Wherever possible, we endeavor to process data within the European Union (EU) or the European Economic Area (EEA). Your personal data will only be transferred to third countries (i.e. outside the EU or the EEA) in accordance with legal requirements.
Within the scope of our services, data may be transferred to third countries in particular if we use external service providers whose servers are operated outside the EEA. This applies in particular to the use of the following providers:
Zoom Video Communications, Inc (USA) - for video conferencing and communication
Twilio Inc (USA) and its subsidiary SendGrid - for communication and email services
Apple Inc (Apple Pay), Google LLC (Google Pay), PayPal Holdings, Inc, Klarna Bank AB and Stripe, Inc - as payment service providers for processing payments
If there is no adequacy decision by the EU Commission for these data transfers, we ensure that suitable guarantees exist in accordance with Art. 46 GDPR, in particular by concluding standard contractual clauses and, if necessary, additional protective measures.
With regard to the transfer of personal data to the United States, we rely on the adequacy decision of the EU Commission of July 10, 2023 (C(2023) 4745 final, OJ EU No. L 231 of 20.09.2023, “Transatlantic Data Privacy Framework”), insofar as the US companies concerned are certified under this framework. For the United Kingdom, the adequacy decision of the EU Commission of June 28, 2021 (C(2021) 4801 final, OJ EU No. L 360, 11.10.2021, p. 1), which is currently valid until June 27, 2025, applies.
If none of the aforementioned bases apply in individual cases, data will only be transferred with your express consent in accordance with Art. 49 para. 1 lit. a GDPR.
Our portal uses so-called cookies. Cookies are pieces of information that are stored on your devices with the help of the browser. They are downloaded by your internet browser the first time you visit a website. The next time you visit this website with the same device, the cookie and the information stored in it are either sent back to the website that created it (first-party cookie) or sent to another website to which it belongs (third-party cookie). This allows the website to recognize that it has already been accessed with this browser and, in some cases, to vary the content displayed.
Cookies are generally used to provide users with additional functions on a website, e.g. to make it easier for you to navigate the website or to save preferences (language settings or similar). Cookies cannot access, read or change any other data on your computer.
With regard to the storage period, a distinction is made between so-called session cookies, which are automatically deleted when you leave our website, and persistent cookies, which remain stored on your computer until you delete them manually in your browser or a preset period has expired.
If you want to block or delete cookies, you can make these changes in your browser settings. To find out how to do this in a specific browser, you can use the help function integrated into the browser or alternatively visit https://www.aboutcookies.org/. Please note, however, that in this case the page may only be displayed to a limited extent.
The legal basis on which we process your personal data using cookies depends on whether we ask for your consent. If this is the case and you have consented to the use of cookies, your data will be processed on the basis of the consent you have given. Otherwise, the data processed using cookies may also be processed on the basis of our legitimate interests (e.g. in the case of a business transaction via our online service and its improvement) or if the use of cookies is necessary to fulfill our contractual obligations.
If we do not provide any explicit information on storage periods for permanent cookies (e.g. as part of a so-called cookie opt-in), please assume that the storage period can be up to two years.
Regardless of whether the processing is based on consent or legal permission, you have the option at any time to object to the processing of your data using cookies or to withdraw your consent (collectively referred to as “opt-out”). You can initially declare your objection via the settings of your browser, e.g. by deactivating cookies (which may also restrict the functionality of our online services).
From time to time it will be necessary to change this privacy policy and adapt it to technical or legal circumstances. You will find the latest version here. We therefore recommend that you check it regularly. We will of course also inform you of any changes on our website.
If you have any questions, please contact the following e-mail address:
datenschutz@mavie.care
Status: 02.05.2025
Disclaimer on translation
This Privacy Policy was originally drafted in German and has been translated into English for convenience. In the event of any discrepancies or inconsistencies between the German and English versions, the German version shall prevail. We do not accept any liability for errors or misinterpretations arising from the translation. If you have questions or require clarification, please contact us directly.
The following information is intended to inform you (whether as an interested party, user, customer or employee of a customer) about how and why we collect, pass on and process your data.
The user is requested to read the following privacy policy. In it, we explain what data we collect, for what purposes we process it, to whom we may pass this data on and what legal options the user has in this context.
All data processing is carried out on the basis of the relevant legal regulations (GDPR, DSG, TKG) and only for the purposes that we specifically name here. On the one hand, we process personal data that you disclose to us as a user and, on the other hand, data that we receive through the use of our portal. Our external service providers are all subject to a statutory and contractual duty of confidentiality, as are our employees. You can therefore rest assured that the matters entrusted to us will also be treated confidentially.
The services we use also include sending, receiving and storing e-mails. For this purpose, the addresses of recipients and senders as well as further information on the sending of e-mails (e.g. the providers involved) and the content of the respective e-mails are processed. The above-mentioned data may also be processed for the purposes of spam detection. Please note that e-mails on the Internet are generally not sent in encrypted form. E-mails are normally encrypted in transit, but not on the servers from which they are sent and received (unless a so-called end-to-end encryption process is used). We can therefore accept no responsibility for the transmission of e-mails between sender and recipient on our server.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
The legal basis for this is the fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR), the consent given (Art. 6 para. 1 lit. a GDPR), as well as the legitimate interest (Art. 6 para. 1 lit. f GDPR).
Mavie Next GmbH, based at Rothschildplatz 4, 1020 Vienna, is the controller pursuant to Article 4(7) of the General Data Protection Regulation (GDPR). We operate this portal.
Our managing directors are Lukas Mayrl and Ondrej Gandel.
E-mail address: contact@mavie.care
Our data protection officer is lexetdata e.U., Dr. Beata Mangelberger
For data protection inquiries, please contact datenschutz@mavie.care
When visiting the portal, the processing of personal data is technically necessary in order to display the portal and ensure its stability and security. This supports the traceability of errors and sustainable troubleshooting. In addition, the processing serves to improve the quality and further development of the portal, to increase user-friendliness, to prevent and remedy illegal use of the portal content and for statistical evaluations. For technical reasons, in particular to ensure a functional and secure website, we process technically necessary information about access to our portal, which your browser automatically transmits to us, in so-called server log files. This data is processed to provide and optimize the website and to ensure the functionality and availability of the website. The following personal data is transmitted from your browser to our server:
Website accessed
Browser type used incl. version, operating system used
Host name of the accessing device (IP address used)
Date and time of access
Website of the incoming request (source/reference from which you accessed the page)
Under no circumstances will the data collected be used to draw conclusions about your person. It is used exclusively for technical purposes and enables us to keep the website functional. Our portal uses SSL encryption for security reasons and to protect the transmission of confidential content, such as the inquiries you send to us as the site operator. You can recognize an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock symbol in your browser's address bar. If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, but after 90 days at the latest.
We base this data processing on our legitimate interest pursuant to Art. 6 (1) GDPR.
Our portal provides the technical infrastructure for telemedical consultation between doctors, dieticians and users. The treatment contract is concluded exclusively between the treating doctor or dietician and the user.
In the course of using our platform, medical data (e.g. diagnoses, prescriptions, nutrition plans or findings) are also processed. We store this data for a period of 7 years in order to ensure ongoing, high-quality support for users, to enable the treating doctors and dieticians to access the relevant information and to safeguard and document the services provided.
In accordance with the applicable legal provisions (e.g. Section 51 of the Austrian Medical Practitioners Act and the Austrian Health Professions Register Act), the treating doctors and dieticians are also obliged to store medical data independently and securely for the legally prescribed period.
After the 7 years have expired, the medical data stored on our portal will be automatically deleted, provided that there are no further statutory retention obligations. Users can contact us or their treating doctor or dietician at any time to obtain information about the medical data stored or to request its early deletion, provided that there are no legal requirements to the contrary.
You can request information about your personal data processed by us at any time. If we process data about you that is incorrect or incomplete, you can request that it be corrected or completed. You can also request the deletion of unlawfully processed data. Please note, however, that this only applies to incorrect, incomplete or unlawfully processed data. Please note that these rights are complementary, so that you can only request either the rectification or completion of your data or its erasure.
If it is unclear whether the data processed about you is incorrect or incomplete or is being processed unlawfully, you can request that the processing of your data be restricted until this question has been finally clarified.
Even if your personal data is correct and complete and is processed by us lawfully, you can object to the processing of this data in specific individual cases justified by you. If the processing of your personal data is based on a balancing of interests (Art. 6 para. 1 lit. f GDPR: legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. When exercising your right to object, we ask you to explain your reasons why we should not process your personal data as we have done. We will examine the situation and either discontinue or adapt the data processing or show you our compelling reasons worthy of protection and continue the data processing. We will also continue the data processing if it serves the assertion, exercise or defense of legal claims.
You can receive the data we process about you, provided we have received it from you, in a machine-readable format specified by us, or instruct us to transmit this data directly to a third party of your choice, provided that this recipient enables us to do so from a technical point of view and the data transmission neither involves unreasonable effort nor conflicts with legal or other confidentiality obligations or confidentiality considerations on our part or on the part of third parties (data transmission).
For all your concerns, we ask you to contact us using the contact details provided, whereby we may ask you to provide proof of your identity, for example by sending a copy of your electronic ID.
Even if we make every effort to ensure the protection and integrity of your data, differences of opinion about the way in which we use your data cannot be ruled out. If you believe that we are using your data in an unauthorized manner, you have the right to lodge a complaint with the Austrian Data Protection Authority. In this case, however, we would ask you to contact us first.
4.1 Creation of a user account
To create an account on our platform, we collect the following personal data:
E-mail address
Password (set by the user)
This data is processed to provide a secure user account in accordance with Art. 6 para. 1 lit. b GDPR (fulfillment of contract).
4.2 Completion of the user profile (optional)
Users can voluntarily complete their profile with additional information:
First name and surname
Date of birth
Salutation
This data is processed exclusively to personalize the use of our platform. The processing takes place on the basis of the consent given (Art. 6 para. 1 lit. a GDPR).
4.3 Customer service
When users contact our customer support by email, we process the data they provide exclusively for the purpose of processing their request. This data is deleted once the business case has been concluded. Users are requested not to transmit any health data in this communication.
The processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR (fulfillment of contract).
4.4 Booking a consultation with a health expert
Users have the option of consulting a doctor or dietician via our portal. Via the option to book an appointment, users can arrange an online consultation and voluntarily provide the specialist with previous medical records and other documents. Data that may be created in the course of this consultation (e.g. a diet plan, doctor's report or prescription) is also made available to users via the portal. When booking a consultation, we collect the following personal data:
First name and surname - to identify the user and correctly assign the booking
Date of birth - for age verification and identification in medical contexts
Gender - to provide medically relevant advice, as certain health recommendations, diagnoses and treatments may have gender-specific differences
Nationality - to check possible legal framework conditions for medical consultations
Social security number - for billing and identification in the healthcare system
Mobile phone number - to send SMS notifications regarding bookings and appointment changes.
Address and place of residence
The processing is carried out for the organization and execution of the consultation in accordance with Art. 6 para. 1 lit. b GDPR (fulfillment of contract).
4.5 Payment for consulting services
We process the following data for the processing of payments and the issuing of invoices:
Billing address (for issuing the invoice)
Payment data (e.g. card number, depending on the payment method selected)
The processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR (contract fulfillment) and, if applicable, in accordance with Art. 6 para. 1 lit. c GDPR (statutory retention obligations).
4.6 Performing the consultation
Users can optionally provide medical documents via our portal before the consultation. If required, the health expert will issue a health report after the consultation, which will be made available to the user via the portal. This data is processed exclusively for the provision of medical advice and is based on the user's consent in accordance with Art. 6 para. 1 lit. a GDPR.
The Mavie Portal (“Portal”) serves as a central platform for access to various portals of the Mavie Holding group of companies. Thanks to a single sign-on (SSO) system, it enables seamless use of all connected portals with just one login. The portal also offers telemedical consultations with doctors and other health experts (e.g. dieticians) via the integrated Mavie Telemed service. Users can book appointments with health experts via the portal, make the corresponding payments for these consultations and participate in the consultations directly in the portal via video and/or audio call. In addition, users have the opportunity to view both their own health documents, which they have provided before or during the consultation, as well as the reports and medical assessments that our experts prepare after the consultation. The portal also allows users to centrally manage their Mavie account and personal data. In this context, personal data, including health data, is processed in order to provide the services offered and to enable secure access. The protection of this sensitive data is a top priority for us.
The provision of personal data is necessary for our corporate purpose, as contractual or statutory obligations cannot otherwise be met. The consequence of non-provision is that we will not be able to support you.
This privacy policy is regularly adapted and updated in line with legal or technical developments. If you have any questions in this regard, please contact the contact point listed under section 3.
To support certain processing steps, we use service providers who process personal data on our behalf or who are given access to this data in the course of their work for us.
10.1 IT service providers
The tools we use are selected according to the standards of data protection and data security. The providers have concluded corresponding order processing contracts in accordance with Art. 28 GDPR.
10.2 Payment service provider
We offer efficient and secure payment options for payment processing on our website. Personal data such as names, account numbers and credit card details are processed and transmitted to the payment service providers. For this purpose, we rely not on just one provider but on several, which we specify below. These providers process the following data on their own responsibility: name, address, account numbers, credit card data, passwords, TANs and transaction-related information. The data is processed and stored exclusively by the payment service providers. We subsequently receive payment confirmations or rejections, but no account or credit card data. If necessary, a credit check is carried out by credit agencies. For further information and rights, please refer to the terms and conditions and data protection notices of the respective payment service providers.
Apple Pay:
Payment services (technical connection of online payment methods);
Service provider: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA;
Website: https://www.apple.com/de/apple-pay/
Privacy policy: https://www.apple.com/legal/privacy/de-ww/
Google Pay:
Payment services (technical connection of online payment methods);
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
Website: https://pay.google.com/intl/de_de/about/
Privacy policy: https://policies.google.com/privacy
PayPal:
Payment services (technical connection of online payment methods) (e.g. PayPal, PayPal Plus, Braintree);
Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg;
Website: https://www.paypal.com/de
Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
Stripe:
Payment services (technical connection of online payment methods);
Service provider: Stripe, Inc, 510 Townsend Street, San Francisco, CA 94103, USA;
Website: https://stripe.com
Privacy policy: https://stripe.com/de/privacy
Klarna:
Klarna Bank AB, registered in the Swedish Commercial Register under company registration number 556737-0431 with registered office at Sveavägen 46, 111 34 Stockholm;
Website: www.klarna.com/at/
Privacy policy: https://cdn.klarna.com/1.0/shared/content/legal/terms/de-AT/privacy
In order to provide our service, we rely on service providers who support us in the organization and provision of our offer. These service providers have concluded an order processing contract with us in accordance with Art. 28 GDPR and may therefore only process personal data on our behalf.
Zoom
We use the “Zoom” tool to conduct video calls or consultations between medical experts and patients. “Zoom” is a service provided by Zoom Video Communications, Inc. based in the USA. We do not operate “Zoom” ourselves. Various types of data are processed when “Zoom” is used. The scope of the data also depends on the information you provide before or when participating in an “online meeting”.
The following personal data is always processed:
Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information
Twilio
We use the Twilio communication service to send SMS notifications in connection with appointment bookings. Twilio is a service provided by Twilio Inc. based in the USA. The following personal data is processed:
Telephone number - to send SMS notifications regarding bookings and appointment changes
Appointment description with date, time and name of the healthcare professional
This data is processed in accordance with Art. 6 para. 1 lit. b GDPR for the fulfillment of the contract.
SendGrid (Twilio-owned)
We use SendGrid, a service provided by Twilio Inc. based in the USA, to send booking confirmations and notification emails. The following personal data is processed:
E-mail address - for the delivery of confirmations and notifications regarding telemedicine appointments
Appointment description with date, time and name of the healthcare professional
Notification of missed and canceled appointments with information on any refunds
This data is processed in accordance with Art. 6 para. 1 lit. b GDPR to fulfill the contract.