Last modified: May 24th, 2018
How to contact us:
Dr. med. Madjid Salimi, Dr. med. Nawid Salimi, Benedikt Hochkirchen
Registered office: Cologne
Commercial Register: AG Cologne, HRB 33282
Our representative and wholly-owned subsidiary in the US:
AMBOSS MD Inc.
234 5th Avenue, 2nd Floor
New York, NY, 10001
Data Protection Commissioner:
AMBOSS GmbH is a young company providing a high quality service by physicians for physicians and medical students, as well as study materials. We want you as a customer of our service to understand how we use your data and which options you have to protect it. We are aware of the importance and sensitivity of your data and thank you for your trust. For us the careful handling of your information is a matter of major concern. If you have any individual questions, please do not hesitate to contact us.
1. Basic Information on Data Processing and Legal Basis
2. Transfer to a Third Party and Third-Party Providers
2.1. In agreement with the applicable legal regulations we are authorised to assign other companies or legal persons to carry out tasks on our behalf, for which the transfer of personal data is required. These include, for example, companies specializing in i.e. payment processing, the transfer of goods or the delivery of newsletters.
2.2. Personal data shall only be transferred to third parties on the basis of legal allowances and within the framework of legal provisions. We are only transferring personal data to third parties if this is necessary on the basis of art. 6 par. 1 lit. b GDPR for the fulfillment of the contract or when we pursue our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR. If third parties are assigned with the processing of data within the scope of a so-called ‘commissioned-processing contract’ this is done on the basis of art. 28 GDPR.
2.3. Provided we are using services of third parties in order to perform a service, we are taking appropriate legal measures as well as technical and organisational measures in order to ensure the protection of personal data according to the relevant legal provisions.
2.4. These measures may include the transfer of personal data to servers outside of the EU or trustworthy third parties based outside the EU for fulfilment of contract. You should be aware that some countries might not offer the same lawful protection of personal data as EU member states. While your personal data is stored in another country, courts, law enforcement authorities and national authorities of the respective country may access this data in conformity with the national laws. Subject to legal regulations we promise that every third party processing your personal data outside of the EU must take measures to ensure maximum security of your data according to our instructions as well as EU legislation. Therefore we only have data processed in a third country if the requirements according to art. 44 ff. GDPR are fulfilled.
What information we collect3. Fulfillment of Contractual Agreements / User-Account
3.1. We are processing basic data (i.e. name, address and further contact data), contractual data (i.e. payment information, services received and/or used) for the fulfillment of the contractual obligations and services in accordance with art. 6 par. 1 lit. b GDPR.
3.2. In order to fully use our service a registration is required. During the creation of the corresponding user-account you will be required to provide personal information (i.e. email address) and specify a password. This information serves as the basis for the login as well as the secure identification on AMBOSS.
3.3. In addition we will possibly ask you for further personal data such as the desired specialization, university, address or gender, i.e. as part of a survey or within your user-account. If this information is not required for the fulfillment of the contract it is provided on a voluntary basis. We will use this information to tailor our services to your needs.
3.4. During the registration and each time the user logs in and uses the online service, we save the IP address as well as the timestamp of the respective user action. The storage is done due on the basis of our legitimate interests and the interest of the user to be protected from misuse and unauthorized usage in accordance with art. 6 par. 1 lit. f GDPR.
4. Contact Form
4.1. In case of questions of any kind we are offering you the opportunity to contact us via a contact form on our website. In order to use the contact form a valid email address must be given enabling us to identify who has sent the request and answer it. Further information can be provided on a voluntary basis. The processing of data for the purpose of establishing contact with us is carried out in accordance with art. 6 par. 1 p. 1 lit. a GDPR based on your voluntarily given consent.
5.1. You have the possibility to apply for any current job opportunities through our online application portal. In order to process your application we collect, process and use the personal data you provided through our online application portal. Your personal data is used solely for processing your application. This includes establishing contact with you. Your personal data shall only be transferred to third parties within the bounds of a commissioned-processing contract or after the provision of your explicit unambiguous consent.
5.2. For our online application portal we are using the services of Greenhouse Software Inc., 455 Broadway, New York NY, 10013 USA, a cloud services provider located in the United States of America. Accordingly, if you are located outside of the United States, your personal data will be transferred to the United States once you submit it through this site. Because the European Union Commission has determined that United States data privacy laws do not ensure an adequate level of protection for personal data collected from EU data subjects, the transfer will be subject to an appropriate commissioned-processing contract.
5.3. Your personal data will be retained by AMBOSS as long as AMBOSS determines it is necessary to evaluate your application for employment. In case of a rejection, your data will be completely deleted after 6 months. In case you have agreed to retaining your data further, AMBOSS will transfer your data to a talent pool and completely delete your data after 1 year. In case AMBOSS and you enter into an employment relationship, your data will be transferred from our recruiting software Greenhouse into our HR Management software BambooHR and afterwards deleted in Greenhouse.
5.4. The processing and storage of your personal data is based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the processing of your application and the filling of vacant positions.
6.1. Providing you have given your consent in accordance to art. 6 par. 1 p. 1 lit. a GDPR we will send periodic email newsletters to the email address you have provided. Where the registration for the newsletter included a concrete description of the newsletter content this description is authoritative for your consent. Newsletters include information on our products, offerings, special offers and our company. For the reception of our newsletters the provision of a valid email address is sufficient.
6.2. For the newsletter registration we use the so-called double opt-in procedure, i.e. you need to confirm the provided email address before being added to our email list and receiving newsletters. In order to confirm the newsletter registration we will send you an email with a confirmation link, which you need to click in order to confirm your newsletter registration.
6.3. With a registration for the newsletter we store your IP address and the date of your registration. The storage of this information shall serve as the proof of your newsletter registration.
6.4. You may withdraw your registration for the newsletter at any time with effect for the future via a link in the newsletter itself, in your user-account or via e-mail to the address given above.
6.5. If you have made a purchase of goods or services from us, we are entitled to send you information about our own similar goods or services to the the e-mail address given to us during the conclusion of the contract. You may object to this use of your e-mail address at any time with effect for the future via a link in the newsletter, in your user-account or via e-mail to the address given above.
7.1. You have the possibility to make individual personal data in your user profile (i.e. first name, last name, email address, university, clinic) as well as further information (i.e. personal notes) findable for other users. When doing so, it is possible to limit the availability or findability to certain user groups.
7.2. The release of your personal data and information for other users is performed on a voluntary basis, i.e. providing you have given your consent in accordance to art. 6 par. 1 p. 1 lit. a GDPR. You can revoke or modify the consent, limit the availability or findability to certain user groups and the released data at any time in your user profile.
7.3. If you have enabled (partial) findability for personal data as well as further information, we will notify you via email or directly in the user profile in case of a contact request by another user.
7.4. You may revoke your consent for making individual personal data as well as further information findable any time with effect for the future via your user-account or via e-mail to the address given above.
8. Comments and Contributions
8.1. Users of AMBOSS may post comments, personal notes or other content. If users decide to do so their IP address is stored based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: for our security in the event a user posts illegal content.
9. Access Data and Log Files
9.1. When you visit AMBOSS, our server automatically collects certain browser or device generated information, which may in some cases constitute personal data, including but not limited to:
- your domain;
- your IP address;
- your date, time and duration of your visit;
- your browser type;
- your operating system;
- your page visits;
- information from third parties;
- other information about your computer or device; or
- Internet traffic.
9.2. If you have created a user account and use AMBOSS, we automatically collect usage statistics on question results as well as visited pages within our learning platform. This information is collected, processed and used in order to tailor our services to your needs. Therefore anonymous, aggregated statistics are created.
9.3. The processing and storage of this data is based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the maintenance and improvement of our services, as well as for security reasons (i.e. the investigation of misappropriation).
10.1. We are using cookies on our website. A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile device browser from our website’s server or the servers of third parties and is stored on your device’s hard drive for later access.
10.3. The processing and storage of data gathered through cookies is based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the maintenance and improvement of our services.
10.4. Most browsers accept cookies automatically. However you can configure your browser to refuse to accept cookies or display a warning whenever a website tries to store a cookie on your device. Blocking all cookies may, however, affect the usability of AMBOSS and is not recommended.
11. Facebook Social Plugins
11.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the analysis, optimization and operation of our online services, we are employing Social Plugins (‘Plugins’), a service by the social network facebook.com, operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland (‘Facebook’). These Plugins are indicated by the Facebook logo (‘f’).
11.2. Whenever you access a page of our website that contains the Plugin, your browser establishes a direct connection to the servers of Facebook. The content of the plug-in is transferred from the respective provider directly to your browser and integrated into the page. he integration of the plug-in allows the provider to receive notification that your browser has accessed the corresponding page of our website, even if you do not have a profile on the corresponding social network or are not logged in. This information (including your IP address) is transferred from your browser directly to a server of the respective provider and stored there. If you are logged in to one of the social networks, the providers can directly associate the visit to our website with your Facebook profile. If you interact with the plug-ins by clicking ‘like’, for example, the corresponding information is also transferred directly to a server of the provider and stored there. The information is also published on the social network and displayed to your contacts there.
11.4. If you do not want Facebook to associate your data collected via our website directly with your profile on the social network, you must log out of the corresponding network and delete your cookies before visiting our website. Further settings and options to object can be accessed via the Facebook profile settings: https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fads%2Fpreferences%2F%3Fentry_product%3Dad_settings_screen
12. Facebook Remarketing-Services / Custom Audience
12.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the analysis, optimization and operation of our online services, we are the so-called ‘Facebook-Pixel’, a service by the social network facebook.com, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or for users from the EU, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”).
12.2. We use pixel tags from Facebook, and the information collected is to help us to display placed advertisements (so-called ‘Facebook-Ads) only to users that have shown a clear interest in our services or have certain characteristics that have been transferred to facebook (so-called ‘Custom Audiences’). By using the Facebook-Pixel we can trace, whether a user has clicked on a Facebook-Ad and has thereby been redirected to our website (so-called ‘Conversion’).
12.3. Every time you visit AMBOSS, Facebook creates a cookie (as described under clause 10). If you are logging in to the Facebook website or visit the Facebook website in the logged in state your visit to AMBOSS is stored in your Facebook profile. The data gathered and evaluated will remain anonymous and the identity of the user cannot be traced.
However, the respective data is stored and processed by Facebook, whereby a connection to the Facebook user profile is possible and this data can be used for market-research and advertising.
12.4. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, we are employing the ‘Advanced Matching’ feature provided by using the Facebook-Pixel. In this case personal data, i.e. country, university or Facebook-ID, is used to create target groups (so-called ‘Custom-Audiences’) is transferred to Facebook. Further information on ‘Advanced Matching’ can be found here: https://www.facebook.com/business/help/611774685654668
12.5. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the correct, lawful and purposeful display of advertisements in the context of Facebook Custom Audience services, we are employing the ‘Custom Audience from File’ service provided by Facebook. We are only uploading e-mail addresses of users that have registered for our newsletter. The upload of these addresses is made in encrypted form.
12.6. Processing of personal data by Facebook takes place within the framework of the Facebook data policies. Further details on the display of Facebook-Ads can be found in the Facebook data policy here: https://www.facebook.com/policy.php. Details on the Facebook-Pixel as its functioning can be found in the support area of Facebook’s website:https://www.facebook.com/business/help/651294705016616
12.7. You may refuse the storage of the information through the Facebook-Pixel and the use of your data to display Facebook-Ads and/or change the types of ads that are displayed within Facebook here: https://www.facebook.com/settings?tab=ads
13. Facebook Login
13.1. We offer you the ability to register and login to AMBOSS with Facebook Login. This only takes place with the explicit consent in accordance with art. 6 par. 1 p. 1 lit. a GDPR.
Facebook Login is a service provided Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Thereby no further and separate registration or login is required. In order to complete the registration or login you will be redirected to the Facebook website where you can login with your Facebook credentials. By linking your Facebook account we automatically receive the following data from Facebook Inc.:
- First and Last Name
- E-Mail Address
- Your Facebook Username
13.2. We only use personal data provided, which is required for the completion of your user profile in accordance with those named under clause 3. This information is absolutely necessary for our service in order to identify you.
14. Google Sign-In
14.1. We offer you the ability to register and login to AMBOSS with Google Sign-In. This only takes place with the explicit consent in accordance with art. 6 par. 1 p. 1 lit. a GDPR.
Google Sign-In is a service provided by Google LLC („Google“), Amphitheatre Parkway, Mountain View, CA 94043, USA. Thereby no further and separate registration or login is required. In order to complete the registration or login you will be redirected to the Google website where you can login with your Google credentials. By linking your Google account we automatically receive the following data from Google LLC:
- First and Last Name
- E-Mail Address
- Ihre Google Username (if different from your E-Mail Address)
14.2. We only use personal data provided, which is required for the completion of your user profile in accordance with those named under clause 3. This information is absolutely necessary for our service in order to identify you.
15. Google Analytics
15.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the analysis, optimization and operation of our online services, we are employing Google Analytics, a service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, („Google“). In this context pseudonymous user profiles are created and cookies are used (as described under clause 10). The information stored by the cookie, such as browser-type/-version, operating system, referrer-URL (the previously visited site), hostname of the accessing device (ip address) and the timestamp of the server request are transferred to a server operated by Google for storage.
15.2. The information generated relating to our website is used to create reports about the use of AMBOSS in order to improve our website and tailor our services to your needs.
The IP addresses are anonymised (ip-masking) and used for statistical purposes; person-related evaluation of the IP addresses is impossible.
15.3. We use Google analytics to display placed advertisements by Google and its partners only to users that have shown a clear interest in our services or have certain characteristics that let assume on an interest in our services (so-called ‘Google-Analytics-Audiences’)
15.5. In addition, you may refuse the storage of the information generated by the cookie that allows for conclusions about your use of the website (incl. your ip address) as well as the processing of this data by Google. In order to do so you need to download and install a browser-addon provided by Google that can be found here: https://tools.google.com/dlpage/gaoptout?hl=de
15.6. Alternatively to the browser-addon or within the scope of browsers on mobile devices please visit the following link in order to set an opt-out-cookie that will prevent Google Analytics from collecting personal data in the future (please note that the effect of the cookie is limited to this browser on this device and needs to be downloaded again if you delete your cookies):
16. Google Remarketing
16.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the analysis, optimization and operation of our online services, we are employing Google Remarketing, a service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, („Google“).
16.2. The Google Remarketing services allow for displaying advertisement based on user interest. For this purpose so-called ‘Remarketing-Tags’ are placed on AMBOSS websites as well as the websites of other participants of the Google Remarketing service. Through these Remarketing-Tags a cookie is stored on the device of the user, containing information such as browser-type/-version, operating system, referrer-URL (the previously visited site), hostname of the accessing device (ip address) and the timestamp of the server request. The IP addresses of AMBOSS users is not combined with with other Google data. Nevertheless, Google may combine other aforementioned information with information from other sources. If the user visits another website participating in the Google Remarketing service afterwards, the user can be targeted with advertisements according to his or her individual interests.
16.3. This website uses the online advertising tool ‘Google AdWords’, a service provided by Google. In this context the so-called ‘Conversion-Tracking’ is used. The conversion tracking cookie is set when a user clicks on a Google advertisement. These cookies are invalidated after 30 days and are not used for personal identification.If this cookie has not yet expired when the user visits certain pages of AMBOSS, Google and AMBOSS GmbH will be able to tell that the user clicked on a specific advertisement and proceeded to that page. Every customer of Google Adwords receives an individual cookie. Therefore cookies cannot be tracked across the websites of different Google AdWords customers. The information collected through the conversion-cookie serves to generate statistics for Google AdWords customers that are using the Google AdWords service. Google AdWords customers are able to retrieve the total number of users clicks on advertisements that have been marked for conversion tracking. However the data gathered and evaluated will remain anonymous and the identity of the user cannot be traced. Users that do not want to participate in Conversion-Tracking can easily delete the cookies stored on their device through their browser. These users are will not be included in the conversion tracking statistics.
16.5. Furthermore we use “Google Tag Manager”, a service that allows us to embed Gogole Analytics and Google Remarketing into our website.
16.6. The personal data collected by Google Remarketing services is transferred to a server operated by Google in the USA. The processing of data within the scope of Google Remarketing services will only be done in strictly pseudonymous form. This shall not be the case, if the user has given his or her explicit consent to process the personal data without pseudonymization.
16.8. You may refuse the display of advertisements through the Google Remarketing service and the use of your data to display advertisements and/or change your preferences for the service here: http://www.google.com/ads/preferences.
17.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the analysis, optimization and operation of our online services, we are employing ‘Blueshift’ a web-analytics tool by Blueshift Labs, Inc., 231 Sansome St Suite 300, San Francisco, CA 94104, USA.
17.2. We use Blueshift to display advertisements to pseudonymous users or groups of users. These advertisements are individually aligned and interest-based. Additionally we are also able to see, whether users have clicked on an advertisement and subsequently made purchases.
17.3. Every time you visit AMBOSS Blueshift creates a cookie (as described under clause 10) that stores pseudonymous user data such as browser-type/-version, operating system, referrer-URL (the previously visited site), hostname of the accessing device (ip address) and the timestamp of the server request. This information is transferred to a server operated by Blueshift in the USA for storage.
17.5. You may object to receive mail or email through the remarketing services by using the opt-out service provided by Blueshift that can be accessed here:
18.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the statistical analysis of user behavior, optimization and operation of our online services, we are employing Mouseflow, a service by Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. This tool records randomly selected users (only by strictly pseudonymous ip address). Thereby a protocol of mouse movements and clicks is used to create session recordings that allow for the identification of potential usability improvements.
18.2. You may object the web analysis through Moseflow at any time temporarily by deactivating the setting on your browser (deactivating cookies) or permanently by setting an opt-out cookie. You can download and install the available opt-out cookie here: https://mouseflow.de/opt-out/
19. Amazon Partnernet
19.1. Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the statistical analysis of user behavior, optimization and operation of our online services, we are participating in Partnernet, a service by Amazon Europe S.à.r.l.. Partnernet is an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com. However we are not sending data to Amazon directly, but only link to offers on amazon.com.
20. Use of Contents and Services of Third Parties
Based on our legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, namely: the statistical analysis of user behavior, optimization and operation of our online services as well as the fulfilment of contract according to art. 6 par. 1 lit. b GDPR we are using contents or services of third parties. The consequence is that the third parties providing these contents or services receive the ip address of the user accessing the website employing the content or service. We try to only employ contents and services of providers that limit the use of the ip address for the provision of these contents and services.
20.1. We are using content and services of the following providers:
21. Data Security
21.1. The entire communication of your browser with AMBOSS is ensured through a TLS-secured connection in order to protect your information against the unauthorised access by third parties. Only selected administrators have access to your data as far as this is indispensable to the fulfillment of the contract.
21.2. We apply appropriate technical and organisational security measures in order
to protect your personal data against manipulation, partial or full loss and against unauthorised access by third parties. The standards shall be kept up to date in the light of technological progress and the developments in good engineering practice in safety matters
22. Deletion of Data
22.1. We will immediately delete the personal data we have stored after the contract has been fulfilled or unless otherwise indicated by provisions of law. If user data is not deleted due to provisions of law, the processing of this data is constrained, i.e. not used for other services. This applies for example for user data stored due to commercial or tax law provisions.
23. Rights of the Persons Affected
23.1. You have the right:
- to withdraw your consent at any time for future effect, in accordance with art. 7 par. 3 GDPR
- to request information concerning the personal data stored about them at any time, free of charge, in accordance with art. 15 GDPR ;
- to request rectification of any incomplete or inaccurate information, in accordance with art. 16 GDPR;
- to request the deletion of your personal data stored with us unless it opposes the processing for the fulfillment of contract, the right to freedom of expression and information, grounds of public interest or the establishment, exercise or defence of legal claims, in accordance with art. 17 GDPR;
- to request the restriction of the processing of your personal data, in accordance with art. 18 GDPR ;
- to request your personal data stored with us the personal data stored in a structured, standardized and machine-readable format or request the delivery to another authorized party, in accordance with Art. 20 GDPR;
- to complain to the responsible supervisory authority, in accordance with Art. 77 GDPR.
24. Right of Refusal
24.1. In case your personal data is processed based on legitimate interests in accordance to art. 6 par. 1 lit. f GDPR, you have the right to refuse the processing of your personal data, based on art. 21 GDPR, if there are legitimate reasons or the refusal is directed towards direct advertising. In the latter case you have a general right of refusal without being required without having to offer a legitimate reason.
24.2. If you would like to exercise your right of refusal or revocation, please do so via e-mail to the address given above