For us, the responsible handling of personal data is a central component of a trusting partnership. With this Privacy Policy, we provide transparent information about what personal data we process in connection with our websites and our online platform, for what purposes this is done, on what legal basis the processing takes place, and what rights data subjects have.
This Privacy Policy applies to our websites and the online platform (reimbursement.institute, reimbursement.info, app.reimbursement.info). Our services are expressly intended exclusively for commercial, institutional, and freelance customers (B2B). The conclusion of contracts with consumers is excluded. However, since our websites are publicly accessible, this policy informs all visitors (unregistered users), registered users acting on behalf of organizations, and affected healthcare professionals about data processing.
I. General Information and Data Controller
1. Name and Address of the Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
RI Innovation GmbH
Management: Nicole Eisenmenger
Lehnengasse 20a, 50354 Hürth – Germany
Tel.: +49 (0) 2233 805 77 97
Email: info@reimbursement.institute
Website: https://reimbursement.institute
Cologne Local Court, HRB 97427 | VAT ID: DE 815 815 580
Contact details of the Data Protection Officer
Data Protection Officer: Georg Leciejewski
Email: datenschutz@reimbursement.institute
II. Nature, Scope, and Purposes of Data Processing
2. Data Processing When Accessing the Website (Server Log Files)
Each time our website or online platform is accessed, our system automatically collects general data and information that is stored in the server’s log files:
- Browser types and versions used, as well as the operating system of the accessing system
- The website from which an accessing system reaches our site (Referrer)
- The subpages accessed, date and time of access
- The user’s Internet Protocol (IP) address and Internet service provider
Processing is carried out to ensure the correct delivery of content, to optimize systems, to guarantee continuous functionality, and to prevent threats in the event of cyberattacks. The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR. The server log files are stored separately from other personal data and evaluated only for the aforementioned purposes.
Infrastructure and Hosting:
Our website and online platform are hosted on the servers of a specialized cloud infrastructure service provider. We use the services of Hetzner Online GmbH for this purpose. The server is located in Germany. No processing or storage of data outside the European Union takes place within the scope of the hosting. A data processing agreement in accordance with Art. 28 GDPR has been concluded with the hosting service provider.
3. Cookies, Similar Technologies, and External Services
Our websites and the online platform use cookies, similar technologies, and external services. Below is a summary of the systems we use:
a) Technically necessary platform infrastructure
We use technically necessary cookies and similar technologies that are required for operation, security, login, session management, and the provision of explicitly requested functions. These include, in particular, session, login, and security cookies.
The storage of this information and access to the end device are based on Section 25(2) of the German Telemedia Act (TDDDG). The subsequent processing of personal data is based on Article 6(1)(b) of the GDPR to the extent necessary for the provision of the platform or the execution of the user relationship, and otherwise on Article 6(1)(f) of the GDPR.
b) Cookie Consent Tool
If a cookie consent tool is used, we store your selection regarding cookies and comparable technologies that require consent within it. This serves to document your consents, refusals, or revocations and to take them into account when you visit our website or online platform again. The legal basis for the use of the cookie consent tool is Section 25(2) of the TDDDG, as well as Article 6(1)(c) of the GDPR (fulfillment of a legal obligation to obtain and document consent) and Article 6(1)(f) of the GDPR. Our legitimate interest lies in the user-friendly implementation and legally compliant verification of these legal requirements.
c) Google Analytics (Reach Measurement and Usage Analysis)
We have integrated components of Google Analytics into this website. Google Analytics is a web analytics service for the collection, gathering, and evaluation of data regarding visitor behavior. The operating company is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics is only activated if you have previously given your active consent via our cookie consent tool. The storage of analytics cookies and access to comparable information on your device are based on your consent pursuant to Section 25(1) of the TDDDG. The subsequent processing of personal data is based on Article 6(1)(a) of the GDPR. You may revoke your consent at any time with future effect via the settings of our cookie consent tool. Additionally, you can prevent data collection by Google Analytics by installing a browser add-on at https://tools.google.com/dlpage/gaoptout. According to Google, Google Analytics does not log or store individual IP addresses of users from the EU. IP addresses are discarded before logging and are used only to derive approximate location data.
d) Online Chat via Olark (Support)
For online chat and the processing of support requests (support communication as defined in the Terms of Use), we use the Olark service provided by Habla, Inc. d/b/a Olark, 2810 N Church St., #63602, Wilmington, DE 19802, USA. When using the chat, the following data may be processed in particular: name, email address, organization, chat history, and technical usage data (e.g., IP address). To the extent that Olark uses technically necessary cookies or comparable technologies to provide the chat, their use is based on Section 25(2) of the TDDDG. To the extent that cookies or comparable technologies are used beyond this that are not technically necessary, their use is based solely on your consent pursuant to § 25(1) TDDDG. The subsequent processing of personal data is based, depending on the purpose, on Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR. Our legitimate interest lies in providing efficient support and a user-friendly online platform.
Separately processed data from the import module, patient data, health data, and other special categories of personal data may not be transmitted via chat, free-text, or assistance functions.
e) General Data Protection Information for External Services
To the extent that external service providers process personal data on our behalf, this is done on the basis of corresponding data processing agreements in accordance with Article 28 of the GDPR. To the extent that processing of personal data by external service providers outside the European Union or the European Economic Area (in particular in the U.S.) cannot be ruled out, such processing takes place only in accordance with Art. 44 et seq. of the GDPR, in particular on the basis of an adequacy decision by the European Commission or suitable safeguards such as the EU Standard Contractual Clauses.
For data processed separately via the standalone import module, the specific provisions of the Terms of Use and the respective General Terms and Conditions apply in addition. Patient data, health data, and other special categories of personal data may not be transmitted via chat, free-text fields, or other communication tools, but exclusively via the import module provided for this purpose.
4. Data Security and Transport Encryption
To adequately protect the security of your data during transmission over the Internet, the Provider uses state-of-the-art encryption methods on the URLs of the website and the online platform, in particular TLS/SSL via HTTPS. You can recognize such encrypted transmission by the prefix “https://” in your browser’s address bar as well as by the closed padlock icon.
5. Contact, Support, Contract Management, and Billing
When you contact us via email, phone, contact form, support chat, or other means, we process the personal data you provide to handle and respond to your inquiry.
If a customer as defined in the Terms and Conditions or an organization as defined in the Terms of Use orders a paid premium version, consulting services, or other paid services, we process the contract, contact, billing, and payment data required for this purpose. This may include, in particular, name, organization, address, email address, contract data, service data, billing data, payment information, as well as details required under tax and commercial law.
If you contact us via support chat, helpdesk, contact forms, email, telephone, online chat, or similar communication channels, we process the “support communication” transmitted in this context as defined in the Terms of Use.
Processing is based on Article 6(1)(b) of the GDPR to the extent that it serves the initiation, performance, or fulfillment of a contractual relationship. To the extent that we process data to fulfill statutory retention, documentation, tax, or commercial law obligations, processing is based on Article 6(1)(c) of the GDPR. In all other cases, processing is based on Article 6(1)(f) of the GDPR. Our legitimate interest lies in the proper handling and documentation of inquiries, customer communication, and the management of our contractual and business relationships.
6. Registration and Creation of a User Account
Users have the option to register on our online platform by providing personal data. In doing so, the following data is collected via the input form: email address, username, password, as well as information regarding the organization, organization type, professional role, function, or position description. Registration is carried out via a double opt-in procedure.
Purpose & Legal Basis: Registration serves to fulfill or initiate a user relationship (Art. 6(1)(b) GDPR) as well as to manage access rights within the organizational domain.
Note: Our service is intended exclusively for business entities as defined by § 14 BGB. Registration by consumers as defined by § 13 BGB is therefore unfortunately not possible. Should a registration as a consumer nevertheless occur inadvertently, we will delete the account and the associated personal data. The necessary verification for this is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in limiting our service to B2B customers and complying with our Terms and Conditions.
7. Use of the Online Platform and Personalization
When using the online platform, we process log, interaction, and usage data, as well as information regarding the user’s organization, organizational type, professional role, function, or job description. This includes, in particular, login times, function calls, search and filter operations, interactions with user content—especially NUB templates and coding aids—information content, and platform functions.
The purposes of processing are, in particular:
- Provision, administration, and security of the online platform and user accounts.
- Error analysis, quality assurance, and detection of misuse.
- Personalization and relevance control of notifications, recommendations, and search results.
- Operation, quality assurance, and improvement of search, analysis, recommendation, and assistance functions.
Note on separately processed data: Data from the import module is processed separately from other platform data and exclusively in accordance with a previously and validly concluded Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. Further details are set forth in § 7 of the Terms of Use as well as in the respective DPA.
8. Processing of Physician, Contact Person, and Referring Physician Data pursuant to Art. 14 GDPR
Within the scope of the online platform, we provide information on healthcare facilities, hospitals, specialist departments, private practice physicians, hospital physicians, medical practices, medical care centers, medical contacts, as well as actual or potential referring physicians. To the extent that this information relates to identified or identifiable natural persons, we process personal data.
This may include, in particular, name, title, professional role, specialty, practice, clinic, or organizational affiliation, business address, phone number, email address, facility information, BSNR, LANR, regional affiliations, as well as referring physician or potential information.
Referrer and potential information is processed exclusively as professional and organizational analysis data. It is not used to assess the private characteristics, personal performance, health, or behavior of the data subject outside of their professional context.
Processing is limited to professional, role-related, and organizational information in connection with the data subjects’ activities in the healthcare sector. Private contact details, patient data, health data of the data subjects, and special categories of personal data within the meaning of Art. 9 GDPR are not specifically collected or provided.
Depending on the data category, the data originates from publicly accessible sources, official directories, hospital and practice websites, public registers, professional directories, data suppliers, cooperation partners, or from our own structured research and processing.
The processing is carried out for the purpose of providing, structuring, updating, and displaying search, filter, analysis, comparison, export, and evaluation functions within the online platform. This also includes processing by platform-internal search and assistance systems, to the extent necessary to provide the analysis and evaluation functions.
The legal basis is Art. 6(1)(f) GDPR. Our legitimate interest lies in providing a subject-specific information and analysis platform for professional users in the healthcare sector, as well as in the structured presentation of professional contact details, organizational information, and referral-related analytical information.
Since we process a large amount of professional contact data from various public and subject-specific sources, we inform data subjects centrally via this privacy policy. At the same time, we implement protective measures, in particular data minimization, purpose limitation, access restrictions, regular checks for up-to-date information, and simple objection and deletion processes.
The data may be displayed and made available to registered users and organizations within the scope of the platform’s activated features. Use for the purpose of establishing contact, initiating business, CRM storage, or direct marketing is permitted only in accordance with the Terms of Use and applicable legal requirements. The respective users or organizations are responsible for the lawfulness of such further use.
The data is stored for as long as it is necessary for the stated purposes or as long as there are legitimate interests in its processing. The data sets are regularly reviewed for currency, necessity, and accuracy and, if necessary, corrected, updated, restricted, or deleted.
Data subjects may object to the processing of their personal data based on Article 6(1)(f) of the GDPR at any time pursuant to Article 21 of the GDPR for reasons arising from their particular situation, as well as assert their other data subject rights. To do so, they may contact info@reimbursement.institute or datenschutz@reimbursement.institute. In the event of a justified objection, the relevant personal data will be deleted, blocked, or removed from display, provided there are no overriding legitimate grounds to the contrary. To implement objections or requests for deletion, we may maintain an internal block or exclusion list to prevent the re-display of data records that have already been blocked.
In addition, data subjects have the right to lodge a complaint with a data protection supervisory authority, in particular with the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia.
III. Legal Framework and Data Subject Rights
9. Automated Decision-Making and Profiling
We use automated processes to analyze usage patterns and provide users with content, information, recommendations, search results, analytical functions, or assistance features that are likely to be relevant to them. In particular, the organization, type of organization, professional role, function, or job description, as well as usage and interaction data, may be taken into account. This analysis may constitute profiling within the meaning of the GDPR. No decision with legal effect or similarly significant adverse impact is made exclusively by automated means. The final professional decision always remains with the user or the organization.
Even in connection with physician, contact person, and referring physician data as described in Section 8, the online platform provides only search, analysis, comparison, and evaluation functions. No decision is made exclusively by automated means that has legal effects or similarly significant adverse effects on the affected physicians or other contact persons. Decisions based on the information provided always remain with the respective user or organization.
10. Recipients and Categories of Recipients
Personal data is only provided to those internal departments and external service providers that require it to fulfill the stated purposes. External recipients may include, in particular, hosting, IT, maintenance, security, analytics, cookie consent tool, chat, payment, billing, tax, and legal advisory service providers, as well as government authorities. These include, in particular, Hetzner Online GmbH, Habla, Inc. d/b/a Olark, and PBC, to the extent that they are used in the respective processing context. Order processing is carried out on the basis of Art. 28 GDPR.
11. Routine Deletion and Retention Period
Personal data is deleted or anonymized as soon as the purpose for its processing no longer applies.
Notwithstanding the above, we store:
- Contract and billing data: For the duration of the statutory retention periods under tax and commercial law (typically 6 to 10 years).
- User account and registration data: For the duration of the active user relationship or until the account is deleted.
- Contact, support, and usage data: Only for as long as necessary for processing, system security, error analysis, or the assertion of legal claims.
- Data from the import module: Exclusively in accordance with the terms of the Data Processing Agreement (DPA) concluded with you.
12. Necessity of Providing Personal Data
The provision of certain personal data is necessary for registration, user accounts, organizational assignment, platform use, contract performance, and billing. Without this data, the respective functions or services cannot be provided, or cannot be provided in full.
To the extent that data is required due to statutory retention, tax, or commercial law obligations, the obligation to provide such data arises from the respective statutory provisions. Data based exclusively on consent is provided voluntarily; consent may be revoked at any time with future effect.
Data subjects whose physician, contact person, or referring physician data is processed in accordance with Section 8 from third-party sources, public sources, data providers, cooperation partners, or our own research are not required to provide us with this data.
13. Rights of the Data Subject
Data subjects may object to the processing of their personal data at any time or request rectification, restriction, or erasure. Such requests are accepted via info@reimbursement.institute or datenschutz@reimbursement.institute and reviewed in accordance with the GDPR. In the event of a justified objection, the relevant personal data will be deleted, blocked, or removed from the display, provided there are no overriding legitimate grounds to the contrary.
Special Note on the Right to Object (Art. 21 GDPR): You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest). This also applies to profiling based on these provisions.
The competent supervisory authority is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestraße 2-4, 40213 Düsseldorf, email: poststelle@ldi.nrw.de, website: https://www.ldi.nrw.de.
To exercise your rights, you may contact info@reimbursement.institute or datenschutz@reimbursement.institute at any time.

