Privacy Notice

We inform you below, in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR), about the processing of your personal data in connection with your use of our website and your associated rights.

1. Controller and Data Protection Officer

Controller for data processing (Art. 4(7) UK GDPR)
medisana GmbH
Carl-Schurz-Straße 2
41460 Neuss
Tel.: +49 (0) 2131 / 36 68 0
E-Mail: info@medisana.com
Managing Directors: Thomas Teckentrup, Shumei Chen

Data Protection Officer
Mr Stefan Kleinermann
Kleinermann & Sohn GmbH
Max-Planck-Str. 9
52499 Baesweiler
Tel.: (02401) 6054-0
E-Mail: dsb@das-datenschutz-team.de

2. Scope and Purpose of Data Processing
2.1 Access to our Website (Server Log Files)

When you access our website, access data is automatically collected and processed in so-called server log files. Access data includes: name of the accessed web page, file, date and time of access, data volume transferred, success notification, browser type and version, operating system, referrer URL, IP address and requesting provider. Legal basis: Art. 6(1)(f) UK GDPR (legitimate interest in ensuring IT security and providing the website). Retention period: Log file data is generally deleted after 7 days. Data that must be retained for evidentiary purposes is exempt until final clarification of the incident. Recipients: Hosting providers, external IT service providers (within the scope of data processing under Art. 28 UK GDPR).

2.2 Collection and Processing of Personal Data

Where you purchase products or services via our website or make enquiries, we process your personal data on the following legal bases:

  • Consent (Art. 6(1)(a) UK GDPR)
  • Contract performance or pre-contractual measures (Art. 6(1)(b) UK GDPR)
  • Compliance with a legal obligation (Art. 6(1)(c) UK GDPR)
  • Legitimate interests (Art. 6(1)(f) UK GDPR)

The personal data you provide (e.g. name, address, e-mail, telephone number) is stored and used exclusively for the performance of our services and individual communication with you, in accordance with the UK GDPR and the Data Protection Act 2018. We may transfer personal data to other entities within the Medisana group of companies where necessary for administrative purposes (Art. 6(1)(f) UK GDPR).

2.3 Data Processing for Order Fulfilment

For the purpose of processing orders (delivery and payment purposes), your personal data is disclosed to the contracted shipping company and the contracted financial institution in accordance with Art. 6(1)(b) UK GDPR. Where we owe you updates for goods with digital elements or digital products under a contract, we process your contact data (name, address, e-mail address) in accordance with Art. 6(1)(c) UK GDPR to inform you about upcoming updates within the legally prescribed period.

Plentymarkets

Order processing is carried out via plentysystems AG, Bürgermeister-Brunner-Str. 15, 34117 Kassel. Name, address and, where applicable, further personal data are disclosed to plentymarkets exclusively for the purpose of processing the online order in accordance with Art. 6(1)(b) UK GDPR. Details: plentymarkets.eu.

2.4 Product Orders / Online Shop

When you place an order in our online shop, we store your personal data for the following purposes (legal basis: Art. 6(1)(b) UK GDPR):

  • Order receipt and confirmation as well as shipping status notifications
  • Payment processing and invoice generation
  • Delivery of the ordered goods
  • Handling of cancellations, complaints and after-sales service

Shopware eCommerce Software
For our online shop we use the Shopware solution from shopware AG, Ebbinghoff 10, 48624 Schöppingen. Shopware stores only cookies necessary for shop operation (e.g. shopping basket, login status, CSRF protection). No personal information – only session IDs – is stored in the browser. Further information:

https://www.shopware.com/de/datenschutz/

2.5 Customer Account

You may create a customer account. Mandatory information: e-mail address, first and last name, street and house number, postcode and town, country and a password of your choice. Legal basis: Art. 6(1)(b) UK GDPR. During registration we additionally store your IP address and the time of registration for verification and fraud prevention purposes.

2.6 Guest Account

As an online retailer we are obliged to offer the option of ordering without registration (guest account). Mandatory information: e-mail address, first and last name, street and house number, postcode and town, country. The data is processed exclusively for the one-off product order (Art. 6(1)(b) UK GDPR) and deleted after all statutory retention obligations have been fulfilled.

2.7 Payment Methods / Payment Service Providers

For the processing of payment options (including PayPal, Sofort, Visa, Mastercard, Klarna, Apple Pay) we use external service providers.

Mollie

We use Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands. Your order data is disclosed exclusively for payment processing in accordance with Art. 6(1)(b) UK GDPR.

Privacy information: https://www.mollie.com/de/privacy

PayPal

PayPal is operated by PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. When you select PayPal we transmit the total order amount and a reference to the PayPal account.

Privacy information: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

2.8 Data Transfers / Recipients of Personal Data

For order processing we transfer your data to shipping/logistics companies (name and address) and payment service providers (invoice number, invoice amount, name and billing/delivery address). Legal basis: Art. 6(1)(b) UK GDPR. No further disclosure to third parties takes place. We contractually obligate our service providers to comply with data protection requirements.

2.9 Complaints / Warranty Processing

In the context of complaints and warranty processing, we process the necessary personal data (first and last name, address, order or RMA number) in accordance with Art. 6(1)(b) UK GDPR. Where necessary, data is transferred to service partners and shipping companies (Art. 6(1)(b) UK GDPR).

2.10 Online Help Centre / Support (Zendesk)

For handling service and support requests we use Zendesk Inc., 989 Market Street 300, San Francisco, CA 94102, USA. Legal basis: Art. 6(1)(f) UK GDPR (legitimate interest in efficient support processing). When using the chat window we store your IP address in addition to your chat messages. A request can be submitted with your e-mail address without providing your name. First and last name and e-mail address are required for registration in the online helpdesk (Art. 6(1)(b) UK GDPR). Data may be transferred to servers in the USA. Transfers are safeguarded by the UK International Data Transfer Agreement (IDTA) / UK Standard Contractual Clauses. Zendesk Inc. is certified under the EU-US Data Privacy Framework. We have concluded a data processing agreement (Art. 28 UK GDPR).

Further information: https://www.zendesk.de/company/agreements-and-terms/privacy-notice/
If you do not wish your request to be handled via Zendesk, you may alternatively contact us by telephone.

2.11 Web Hosting

Web hosting is provided by a contracted provider with server location in Germany. Legal basis: Art. 6(1)(f) UK GDPR. A data processing agreement in accordance with Art. 28 UK GDPR has been concluded with the provider.

3. Cookies

We use cookies on our website to improve user-friendliness, effectiveness and security, and to analyse access and personalise content. Technically necessary cookies may be set without consent. For all other cookie types we obtain your consent via our cookie banner (in accordance with the Privacy and Electronic Communications Regulations (PECR)).

Legal bases:

  • Technically necessary cookies: Art. 6(1)(f) UK GDPR
  • Analytics/tracking cookies: Art. 6(1)(a) UK GDPR in conjunction with PECR

You may withdraw or change your consent at any time via the cookie banner (“Cookie Settings”). Existing cookies can be deleted via your browser at any time. An overview of the cookies used can be found in our cookie banner under “Services”.

4. Newsletter

After explicit registration you will regularly receive our newsletter by e-mail. Upon registration we store your IP address, date and time of registration – as proof of consent and for fraud prevention. Legal basis: Art. 6(1)(a) UK GDPR. Data is deleted once the newsletter subscription is terminated.

You may cancel your subscription at any time via the unsubscribe link in the newsletter or by e-mail to info@medisana.com.

4.1 Newsletter Dispatch via JUNE

For newsletter dispatch we use the JUNE service from June – Online Marketing GmbH, Große Johannisstraße 3, 20457 Hamburg. Data is stored in German data centres. Legal basis: Art. 6(1)(f) UK GDPR (legitimate interest in reliable newsletter delivery). JUNE enables us to analyse newsletter dispatch (opened e-mails, click rate, conversion tracking). All data is collected exclusively in pseudonymised form and is not linked to other personal data. Further information: https://juneapp.com/email-marketing/

If you do not wish to be analysed, you may unsubscribe from the newsletter at any time. We have concluded a data processing agreement with JUNE (Art. 28 UK GDPR).

5. Prize Draws / Competitions

Where you participate in prize draws on our website, your data is processed exclusively for the conduct and administration of the relevant prize draw, to verify eligibility and to determine and notify winners. Legal basis: Art. 6(1)(a) UK GDPR. You may withdraw your consent at any time in accordance with Art. 7(3) UK GDPR with effect for the future. After the prize draw concludes, your data is generally deleted within 14 days, provided no retention obligations apply.

6. Website Plugins / Third-Party Providers / Analytics and Tracking Technologies
6.1 Consent Management / UserCentrics (Cookie Banner)

For obtaining and documenting your cookie consent we use UserCentrics GmbH, Sendlinger Straße 7, 80331 Munich. When the website is accessed, a connection is established to UserCentrics servers to collect your consent. Your IP address, browser information, device data and time of visit are transmitted. UserCentrics then stores a cookie to associate your consent. Legal basis: Art. 6(1)(c) UK GDPR in conjunction with PECR. A data processing agreement has been concluded with the provider (Art. 28 UK GDPR).

6.2 Google Analytics 4

Where you have given your consent via our cookie banner, we use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Legal basis: Art. 6(1)(a) UK GDPR and PECR.

Google Analytics 4 activates IP anonymisation by default. Data collected includes, among other things:

  • Page views and session starts
  • Click paths and scroll depth
  • Clicks on external links and file downloads
  • Internal search queries and video interactions
  • Approximate location (region), browser and device information
  • Referrer URL

Data linked to cookies is automatically deleted after 14 months. The maximum cookie lifetime is 2 years. Data may be transferred to Google servers in the USA. Google LLC is certified under the EU-US Data Privacy Framework. Transfers to the USA are additionally safeguarded by the UK International Data Transfer Agreement (IDTA). A data processing agreement has been concluded with Google (Art. 28 UK GDPR). 
You may withdraw your consent at any time via the cookie banner.

Further information: https://policies.google.com/privacy?hl=de

6.3 Google Maps

On some pages we use the Google Maps API from Google Ireland Limited. When used, information (including IP address) may be transferred to Google servers in the USA. Legal basis: Art. 6(1)(f) UK GDPR. Google LLC is certified under the EU-US Data Privacy Framework.

Privacy notice and terms of use: https://www.google.com/intl/de_DE/help/terms_maps/

6.4 Google Tag Manager

We use Google Tag Manager (GTM) from Google Ireland Limited. GTM itself does not create user profiles, store cookies or carry out independent analyses; it merely manages and deploys the services integrated via it. However, the tool does capture your IP address, which may be transferred to servers in the USA. Legal basis: Art. 6(1)(a) UK GDPR in conjunction with PECR (consent via cookie banner). A data processing agreement has been concluded with Google and the UK IDTA / UK SCCs have been agreed.

6.5 Google Ads and Conversion Tracking

We use Google Ads from Google Ireland Limited to display advertisements in Google Search or on third-party websites. When our website is accessed via a Google advertisement, a cookie is set. We receive exclusively anonymised statistical evaluations without personal reference. Legal basis: Art. 6(1)(a) UK GDPR in conjunction with PECR. Consent may be withdrawn at any time. Google LLC is certified under the EU-US Data Privacy Framework.

6.6 Google reCAPTCHA

We use reCAPTCHA from Google Ireland Limited to detect automated inputs (e.g. by bots). reCAPTCHA analyses the behaviour of website visitors (including IP address, language settings, browser, dwell time, mouse movements). Transmission to Google servers in the USA cannot be excluded. Legal basis: Art. 6(1)(f) UK GDPR (legitimate interest in protection against spam and automated spying). A data processing agreement has been concluded with Google, the UK IDTA / UK SCCs have been agreed and Google LLC is certified under the EU-US Data Privacy Framework.

6.7 YouTube

We have embedded videos from Google Ireland Limited (YouTube) on our website. We use “enhanced privacy mode”, meaning that a connection to YouTube servers in the USA is only established upon your consent to marketing cookies and playback of the video. Legal basis: Art. 6(1)(a) UK GDPR and PECR. If you are simultaneously logged into Google, the information will be linked to your YouTube account. To prevent this, log out of your Google account before visiting our website.

6.8 Meta Ads Pixel (Facebook Pixel)

Where you have given your consent, we use the Meta Ads Pixel from Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. This script is used to measure advertising success on Facebook/Instagram. Data is processed on Meta servers in the USA. Meta Platforms Inc. is certified under the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(a) UK GDPR in conjunction with PECR. Consent may be withdrawn at any time.

6.9 LightWidget (Instagram Plugin)

We use LightWidget from Black Sail Division, Molczyn 17 street, Leszna Gorna, 43-445 Dziegielow, to display Instagram content directly on our website. The plugin provider stores log data (e.g. IP address, connection information, browser type and version, operating system) to ensure display, prevent attacks and comply with legal requirements. Legal basis: Art. 6(1)(f) UK GDPR.

Privacy notice: https://lightwidget.com/privacy

6.10 TikTok Pixel

Where you have given your consent, we use the TikTok Pixel, operated in the EU by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. The pixel enables us to identify visitors to our website as a target group for TikTok advertising and to evaluate the effectiveness of our advertisements anonymously. Legal basis: Art. 6(1)(a) UK GDPR in conjunction with PECR. Consent may be withdrawn at any time.

6.11 Links to Social Media Pages

Our website includes links to our profiles on Facebook, Instagram, X (formerly Twitter), YouTube, TikTok and LinkedIn. For data protection reasons we have used links only (no embedded plugins): when simply accessing our website no data is transferred to these providers. Only by clicking on the respective logo will you be redirected to the provider's website, resulting in a data transfer over which we have no control.

Legal basis: Art. 6(1)(f) UK GDPR (legitimate interest in user communication). Provider privacy notices:

6.12 Trusted Shops / Trustbadge

Our website incorporates the Trusted Shops quality seal (Trusted Shops GmbH, Subbelrather Str. 15c, 50829 Cologne). Upon access, a server log file is generated containing your IP address, date/time, data volume transferred and provider. The IP address is anonymised immediately after collection. Legal basis: Art. 6(1)(f) UK GDPR. Further personal data is only transmitted to Trusted Shops with your consent (Art. 6(1)(a) UK GDPR) or on the basis of a contract (Art. 6(1)(b) UK GDPR). The Trustbadge is delivered via a US CDN provider; an adequate level of data protection is ensured by the UK adequacy regulations and, where applicable, the UK IDTA.

Privacy policy: https://shop.trustedshops.com/de/datenschutz

7. Integration of Third-Party Services and Content

Third-party content (e.g. RSS feeds, external graphics) may be embedded on our website. This is done on the basis of our legitimate interest in accordance with Art. 6(1)(f) UK GDPR. Embedding requires that third-party providers receive the user's IP address, as without it they cannot deliver content. We endeavour to use only content from providers who use the IP address solely for delivery purposes.

8. Publication of Job Advertisements / Applications

You may apply for advertised positions via our website. Your application data is processed via our applicant management system “HR Works” for the purpose of applicant selection. A data processing agreement has been concluded with the provider (Art. 28 UK GDPR). Access is restricted exclusively to staff involved in the recruitment process. Legal basis: Art. 6(1)(b) UK GDPR in conjunction with Schedule 2, Part 1 of the Data Protection Act 2018. If hired, your data will be transferred to your personnel file. If rejected, your data will be deleted six months after notification of rejection, unless a longer retention period is required (e.g. for equal opportunities compliance). At your request, we may add you to our talent pool (legal basis: Art. 6(1)(a) UK GDPR). Your data will be stored there for a maximum of 12 months and then automatically deleted. You may withdraw your consent at any time in accordance with Art. 7(3) UK GDPR.

Our privacy notice for applicants can be found at: https://www.medisana.de/out/pictures/ddmedia/Medisana_Datenschutzerkla%CC%88rung_Bewerbung.pdf

9. Your Rights as a Data Subject

Under the UK GDPR you have the following rights against us:

  • Right to information (Art. 13, 14 UK GDPR) – which we fulfil with this privacy notice
  • Right of access (Art. 15 UK GDPR)
  • Right to rectification (Art. 16 UK GDPR)
  • Right to erasure (“right to be forgotten”, Art. 17 UK GDPR)
  • Right to restriction of processing (Art. 18 UK GDPR)
  • Right to data portability (Art. 20 UK GDPR)
  • Right to object (Art. 21 UK GDPR) – on grounds relating to your particular situation
  • Right to withdraw consent (Art. 7(3) UK GDPR) – with effect for the future

For requests to exercise your rights, please contact our Data Protection Officer (contact details in Section 1). For data protection reasons relating to other individuals, we can only provide information following adequate identification. You also have the right under Art. 77 UK GDPR to lodge a complaint with a supervisory authority of your choice. The supervisory authority responsible for our company is:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel.: 0303 123 1113
E-Mail: casework@ico.org.uk

10. Data Security

Your personal data is protected by TLS encryption during transmission over the internet. We secure our website and other systems by means of technical and organisational measures (TOMs) in accordance with Art. 32 UK GDPR against unauthorised access, loss, destruction, alteration or dissemination of your data.

11. Deletion and Restriction of Personal Data

The deletion and restriction (blocking) of your personal data takes place once the purpose for which it was collected no longer applies, provided the data is no longer required for the performance or initiation of a contract and no statutory retention obligations (in particular from tax and commercial law) stand in the way.

12. Contact Options

You may contact us by telephone, e-mail or via our contact form. We store your details for the purpose of processing your enquiry (legal basis: Art. 6(1)(f) UK GDPR; where the contact aims at concluding a contract, additionally Art. 6(1)(b) UK GDPR). Data is forwarded internally to the relevant department and not passed on to third parties. It is deleted once it is no longer required for the purpose and no retention obligations apply.

13. Links to Websites of Other Providers

Where we provide links to websites of other companies or organisations, the privacy notices and policies of those sites apply. We have no influence over those providers' compliance with data protection requirements.

14. Amendment and Update of this Privacy Notice

We reserve the right to amend this privacy notice at any time in accordance with applicable data protection legislation – for example due to changes in our data processing activities, new legislation, court decisions or updated contact information. We recommend that you read our privacy notice regularly.

Last updated: April 2025