Privacy Policy
Last updated: January 2026
1. Data Controller
The data controller for this website is:
Dr. med. José Uy
Schoarerbergstr. 12
5302 Henndorf am Wallersee
Austria
Phone: +43 676 5119550
Email: [email protected]
Dr. med. José Uy is responsible for the processing of your personal data in accordance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
2. General Information on Data Processing
2.1 Scope of Personal Data Processing
We only process personal data of our users to the extent necessary for providing a functional website and our content and services. The processing of personal data generally only takes place with the user's consent. An exception applies in cases where prior consent cannot be obtained for practical reasons and the processing of data is permitted by law.
2.2 Legal Basis for Processing Personal Data
Where we obtain consent from the data subject for processing personal data, Article 6(1)(a) GDPR serves as the legal basis.
For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for pre-contractual measures.
Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
Where processing is necessary for the purposes of legitimate interests pursued by our company or a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis.
2.3 Data Deletion and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may continue if provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless further storage is necessary for the conclusion or performance of a contract.
3. Hosting and Content Delivery
3.1 Cloudflare Pages
This website is hosted on Cloudflare Pages, a service provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA.
Type and Purpose of Processing:
Cloudflare provides the infrastructure and services for operating our website. Data transmitted by you when visiting our website (e.g., IP address, time of access, pages visited) is processed on Cloudflare servers.
Legal Basis:
Processing is based on our legitimate interest in the secure, fast, and efficient provision of our online offering (Article 6(1)(f) GDPR).
GDPR Compliance and Data Protection:
Cloudflare is certified under the EU-US Data Privacy Framework and has committed to GDPR compliance. A Data Processing Agreement (DPA) pursuant to Article 28 GDPR has been concluded with Cloudflare, ensuring compliance with European data protection standards. Cloudflare processes your data exclusively on our instructions and only for the agreed purposes.
Data Transfer to Third Countries:
Cloudflare operates servers worldwide, including in the USA. Data transfer to the USA is based on EU Standard Contractual Clauses and Cloudflare's certification under the EU-US Data Privacy Framework. Cloudflare has implemented comprehensive technical and organizational measures to ensure an adequate level of data protection.
Storage Duration:
Cloudflare stores technical log data (IP addresses, access times) for security and performance purposes for a maximum of 30 days.
More Information:
Detailed privacy information from Cloudflare: https://www.cloudflare.com/privacypolicy/
4. Website Provision and Log Files
4.1 Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected:
- Browser type and version
- Operating system used
- Referrer URL (previously visited page)
- Hostname of the accessing computer
- Time of server request
- IP address (anonymized)
This data is also stored in our system's log files. This data is not stored together with other personal data of the user.
4.2 Legal Basis
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR (legitimate interest in the functionality and security of the website).
4.3 Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must be stored for the duration of the session. Storage in log files ensures the functionality of the website and is used to optimize the website and ensure the security of our information technology systems.
4.4 Storage Duration
The data is deleted as soon as it is no longer necessary for the purpose of its collection. In the case of data collection for website provision, this is when the respective session ends. Log files are automatically deleted after a maximum of 30 days.
5. Contact Form and Email Contact
5.1 Description and Scope of Data Processing
A contact form is available on our website, provided via Systeme.io. When you send us inquiries via the contact form or email, your information from the inquiry form or email, including the contact details you provided, is stored for the purpose of processing the inquiry and in case of follow-up questions.
Data collected via Systeme.io:
- Name
- Email address
- Phone number
- Message content
- Timestamp of inquiry
- IP address (for security purposes)
5.2 Legal Basis
Data processing is based on Article 6(1)(a) GDPR (consent) or Article 6(1)(b) GDPR (contract initiation).
5.3 Purpose of Data Processing
Personal data is processed solely to handle your contact request. In case of contact via email, this also constitutes the necessary legitimate interest in data processing.
5.4 Systeme.io as Data Processor
Systeme.io (Systeme.io Inc., 201 Saint Charles Ave, Suite 2500, New Orleans, LA 70170, USA) processes data collected via the contact form on our behalf. A Data Processing Agreement pursuant to Article 28 GDPR has been concluded with Systeme.io. Systeme.io is GDPR-compliant and has committed to European data protection standards.
Data Transfer to Third Countries:
Systeme.io uses servers in the USA. Data transfer is based on EU Standard Contractual Clauses.
5.5 Storage Duration
Data is deleted as soon as it is no longer necessary for the purpose of its collection. For personal data from the contact form and email contact, this is when the respective conversation with the user has ended. The conversation is considered ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved.
Retention Obligations:
If legal retention obligations apply, data will be stored for the duration of the statutory retention period after the end of the conversation and then deleted.
5.6 Objection and Removal Options
You may withdraw your consent to the processing of personal data at any time. All personal data stored during the contact process will be deleted in this case, unless legal retention obligations prevent deletion.
6. Online Courses and User Accounts (Systeme.io)
6.1 Description and Scope of Data Processing
We offer online courses on TCM (Traditional Chinese Medicine) on our website. The course platform, user management, and email communication are handled via Systeme.io.
Data collected during registration and course use:
- First and last name
- Email address
- Password (encrypted)
- IP address at registration
- Course progress and activities
- Purchase history
- Timestamps of activities
Age Requirement:
Use of our courses is only permitted from the age of 16. By registering, you confirm that you are at least 16 years old.
6.2 Legal Basis
Processing is based on:
- Article 6(1)(b) GDPR (contract performance) for course provision
- Article 6(1)(a) GDPR (consent) for email communication
6.3 Purpose of Data Processing
Data processing serves the following purposes:
- Creating and managing your user account
- Providing booked courses
- Managing your course progress
- Communication regarding your courses
- Invoicing and payment processing
- Technical administration
6.4 Systeme.io as Data Processor
Systeme.io processes your data exclusively on our behalf. A Data Processing Agreement pursuant to Article 28 GDPR has been concluded with Systeme.io. Systeme.io is GDPR-compliant and has implemented comprehensive security measures.
Data Transfer to Third Countries:
Systeme.io uses servers in the USA. Data transfer is based on EU Standard Contractual Clauses pursuant to Article 46 GDPR.
More Information:
Systeme.io Privacy Policy: https://systeme.io/privacy
6.5 Storage Duration
Your account data is stored as long as your user account is active. After account deletion, your personal data will be deleted unless legal retention obligations exist (e.g., for invoice data pursuant to § 132 BAO: 7 years).
Course progress data is deleted 6 months after course completion or cancellation.
6.6 Account Deletion
You may request account deletion at any time. Please contact us via email at [email protected]. After account deletion, all personal data will be deleted unless legal retention obligations prevent this.
7. Payment Processing
7.1 Stripe
For payment processing, we use the payment service provider Stripe (Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland).
Data Processed:
- Name
- Email address
- Billing address
- Payment information (credit card data, IBAN, etc.)
- Transaction data
- IP address
Legal Basis: Article 6(1)(b) GDPR (contract performance)
Purpose: Data processing is for the secure handling of payment transactions.
Data Transfer: Stripe is based in the EU and GDPR-compliant. Stripe may also transfer data to servers in the USA. Transfer is based on EU Standard Contractual Clauses.
Storage Duration: Stripe stores payment data in accordance with legal requirements and its own compliance requirements. Transaction data is retained by us for tax purposes for 7 years.
More Information:
Stripe Privacy Policy: https://stripe.com/privacy
7.2 PayPal
Alternatively, we offer payments via PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
Data Processed:
- Name
- Email address
- PayPal account information
- Transaction data
Legal Basis: Article 6(1)(b) GDPR (contract performance)
Purpose: Data processing is for the secure handling of payment transactions via PayPal.
Data Transfer: PayPal is based in the EU and GDPR-compliant. PayPal may also transfer data to servers in the USA. Transfer is based on EU Standard Contractual Clauses.
Storage Duration: Transaction data is retained by us for tax purposes for 7 years.
More Information:
PayPal Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full
8. YouTube Video Integration
8.1 Description and Scope of Data Processing
Videos from YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) are embedded on our website.
Type of Integration:
Videos are embedded in "enhanced privacy mode." This means YouTube only collects information about you as a visitor when you actually play the video.
Data processed when playing a video:
- IP address
- Cookie data
- Device information
- Interactions with the video (play, pause, etc.)
8.2 Legal Basis
YouTube video integration is based on Article 6(1)(f) GDPR (legitimate interest in providing video content) and your consent pursuant to Article 6(1)(a) GDPR via our cookie banner.
8.3 Purpose of Data Processing
YouTube video integration serves to provide you with comprehensive course content and audiovisual information.
8.4 Data Transfer to Third Countries
YouTube is a Google service with servers worldwide, including in the USA. Data transfer to the USA is based on the EU-US Data Privacy Framework, under which Google is certified, as well as EU Standard Contractual Clauses.
8.5 Storage Duration
YouTube stores collected data in accordance with Google's privacy policy. Storage duration depends on the type of data and may vary.
8.6 Objection Option
You can object to processing by avoiding video playback or adjusting your cookie settings.
More Information:
Google/YouTube Privacy Policy: https://policies.google.com/privacy
9. Web Analytics via Google Analytics
9.1 Scope of Personal Data Processing
We use Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyze user behavior on our website.
Google Analytics uses cookies that enable analysis of your use of the website. Information generated by the cookie about your use of this website is generally transferred to a Google server in the USA and stored there.
Data Collected:
- IP address (anonymized)
- Pages visited and time spent
- Browser type and version
- Operating system
- Referrer URL
- Time of access
- Device information
IP Anonymization:
We have activated IP anonymization on this website. This means your IP address is truncated by Google within member states of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there.
9.2 Legal Basis
The legal basis for using Google Analytics is your consent pursuant to Article 6(1)(a) GDPR, which you provide via our cookie banner.
9.3 Purpose of Data Processing
Google Analytics is used for the following purposes:
- Analyzing user behavior
- Optimizing the website
- Improving user experience
- Measuring content success
On behalf of the website operator, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website and internet usage to the website operator.
9.4 Data Processing Agreement
A Data Processing Agreement pursuant to Article 28 GDPR has been concluded with Google.
9.5 Data Transfer to Third Countries
Google Analytics may transfer data to servers in the USA. Data transfer is based on the EU-US Data Privacy Framework, under which Google is certified, and on EU Standard Contractual Clauses pursuant to Article 46 GDPR.
9.6 Storage Duration
Data sent by us and linked to cookies is automatically deleted after 14 months. Deletion of data whose retention period has been reached occurs automatically once a month.
9.7 Objection and Withdrawal
You can prevent cookie storage through appropriate browser settings. You can also prevent collection of data generated by the cookie relating to your use of the website (including your IP address) by Google and processing of this data by Google by downloading and installing the browser plugin available at the following link:
Google Analytics Opt-out Browser Add-on:
https://tools.google.com/dlpage/gaoptout
Alternatively, you can adjust your cookie settings via our cookie banner.
More Information:
Google Privacy Policy: https://policies.google.com/privacy
10. Cookies
10.1 Description and Scope of Data Processing
Our website uses cookies. Cookies are text files stored in or by the internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that enables unique identification of the browser when revisiting the website.
We use the following types of cookies:
10.1.1 Technically Necessary Cookies
These cookies are essential for providing the website and its functions properly. Without these cookies, certain services cannot be provided.
Examples:
- Session cookies for user accounts
- Cookie consent storage
- Security cookies
Legal Basis: Article 6(1)(f) GDPR (legitimate interest)
10.1.2 Analytics Cookies (Google Analytics)
These cookies are used to collect information about how visitors use our website. These cookies do not collect information that personally identifies a visitor.
Legal Basis: Article 6(1)(a) GDPR (consent via cookie banner)
10.2 Cookie Banner and Consent
When you first visit our website, a cookie banner appears where you can grant or refuse consent to the use of non-essential cookies. You can withdraw your consent or adjust your cookie settings at any time.
10.3 Storage Duration
Technically necessary cookies: Session-based (deleted when browser closes) or maximum 12 months
Google Analytics cookies: Maximum 14 months
10.4 Objection and Removal Options
You can configure your browser to notify you about cookie placement and allow cookies only in individual cases, exclude acceptance of cookies for certain cases or generally, and enable automatic deletion of cookies when the browser closes.
Browser-specific instructions:
- Chrome: https://support.google.com/chrome/answer/95647
- Firefox: https://support.mozilla.org/en-US/kb/cookies
- Safari: https://support.apple.com/guide/safari/sfri11471/mac
- Edge: https://support.microsoft.com/en-us/microsoft-edge
11. Rights of the Data Subject
When personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:
11.1 Right of Access (Article 15 GDPR)
You may request confirmation from us as to whether personal data concerning you is being processed by us. If such processing takes place, you may request information about:
- the purposes for which personal data is processed
- the categories of personal data being processed
- the recipients or categories of recipients to whom your personal data has been or will be disclosed
- the planned duration of storage of your personal data
- the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by the controller, or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- all available information about the origin of the data if personal data is not collected from the data subject
- the existence of automated decision-making including profiling
11.2 Right to Rectification (Article 16 GDPR)
You have a right to rectification and/or completion against the controller if the processed personal data concerning you is inaccurate or incomplete.
11.3 Right to Restriction of Processing (Article 18 GDPR)
Under the following conditions, you may request restriction of processing of personal data concerning you:
- if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and you oppose erasure of the personal data and request restriction of its use instead
- the controller no longer needs the personal data for processing purposes, but you need it for the establishment, exercise, or defense of legal claims
- if you have objected to processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the controller's legitimate grounds override your grounds
11.4 Right to Erasure (Article 17 GDPR)
You may request that we erase personal data concerning you without undue delay if one of the following grounds applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed
- You withdraw consent on which processing was based and there is no other legal basis for processing
- You object to processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for processing
- The personal data concerning you has been unlawfully processed
- Erasure of personal data concerning you is required for compliance with a legal obligation under Union or Member State law
Exceptions: The right to erasure does not apply to the extent that processing is necessary:
- for compliance with a legal obligation
- for the establishment, exercise, or defense of legal claims
11.5 Right to Notification (Article 19 GDPR)
If you have exercised your right to rectification, erasure, or restriction of processing against the controller, the controller is obligated to communicate this rectification or erasure of data or restriction of processing to all recipients to whom personal data concerning you was disclosed, unless this proves impossible or involves disproportionate effort.
11.6 Right to Data Portability (Article 20 GDPR)
You have the right to receive personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, provided that:
- processing is based on consent or a contract, and
- processing is carried out by automated means
11.7 Right to Object (Article 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you based on Article 6(1)(f) GDPR (data processing based on legitimate interests).
The controller will no longer process personal data concerning you unless they can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or processing serves the establishment, exercise, or defense of legal claims.
11.8 Right to Withdraw Consent (Article 7(3) GDPR)
You have the right to withdraw your data protection consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out based on consent before its withdrawal.
11.9 Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Competent supervisory authority in Austria:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria
Phone: +43 1 52 152-0
Email: [email protected]
Website: https://www.dsb.gv.at/
12. Contact Information for Appointments
12.1 Phone and Email Buttons
On our website, we offer you the option to contact us directly by phone or email via buttons to arrange appointments at our practices.
Phone Button:
Clicking the phone button opens your standard phone app with our phone number (+43 6214 20360). No data is transmitted to us until you make the call.
Email Button:
Clicking the email button opens your standard email application with our email address ([email protected]). No data is transmitted to us until you send the email.
12.2 Data Processing When Contacting
When you contact us by phone or email, we process the following data:
For phone calls:
- Your phone number (if transmitted)
- Call content (as documented for appointment management)
- Date and time of call
For emails:
- Email address
- Message content
- Date and time
- Subject
12.3 Legal Basis
Processing is based on:
- Article 6(1)(b) GDPR (contract initiation for appointment booking)
- Article 6(1)(f) GDPR (legitimate interest in communication with interested parties/patients)
12.4 Purpose of Data Processing
Data processing serves exclusively for appointment scheduling and communication regarding your treatment inquiry at our practices.
12.5 Storage Duration
Data is deleted as soon as it is no longer necessary for the purpose of its collection. For appointment scheduling, this is after completion of treatment or after expiry of statutory retention periods (for medical documentation pursuant to § 51 Austrian Medical Act: 10 years).
12.6 No Online Appointment Booking
Please note that we do not offer automated online appointment booking. Appointments are only arranged through direct contact via phone or email.
13. Data Security
13.1 SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognize an encrypted connection by the browser address bar changing from "http://" to "https://" and the lock symbol in your browser bar.
When SSL/TLS encryption is activated, data you transmit to us cannot be read by third parties.
13.2 Technical and Organizational Measures
We implement comprehensive technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or access by unauthorized persons. Our security measures are continuously improved in line with technological developments.
Measures include:
- Encrypted data transmission (SSL/TLS)
- Access restrictions and authentication
- Regular security updates
- Firewalls and intrusion detection systems
- Regular backups
- Employee data protection training
- Data Processing Agreements with all service providers
14. International Data Transfers
Some of our service providers process data outside the European Union (e.g., in the USA). We ensure that such transfers only take place in compliance with the GDPR:
Legal bases for international transfers:
- EU-US Data Privacy Framework: Google, Cloudflare, and other US service providers are certified under this framework
- EU Standard Contractual Clauses (Article 46 GDPR): EU Standard Contractual Clauses have been agreed with all service providers processing data outside the EU
- Additional Safeguards: All service providers have implemented additional technical and organizational measures to ensure an adequate level of protection
You have the right to request a copy of the safeguards for data transfer. Please contact us at [email protected].
15. No Automated Decision-Making
We do not use automated decision-making including profiling pursuant to Article 22 GDPR. All decisions concerning you (e.g., course access, communication) are made by us personally.
16. Data Protection for Minors
16.1 Age Requirement
Our online courses are intended for persons aged 16 and over. Persons under 16 may only use our courses with the express consent of their legal guardians.
16.2 Verification
We do not conduct active age verification. By registering, you confirm that you are at least 16 years old or have the consent of your legal guardians.
16.3 Deletion of Minor's Data
If we become aware that personal data of persons under 16 has been processed without the consent of legal guardians, we will promptly delete this data.
17. Changes to This Privacy Policy
We reserve the right to amend this privacy policy from time to time to ensure it always complies with current legal requirements or to reflect changes to our services in the privacy policy, e.g., when introducing new services.
You can always access the current privacy policy on our website. The date of the last update can be found at the top of this page.
18. Contact for Data Protection Questions
If you have questions about data protection, exercising your rights, or complaints, please contact us at any time:
Dr. med. José Uy
Schoarerbergstr. 12
5302 Henndorf am Wallersee
Austria
Phone: +43 6214 20360
Email: [email protected]
We will process your inquiry promptly and respond as soon as possible.