accuracy of the data is contested, the processing is unlawful, the data is needed for legal claims, or an objection to the processing is being examined, so that we can only continue to use your data with restrictions.
● Right to data portability (Art. 20 GDPR): In general, you can request that we provide you with personal data that you have provided to us and that is processed by machine based on your consent or the performance of a contract with you, in amachine-readable form, so that it can be "ported" to a substitute service provider.
● Right to object to data processing (Art. 21 GDPR): You have the right to object at anytime to the processing of personal data concerning you that is carried out on the basis of Article 6 (1) (e) or (f) GDPR. In this case, the controller will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject, or the processing serves to establish, exercise or defend legal claims.
If you have given your consent to the processing of your personal data, you can revoke it at any time with effect for the future. The lawfulness of the data processing operations that have already taken place remains unaffected by the revocation.
● Right to lodge a complaint (Art. 77 GDPR): In addition, you have the option of contacting a data protection supervisory authority with a complaint.
To exercise these rights, please contact us at: privacy@myon.clinic. Objection and revocation of consent must be declared intext form to privacy@myon.clinic. We will require you to provide sufficient proof of your identity to ensure that your rights are protected and that your personal data will only be disclosed to you and not to third parties.
For providers and healthcare professionals located in the United States or delivering services within the US healthcare system, the processing of patient data through the myoncare platform is also governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In this context, myon.clinic may act as your “Business Associate” when processing Protected Health Information (“PHI”) on your behalf.
As a Business Associate, myon.clinic is contractually and legally obligated to:
These HIPAA obligations apply in addition to our commitments under the GDPR and other applicable data protection laws. Providers using myon.clinic in the US remain the Covered Entity under HIPAA, and myon.clinic supports you in fulfilling your HIPAA responsibilities.
We expressly reserve the right to change this Privacy Policy in the future at our sole discretion. Changes or additions maybe necessary, for example, to meet legal requirements, to comply with technical and economic developments, or to meet the interests of myon.clinic service users.
Status: June 2026
We want you to feel secure when using the services and content of myon.clinic GmbH. The protection of your personal data is of particular importance to us.
We process your personal data in accordance with the applicable statutory provisions, in particular the EU General Data Protection Regulation (“GDPR”) and the country-specific data protection laws applicable to us. We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR).
In this Privacy Notice, you will learn why and how we process personal data — including health data — when you use myon.clinic Services. In particular, you will find information on:
All personal data that you transmit to us or make accessible to us will be treated confidentially by us and processed exclusively for specified purposes in compliance with the statutory requirements. Please read this Privacy Notice carefully.
Important notice regarding platform technology (myoncare App / PWA / platform): ONCARE GmbH processes personal data as a processor pursuant to Art. 28 GDPR for the technical provision of the platform and, where applicable, as an independent controller for IT security and platform operations. An overview of the processing activities can be found in Section X. In addition, the Privacy Notice of ONCARE GmbH applies to data processing by ONCARE in the context of the use of this technical platform. You can find it here: https://www.myoncare.com/de/privacy-policy/
myon clinic GmbH
Balanstr. 71a, 81541 Munich
Tel.: +49 89 444 51156
Email: info@myon.clinic
Data Protection Officer:
Dr. Sebastian Kraska
Email: privacy@myon.clinic
The competent data protection supervisory authority is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.
“Digital Patient Monitoring” means digital support within myon.clinic Services by means of the collection of health-related data and — if activated by the user — the retrieval of activity data, vital data, and measurement data from wearables, medical devices, or connected laboratories via the myoncare platform. The use of myon.clinic Services may take place both in the context of medical treatment and independently thereof (e.g., for self-observation or information purposes)
“Service Provider” means physicians, clinics, medical care centers (MVZs), or other medical institutions or members of the healthcare professions, as well as — where applicable — providers of health, prevention, counseling, or care services that provide or offer services via the platform.
“Partner” includes medical Service Providers as well as technical service providers (e.g., device manufacturers, distributors of medical devices, laboratories), insofar as these provide supporting services on behalf of a Service Provider or on behalf of myon.clinic.
“myoncare App” is the mobile application of ONCARE GmbH for use by users (e.g., patients or participants in prevention or Self-Care programs). Insofar as the term “patient” is used in this Privacy Notice, it shall always mean the user of the myoncare App or PWA.
“myoncare PWA” is a web-based application (Progressive Web App) with app-like functionality.
“Mobile” is the product name for the myoncare App and the PWA.
“myoncare platform” is the web portal for professional use by Service Providers as an interface between the Service Provider and the user.
“Telemonitoring Services” are supportive services linked to Digital Patient Monitoring (e.g., reminders, structured queries, educational content, status reports) that do not constitute independent medical treatment and do not replace diagnostic or therapeutic decisions.
“Caretask” means a task (e.g., questionnaire, request for measurement, information/education in text/image/video/audio form).
“Pathway” means a chronological sequence of Caretasks. Pathways may be structured on the basis of medical guidelines, but within myon.clinic — unless expressly used by a Service Provider as part of a treatment — they serve, in particular, structured support, information, and self-observation and do not replace a medical diagnosis or treatment decision.
“Case Report/Report” means a document generated by myon.clinic (e.g., a PDF report) on the basis of the entries and measured values available in the system. Reports do not constitute a medical evaluation, diagnosis, or treatment recommendation. They serve exclusively for the structured presentation of the data entered or measured by the user.
“myon.prevent” is a site within myon.clinic that may optionally be joined and that can make suggestions for preventive health measures on the basis of voluntarily provided health data. It is an optional Self-Care offering without medical treatment that serves exclusively prevention, information, structuring, and self-observation.
Data protection responsibility depends on the usage constellation in which you use myon.clinic Services and on the function assumed by the respective parties involved.
myon.prevent is a personalized Self-Care Service by myon.clinic for the provision of preventive offerings, structured programs, reminders, self-observation, and personalized prevention and health recommendations on the basis of the information you voluntarily provide.
Legal basis:
Art. 6(1)(b) GDPR (contract for the use of the Services, insofar as necessary for the provision of myon.prevent)
For health data: Insofar as health data are processed, this takes place exclusively on the basis of your explicit consent pursuant to Art. 9(2)(a) in conjunction with Art. 6(1)(a) GDPR, unless a statutory legal basis under Art. 9(2)(h) GDPR applies.
For the use of myon.prevent, it is necessary that you expressly consent to the processing of the health data voluntarily provided by you for the purpose of creating and providing personalized preventive offerings, programs, and recommendations. Without this consent, myon.prevent cannot be offered by myon.clinic.
This concerns exclusively the health data voluntarily provided by you, in particular data from the Medical Profile (medical history data), laboratory data, and wearable data. There is no obligation to provide such data. However, if you decide to use myon.prevent, the provision of such data as well as your consent to their processing are prerequisites for the use of the Service.
The use of myon.prevent does not constitute medical treatment and does not replace a medical diagnosis or therapy.
You may withdraw your consent at any time with effect for the future. The withdrawal shall not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal. In the event of withdrawal, myon.prevent can no longer be used from the time of receipt of the withdrawal onward. Unless statutory retention obligations preclude deletion, the health data processed for myon.prevent will be deleted after termination of the Service.
In this constellation, myon.clinic is an independent controller within the meaning of Art. 4 No. 7 GDPR. Health data are processed only on the basis of the respectively applicable data protection legal bases.
A Service Provider may recommend the use of myon.clinic Services to you or invite you to participate in digital support offerings. Data protection responsibility as well as the nature of the services depend on the form in which the use takes place.
a) Use upon recommendation of a Service Provider (without integration into that Service Provider’s treatment)
If you use the Services upon recommendation of a Service Provider, without such Services constituting part of the medical treatment by that Service Provider, the use is initiated by you on your own initiative. In this case, there is no joint controllership and no processor relationship between myon.clinic and the recommending Service Provider.
The services serve exclusively information, structured support, prevention, and self-observation and do not constitute medical treatment.
In this constellation, myon.clinic is an independent controller within the meaning of Art. 4 No. 7 GDPR. Health data are processed only on the basis of your explicit consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR.
Information, documentation, or reports are transmitted to the recommending Service Provider only if you expressly request this or have consented thereto. Without such consent, no data will be transmitted to the recommending Service Provider.
b) Use in the context of medical treatment by a Service Provider
Insofar as the use of myon.clinic Services forms part of medical treatment by a Service Provider, data processing is carried out, depending on the contractual arrangement, either
In all cases, medical responsibility remains with the treating Service Provider.
Status information, documentation, or reports are transmitted only to Service Providers specifically selected by you or connected by your active action, and exclusively for the respective care requested by you.
c) Digital support by cooperating or contractually bound Service Providers
Insofar as services are provided by qualified Service Providers cooperating with myon.clinic or contractually bound to myon.clinic, an independent care relationship is established between you and the respective Service Provider.
In this case, the processing of health data takes place for the provision of healthcare pursuant to Art. 9(2)(h) GDPR as well as the respectively applicable professional law and social law provisions by the respective service provider as the data controller within the meaning of Art. 4 No. 7 GDPR. Medical responsibility lies exclusively with the respective Service Provider.
ONCARE GmbH provides the technical platform (myoncare App/ /PWA Plattform) and processes data, depending on the constellation, as a processor pursuant to Art. 28 GDPR for the respective controller or, insofar as ONCARE decides on certain processing activities for its own purposes, as an independent controller, in particular for platform and operational data such as IT security, system stability, technical administration, and abuse prevention. ONCARE processes health data or content data for its own purposes only insofar as this is legally permissible, legally required, or expressly agreed.
No joint controllership:
Unless expressly described otherwise in this Privacy Notice or contractually agreed otherwise, there is no joint controllership pursuant to Art. 26 GDPR between myon.clinic and ONCARE or between myon.clinic and Service Providers.
The specific data protection responsibility depends in each case on the specific usage situation and the underlying contractual relationships between the parties involved. The specific allocation of roles is determined by the respective underlying contractual arrangements between the parties involved (e.g., data processing agreement pursuant to Art. 28 GDPR or independent controllership). Users will be informed thereof within the respective usage situation.
Personal data means any information relating to an identified or identifiable person (e.g., name, contact details, IP address).
Health data means personal data relating to the physical or mental health status of a person, or from which information about that person’s health status can be derived (Art. 9 GDPR).
Pseudonymized identifiers may be attributed to a person where additional information is available.
Users may upload documents or images via the platform (e.g., laboratory reports, physicians’ letters, or medical findings). To the extent technically required, such documents may be automatically analyzed or structurally extracted (e.g., by means of OCR technologies) in order to display content more easily within the platform or to make such content usable for Caretasks, Reports, or Pathways.
Access to personal data takes place exclusively by authorized persons and only to the extent necessary for the performance of the respective tasks.
We process personal data only where a legal basis exists. For health data, Art. 9 GDPR additionally applies.
Purpose:
Account creation, login, user administration, technical provision of the Services, support, abuse prevention, IT security, and ensuring system stability.
Legal basis:
Art. 6(1)(b) GDPR (contract / pre-contractual measures)
Art. 6(1)(f) GDPR (legitimate interest in secure operation). Our legitimate interest lies in particular in ensuring IT security, abuse prevention, and the stability of the platform. Your interests are safeguarded by appropriate protective measures (e.g., pseudonymization and access restrictions).
To the extent health data are concerned, processing by ONCARE takes place only where an appropriate legal basis under Art. 9(2) GDPR applies, in particular:
Purposes of the processing
Within the optional Self-Care offering myon.prevent, myon.clinic processes personal data and health data voluntarily provided by you for the purpose of providing the Service, conducting structured preventive offerings and programs, providing reminders and content for self-observation, and creating personalized preventive and health recommendations.
Legal bases of the processing
The processing of personal data takes place, to the extent necessary for the provision of myon.prevent, on the basis of Art. 6(1)(b) GDPR.
The processing of health data takes place on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR.
Purpose:
Performance of the contract, provision of digital content, billing, customer service, abuse prevention.
Legal basis:
Art. 6(1)(b) GDPR (performance of a contract)
To the extent health data are processed in the context of use, such processing takes place exclusively on the basis of your explicit consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR.
Purpose:
Support of a treatment or care process through digital support, monitoring, structured queries, reminders, and the creation of status information or Reports.
Legal basis (depending on the constellation):
a) In the context of medical treatment
myon.clinic acts as a processor pursuant to Art. 28 GDPR on behalf of the Service Provider.
The legal basis for the processing of health data lies with the respective Service Provider, in particular:
Art. 6(1)(b) GDPR in conjunction with Art. 9(2)(h) GDPR.
b) Outside a care relationship
If the use does not form part of medical treatment, processing takes place on the basis of your explicit consent:
Art. 6(1)(a) and Art. 9(2)(a) GDPR.
5) Transmission of status information / Reports to your Service Provider
Purpose:
Support of medical care by means of progress reports or status information.
Transmission does not take place automatically, but only:
Legal basis: Within the treatment relationship with the Service Provider: Art. 6(1)(b) GDPR in conjunction with Art. 9(2)(h) GDPR.Outside such a relationship: consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR.
Transmission to merely recommending Service Providers without an existing care relationship takes place exclusively with your explicit consent.
Purpose:
Import and display of activity, vital, and measurement data for structured support.
Legal basis:
Your consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR.
The connection of such services takes place exclusively on the initiative of the user. The user’s consents may be withdrawn at any time, and connected services may be deactivated at any time.
We receive data (i) directly from you (entries / uploads), (ii) from connected sources activated by you (e.g., Apple Health / Google Fit / wearables / laboratories, to the extent technically connected), and (iii) — insofar as you are integrated into treatment / care — where applicable from the treating Service Provider or its systems, to the extent this is provided for in the respective usage constellation.
The connection of such services takes place exclusively on the initiative of the user and may be deactivated at any time.
Purpose:
Support of statutory or contractual billing processes.
Legal basis:
Art. 6(1)(c) GDPR (legal obligation)
Art. 9(2)(h) GDPR (health care)
Purpose:
Quality assurance, IT security, documentation, and fulfillment of regulatory requirements (e.g., MDR obligations and obligations to record and report adverse events).
Legal basis:
Art. 6(1)(c) GDPR
where applicable Art. 9(2)(i) GDPR or Art. 9(2)(h) GDPR
For research and analytics purposes, myon.clinic uses exclusively anonymized data or evaluations at an aggregated level, provided and to the extent that no conclusions can thereby be drawn as to identified or identifiable persons. To the extent that personal data are anonymized, such anonymization shall take place only on the basis of the respectively applicable data protection legal bases and by applying appropriate technical and organizational measures.
Purpose:
Provision of individually tailored content and programs.
Legal basis:
Your explicit consent pursuant to Art. 6(1)(a) and Art. 9(2)(a) GDPR.
This may constitute profiling within the meaning of Art. 4 No. 4 GDPR. No solely automated decision-making producing legal effects within the meaning of Art. 22 GDPR takes place. Automated evaluations are based on rule-based algorithms (e.g., thresholds, comparative values, or standardized questionnaires) and serve exclusively to generate recommendations.
Processing generally takes place within the EU/EEA.
If services are provided via a US service provider or a HIPAA-relevant constellation exists, storage in the USA may take place. In these cases suitable safeguards pursuant to Art. 44 et seq. GDPR are implemented (e.g. EU standard contractual clauses or — if applicable — EU-US Data Privacy Framework).
ONCARE uses Google Firebase (Google Ireland Limited) for certain technical functions. Google Firebase is used to ensure technical stability and for notifications. In this context, technical usage data may be processed. Processing generally takes place on servers in the EU/EEA; access from the USA cannot be excluded in exceptional cases (support/maintenance). If required, this takes place on the basis of suitable safeguards (e.g., standard contractual clauses) and technical measures (e.g., pseudonymization/encryption).
Access to data stored in the USA from Europe may take place exclusively for support purposes:
by authorized employees of ONCARE GmbH (second-level support),
by authorized employees of myon.clinic GmbH (first-level support),
each only to the extent necessary and under technical and organizational safeguards.
If a transfer to third countries takes place, you may request a copy of the suitable safeguards (e.g. standard contractual clauses) using the contact details stated in Section II.
No solely automated decision-making producing legal effects or similarly significant adverse effects within the meaning of Art. 22 GDPR takes place.
To the extent that automated evaluations, categorizations, or risk assessments (e.g., on the basis of questionnaire data or measurement values) are carried out within the myon.clinic Services, these serve exclusively for the purposes of information, support, and the structured presentation of data.
Personalized suggestions or recommendations based on voluntarily provided data are made exclusively on the basis of your consent.
A medical evaluation, diagnosis, or treatment decision is made exclusively by a qualified Service Provider and not automatically by the system. Automated evaluations (e.g., structured risk scores, evaluations of questionnaire data, or vital parameters) serve exclusively to support, structure, and prioritize information and do not constitute an independent medical evaluation or diagnosis.
We disclose personal data only if a legal basis exists, in particular:
Possible recipients:
Disclosure takes place exclusively to the necessary extent and only on the basis of a corresponding legal basis (in particular consent or medical treatment relationship).
We conclude the required contracts pursuant to Art. 28 GDPR with processors.
In case of misuse, personal data may be processed for assertion or defense of legal claims (Art. 6 para. 1 lit. f GDPR). Disclosure to authorities may also take place insofar as we are legally obliged.
We store personal data only as long as necessary for the purposes stated in this privacy policy or statutory retention periods exist. After cessation of the respective purpose and expiry of statutory periods, the data are deleted or their processing restricted.
In the medical context, service providers may be subject to their own statutory documentation and retention obligations. Depending on the type of records, these periods may range from several years to several decades. myon.clinic generally has no influence on such data; deletion requests may therefore have to be addressed directly to the respective service provider.
For contract, billing and store-related data, commercial and tax retention obligations apply (in particular under HGB and AO).
For technical reasons, data may remain stored in backup copies for a limited period after deletion; such backups are stored separately for technical purposes and are accessible only for administrative purposes. During this period, no active processing takes place, and the data are finally deleted after expiry of the technical retention cycles.
The retention period and the necessity to provide data are determined on the basis of the following criteria: the duration of the usage agreement, statutory retention obligations, the necessity for IT security, and limitation periods for potential legal claims.
The provision of certain personal data is required for the registration for and use of the myon.clinic Services. Without such data, the conclusion of a contract and/or the use of individual functions may be impossible in whole or in part. The provision of health data is, as a rule, voluntary; however, insofar as health data are strictly required for the function selected by you, their processing is only permissible on the basis of consent. Without such consent, the respective function cannot be used.
We would like to inform you about your rights as a data subject. These rights include, in particular:
If you have given consent for the processing of your personal data, you may withdraw this consent at any time with effect for the future. The lawfulness of any data processing carried out prior to the withdrawal remains unaffected.
Responsibility for the exercise of your rights: For the processing of your treatment and health data, your Service Provider is the data protection controller. Please address corresponding requests generally to your Service Provider. myon.clinic typically processes such data as a processor and supports the Service Provider in fulfilling your rights within the scope of the data processing agreement. Insofar as myon.clinic processes personal data under its own responsibility (e.g., for purposes of IT security or product safety), you may exercise your rights by contacting privacy@myon.clinic .
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us. The supervisory authority competent for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany (www.lda.bayern.de).
Proof of identity: In order to process your request, suitable proof of identity may be required to ensure that personal data are not disclosed to unauthorized third parties.
Use of myon.clinic Services is generally intended from the age of 18. For users under 18 years, consent of the legal guardian is required insofar as consent is the legal basis of processing. Where appropriate, we reserve the right to request proof of the legal guardian’s consent.
Insofar as services are provided within the US healthcare system, processing of Protected Health Information (PHI) takes place in accordance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA). In these cases the respective US healthcare institution generally acts as “Covered Entity”. Insofar as services are provided via myoncare Inc., it acts as “Business Associate” on the basis of corresponding agreements. myon.clinic GmbH assumes no independent responsibility under HIPAA in these cases unless expressly contractually agreed.
myon.clinic provides a digital platform through which users can use structured programs, supportive monitoring services as well as further medical and non-medical content and — optionally via the myon.clinic Store — purchase digital programs, either on their own initiative or upon recommendation or referral by a service provider.
The services serve information, structured support and organization of health-related data. They do not replace individual medical advice, diagnosis or treatment.
If use takes place within medical treatment, medical responsibility remains with the respective service provider.
myon.clinic itself does not provide independent medical treatment unless expressly provided by qualified cooperating service providers.
Use may take place, depending on the offer, independently of a treatment relationship or within medical care by a service provider. Data protection responsibility depends on the respective usage constellation.
We reserve the right to adapt this privacy policy if necessary for legal, technical or organizational reasons. The current version will be provided to you in an appropriate form.
***