Privacy policy
Website data protection statement and information for data subjects pursuant to Article 13 and Article 14 of the EU General Data Protection Regulation
In this privacy policy, we inform you about the processing of personal data and about access and storage of information on your device when using our services.
1. Controller and contact person
The contact person and controller for the processing of your personal data when you use our services within the meaning of the General Data Protection Regulation (GDPR) is:
Company: MX Healthcare GmbH
Legal representative: Jonas Muff
Address: Max-Urich-Str. 3, 13355 Berlin, Germany
Email: dataprotection@vara.ai
2. Data protection officer
If you have any questions about data protection in connection with our products/services or the use of our services, you can also contact our data protection officer at any time. The data protection officer can be contacted at the above postal address or email address (e.g. titled: "Attn. data protection officer"). We would like to advise that the contents of the incoming messages might not be exclusively accessed by the data protection officer. If you wish to exchange confidential information, please request direct contact by sending a message to the above email address first.
3. Purposes of data processing, legal basis and legitimate interests
We process your data for the following purposes based on the lawful bases and the legitimate interests mentioned:
Service Provision: Enabling the usability of our services, ensuring the permanent functionality and security of our systems, maintaining our services in general for administrative purposes, including the storage of log files in order to find the cause and take action in the event of repeated or criminal access attempts that jeopardise the stability and security of our services (Art. 6 (1)(b), (f) GDPR)
Contact: Processing and answering your contact requests, and providing a contact form (Art. 6 (1)(b), (f) GDPR)
Newsletter: Providing and sending our newsletter, including storage of the subscription data for documentation obligations, and aggregate tracking regarding the opening of emails and the clicks on links (Art. 6 (1)(a), (f) GDPR)
Job applications: Receipt and processing of applications for the selection of applicants for the possible establishment of an employment relationship, including the provision of a digital careers page and the administration of incoming applications, and for the retention of personal data in a talent pool, if applicable (Art. 6 (1)(b), (a) GDPR)
Necessary tools: Providing necessary tools, including management, implementation and creation of content, consent banner, functions, scripts and design, as well as payment, fraud prevention and security services to protect against bots and abusive or malicious traffic (Art. 6 (1)(b), (f) GDPR)
Functional tools: Providing functional tools, including troubleshooting and external media and content (Art. 6 (1)(a) GDPR)
Analytical tools: Providing analytical tools which recognise users of our services by identifiers, measure visited pages, analyse the usage behaviour, perform A/B tests, create heatmaps, and use the information to optimise our services (Art. 6 (1)(a) GDPR)
Marketing tools: Providing marketing tools which create user profiles about interests, allocate advertising categories, serve personalised ads, evaluate marketing campaigns, perform retargeting, conversion tracking, cross-site and cross-device tracking, and match hashed email addresses with social media partners (Art. 6 (1)(a) GDPR)
Social Network Business Pages: Providing and managing a social network business page, including communication with interested parties and clients, and processing of aggregated business page insight data for the optimisation of the business page's structure and design (Art. 6 (1)(b), (f) GDPR)
Data Privacy Requests / Data Subject Requests: Processing and answering your data privacy requests / data subject requests, and storage of your requests for documentation obligations (Art. 6 (1)(f) GDPR)
4. Categories of data processed
The processing may include the following categories of data, depending on the use case:
Applicant data: e.g. applicant's master and contact data, certificates, CV, salary expectations
Business page insight data: e.g. demographic information such as age, gender, region and country, interaction with the business page such as likes, subscriptions, sharing and viewing content, posts, interests
Communication data: e.g. email content, chat messages, social media posts
Connection data: e.g. HTTP header, user agent, IP address
Consent data: e.g. selected tools and categories of the consent banner
Contact data: e.g. email address, phone number
Core data: e.g. name, date of birth, gender, postal address
Data privacy requests: e.g. your specific request, our answer, our documentation of the fulfilment of the request
Device data: e.g. device type, screen resolution, browser type, operating system, language
Diagnostic data: e.g. errors and issues during the provision of the service, performance, loading time
Identifiers: e.g. user ID, device ID, advertising ID
Location data: e.g. country, region, city
Profile data: e.g. interests, advertising seen or clicked, allocation to advertising categories
Usage data: e.g. pages visited, date and time of visit, duration of visit, previously visited pages, mouse movement, scroll activity, buttons clicked, links followed, files downloaded, interaction with media and forms
5. Recipients of data
The data collected by us will only be forwarded on if there is a lawful basis for this under data protection law in the specific case, in particular if:
you have given your consent (Art. 6 (1)(a) GDPR),
this is legally permissible and necessary for the performance of a contract or for the implementation of pre-contractual measures that are carried out at your request (Art. 6 (1)(b) GDPR),
we are legally obliged to disclose your data, in particular if this is necessary due to binding requirements, official enquiries, court orders and legal proceedings for legal prosecution or enforcement (Art. 6 (1)(c) GDPR),
the disclosure is necessary to protect our interests or for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest which requires protection in not disclosing your data (Art. 6 (1)(f) GDPR).
Your data will be forwarded especially to the following recipients:
Google (Google Tag Manager, Google Analytics, Google DoubleClick): Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland - privacy notice: https://business.safety.google/privacy/ - privacy settings: https://adssettings.google.com/notarget - transfer to third country: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (adequacy decision, certified under the EU-US Data Privacy Framework)
Hotjar: Hotjar Ltd., Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta - privacy notice: https://www.hotjar.com/privacy/
LinkedIn (LinkedIn Insight Tag): LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland - privacy notice: https://www.linkedin.com/legal/privacy-policy - privacy settings: https://www.linkedin.com/psettings/enhanced-advertising - transfer to third country: LinkedIn Corporation, 2029 Stierlin Ct. Ste. 200 Mountain View, California 94043, USA (adequacy decision, certified under the EU-US Data Privacy Framework)
Meta (Meta Pixel): Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland - privacy notice: https://www.facebook.com/privacy/policy/ - privacy settings: https://www.facebook.com/settings/?tab=ads - transfer to third country: Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA (adequacy decision, certified under the EU-US Data Privacy Framework)
Wix: Wix.com Ltd., Yunitsman 5 St, Tel Aviv, Israel - privacy notice: https://de.wix.com/about/privacy
In exceptional cases, we are jointly responsible for specific data processing with the following recipients:
LinkedIn Business Page: We process insight data of our LinkedIn business page jointly with LinkedIn Ireland Unlimited Company as joint controllers. LinkedIn is contractually responsible for fulfilling data subject rights. We will forward any requests we receive to LinkedIn. More information can be found in this privacy notice. You can find the relevant contracts with our joint controllers at: LinkedIn (LinkedIn Ireland Unlimited Company): https://legal.linkedin.com/pages-joint-controller-addendum.
Meta Pixel: We and Meta Platforms Ireland Ltd. process event data for the targeting of advertising, for the delivery of commercial and transactional messages, and for the improvement of ad delivery, personalisation features and content with the help of aggregated data as joint controllers. You can find the relevant contracts with our joint controllers at: https://www.facebook.com/legal/controller_addendum.
Some of the data processing may be carried out by our service providers which are bound by our instructions. In addition to the service providers mentioned in this privacy notice, this may include the following in particular:
Hosting, software and IT providers who maintain our systems and services
Consultancy companies
Furthermore, we may transfer your personal data to other recipients who process your personal data under their own responsibility. These may include the following in particular:
Postal service providers
Credit institutions and payment service providers
Tax consultants, lawyers or auditors
Credit agencies
Public bodies such as authorities and courts
6. Transfer to third countries
We may use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or transfer personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union.
If an adequacy decision of the European Commission (Art. 45 GDPR) exists for these countries, we base the data transfer on this decision. This applies, for example, to transfers to Argentina, Israel, Japan, Canada, the Republic of Korea, New Zealand, Switzerland, Uruguay or the United Kingdom. In the case of the USA, this only applies if the US recipient has certified itself for the EU-US Data Privacy Framework.
If no adequacy decision has been issued for the country in question, we have taken appropriate safeguards to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union or binding corporate rules (Art. 46 GDPR).
Where this is not possible, we base the transfer of data on exceptions under Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.
If a transfer to a third country is planned and there is no adequacy decision or appropriate safeguards, there is a risk that authorities in the respective third country (e.g. intelligence agencies) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. If your explicit consent is obtained, you will also be informed of this.
Your data may be forwarded in particular to the recipients in third countries mentioned in the section about the recipients of data.
7. Storage period
In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need the data until the statutory limitation period expires for evidence purposes for civil law claims (e.g. three years), due to statutory retention obligations (e.g. two to ten years) or there is another lawful basis under data protection law for the continued processing of your data in the specific individual case.
Your data will be stored especially for the following periods:
Applicant data: duration of your employment relationship (if we accept your application), or six months at the latest (if we reject your application) or beyond, if you give us your explicit consent;
Connection data: for the time of your visit and beyond in logfiles for a limited period;
Contact data: for the time necessary to process your request;
Data privacy requests / data subject requests: for three years to prove the fulfilment of your data privacy request / data subject requests;
Newsletter data: for the time of your subscription and beyond for documentation obligations.
8. Data subject rights including right to object
Your rights have been stipulated in Art. 7 (3), Art. 15 - 22 GDPR and you can exercise them at any time if the respective legal requirements are met:
Right to withdraw your consent at any time with effect for the future (Art. 7 (3) GDPR);
Right to object to the processing of your personal data on grounds relating to your particular situation, or without any reasoning in case of the processing for direct marketing purposes (Art. 21 GDPR);
Right to obtain information about your personal data processed by us (Art. 15 GDPR);
Right to rectify your personal data stored by us that is incorrect (Art. 16 GDPR);
Right to erase your personal data (Art. 17 GDPR);
Right to restrict processing of your personal data (Art. 18 GDPR);
Right to receive your personal data in a structured, commonly used and machine-readable format (Art. 20 GDPR);
Right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you, including the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision (Art. 22 GDPR).
You can easily exercise your right of withdrawal regarding the use of tools in our consent banner.
To assert your rights described here, you can contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection. If the respective legal requirements are met, we will comply with your request.
Finally, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You can assert this right, for example, with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.
9. Automated decision-making
Automated decision-making including profiling in accordance with Art. 22 GDPR which produces legal effects or similarly significantly affects you does not take place.
However, as part of the use of technologies to personalise our services, automated decisions may be made about personalised content and advertising that is played or sent. These decisions are based on the previously automatically collected usage data or the information you provide yourself, for example in the context of form fields. We use this data to create a profile that is used to select the appropriate content and advertising. Personalised advertising is only displayed with your prior explicit consent.
10. Access and storage of information on the device
We only access or store information on your device if this is strictly necessary to provide your requested digital services, i.e. for the main functions of our services, or if you have given your prior consent, i.e. for optional services, in accordance with the EU member states' laws implementing Art. 5 (3) of the ePrivacy Directive, in Germany § 25 TDDDG.
We use technologies such as cookies, local storage or session storage, which are stored on the device, or scripts, Software Development Kits (SDK) and other programming code, which access information on your device, like identifiers such as device ID or advertising ID. Usually, such technologies are not blocked by your device or browser. But you can adapt your browser settings to block all or specific cookies, the display of graphics or the performance of scripts, or you can adapt your device settings on mobile devices to block the access to your advertising ID.
The following cookies will be stored on your device:
Google Tag Manager
"_gcl_au" (90 days): Measuring the advertising efficiency of websites that use Google's services.
Google Analytics
"_ga" (1 year 1 month 4 days): Recognition and differentiation of visitors through a user ID;
"_ga_*" (1 year 1 month 4 days): Storing and counting page views.
Hotjar
"_hjSessionUser_*" (1 year): Storage of user data and user ID;
"_hjSession_*" (1 hour): Storage of session data;
"_hjTLDTest" (session): Generic cookie path detection, session data storage and URL-based fallback mechanism.
LinkedIn Insight Tag
"language" (session): Saving the language setting;
"lidc" (24 hours): Optimisation of the choice of data centre;
"bcookie" (1 year): Prevention of misuse;
"bscookie" (1 year): Storage of performed actions;
"UserMatchHistory" (30 days): Usage analysis, synchronisation of IDs with LinkedIn Ads;
"AnalyticsSyncHistory" (30 days): Storage for synchronising information about LinkedIn members;
"il_sugr" (90 days): Usage analysis and optimisation of website and advertisement.
Meta Pixel
"_fbp" (90 days): Usage analysis and retargeting;
"fr" (90 days): Display of advertisements, usage analysis, conversion tracking.
Google Doubleclick.net
"test_cookie" (15 minutes): Determining whether the user's browser supports cookies;
"IDE" (1 year 24 days): Storage of user interaction data for targeted advertising.
Wix
"ssr-caching" (less than a minute): Indicates how a site was rendered;
"hs" (session): Security purposes;
"svSession" (1 year 1 month 4 days): Identifies unique visitors and tracks a visitor's session on a site;
"XSRF-TOKEN" (session): Security purposes;
"bSession" (1 hour): Set in the context of load balancing to improve user experience.
PHP applications
"PHPSESSID" (1 month): Session management, user session identification.
Uncategorized cookies
"csaas_user_id" (1 year)
"csaas_referrer" (2 minutes)
"debug" (never)