Privacy Policy
Dr. Zybura UG (haftungsbeschränkt) [for Dr. Zybura Ventures UG (haftungsbeschränkt) see here]
1. General Overview of Data Protection
General Information
This Privacy Policy explains what happens to your personal data when you visit this website. Personal data refers to any information that can be used to identify you personally. Detailed information on data protection can be found in the sections below.
Data Collection on This Website
Who is responsible for data processing on this website?
Data processing on this website is carried out by the website operator. The relevant contact details can be found in the section "Controller Information" below.
How do we collect your data?
Some data is provided directly by you, for example when you contact us via a form or email. Other data is collected automatically by our IT systems when you visit the website. This includes technical data such as browser type, operating system, or access time.
Why do we process your data?
Certain data is required to ensure the website functions correctly and securely. Other data may be necessary to handle enquiries, initiate contracts, or provide requested services.
Your Rights
You have the right to obtain information about the origin, recipients, and purpose of your stored personal data at any time. You may also request correction or deletion of your data, restrict processing, or revoke previously granted consent. In addition, you have the right to lodge a complaint with the competent supervisory authority.
2. Hosting
This website is hosted by:
Wix.com Ltd.
40 Namal Tel Aviv St., Tel Aviv 6350671, Israel
Wix is a platform for website creation and hosting. When you access this website, Wix may collect technical information such as visitor numbers, location data, and access statistics. Wix also uses cookies that are required for website functionality and security. Data may be processed on servers located in different countries, including the United States and Israel. Wix relies on recognized safeguards under Article 46 GDPR, including standard contractual clauses (SCCs).
EU-US Data Privacy Framework (DPF)
Wix.com Ltd. is certified under the EU-US Data Privacy Framework (DPF). The DPF ensures compliance with European data protection standards for data processing in the US. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Further information is available in Wix's privacy policy: https://de.wix.com/about/privacy
The use of Wix is based on Article 6(1)(f) GDPR (legitimate interest in reliable website operation). Where consent is required, processing is based on Article 6(1)(a) GDPR and § 25 TDDDG. Consent can be withdrawn at any time. A data processing agreement (DPA) has been concluded with Wix in accordance with Article 28 GDPR.
3. Controller Information
Controller pursuant to the GDPR:
Dr. Zybura UG (haftungsbeschränkt)
Rottfeldstr. 15–17
68199 Mannheim
Germany
E-mail: legal@drzybura.de
The controller determines the purposes and means of processing personal data.
4. Data Retention
Personal data is stored only for as long as necessary to fulfil the respective purpose. If you request deletion or revoke consent, your data will be deleted unless statutory retention obligations require continued storage (e.g., tax or commercial law retention periods of 6–10 years).
5. Legal Bases for Data Processing
Personal data is processed on the following legal bases:
- Article 6(1)(a) GDPR – consent
- Article 6(1)(b) GDPR – contract performance or pre-contractual measures
- Article 6(1)(c) GDPR – legal obligation
- Article 6(1)(f) GDPR – legitimate interest
- § 25 TDDDG – consent for cookies and device fingerprinting
6. Data Protection Officer
We have appointed a data protection officer:
Dr. Jan Zybura
Rottfeldstr. 15
68199 Mannheim
Germany
E-mail: dsgvo@drzybura.de
7. Recipients of Personal Data
Personal data may be transferred to external service providers where necessary for contractual fulfilment, legal compliance, or legitimate interests. Processors are engaged only on the basis of valid data processing agreements (Art. 28 GDPR).
8. International Data Transfers
Some of the service providers we use are located in third countries outside the European Union, including the United States. Data transfers to the US are safeguarded through:
- EU-US Data Privacy Framework (DPF) certification (Wix, WhatsApp, Microsoft Teams, Google Meet)
- Standard Contractual Clauses (SCCs) under Article 46 GDPR
Important Notice:
Despite these safeguards, US law (including the CLOUD Act and National Security Letters) may permit US authorities to access data under certain circumstances. You have the right to object to such transfers where your rights and freedoms outweigh our legitimate interests.
9. Your Rights as a Data Subject
You have the right to:
- Access your stored personal data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Deletion ("right to be forgotten") (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Lodge a complaint with a supervisory authority
Right to Object (Article 21 GDPR)
IF DATA IS PROCESSED BASED ON ARTICLE 6(1)(f) GDPR (LEGITIMATE INTEREST), YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION. WE WILL NO LONGER PROCESS YOUR DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING IS NECESSARY FOR LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME. IF YOU OBJECT, YOUR DATA WILL NO LONGER BE USED FOR DIRECT MARKETING.
Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority:
Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Germany
Phone: +49 711 615541-0
E-mail: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de
10. Security Measures
This website uses SSL/TLS encryption to protect transmitted data. Encrypted connections can be recognised by the "https://" prefix and the lock icon in the browser address bar.
Despite technical and organisational security measures, data transmission over the internet cannot be guaranteed to be 100% secure. Residual risks remain.
11. Cookies and Consent Management
What are Cookies?
Cookies are small data files stored on your device. Some cookies are technically necessary to ensure website functionality. Others may be used only with your consent.
Cookie Categories
- Technically necessary cookies: Required for basic website functionality (legal basis: Art. 6(1)(f) GDPR)
- Functional cookies: Enhance user experience (legal basis: Art. 6(1)(a) GDPR / § 25 TDDDG)
- Marketing/Analytics cookies: Track user behavior and preferences (legal basis: Art. 6(1)(a) GDPR / § 25 TDDDG)
You can configure your browser to restrict or delete cookies at any time. Disabling cookies may limit website functionality.
Usercentrics Consent Management Platform
We use the Usercentrics consent management platform to obtain and manage your consent for cookies and similar technologies.
Provider:
Usercentrics GmbH
Sendlinger Straße 7
80331 Munich
Germany
Data processed:
- Consent status (granted/denied)
- Consent timestamp
- IP address (anonymized)
- Browser information
- Device type and operating system
- Cookie preferences
Legal basis: Article 6(1)(c) GDPR (legal obligation to obtain consent under § 25 TDDDG)
Your consent data is stored for up to 12 months and can be withdrawn at any time via the cookie settings on our website. A data processing agreement (DPA) has been concluded with Usercentrics in accordance with Article 28 GDPR. Further information: https://usercentrics.com/privacy-policy/
12. Server Log Files
The hosting provider automatically collects technical log data, including:
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
- IP address (anonymized after 7 days)
- Date and time of access
This data is processed based on Article 6(1)(f) GDPR to ensure secure and stable website operation. Log files are automatically deleted after 90 days unless required for security investigations.
13. Contact Enquiries
If you contact us via form, email, or telephone, your data will be processed solely to handle your request.
Data collected:
- Name
- Email address
- Phone number (optional)
- Company name (optional)
- Message content
Legal basis: Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (legitimate interest in responding to enquiries).
Data will be deleted once the enquiry has been fully processed (typically 6 months after final response), unless legal retention requirements apply.
14. Communication via WhatsApp
We may use WhatsApp for business communication.
Provider:
WhatsApp Ireland Limited
4 Grand Canal Square, Grand Canal Harbour
Dublin 2
Ireland
Communication is end-to-end encrypted. However, metadata (phone number, timestamp, device information) may be processed by WhatsApp and its parent company Meta Platforms, Inc. (USA).
EU-US Data Privacy Framework (DPF):
WhatsApp Ireland Limited is certified under the EU-US Data Privacy Framework. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active
Legal basis: Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR (legitimate interest in efficient communication). We strongly recommend obtaining explicit consent before using WhatsApp for business communication given evolving legal expectations.
Further information: https://www.whatsapp.com/legal/privacy-policy
15. Newsletter
If you subscribe to our newsletter, we process your email address exclusively for sending the newsletter.
Legal basis: Your consent under Article 6(1)(a) GDPR.
You may unsubscribe at any time by clicking the "Unsubscribe" link in each newsletter or by contacting us directly. Your consent withdrawal does not affect the lawfulness of processing prior to withdrawal.
After unsubscription, your email address may be stored in a blacklist to prevent future mailings (legitimate interest under Art. 6(1)(f) GDPR for compliance with legal requirements).
16. Online Meetings and Video Conferences
We use online conferencing tools for communication with clients, partners, and internal meetings.
Google Meet
Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland
Data processed:
- Email address and name
- IP address
- Device information (type, operating system, browser)
- Meeting metadata (duration, participants, timestamps)
- Audio and video transmissions
- Cloud recordings (if enabled with participant consent)
- Chat messages and shared files
EU-US Data Privacy Framework (DPF):
Google Ireland Limited is certified under the EU-US Data Privacy Framework. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Legal basis: Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interest). We recommend obtaining explicit consent before conducting video conferences given evolving legal expectations around recordings and international data transfers.
A data processing agreement (DPA) has been concluded with Google in accordance with Article 28 GDPR.
Further information: https://policies.google.com/privacy
Microsoft Teams
Provider:
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park
Leopardstown, Dublin 18, D18 P521
Ireland
Data processed:
- Email address and name
- IP address
- Device information (type, operating system, browser)
- Meeting metadata (duration, participants, timestamps)
- Audio and video transmissions
- Cloud recordings (if enabled with participant consent)
- Chat messages, shared files, and whiteboard content
EU-US Data Privacy Framework (DPF):
Microsoft Corporation is certified under the EU-US Data Privacy Framework. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active
Legal basis: Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interest). We recommend obtaining explicit consent before conducting video conferences given evolving legal expectations around recordings and international data transfers.
A data processing agreement (DPA) has been concluded with Microsoft in accordance with Article 28 GDPR.
Further information: https://privacy.microsoft.com/en-us/privacystatement
17. Contact Forms and Appointment Booking
Appointment Booking System
We use WIX Bookings to manage consultation and service appointments. When you book an appointment through our website, the following data is collected and processed:
Data Collected:
- Name and contact information (email address, phone number)
- Appointment type, date, and time
- Any notes or special requests you provide
Purpose of Processing:
To schedule, confirm, and manage your consultation appointments.
Legal Basis:
Art. 6(1)(b) GDPR – Processing is necessary for the performance of a contract or to take steps at your request prior to entering into a contract.
Data Processor:
WIX.com Ltd., Tel Aviv, Israel (data transfer based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework adequacy decision)
Data Retention:
Appointment data is stored for the duration of our business relationship and for statutory retention periods thereafter (typically 3 years under German commercial law, § 257 HGB).
Your Rights:
You can view, modify, or cancel your appointments at any time by contacting us directly. You also have the right to request deletion of your booking history, subject to legal retention requirements.
Note: Our booking system has technical capabilities for payment processing. However, we do not currently use these features. All payments are processed separately
18. Data Subject Rights: Response Timeline
We will respond to your data subject requests (access, rectification, deletion, restriction, portability, objection) within 30 days of receipt. If your request is complex, we may extend this period by an additional 60 days and will inform you of the extension and reasons.
You will not be discriminated against for exercising your data subject rights.
19. Revocation of Consent
Any consent you have given for data processing can be revoked at any time. Revocation does not affect the lawfulness of processing conducted prior to revocation. To revoke consent, please contact us at legal@drzybura.de or use the cookie settings/unsubscribe mechanisms provided.
Last updated: January 13, 2026.
