Privacy Policy
Dr. Zybura Ventures UG (haftungsbeschränkt)
1. General Overview of Data Protection
General Information
This Privacy Policy explains what happens to your personal data when you visit this website. Personal data refers to any information that can be used to identify you personally. Detailed information on data protection can be found in the sections below.
Data Collection on This Website
Who is responsible for data processing on this website?
Data processing on this website is carried out by the website operator. The relevant contact details can be found in the section "Controller Information" below.
How do we collect your data?
Some data is provided directly by you, for example when you contact us via a form or email. Other data is collected automatically by our IT systems when you visit the website. This includes technical data such as browser type, operating system, or access time.
Why do we process your data?
Certain data is required to ensure the website functions correctly and securely. Other data may be necessary to handle enquiries, initiate contracts, or provide requested services.
Your Rights
You have the right to obtain information about the origin, recipients, and purpose of your stored personal data at any time. You may also request correction or deletion of your data, restrict processing, or revoke previously granted consent. In addition, you have the right to lodge a complaint with the competent supervisory authority.
2. Hosting
This website is hosted by:
Wix.com Ltd.
40 Namal Tel Aviv St., Tel Aviv 6350671, Israel
Wix is a platform for website creation and hosting. When you access this website, Wix may collect technical information such as visitor numbers, location data, and access statistics. Wix also uses cookies that are required for website functionality and security. Data may be processed on servers located in different countries, including the United States and Israel. Wix relies on recognized safeguards under Article 46 GDPR, including standard contractual clauses (SCCs).
EU-US Data Privacy Framework (DPF)
Wix.com Ltd. is certified under the EU-US Data Privacy Framework (DPF). The DPF ensures compliance with European data protection standards for data processing in the US. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Further information is available in Wix's privacy policy: https://de.wix.com/about/privacy
The use of Wix is based on Article 6(1)(f) GDPR (legitimate interest in reliable website operation). Where consent is required, processing is based on Article 6(1)(a) GDPR and § 25 TTDSG. Consent can be withdrawn at any time. A data processing agreement (DPA) has been concluded with Wix in accordance with Article 28 GDPR.
3. Controller Information
Controller pursuant to the GDPR:
Dr. Zybura Ventures UG (haftungsbeschränkt)
Rottfeldstr. 15–17
68199 Mannheim
Germany
E-mail: legal@drzybura.de
The controller determines the purposes and means of processing personal data.
4. Data Retention
Personal data is stored only for as long as necessary to fulfil the respective purpose. If you request deletion or revoke consent, your data will be deleted unless statutory retention obligations require continued storage (e.g., tax or commercial law retention periods of 6–10 years).
5. Legal Bases for Data Processing
Personal data is processed on the following legal bases:
- Article 6(1)(a) GDPR – consent
- Article 6(1)(b) GDPR – contract performance or pre-contractual measures
- Article 6(1)(c) GDPR – legal obligation
- Article 6(1)(f) GDPR – legitimate interest
- § 25 TTDSG – consent for cookies and device fingerprinting
6. Data Protection Officer
We have appointed a data protection officer:
Dr. Jan Zybura
Rottfeldstr. 15
68199 Mannheim
Germany
E-mail: dsgvo@drzybura.de
7. Recipients of Personal Data
Personal data may be transferred to external service providers where necessary for contractual fulfilment, legal compliance, or legitimate interests. Processors are engaged only on the basis of valid data processing agreements (Art. 28 GDPR).
8. International Data Transfers
Some of the service providers we use are located in third countries outside the European Union, including the United States. Data transfers to the US are safeguarded through:
- EU-US Data Privacy Framework (DPF) certification (Wix, WhatsApp, Microsoft Teams, Google Meet)
- Standard Contractual Clauses (SCCs) under Article 46 GDPR
Important Notice:
Despite these safeguards, US law (including the CLOUD Act and National Security Letters) may permit US authorities to access data under certain circumstances. You have the right to object to such transfers where your rights and freedoms outweigh our legitimate interests.
9. Your Rights as a Data Subject
You have the right to:
- Access your stored personal data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Deletion ("right to be forgotten") (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Lodge a complaint with a supervisory authority
Right to Object (Article 21 GDPR)
IF DATA IS PROCESSED BASED ON ARTICLE 6(1)(f) GDPR (LEGITIMATE INTEREST), YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION. WE WILL NO LONGER PROCESS YOUR DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING IS NECESSARY FOR LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME. IF YOU OBJECT, YOUR DATA WILL NO LONGER BE USED FOR DIRECT MARKETING.
Right to Lodge a Complaint
You have the right to lodge a complaint with the competent supervisory authority:
Landesbeauftragte für Datenschutz und Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Germany
Phone: +49 711 615541-0
E-mail: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de
10. Security Measures
This website uses SSL/TLS encryption to protect transmitted data. Encrypted connections can be recognised by the "https://" prefix and the lock icon in the browser address bar.
Despite technical and organisational security measures, data transmission over the internet cannot be guaranteed to be 100% secure. Residual risks remain.
11. Cookies and Consent Management
What are Cookies?
Cookies are small data files stored on your device. Some cookies are technically necessary to ensure website functionality. Others may be used only with your consent.
Cookie Categories
- Technically necessary cookies: Required for basic website functionality (legal basis: Art. 6(1)(f) GDPR)
- Functional cookies: Enhance user experience (legal basis: Art. 6(1)(a) GDPR / § 25 TTDSG)
- Marketing/Analytics cookies: Track user behavior and preferences (legal basis: Art. 6(1)(a) GDPR / § 25 TTDSG)
You can configure your browser to restrict or delete cookies at any time. Disabling cookies may limit website functionality.
When you first visit our website, a cookie consent banner is displayed via the integrated consent tool of our website platform Wix. The banner allows you to accept or decline non-essential cookies. Your consent decision is stored in a functional cookie on your device for up to 12 months, after which your preference will be requested again. Non-essential cookies are only set following your explicit consent. You may withdraw your consent at any time by deleting the cookies stored in your browser. This will cause the consent banner to reappear on your next visit to our website.
The consent tool is operated by Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel, as part of our hosting infrastructure. Data transfer is safeguarded by EU Standard Contractual Clauses and the EU-US Data Privacy Framework adequacy decision.
Legal basis: Art. 6(1)(c) GDPR in conjunction with § 25 TTDSG.
12. Server Log Files
The hosting provider automatically collects technical log data, including:
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
- IP address (anonymized after 7 days)
- Date and time of access
This data is processed based on Article 6(1)(f) GDPR to ensure secure and stable website operation. Log files are automatically deleted after 90 days unless required for security investigations.
13. Contact Enquiries
If you contact us via form, email, or telephone, your data will be processed solely to handle your request.
Data collected:
- Name
- Email address
- Phone number (optional)
- Company name (optional)
- Message content
Legal basis: Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (legitimate interest in responding to enquiries).
Data will be deleted once the enquiry has been fully processed (typically 6 months after final response), unless legal retention requirements apply.
14. Communication via WhatsApp
We may use WhatsApp for business communication.
Provider:
WhatsApp Ireland Limited
4 Grand Canal Square, Grand Canal Harbour
Dublin 2
Ireland
Communication is end-to-end encrypted. However, metadata (phone number, timestamp, device information) may be processed by WhatsApp and its parent company Meta Platforms, Inc. (USA).
EU-US Data Privacy Framework (DPF):
WhatsApp Ireland Limited is certified under the EU-US Data Privacy Framework. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active
Legal basis: Article 6(1)(a) GDPR (consent) where you initiate or explicitly agree to WhatsApp communication, or Article 6(1)(f) GDPR (legitimate interest in efficient communication) where you contact us directly via WhatsApp. You may withdraw your consent or object to processing at any time by notifying us at legal@drzybura.de.
Further information: https://www.whatsapp.com/legal/privacy-policy
15. Newsletter
If you subscribe to our newsletter, we process your email address exclusively for sending the newsletter.
Legal basis: Your consent under Article 6(1)(a) GDPR.
You may unsubscribe at any time by clicking the "Unsubscribe" link in each newsletter or by contacting us directly. Your consent withdrawal does not affect the lawfulness of processing prior to withdrawal.
After unsubscription, your email address may be stored in a blacklist to prevent future mailings (legitimate interest under Art. 6(1)(f) GDPR for compliance with legal requirements).
16. CRM and Business Communications
We use HubSpot CRM to manage business contacts, schedule meetings, and organize internal workflows. HubSpot is connected to our Google Workspace (Gmail) account, through which business correspondence and scheduling data are processed.
Data processed:
Name, email address, phone number, company affiliation, email correspondence history, meeting schedules, calendar entries, task records, and interaction history.
Purpose of processing:
Managing business relationships, coordinating consultation appointments, organizing internal workflows, and maintaining structured records of business communications.
Legal basis:
Art. 6(1)(b) GDPR: processing necessary for the performance of a contract or pre-contractual measures for existing contacts and partners. Art. 6(1)(f) GDPR: legitimate interests for business contact management and workflow organization.
Data processors:
- HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA: CRM and workflow management. Data transfer to the USA is based on EU Standard Contractual Clauses (SCCs) and HubSpot's certification under the EU-US Data Privacy Framework. Further information: https://legal.hubspot.com/privacy-policy
- Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland: Email and calendar services (Google Workspace). Data transfer governed by Google Workspace Data Processing Addendum and EU Standard Contractual Clauses. Further information: https://workspace.google.com/terms/dpa_terms.html
Data retention:
Contact and communication data is retained for the duration of the business relationship and applicable statutory retention periods thereafter. You may request deletion at any time, subject to legal retention obligations.
Your rights:
You may at any time request information about, correction of, or deletion of your personal data stored in our CRM system by contacting us directly at the address provided in our Privacy Policy.
17. Online Meetings and Video Conferences
We use online conferencing tools for communication with clients, partners, and internal meetings.
Google Meet
Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland
Data processed:
- Email address and name
- IP address
- Device information (type, operating system, browser)
- Meeting metadata (duration, participants, timestamps)
- Audio and video transmissions
- Cloud recordings (if enabled with participant consent)
- Chat messages and shared files
EU-US Data Privacy Framework (DPF):
Google Ireland Limited is certified under the EU-US Data Privacy Framework. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Legal basis: Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interest). Where meetings involve recordings or participants located outside the EEA, we will inform participants in advance and, where required by law, obtain explicit consent prior to recording under Article 6(1)(a) GDPR. You may withdraw such consent at any time.
A data processing agreement (DPA) has been concluded with Google in accordance with Article 28 GDPR.
Further information: https://policies.google.com/privacy
Microsoft Teams
Provider:
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park
Leopardstown, Dublin 18, D18 P521
Ireland
Data processed:
- Email address and name
- IP address
- Device information (type, operating system, browser)
- Meeting metadata (duration, participants, timestamps)
- Audio and video transmissions
- Cloud recordings (if enabled with participant consent)
- Chat messages, shared files, and whiteboard content
EU-US Data Privacy Framework (DPF):
Microsoft Corporation is certified under the EU-US Data Privacy Framework. For more information, see: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000KzNaAAK&status=Active
Legal basis: Article 6(1)(b) GDPR (contract performance) or Article 6(1)(f) GDPR (legitimate interest). Where meetings involve recordings or participants located outside the EEA, we will inform participants in advance and, where required by law, obtain explicit consent prior to recording under Article 6(1)(a) GDPR. You may withdraw such consent at any time.
A data processing agreement (DPA) has been concluded with Microsoft in accordance with Article 28 GDPR.
Further information: https://privacy.microsoft.com/en-us/privacystatement
18. Data Subject Rights: Response Timeline
We will respond to your data subject requests (access, rectification, deletion, restriction, portability, objection) within 30 days of receipt. If your request is complex, we may extend this period by an additional 60 days and will inform you of the extension and reasons.
You will not be discriminated against for exercising your data subject rights.
19. Revocation of Consent
Any consent you have given for data processing can be revoked at any time. Revocation does not affect the lawfulness of processing conducted prior to revocation. To revoke consent, please contact us at legal@drzybura.de or use the cookie settings/unsubscribe mechanisms provided.
Last updated: March 18, 2026.
