Privacy Policy
We are pleased that you are interested in our website and our practice. The protection of your personal data is of particular importance to us. We process your personal data confidentially and in accordance with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR). Where data is collected directly from you, information obligations pursuant to Article 13 GDPR apply.

1. Controller
The controller within the meaning of Article 4 no. 7 GDPR is:
VITALITY – Practice for Physiotherapy & Training
Owner: Franziska Kurzrock
Schillerstraße 30–40
60313 Frankfurt am Main
Germany
Phone: +49 69 153 43 443
Email: info@physio-vitality-frankfurt.de

2. General information on data processing
We process personal data only to the extent permitted by law. Depending on the specific processing activity, the following legal bases may apply in particular:
• Article 6(1)(a) GDPR (consent)
• Article 6(1)(b) GDPR (contract or pre-contractual measures)
• Article 6(1)(c) GDPR (compliance with a legal obligation)
• Article 6(1)(f) GDPR (legitimate interest)
Where health data is processed as part of the new patient form or treatment, such processing is additionally based on Article 9(2)(h) GDPR, insofar as the processing is necessary for preventive healthcare, diagnosis, treatment, or the management of healthcare services. The German National Association of Statutory Health Insurance Physicians (KBV) also makes clear that patients must be informed about data processing and that the processing of patient data is generally not based on blanket consent, but is regulated by law.

3. Server log files (website visit)
When you access our website, our hosting provider automatically collects and stores technically necessary information in so-called server log files. This may include in particular:
• IP address (shortened or anonymised)
• date and time of the request
• page or file accessed
• amount of data transferred
• browser type and browser version
• operating system
Our legitimate interest lies in the secure, stable and error-free provision of our website and in ensuring system security.
Legal basis: Article 6(1)(f) GDPR.
Storage period: The storage period for server log files depends on the technical and organisational requirements of our hosting provider as well as the needs of system security and error analysis. Unless longer retention is required in an individual case, the data will be deleted once the respective purpose no longer applies.

4. Contact and form enquiries
4.1 Contact forms / general enquiries
If you contact us via contact form or email, we process the information you provide in order to handle your enquiry.
Depending on the content of your enquiry, the processing is based on:
• Article 6(1)(b) GDPR, insofar as your enquiry is aimed at entering into or performing a contract, or
• Article 6(1)(f) GDPR, insofar as there is another legitimate interest in handling your enquiry.
Our legitimate interest lies in the proper processing and answering of your enquiry.
If you voluntarily provide special categories of information, processing may additionally be based on your consent.
4.2 New patient form
We provide a new patient form on our website. The following data in particular may be processed in this context:
• master data
• contact details
• insurance data
• uploaded documents (in particular medical prescriptions, findings or other treatment-related documents)
The processing is carried out in order to handle your enquiry, prepare a treatment relationship, organise our practice and, where treatment takes place, to carry out and document such treatment.
Legal bases:
• Article 6(1)(b) GDPR
• for health data additionally Article 9(2)(h) GDPR
• where you voluntarily consent to certain communication channels, additionally Article 6(1)(a) GDPR
Obligation to provide data
Where the provision of certain data is necessary for processing your enquiry, organising appointments or preparing a treatment relationship, these details are marked as mandatory fields. Without this data, we may not be able to process your enquiry, or may not be able to do so in full, or prepare a treatment relationship.

5. Technical interim storage and practice software / cloud
The data transmitted via the new patient form is technically received, processed and, where required for practice organisation, transferred into our practice software.
For the temporary technical interim storage of data transmitted via the new patient form, we use Dropbox as an external service provider on the basis of a data processing agreement pursuant to Article 28 GDPR. Interim storage there serves exclusively technical processing purposes and the data is deleted again after transfer into our practice processes.
Where personal data is processed outside the European Union or the European Economic Area in connection with Dropbox, this is carried out on the basis of the legal requirements for international data transfers. Dropbox states that it complies with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. Further information on the safeguards used is available upon request.
For further practice organisation, documentation and administration, we use THEORG by SOVDWAER Gesellschaft für EDV-Lösungen mbH, Franckstraße 5, 71636 Ludwigsburg, Germany. According to the provider, the cloud / data centre infrastructure is provided by Individuelle Daten Technik GmbH (IDT), Franckstraße 5, 71636 Ludwigsburg, Germany. External service providers with access to patient or employee data may only be engaged within the framework of data processing on our behalf; the KBV expressly points out that data processing agreements are required for this.

6. Communication by email
Where you have expressly consented to this, we may contact you by email for organisational purposes, in particular for:
• appointment coordination
• appointment reminders
• sending appointment slips
• sending invoices and fee agreements
Invoices and fee agreements may be sent as password-protected PDF documents.
Legal basis: Article 6(1)(a) GDPR.
Please note that communication via ordinary email may involve security risks. The German Data Protection Conference (DSK) has published requirements regarding protective measures for email transmission. The KBV also points out that sensitive patient data, in particular health data, should not be sent unencrypted via email over the internet. We therefore transmit sensitive medical content only where necessary and where suitable protective measures are in place or another communication channel is used.

7. Recipients or categories of recipients
Your data will only be disclosed where this is necessary for the provision of our services, for practice organisation, or where we are legally obliged to do so. Recipients or categories of recipients may in particular include:
• website hosting provider
• technical service providers for form processing
• Dropbox for temporary technical interim storage
• SOVDWAER / THEORG as practice software provider
• IDT as cloud / data centre provider
• email service providers
• treating physicians or other healthcare providers, where this is necessary for your treatment or prescription
• public authorities or other recipients where we are legally obliged to disclose data
Article 13 GDPR requires information on recipients or categories of recipients; the KBV also expressly recommends providing patient data protection information both in the practice and on the website.

8. Storage period and deletion
We store personal data only for as long as necessary to fulfil the respective purpose or where statutory retention obligations apply.
For data transmitted via the new patient form, the following applies:
• technical interim storage in Dropbox is only temporary and the data is deleted after processing or transfer into our practice processes
• after transfer into our practice software or treatment documentation, the applicable statutory retention periods apply
• contact and form enquiries without treatment relevance are deleted once the purpose no longer applies and no statutory retention obligations prevent deletion
The KBV expressly points out that statutory retention obligations apply to treatment records.

9. Data security
We implement appropriate technical and organisational measures pursuant to Article 32 GDPR to protect your personal data against loss, manipulation, unauthorised access or misuse.
These include in particular:
• encrypted data transmission via SSL/TLS
• server-side processing of sensitive data
• restricted access to internal systems
• role-based and permission-based access according to the need-to-know principle
• regular security and software updates
• password-protected documents for certain email attachments
• organisational and technical protective measures in connection with external processors
The GDPR requires a level of protection appropriate to the risk; the German Data Protection Conference (DSK) has further specified this in particular for email transmission.

10. Cookies
Our website uses only technically necessary cookies where required for the secure and error-free operation of the website. In particular, we do not carry out:
• tracking
• analytics
• marketing
• profiling
Our legitimate interest lies in the technically secure and functional operation of the website.
Legal basis: Article 6(1)(f) GDPR.

11. External content and links
11.1 External links
Our website contains links to external platforms, for example:
• Facebook
• Instagram
• Jameda
• Google
• YouTube
These are purely external links. A connection to the respective provider is established only when you click on the link.

11.2 Bing Maps
We use Bing Maps by Microsoft to display the location of our practice. When the map is loaded, personal data, in particular your IP address, may be transmitted to Microsoft. Microsoft states in its privacy policy that personal data may also be transferred to other countries, including countries for which no adequacy decision exists. Where data is transferred to third countries in this context, this is carried out on the basis of the legal requirements of Articles 44 et seq. GDPR.
Our legitimate interest lies in providing a user-friendly display of our location and travel directions.
Legal basis: Article 6(1)(f) GDPR, insofar as the integration is necessary to provide a user-friendly route display.

11.3 Structured data
We use structured data (Schema.org / search engine markups) on our website in order to provide search engines with information about our practice. No personal data is independently stored or analysed in this context.

11.4 Automated decision-making
Automated decision-making, including profiling within the meaning of Article 22 GDPR, does not take place.

12. Rights of data subjects
Within the framework of the applicable legal requirements, you have the right to:
• access pursuant to Article 15 GDPR
• rectification pursuant to Article 16 GDPR
• erasure pursuant to Article 17 GDPR
• restriction of processing pursuant to Article 18 GDPR
• data portability pursuant to Article 20 GDPR
• object to processing pursuant to Article 21 GDPR
• withdraw consent granted, with effect for the future
You also have the right to lodge a complaint with a data protection supervisory authority. The BfDI explains information obligations and data subject rights in its GDPR materials.

The competent data protection supervisory authority is:
The Hessian Commissioner for Data Protection and Freedom of Information
Postfach 3163
65021 Wiesbaden
Germany

13. Withdrawal of consent
You may withdraw any consent you have given at any time with effect for the future, for example by email to:
info@physio-vitality-frankfurt.de

14. Currency and amendments
We reserve the right to amend this privacy policy in the event of legal, technical or organisational changes. The current version is always available on our website.
As of: April 2026