Privacy Policy

Last updated: January 31, 2026

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent in connection with the provision of our services.

This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites and in the client portal. The terms used are not gender-specific.

Table of Contents

  • Data Controller
  • Data Protection Officer Contact
  • Overview of Processing Activities
  • Applicable Legal Bases
  • Security Measures
  • Transfer of Personal Data
  • International Data Transfers
  • Deletion of Data and Retention Periods
  • Rights of Data Subjects
  • Cookies and Cookie Banner
  • Client Account and Client Portal
  • Free Consultation Call (Lead Management)
  • Booking and Appointment Scheduling
  • Processing of Health Data (Concerns)
  • Psychological Counseling
  • Appointment Reminders via Email
  • Marketing Emails and Follow-up Communication
  • Newsletter
  • Payment Processing
  • Third-Party Providers and Services Used
  • Web Hosting and Technical Infrastructure
  • Web Analytics (Google Analytics)
  • Contact and Inquiries
  • Changes and Updates to the Privacy Policy

Data Controller

Philipp Scholz & Ronny Glotzbach GbR
Psychofit – Psychological Counseling
Fritz-Haber-Str. 5
67454 Haßloch
Germany

Email: kontakt@psychofit.de
Legal Notice: https://psychofit.de/impressum

Data Protection Officer Contact

For questions regarding data protection, you can reach us at:

Email: kontakt@psychofit.de

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of their processing, and the data subjects concerned.

Types of Data Processed

  • Inventory data (e.g., names, addresses)
  • Contact data (e.g., email, phone numbers)
  • Content data (e.g., entries in online forms)
  • Contract data (e.g., subject matter of contract, term)
  • Payment data (e.g., bank details, invoices)
  • Usage data (e.g., websites visited, access times)
  • Meta, communication and procedural data (e.g., IP addresses, timestamps)
  • Special categories of data: Health data (counseling concerns)

Categories of Data Subjects

  • Clients and prospective clients
  • Counseling clients (persons receiving psychological counseling)
  • Communication partners
  • Users (e.g., website visitors)

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Conducting psychological counseling
  • Management of client accounts and client portal
  • Appointment booking and management
  • Payment processing
  • Contact inquiries and communication
  • Appointment reminders via email
  • Security measures
  • Provision and improvement of our online services
  • Web analytics and reach measurement (only with consent)

Applicable Legal Bases

Below you will find an overview of the legal bases of the DSGVO (GDPR) on which we process personal data:

Consent (Art. 6(1)(a) DSGVO / Art. 9(2)(a) DSGVO)

The data subject has given consent to the processing of their personal data for one or more specific purposes. For health data (Art. 9 DSGVO/GDPR), explicit consent is required.

Contract Performance and Pre-contractual Inquiries (Art. 6(1)(b) DSGVO)

Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject.

Legal Obligation (Art. 6(1)(c) DSGVO)

Processing is necessary for compliance with a legal obligation to which the controller is subject.

Legitimate Interests (Art. 6(1)(f) DSGVO)

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection regulations of the DSGVO (GDPR), national data protection regulations in Germany also apply. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include in particular:

  • TLS/SSL Encryption: Our website uses HTTPS encryption to protect data transmission.
  • Access Restrictions: Personal data is only accessible to authorized employees and counselors.
  • Secure Passwords: Passwords in the client portal are hashed with bcrypt (not stored in plain text).
  • Session Management: Time-limited login sessions with secure, encrypted session cookies.
  • Regular Backups: Daily database backups to protect against data loss.
  • Data Processing Agreements (DPA): With all third-party providers that process personal data.

Transfer of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and in particular conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

An overview of the data processors and third-party providers used can be found in the section "Third-Party Providers and Services Used".

International Data Transfers

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, entities or companies, this is only done in accordance with legal requirements.

We use the following for this purpose:

  • EU-US Data Privacy Framework (DPF): For certain US providers that are certified under this framework agreement.
  • Standard Contractual Clauses (SCC): EU Standard Contractual Clauses pursuant to Art. 46(2)(c) DSGVO (GDPR) as a basis for third-country transfers.
  • Adequacy Decision: The EU Commission has determined an adequate level of data protection for certain countries.

Further information on the individual third-party providers and their data protection guarantees can be found in the section "Third-Party Providers and Services Used".

Deletion of Data and Retention Periods

The data processed by us will be deleted in accordance with legal requirements as soon as the consent on which the processing is based is withdrawn or other permissions no longer apply (e.g., if the purpose of processing this data has ceased to apply or the data is no longer required for that purpose).

If the data is not deleted because it is required for other legally permissible purposes, its processing is limited to these purposes. This means that the data is blocked and not processed for other purposes.

Statutory Retention Periods

This applies in particular to data that must be retained for commercial or tax law reasons:

  • 8 years: Invoices, accounting records (§ 147(1) AO; since 01.01.2025 reduced from 10 to 8 years for records from 2025 onwards)
  • 6 years: Business letters, commercial correspondence (§ 257(4) HGB)

Note: The retention period begins at the end of the calendar year in which the last entry was made, the record was created, or the document was received/sent.

Retention Periods for Specific Data

  • Lead Data (Consultation Call): Automatic deletion after 6 months if no paid booking has been made. The period begins from the date of the consultation call.
  • Client Account: Data is stored as long as the client account is active. After account deletion, data is treated according to statutory retention periods.
  • Counseling Concerns: Stored together with booking data as long as this is necessary for contract fulfillment. After completion of counseling, deletion occurs unless statutory retention obligations exist. Upon withdrawal of consent, the concern is deleted immediately.
  • Enrollment Certificates (Student Discount): Collected solely for verification of student status and deleted immediately after successful review (approval or rejection). Only the review result (verified yes/no) is stored until the end of the respective semester. Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance). We recommend redacting unnecessary data (e.g., date of birth, place of birth, student ID number) before uploading — name, university and validity period are sufficient for verification.
  • Appointment Reminders: Information about sent reminders is stored for the duration of the contractual relationship.
  • Cookie Settings: 12 months (cookie consent cookie)
  • Session Cookies: Deleted when the browser is closed
  • Google Analytics Cookies: Up to 2 years (only with consent given)

Rights of Data Subjects

As a data subject, you are entitled to various rights under the DSGVO (GDPR), which arise in particular from Articles 15 to 21 DSGVO (GDPR):

Right to Object (Art. 21 DSGVO/GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) DSGVO (GDPR).

Right to Withdraw Consent (Art. 7(3) DSGVO/GDPR)

You have the right to withdraw consent at any time. This applies in particular to consent to the processing of health data (counseling concerns) and to consent to the use of Google Analytics. Withdrawal can be made by email to kontakt@psychofit.de.

Right of Access (Art. 15 DSGVO/GDPR)

You have the right to obtain confirmation as to whether personal data is being processed and to information about this data as well as further information and a copy of the data in accordance with legal requirements. Please contact us by email at kontakt@psychofit.de.

Right to Rectification (Art. 16 DSGVO/GDPR)

You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you. You can do this yourself via the client portal.

Right to Erasure (Art. 17 DSGVO/GDPR)

You have the right to request that data concerning you be deleted without undue delay, or alternatively to request restriction of processing. You can delete your client account at any time via the client portal. Please note that deletion is not possible if there are still active bookings or statutory retention obligations apply.

Right to Data Portability (Art. 20 DSGVO/GDPR)

You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller. Please contact us by email at kontakt@psychofit.de.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 DSGVO/GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the DSGVO (GDPR).

Competent supervisory authority for Rhineland-Palatinate:
The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
Hintere Bleiche 34
55116 Mainz
www.datenschutz.rlp.de

Contact: To exercise your rights, please contact kontakt@psychofit.de. We will respond to your request within one month.

Cookies and Cookie Banner

Cookies are small text files that store information on end devices and read information from end devices. They are used, for example, to save the login status in a user account or to provide website functionality.

Cookies Used

1. Necessary Cookies (without consent)

The following cookies are required for the functionality of the website and do not require consent pursuant to § 25(2) No. 2 TTDSG (German Telecommunications-Telemedia Data Protection Act):

  • psychofit-kunde-session: Authentication in the client portal. Stores your encrypted session ID to keep you logged in. Duration: 7 days.
  • psychofit-session: Authentication in the counselor dashboard. Stores the encrypted session ID. Duration: 24 hours.
  • psychofit-cookie-consent: Stores your cookie settings so you are not asked again on each visit. Duration: 1 year.

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance) and § 25(2) No. 2 TTDSG (technically necessary).

2. Analytics Cookies (only with consent)

The following cookies are only set if you have given consent via our cookie banner:

  • _ga: Google Analytics – Distinguishes individual visitors using a randomly generated ID. Duration: 2 years.
  • _ga_*: Google Analytics – Stores and counts page views. Duration: 2 years.
  • _gid: Google Analytics – Distinguishes visitors within a day. Duration: 24 hours.

Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent) and § 25(1) TTDSG.

Cookie Banner and Consent Management

When you first visit our website, a cookie banner appears through which you can decide whether to allow the use of analytics cookies (Google Analytics). Necessary cookies are set without your consent as they are required for the functionality of the website.

You can change your cookie settings at any time via the link in the website footer or via the page /cookies.

Withdrawal of Consent: You can withdraw your consent at any time by changing the cookie settings or deleting cookies in your browser. Please note: If you block necessary cookies, certain areas of the website (such as the client portal) may not function correctly.

Note: Our cookie banner is based on a custom implementation without an external consent management platform. Consents are stored exclusively locally in your browser (cookie "psychofit-cookie-consent").

Further information can be found in our Cookie Policy.

Client Account and Client Portal

A client account is automatically created for you when you make your first booking. This serves to manage your appointments, view bookings and provide you with access to our client portal.

Creation of the Client Account

With your first booking, a client account is automatically created under your email address. You will then receive a welcome email with a link to set a password for your client account. This link is valid for 7 days.

Note on automatic account creation: With your booking, a client account is automatically created to manage your appointments. You will receive your login credentials by email. Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance). Further information can be found in this privacy policy.

Features of the Client Portal

In the client portal you can:

  • View your booked appointments
  • Book additional sessions
  • Edit your contact information
  • Change your password
  • Enable/disable appointment reminders
  • Manage your consent for the processing of health data (concerns)
  • Export your data as PDF, JSON or CSV (data portability pursuant to Art. 20 DSGVO/GDPR)
  • Delete your client account (right to erasure pursuant to Art. 17 DSGVO/GDPR)

Data Processed

  • Name, first name
  • Email address
  • Phone number (optional)
  • Password (hashed with bcrypt)
  • Booking history
  • Appointment details
  • Preferences (e.g., appointment reminders)
  • Consents (e.g., for processing of health data)

Legal bases:

  • Art. 6(1)(b) DSGVO (GDPR) (contract performance) for the management of your client account and your bookings
  • Art. 6(1)(a) DSGVO (GDPR) (consent) for optional features such as appointment reminders and newsletters
  • Art. 6(1)(f) DSGVO (GDPR) (legitimate interests) for security measures and improvement of our service

Deletion of Client Account

You can delete your client account at any time via the settings in the client portal. Please note:

  • Deletion is only possible if there are no active bookings (status: SCHEDULED) remaining.
  • After deletion, your personal data will be anonymized or deleted, unless statutory retention obligations apply (e.g., for invoice data).
  • Teams meeting links will be released and can be reused for other clients.
  • You will receive a confirmation email after successful deletion.

Free Consultation Call (Lead Management)

We offer you the opportunity to book a free consultation call to learn about our counseling services and to determine whether psychological counseling is suitable for your concerns.

Data Processed During the Consultation Call

  • First and last name
  • Email address
  • Phone number
  • Counseling concern (optional – see section "Processing of Health Data")
  • Selected appointment (date and time)

Purpose of Processing

The collected data is processed in order to:

  • Conduct the consultation call
  • Send you the Microsoft Teams meeting link
  • Remind you of the appointment
  • Create a client account for booking further sessions if you are interested

Lead Status and Retention Period

Persons who have booked a consultation call but have not yet made use of a paid session are stored as a "lead" (prospective client) in our system.

Automatic Deletion After 6 Months

Lead data is automatically deleted after 6 months if you have not made a paid booking during this time. The period begins from the date of the consultation call.

This deletion period is based on the principles of data minimization (Art. 5(1)(c) DSGVO/GDPR) and storage limitation (Art. 5(1)(e) DSGVO/GDPR): We only store your data as long as there is a legitimate interest in contacting you.

Conversion to Client

If you book a paid counseling session after the consultation call, your status is changed from "lead" to "client". In this case, the regular retention period for client data applies (see section "Deletion of Data and Retention Periods").

Legal bases:

  • Basic data (name, email, phone): Art. 6(1)(b) DSGVO (GDPR) (pre-contractual measures at the request of the data subject)
  • Concern (health data): Art. 9(2)(a) DSGVO (GDPR) (explicit consent) – see section "Processing of Health Data"

Booking and Appointment Scheduling

You can book appointments for psychological counseling on our website. Appointment booking is done through our own booking system — your data is processed exclusively on our own servers in the EU.

Data Processed During Booking

  • First and last name
  • Email address (required)
  • Counseling concern (see separate section "Processing of Health Data")
  • Selected appointment (date and time)
  • Selected payment method (Stripe or PayPal)
  • Booking type (e.g., initial session, follow-up session)

Booking Process

  1. You select an appointment on our website and enter your data.
  2. Your booking is stored in our database.
  3. You are redirected to payment via Stripe.
  4. After successful payment, your appointment is confirmed.
  5. You receive a booking confirmation email with appointment details and the Microsoft Teams link for the video consultation.
  6. The assigned counselor also receives a notification about the booking.

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance) – Processing is necessary for the fulfillment of the counseling contract.

Processing of Health Data (Concerns)

When booking a counseling appointment, you have the option to describe your counseling concern. This field is optional but enables our counselor to optimally prepare for the session.

Why Are Concern Descriptions "Health Data"?

Information about counseling concerns may allow conclusions about your health status (e.g., "stress", "anxiety", "relationship problems") and therefore falls under the special categories of personal data pursuant to Art. 9 DSGVO (GDPR) (health data).

Legal background: The European General Data Protection Regulation (DSGVO/GDPR) protects health data particularly strictly. The European Court of Justice has ruled that even theoretical conclusions about health status are sufficient to classify data as health data (ECJ Case C-184/20). The processing of such data is generally prohibited unless explicit consent exists (Art. 9(2)(a) DSGVO/GDPR).

Two Options for the Concern Field

We offer you two options:

Option 1: "I would prefer to discuss my concern in the session"

If you choose this option, the note "Will discuss in the session" is automatically saved. In this case, you do not share any health data with us and no separate consent is required.

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance) – no health data processed.

Option 2: Describe your concern in the text field

If you enter your concern in the text field, a consent declaration for the processing of health data (Art. 9(2)(a) DSGVO/GDPR) appears. You must give this consent by checking a checkbox before you can complete the booking.

Consent text (summary):

"I expressly consent to my counseling concern information – which may be considered health data under Art. 9 DSGVO (GDPR) – being processed for the preparation and conduct of psychological counseling. I can withdraw this consent at any time with effect for the future."

Processing and Use of the Concern

Your counseling concern will be:

  • Transmitted to the assigned counselor so they can prepare for the session.
  • Stored in our system as long as this is necessary for contract fulfillment.
  • Not shared with third parties (except for technical service providers who assist us with processing and are also bound by confidentiality obligations).

Withdrawal of Consent

You can withdraw your consent to the processing of your counseling concern at any time:

  • By email to kontakt@psychofit.de
  • By post to: Philipp Scholz & Ronny Glotzbach GbR, Fritz-Haber-Str. 5, 67454 Haßloch

Consequences of withdrawal: Upon withdrawal of consent, your counseling concern will be immediately deleted from our system. This does not affect the conduct of the counseling, but your counselor will no longer be able to prepare based on the described concern. The lawfulness of the processing carried out until the withdrawal remains unaffected.

Legal basis: Art. 9(2)(a) DSGVO (GDPR) (explicit consent for the processing of health data).

Psychological Counseling

We offer psychological counseling by qualified psychology graduates (B.Sc.) under supervision. Counseling sessions take place via video conference through Microsoft Teams.

Data Processed During Counseling

  • Counseling content (NOT recorded or documented in writing)
  • Appointment details (date, time, duration)
  • Assigned counselor
  • Microsoft Teams meeting link
  • Connection data (IP address, device information) are processed by Microsoft Teams

Confidentiality and Data Security

Your counseling sessions are confidential:

  • No recordings: We do not record any counseling sessions.
  • No written records: Session content is not documented in writing (unless you explicitly request this).
  • Encrypted transmission: Microsoft Teams uses end-to-end encryption for video calls.
  • Counselor confidentiality: Our counselors are bound by psychological confidentiality obligations.

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance) and Art. 9(2)(a) DSGVO (GDPR) (consent for the processing of health data in the context of counseling).

Further information on Microsoft Teams can be found in the section "Third-Party Providers and Services Used".

Session Notes

If you activate the "Session Notes" feature in the client portal, you and your counselor can create and view notes for your counseling sessions.

Data Processed

  • Counselor notes (visible to client): Notes written by your counselor that are visible to you
  • Private counselor notes: Only visible to the counselor — you do not have access to these
  • Personal reflections: Personal reflections written by you about the session

Encryption and Security

  • AES-256-GCM Encryption: All notes are stored encrypted server-side with AES-256-GCM (BSI TR-02102-1)
  • Individual Keys: A separate key is derived for each note type (HKDF)
  • No Plaintext: Only encrypted data is stored in the database
  • Versioning: Changes to notes are logged (audit trail)

Consent and Withdrawal

The use of the session notes feature requires your explicit consent (Art. 9(2)(a) DSGVO/GDPR). You can grant or withdraw this consent at any time in the client portal under "Session Notes".

Upon withdrawal of consent, all counselor notes visible to you as well as your own reflections will be irrevocably deleted. Private counselor notes remain with the counselor as they constitute their work documentation and are subject to counselor confidentiality.

Legal Bases

  • Client-visible notes and reflections: Art. 9(2)(a) DSGVO (GDPR) (explicit consent for the processing of health data)
  • Private counselor notes: Art. 6(1)(f) DSGVO (GDPR) (legitimate interest in counseling documentation for quality assurance and professional practice) in conjunction with § 6 of the counseling contract (release of confidentiality for treatment coordination)

Appointment Reminders via Email

To ensure that you do not miss your counseling appointment, we automatically send you appointment reminders by email.

Timing of Reminders

  • 24 hours before the appointment: First reminder (only if the appointment is more than 24 hours in the future)
  • 1 hour before the appointment: Second reminder

Content of Reminders

The emails contain:

  • Appointment details (date, time)
  • Name of your counselor
  • Microsoft Teams meeting link
  • Tips for preparing for the session

Opt-out (Unsubscribe)

Appointment reminders are enabled by default as they serve the interest of contract fulfillment and help you attend your appointments. However, you can deactivate appointment reminders at any time:

Note: Appointment reminders are not advertising and therefore do not require a double opt-in procedure. They serve exclusively for contract fulfillment and customer service.

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance) – Appointment reminders are necessary for the proper conduct of counseling and are in your interest.

Emails are sent via the Brevo service. Further information can be found in the section "Third-Party Providers and Services Used".

Marketing Emails and Follow-up Communication

With your explicit consent, we occasionally send you emails for customer retention and information about our services.

Type of Emails

The following emails are covered by your consent:

  • Reminders to continue counseling: Friendly reminders if you have not booked a session in a while.
  • Information about offers: News about our services and special promotions.
  • Tips for mental health: Occasional helpful information about mental well-being.

Consent

You can actively consent to receiving marketing emails during booking. This consent is voluntary and has no influence on the provision of our counseling services. The checkbox is not checked by default (opt-in).

Consent text: "I would like to occasionally receive reminders to continue my counseling as well as information about offers via email. I can withdraw this consent at any time."

Withdrawal of Consent

You can withdraw your consent at any time without giving reasons:

  • By clicking the unsubscribe link: Every marketing email contains an unsubscribe link at the bottom. One click is sufficient.
  • Via the client portal: In your settings you can deactivate marketing emails at any time.
  • By email: Write to kontakt@psychofit.de.

Effects of Withdrawal

After withdrawal, you will no longer receive marketing emails. The following emails are not affected (as they are part of contract fulfillment):

  • Booking confirmations
  • Appointment reminders (24h and 1h before the appointment)
  • Password reset emails
  • Important information about your client account

The withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal.

Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent).

Emails are sent via the Brevo service. Further information can be found in the section "Third-Party Providers and Services Used".

Newsletter

You have the option to subscribe to our free newsletter to receive tips on mental health and information about our services.

Registration (Double Opt-In)

We use the double opt-in procedure for newsletter registration:

  1. You enter your email address in our newsletter form.
  2. You receive a confirmation email with a confirmation link.
  3. Only after clicking the confirmation link will you be added to the mailing list.

The confirmation link is valid for 24 hours. Without confirmation, your data will not be stored.

Data Processed

  • Email address (required)
  • Time of registration
  • Time of confirmation
  • Source of registration (e.g., website footer, blog)
  • IP address at registration (for proof of consent)

Newsletter Content

The newsletter contains:

  • Tips for mental health
  • References to new blog posts
  • Occasional information about our services

Unsubscribe

You can unsubscribe from the newsletter at any time:

  • By clicking the unsubscribe link: At the bottom of every newsletter email there is an unsubscribe link.
  • By email: Write to kontakt@psychofit.de.

After unsubscription, your data will be deleted within 30 days, unless statutory retention obligations apply.

Conversion Upon Booking

If you make a booking with us as a newsletter subscriber, your newsletter subscription is automatically linked to your client account. Your marketing consent is maintained. You can then manage marketing emails via the client portal.

Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent).

Emails are sent via the Brevo service. Further information can be found in the section "Third-Party Providers and Services Used".

Payment Processing

Payment processing is handled by our payment service provider Stripe. Stripe enables you to pay with various payment methods:

  • Credit card (Visa, Mastercard)
  • Apple Pay
  • Google Pay
  • Klarna (Pay now, Invoice, Installments)
  • SEPA Direct Debit
  • PayPal (via Stripe Link)

All mentioned payment methods are provided and processed by Stripe. Apple Pay, Google Pay, Visa, Mastercard, Klarna and PayPal are registered trademarks of their respective companies.

Data Processed

The following data is transmitted to Stripe during payment processing:

  • First and last name
  • Email address
  • Amount
  • Booking number
  • Payment information (e.g., credit card details, bank details) is entered directly at Stripe and is NOT transmitted to us

Payment Confirmation

After successful payment, we only receive a confirmation of the successful transaction from Stripe. We receive no credit card numbers, bank details or other sensitive payment data.

Invoices

You automatically receive an invoice by email after each payment. Invoices are retained for 8 years in accordance with § 147(1) AO (since 01.01.2025 reduced from 10 to 8 years for records from 2025 onwards).

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance) and Art. 6(1)(c) DSGVO (GDPR) (legal obligation to retain invoice data).

Further information on Stripe and PayPal can be found in the section "Third-Party Providers and Services Used".

Third-Party Providers and Services Used

We use various third-party providers to deliver our services. We have concluded data processing agreements (DPA) pursuant to Art. 28 DSGVO (GDPR) with all providers that process personal data on our behalf.

Stripe (Payment Processing)

Stripe is our central payment service provider. Via Stripe we offer various payment methods: Credit card (Visa, Mastercard), Apple Pay, Google Pay, Klarna, SEPA Direct Debit and PayPal.

  • Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
  • Data processed: Name, email, payment information (depending on payment method: credit card details, bank details, wallet data), invoice data
  • Purpose: Payment processing
  • Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance)
  • Data transfer to third country: USA – EU-US Data Privacy Framework (DPF)
  • Privacy policy: stripe.com/de/privacy

Microsoft Teams (Video Counseling)

Microsoft Teams is the platform through which our video counseling sessions take place.

  • Provider: Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
  • Data processed: Name, email, connection data (IP address, device information), video and audio data during the session
  • Purpose: Conducting video counseling
  • Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance), Art. 9(2)(a) DSGVO (GDPR) (consent for health data)
  • Data transfer: Data processing within the EU (Ireland)
  • Privacy policy: privacy.microsoft.com/de-de/privacystatement
  • GDPR information: learn.microsoft.com/de-de/compliance/regulatory/gdpr

Brevo (Email Delivery)

Brevo (formerly Sendinblue) is our email delivery service provider for transactional emails (booking confirmations, appointment reminders, welcome emails).

  • Provider: Brevo (formerly Sendinblue), 55 rue d'Amsterdam, 75008 Paris, France
  • Data processed: Email address, name, appointment details, email opens and clicks (only for transactional emails)
  • Purpose: Sending booking confirmations, appointment reminders and welcome emails
  • Legal basis: Art. 6(1)(b) DSGVO (GDPR) (contract performance)
  • Data transfer: Data processing within the EU (France)
  • Privacy policy: brevo.com/de/legal/privacypolicy
  • Data processing agreement: brevo.com/de/legal/termsofuse/#annex

DigitalOcean (Web Hosting)

DigitalOcean hosts our website and database.

  • Provider: DigitalOcean LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA
  • Data processed: All data stored on our website and in our database, server log files, IP addresses
  • Purpose: Provision and operation of our website
  • Legal basis: Art. 6(1)(f) DSGVO (GDPR) (legitimate interests)
  • Data transfer: Our servers are located in the DigitalOcean data center in Frankfurt am Main (Germany) – no third-country transfer
  • Privacy policy: digitalocean.com/legal/privacy-policy
  • Data processing agreement: digitalocean.com/legal/data-processing-agreement

Google Analytics (Web Analytics)

We use Google Analytics to analyze the usage of our website. Google Analytics is only activated if you have given consent via our cookie banner.

  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Data processed: IP address (anonymized), page views, time on site, device information, browser type, referrer URL
  • Purpose: Analysis of website usage, improvement of services
  • Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent via cookie banner)
  • IP anonymization: Enabled – your IP address is truncated before being transmitted to Google
  • Data transfer to third country: USA – EU-US Data Privacy Framework (DPF)
  • Cookie duration: Up to 2 years (only with consent given)
  • Withdrawal: You can withdraw your consent at any time via the cookie settings
  • Privacy policy: policies.google.com/privacy
  • Opt-out option: Browser add-on to disable Google Analytics

Web Hosting and Technical Infrastructure

We process users' data in order to make our online services available to them. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

Server Log Files

Access to our online services is logged in the form of so-called "server log files". Server log files may include:

  • Address and name of the accessed web pages and files
  • Date and time of access
  • Amount of data transferred
  • Notification of successful access (HTTP status code)
  • Browser type and version
  • User's operating system
  • Referrer URL (the previously visited page)
  • IP address of the requesting computer
  • Requesting provider

The server log files serve security purposes (e.g., to prevent server overload, especially in the case of abusive attacks such as DDoS attacks) and help us manage server load and ensure the stability of the servers.

Retention period: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidence purposes is exempt from deletion until the final resolution of the respective incident.

Legal basis: Art. 6(1)(f) DSGVO (GDPR) (legitimate interests) – Ensuring the functionality and security of our website.

Web Analytics (Google Analytics)

We use Google Analytics to analyze the usage of our website. Google Analytics is only activated if you have given consent via our cookie banner.

How It Works

Google Analytics uses cookies to analyze how users use our website. The information generated by the cookies about your use of this website (including your IP address) is transferred to a Google server and stored there.

IP Anonymization

We have activated IP anonymization (anonymizeIP). As a result, your IP address is truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.

Purpose of Processing

Google will use this information on our behalf to:

  • Evaluate the use of our website
  • Compile reports on website activity for us
  • Provide other services relating to website and internet usage

Withdrawal of Consent

You can withdraw your consent at any time via the cookie settings.

Legal basis: Art. 6(1)(a) DSGVO (GDPR) (consent via cookie banner).

Further information on Google Analytics can be found in the section "Third-Party Providers and Services Used".

Contact and Inquiries

When you contact us (e.g., by email, phone or via a contact form), the information you provide is processed to the extent necessary to respond to your inquiry and to carry out any requested measures.

Data Processed

  • Name
  • Email address
  • Phone number (optional)
  • Content of the inquiry/message
  • Time of the inquiry

Purpose: Responding to your inquiry, communication, customer service.

Legal basis: Art. 6(1)(b) DSGVO (GDPR) (pre-contractual inquiries), Art. 6(1)(f) DSGVO (GDPR) (legitimate interests in responding to inquiries).

Retention period: Data is deleted as soon as it is no longer necessary for the purpose for which it was collected. For contact data and inquiries that do not lead to a contract, this is generally after 6 months. For inquiries related to existing contractual relationships, the retention period of the respective contractual relationship applies.

Changes and Updates to the Privacy Policy

We ask you to review the content of our privacy policy regularly. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time. Please verify the information before contacting them.

Do You Have Questions About Data Protection?

If you have questions about the processing of your personal data or about exercising your rights, we are happy to help:

Email: kontakt@psychofit.de
