Data security is important to us. Because the protection of patient data is critical, OnlineDoctor encrypts all data transfers with SSL/TLS. To guarantee the highest level of security, OnlineDoctor uses two-factor authentication, which is used in e-banking. With this additional layer of security, OnlineDoctor ensures that only you can access your Skin Check Report. The following data protection guidelines give a detailed description of how we handle your personal information.
Privacy statement
General
We, OnlineDoctor, take the protection of the personal data of our customers and those interested in our offers very seriously. For this reason, it is our duty to protect user data that is entrusted to us when visiting our website. It is very important to us to protect the privacy of the users of our website at all times. If and insofar as the user voluntarily provides personal data, this data is collected and stored in accordance with the statutory data protection provisions of the Swiss Data Protection Act (DSG). It goes without saying that all data is treated confidentially. With the following data protection information, we would like to explain in more detail what data is collected, what happens to this data and what security precautions we have taken to protect this data from misuse. We also inform you about your rights with regard to the processing of your data. By providing this transparent and comprehensible information about our data protection provisions, we want to ensure that visitors and customers are well and adequately informed about the collection, processing and use of personal data.
Responsible office
The organisation responsible for the collection, processing and use of your personal data is
OnlineDoctor AG
Waisenhausstrasse 15
9000 St. Gallen
support@onlinedoctor.ch
Personal data
Personal data is all data that relates to an identified or identifiable person. This includes the following categories of personal data:
- Inventory data (e.g. name, function, organisational affiliation)
- Contact details (e.g. address, e-mail address, telephone/fax number)
- Content data (e.g. text input)
- Usage data (e.g. access data, IP address, date and time of access)
Your personal data will not be transferred to third parties when using our website or when contacting us by e-mail or via the contact form for purposes other than those listed below.
Data transfer and recipients
As a rule, your personal data will not be transferred to third parties, unless
- we have explicitly pointed this out in the description of the respective data processing and
- You have given your express consent to this, or
- the disclosure is necessary for the assertion, exercise or defence of legal claims or is in our legitimate interest for other reasons and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data, or
- there is a legal obligation for the disclosure or
- the transfer is necessary for the processing of contractual relationships with you.
We also use external service providers for the provision of our services and the processing of our services, which we select and commission carefully. These service providers are bound by our instructions and are regularly monitored by us. We have also concluded order processing contracts with them where necessary. The service providers are responsible for web hosting, sending e-mails, maintaining and servicing our IT systems and payment management.
Furthermore, we may pass on your personal data to third parties if contracts or similar services are offered by us together with partners. You will receive more detailed information on this when you provide your personal data or in the description of the respective offer you have taken advantage of.
If our service providers or partners are based in a country outside the European Union (EU) or the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the service used in each case and of the guarantees we provide to protect your personal data.
Processing of personal data when visiting our website (personal data concerned and purpose of processing)
When you use our website www.onlinedoctor.ch for information purposes only, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
- IP address
- Date and time of the enquiry
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request comes
- Browser
- Operating system and its interface
- Language and version of the browser software.
We process the aforementioned data for the following purposes:
- Ensuring a smooth connection to the website,
- To ensure a comfortable use of our website,
- Evaluation of system security and stability and
- for further administrative purposes.
Under no circumstances do we use the data collected for the purpose of drawing conclusions about your person. The data may also be processed in anonymised form for statistical purposes. At no time will this data be stored together with other personal data of the user, compared with other databases or passed on to third parties.
We also use cookies and analysis services when you visit our website. You will find more detailed explanations in this privacy policy below.
Processing of personal data in the context of making contact (categories of personal data concerned and purpose of processing)
You can contact OnlineDoctor by e-mail using the e-mail address published on our website or the contact form provided.
If you use one of the above-mentioned contact channels, the personal data you provide (e.g. surname, first name, address), but at least the e-mail address, as well as the information contained in the e-mail or in the contact form will be stored for the purpose of contacting you and processing your request. We delete the data arising in this context after storage is no longer required, or restrict processing if there are statutory retention obligations.
Processing of personal data as part of the newsletter subscription (categories of personal data concerned and purpose of processing)
If you subscribe to the OnlineDoctor newsletter, the data in the respective input mask will be transmitted to the controller. We use rapidmail to send newsletters. The provider is rapidmail GmbH, Wentzingerstraße, 21, 79106 Freiburg, Germany. Among other things, rapidmail is used to organise and analyse the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter is stored on rapidmail’s servers in Germany.
The registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no-one can register with other people’s e-mail addresses. When registering for the newsletter, the user’s IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned. The data is not passed on to third parties. An exception is made if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. You can cancel your subscription to the newsletter at any time. You can also revoke your consent to the storage of personal data at any time. There is a corresponding link for this purpose in every newsletter.
We use the provider rapidmail to analyse whether and how you have opened the contents of the newsletter. For the purpose of the analysis, the emails sent with rapidmail contain a so-called tracking pixel, which connects to the rapidmail servers when the email is opened. In this way, it can be determined whether a newsletter message has been opened. We can also use rapidmail to determine whether and which links in the newsletter message are clicked on. All links in the e-mail are so-called tracking links, with which your clicks can be counted. Depending on the font used in the newsletter, a connection to external servers such as Google Fonts is established.
If you do not wish to be analysed by rapidmail, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.
The data stored by us as part of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from our servers as well as from the servers of rapidmail after cancellation of the newsletter. Data stored by us for other purposes remains unaffected by this.
Processing the mobile phone number for 2-factor authentication
In order to protect your personal data, in particular your health data, access to your treatment recommendations is only possible by means of 2-factor authentication. This ensures that your personal data is only accessible to you. This requires you to enter an activation code, which is sent to your mobile phone number, to access the treatment recommendation.
When you register on our website, your mobile phone number is recorded for this purpose and forwarded to the authentication platform Auth0 (Auth0 Inc., 100 First Street, Floor 6, San Francisco, CA 94105) and a user account is created in which no data other than your mobile phone number is stored.
We have concluded an order processing contract with Auth0 Inc. in which we oblige the service provider to protect our customers’ data and not to pass it on to third parties.
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification under the Swiss-U.S. Data Privacy Framework. Auth0 Inc. is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Your mobile phone number will not be passed on to third parties or used for advertising purposes.
Your personal data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. This is usually the case when you delete your OnlineDoctor account.
Processing of personal data for sending a satisfaction survey by e-mail
We process your e-mail address received during the registration process for the purpose of sending you a satisfaction survey on counselling via OnlineDoctor.
To create the survey, we use Typeform, a survey tool from the company Typeform SL, based in C/ Can Rabia 3-5, 4th floor, 08017 – Barcelona (Spain). The data entered by you for the purpose of answering the survey will be stored by Typeform SL on servers of the cloud computing provider Amazon Web Services in the EU used by Typeform SL.
You have the right to object to the processing of your personal data. If you wish to exercise your right to object, you can send your objection informally by e-mail to hello@onlinedoctor.ch.
Processing of personal data in the context of the teledermatological counselling service (categories of personal data concerned and purpose of processing)
In addition to the purely informational use of our website, we offer various specialist medical counselling services via the dermatologists registered with us (hereinafter referred to as “teledermatological consultation services”), which you can use if you are interested. To do so, you must generally provide further personal data (e.g. health data, payment data), which we and the dermatologist use to provide the respective service.
The mediation and technical implementation of the specialist medical consultation service and the provision of related support services constitutes the processing of your personal data by OnlineDoctor on behalf of the respective dermatologist. The dermatologist selected by you is responsible under data protection law for the implementation of the treatment contract.
Health data is processed for the teledermatological counselling service. This belongs to the special category of personal data. We will only process this special category of personal data with your express consent.
If you choose to make use of teledermatological consultation services via our website, the following personal data will be processed by us and forwarded to the dermatologist commissioned to answer your enquiry:
- First name and surname
- Gender
- Date of birth
- address
- Telephone/mobile number
- Image data based on the photographs of skin changes uploaded by the user
- other health data provided by the user, if applicable, and based on this
- recommendations for action drawn up by dermatologists (the “health data”)
- Billing data such as name, address, credit card information and/or bank details
- Health insurance details, if applicable
Data is collected, processed and used for the following purposes:
- Mediation of treatment contracts
- Processing for anonymised evaluations for scientific, statistical and analytical purposes, including the development of new data-based diagnostic procedures – in each case if and to the extent permitted by law.
Processing for billing purposes
The teledermatological counselling service is billed via the external payment service provider Datatrans Ltd (“Datatrans”), which is based in Switzerland and is integrated into our website. OnlineDoctor and Datatrans have concluded an order data processing agreement. If you use a teledermatological consultation service via our website, the payment is processed via Datatrans, which enables payment by credit card, Paypal, Twint, Post Finance Card, Discover or Diners Club.
OnlineDoctor transmits the following transaction data to Datatrans for payment processing:
- First and last name of the card account holder
- Card information
- Expiry date
- CVV/CVC code
- DateTime
- Amount of the transaction
Datatrans does not gain access to your health data at any time.
Processing for the (further) development of AI-supported diagnostics
If you give us your consent, we will process some of your health data (image data, symptom data, age and gender) to train artificial intelligence. The aim of this is to continuously improve the quality of diagnosis and optimise the teledermatology consultation services we provide. Giving your consent is voluntary. You can make use of the teledermatological counselling services even if you do not give us your consent.
Artificial intelligence is an application that supports the diagnosis of certain dermatological conditions using image data and additional information from patient self-reports.
Your data will be treated strictly confidentially and in accordance with the highest possible security standards. Consent can be revoked at any time for the future. All you need to do is send an email to hello@onlinedoctor.de. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Data security
Within the website, we use the widespread SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your web browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can recognise whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
Duration of storage of personal data
The duration of the storage of personal data is based on the relevant statutory retention obligations.
After the respective period has expired, the corresponding data will be routinely deleted. If data is required for contract fulfilment or contract initiation or if we have a legitimate interest in further storage, the data will be deleted if it is no longer required for these purposes or if you exercise your right of revocation or objection.
Zendesk – Processing of support requests
If you send us an enquiry by e-mail or contact us via our platform, we use the ticket system Zendesk, a customer service platform of Zendesk Inc, 989 Market Street #300, San Francisco, CA 94102.
In order to answer user enquiries, necessary data such as surname, first name, telephone number and e-mail address are collected.
Further information on data processing by Zendesk can be found in Zendesk’s privacy policy at http://www.zendesk.com/company/privacy. We have concluded an order processing contract with Zendesk in which we oblige the service provider to protect our customers’ data and not to pass it on to third parties.
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification in accordance with the Swiss-U.S. Data Privacy Framework. Zendesk is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Use of cookies
In addition to the above-mentioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive and assigned to the browser you are using and through which certain information flows to the organisation that sets the cookie (in this case, us). Cookies cannot execute programmes or transfer viruses to your computer. They are used to make the website more user-friendly and effective overall.
This website uses the following types of cookies, the scope and function of which are explained below:
- Transient cookies, i.e. cookies that are automatically deleted when you close the browser. These include session cookies in particular. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This allows your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.
- Persistent cookies, i.e. cookies for which you can configure your browser settings according to your wishes. Here, for example, you can refuse to accept third-party cookies or all cookies. We would like to point out that you may not be able to use all the functions of this website.
We use cookies to identify you for subsequent visits if you have an account with us. Otherwise you would have to log in again for each visit.
The Flash cookies used are not recorded by your browser, but by your Flash plug-in.
In some cases, cookies are used to simplify website processes by storing settings (e.g. the provision of pre-selected options). If personal data is also processed by individual cookies implemented by us, the processing is carried out either to fulfil the contract or to protect our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit.
You can set your browser so that you
- are informed about the setting of cookies,
- only allow cookies in individual cases,
- exclude the acceptance of cookies for certain cases or in general,
- activate the automatic deletion of cookies when closing the browser.
The cookie settings can be managed for the respective browsers under the following links:
- Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
- Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
- Safari: https://support.apple.com/kb/ph21411?locale=de_DE
- Opera: https://help.opera.com/en/latest/web-preferences/#cookies
You can also manage cookies from many companies and functions that are used for advertising individually. To do this, use the corresponding user tools, available at https://www.aboutads.info/choices/ or http://www.youronlinechoices.com/uk/your-ad-choices.
We also use HTML5 storage objects, which are stored on your end device. These objects store the required data independently of the browser you are using and do not have an automatic expiry date. If you do not want Flash cookies to be processed, you must install an appropriate add-on, e.g. “Clear Flash Cookies” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/clear-flash-cookies) or the Adobe Flash Killer cookie for Google Chrome. You can prevent the use of HTML5 storage objects by setting your browser to private mode. We also recommend that you regularly delete your cookies and browser history manually.
Changes to your cookie settings
You can revoke or change your cookie settings at any time. To do this, call up the cookie settings again via this link Change cookie settings.
Web analytics and advertising tracking Google
We use some services and technologies from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google uses so-called cookies. These are text files that are stored on your computer and enable your use of the website to be analysed. The information generated by cookies about your use of this website is usually transferred to a Google server in the USA and stored there.
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification in accordance with the Swiss-U.S. Data Privacy Framework. Web analytics and advertising tracking Google is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Google Analytics
Google Analytics uses cookies to analyse and improve your use of our website.
We only use Google Analytics with activated IP anonymisation. This means that the IP address of Google users within the member states of the European Union or in other signatory states to the Agreement on the European Economic Area is truncated, which means that it cannot be traced back to a specific person.
On behalf of the operator of this website, Google will use this information to analyse your use of the website. This is used to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The terms of use of Google Analytics and information on data protection can be accessed via the following links:
You can prevent the storage of cookies by selecting the appropriate settings in your browser software. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can also prevent the collection of data generated by cookies and related to your use of the website (including your IP address) and the processing of this data by Google, by downloading and installing the browser plug-in available at URL http://tools.google.com/dlpage/gaoptout?hl=de.
Information on how Google Analytics handles user data can be found in the privacy policy from Google: https://support.google.com/analytics/answer/6004245?hl=de
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification in accordance with the Swiss-U.S. Data Privacy Framework.
Google Analytics is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Google AdWords conversion tracking
We use Google AdWords conversion tracking to measure the success of our advertising measures. After certain target achievements on our website (“conversions”), this is recorded by Google. Google can thus measure the number of target achievements. In addition, Google will use previously set cookies to allocate which adverts were previously clicked on and were therefore decisive for the achievement of the target.
As shown above, you can configure your browser to reject cookies. You can also prevent Google from using cookies for advertising purposes in the cookie settings of Google’s privacy policy.
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification in accordance with the Swiss-U.S. Data Privacy Framework. Google AdWords conversion tracking is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Google Tag Manager
Our website uses the Google Tag Manager. The Tag Manager can be used to manage tracking tools and website tags. This service does not use cookies and no personal data is collected. The Google Tag Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags if they are implemented with the Google Tag Manager.
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification in accordance with the Swiss-U.S. Data Privacy Framework. Google Tag Manager is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Google Maps
Our website uses the online map service provider Google Maps via an interface. This allows us to display interactive maps directly on the website and enables you to use the map function conveniently. The provider of the map service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. To use the functionalities of Google Maps, it is necessary to save your IP address.
Google uses cookies to collect information about user behaviour. The legal basis for the processing of your personal data is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
When using the service, your data may also be processed in countries outside Switzerland, the European Union (EU) and the European Economic Area (EEA) in third countries, in particular in the USA. For data transfers to the USA, there is an adequacy decision of the Federal Council pursuant to Art. 16 para. 1 FADP with regard to companies with certification in accordance with the Swiss-U.S. Data Privacy Framework. Google Maps is certified in accordance with the Swiss-U.S. Data Privacy Framework and is therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: Participant Search (dataprivacyframework.gov).
Further information on the handling of user data can be found in Google’s privacy policy:
https://www.google.de/intl/de/policies/privacy/
Opt-out: https://www.google.com/settings/ads/
Hotjar
Our website uses the web analysis service Hotjar from Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (“Hotjar”).
Hotjar’s technology gives us a better understanding of our users’ experiences (e.g. how much time users spend on which pages, which links they click on, etc.). This helps us to tailor our offering to our users’ feedback. Hotjar works with cookies and other technologies to collect data about the behaviour of our users and their end devices, in particular the IP address of the device (is only recorded and stored in anonymised form during your use of the website), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language for displaying our website. Hotjar stores this information on our behalf in a pseudonymised user profile.
We pay particular attention to the protection of your personal data when using this tool. For example, we can only track which buttons are clicked, the path of the mouse, how far you scroll, the screen size of the device, device type and browser information, geographical location (country only) and preferred language to display our website. Areas of the websites on which personal data about you or third parties is displayed are automatically hidden by Hotjar and are therefore not traceable at any time. Hotjar stores customer data in the European Union.
Hotjar offers every user the option of using a “Do Not Track header” to prevent the use of the Hotjar tool so that no data about the visit to the respective website is recorded. This is a setting that is supported by all standard browsers in current versions. To do this, your browser sends a request to Hotjar to deactivate the tracking of the respective user. If you use our websites with different browsers/computers, you must set up the “Do Not Track header” separately for each of these browsers/computers. You can prevent the use of Hotjar by going to the opt-out page https://www.hotjar.com/legal/compliance/opt-out and clicking “Deactivate Hotjar”.
Further information about Hotjar Ltd. and the Hotjar tool can be found at: https://www.hotjar.com. The privacy policy of Hotjar Ltd. can be found at: https://www.hotjar.com/privacy
Linking to social media
Social networks (e.g. Facebook or LinkedIn) are only integrated on our website in the form of a link to the corresponding services. After clicking on the integrated text/image link, you will be redirected to the page of the respective provider. User information is only transferred to the respective provider after you have been forwarded. For information on the handling of your personal data when using these websites, please refer to the respective privacy policies of the providers you use.
Your rights
You are entitled to the following rights:
- to request information about your personal data processed by us;
- to request the correction of incorrect or incomplete personal data stored by us;
- to request the deletion of your personal data stored by us;
- to demand the restriction of the processing or disclosure to third parties or the prohibition of the processing of your personal data;
- Under certain circumstances, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller;
- to revoke your consent to the processing of data at any time with effect for the future. In the event of revocation, we will delete the data concerned immediately, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal; and
- depending on the applicable law, to file a complaint with a supervisory
You can declare your rights to OnlineDoctor or the respective dermatologist.
Changes to our privacy policy
We reserve the right to update this privacy policy if necessary, in compliance with the applicable data protection regulations. In this way, we can adapt it to the current legal requirements and take into account changes to our services, e.g. when introducing new services. The latest version applies to your visit.
Status of this privacy policy: August 2024