Cookie Policy

Last Updated: 27 August 2025

This Cookie Policy explains how Synduct GmbH, a company incorporated under German law with registered office in Germany ('Company', 'we', 'us', and 'our') uses cookies and similar tracking technologies on our AI-powered clinical decision support platform, including our website, mobile applications, APIs, and all associated services (collectively referred to as the 'Platform'). This policy applies to all users of our Platform, including healthcare professionals, medical institutions, and authorized personnel.

1. LEGAL BASIS AND COMPLIANCE

This Cookie Policy is designed to comply with:

  • The General Data Protection Regulation (EU) 2016/679 ('GDPR')
  • The ePrivacy Directive 2002/58/EC and its national implementations
  • German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)
  • German Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG)
  • Applicable healthcare data protection regulations

2. WHAT ARE COOKIES AND SIMILAR TECHNOLOGIES?

2.1 Cookies

Cookies are small text files that are placed on your device (computer, tablet, smartphone, or other electronic device) when you visit our Platform. They are widely used to make platforms work more efficiently and to provide analytical information to platform operators.

2.2 Similar Technologies

We also use similar technologies including:

  • Web beacons (also called 'pixel tags' or 'clear GIFs')
  • Local Storage Objects (LSOs)
  • Session storage and local storage
  • Software Development Kits (SDKs)
  • Application Programming Interface (API) logs
  • Device fingerprinting technologies
  • Analytics scripts and tracking pixels

For simplicity, this policy refers to all these technologies collectively as 'Cookies' unless specified otherwise.

3. TYPES OF COOKIES BY DURATION

3.1 Session Cookies

These are temporary cookies that are deleted when you close your browser or app. They enable us to link your actions during a particular browser session.

3.2 Persistent Cookies

These cookies remain on your device for a set period or until you delete them. They help us recognize you as a returning user and remember your preferences.

4. TYPES OF COOKIES BY ORIGIN

4.1 First-Party Cookies

These cookies are set directly by our Platform and can only be read by us.

4.2 Third-Party Cookies

These cookies are set by external service providers and can be read by those third parties.

5. CATEGORIES OF COOKIES WE USE

5.1 STRICTLY NECESSARY COOKIES

Purpose: Essential for the Platform's basic functionality and security
Legal Basis: Legitimate interest (Article 6(1)(f) GDPR)
Consent Required: No
Data Retention: Session to 12 months

Examples:

  • Authentication cookies for secure login
  • Session management cookies
  • Security cookies to prevent fraud
  • Load balancing cookies
  • CSRF protection tokens
  • Platform functionality cookies

Specific Cookies:

  • sessionId: Platform session management (Duration: Session)
  • auth_token: User authentication (Duration: 24 hours)
  • csrf_token: Security protection (Duration: Session)
  • lb_cookie: Load balancing (Duration: 1 hour)

5.2 FUNCTIONAL COOKIES

Purpose: Enable enhanced functionality and personalization
Legal Basis: Consent (Article 6(1)(a) GDPR)
Consent Required: Yes
Data Retention: 30 days to 2 years

Examples:

  • Language preference settings
  • User interface customizations
  • Remembered clinical specializations
  • Dashboard layout preferences
  • Regional medical guideline preferences

Specific Cookies:

  • user_prefs: User preferences (Duration: 1 year)
  • lang_setting: Language selection (Duration: 1 year)
  • dashboard_config: Dashboard customization (Duration: 6 months)

5.3 PERFORMANCE AND ANALYTICS COOKIES

Purpose: Understand how users interact with our Platform to improve services
Legal Basis: Consent (Article 6(1)(a) GDPR)
Consent Required: Yes
Data Retention: 26 months maximum

Examples:

  • Page views and user journeys
  • Feature usage statistics
  • Platform performance metrics
  • Error reporting and debugging
  • A/B testing cookies

Current Analytics Providers:

  • Google Analytics 4
  • Vercel Analytics
  • Meta Analytics (planned implementation)

Google Analytics Cookies:

  • _ga: Distinguishes users (Duration: 2 years)
  • _ga_[ID]: Session state (Duration: 2 years)
  • _gid: Distinguishes users (Duration: 24 hours)
  • _gat_gtag_[ID]: Throttle request rate (Duration: 1 minute)

Vercel Analytics:

  • __vercel_live_token: Performance monitoring (Duration: Session)

5.4 TARGETING AND ADVERTISING COOKIES

Purpose: Deliver relevant content and measure advertising effectiveness
Legal Basis: Consent (Article 6(1)(a) GDPR)
Consent Required: Yes
Data Retention: 12 months maximum

Examples:

  • Targeted medical education content
  • Relevant pharmaceutical information
  • Conference and training recommendations
  • Professional development opportunities

Future Implementation:

  • Meta advertising pixels
  • Professional network targeting
  • Medical conference advertising
  • Pharmaceutical partner cookies

6. HEALTHCARE-SPECIFIC DATA PROCESSING

6.1 Clinical Data Protection

We implement additional safeguards for healthcare-related data processing:

  • All cookies containing clinical data are encrypted
  • No patient health information (PHI) is stored in cookies
  • Only aggregated clinical decision patterns are used
  • No personally identifiable medical information in tracking

6.2 Professional Use Compliance

Our Platform is designed for healthcare professionals:

  • Verification of medical credentials required
  • Professional use disclaimers apply
  • Clinical decision support purposes only
  • Not intended for direct patient use

7. THIRD-PARTY SERVICE PROVIDERS

7.1 Current Third-Party Services

  • Google LLC (Analytics, Cloud Services)
  • Vercel Inc. (Hosting and Analytics)
  • Microsoft Corporation (Azure services)
  • Firebase (Authentication)

7.2 Future Third-Party Services

  • Meta Platforms Inc. (Analytics)
  • Additional medical database providers
  • Professional medical networks
  • Continuing medical education platforms

7.3 Data Transfer Safeguards

For transfers outside the European Economic Area (EEA):

  • Standard Contractual Clauses (SCCs) when required
  • Adequacy decisions where available
  • Additional technical and organizational measures
  • Regular compliance assessments

8. YOUR RIGHTS AND CHOICES

8.1 Consent Management

You have the right to:

  • Provide granular consent for different cookie categories
  • Accept or reject non-essential cookies
  • Change your preferences at any time
  • Withdraw consent as easily as it was given

8.2 Technical Controls

Browser Settings:

  • Most browsers allow you to block or delete cookies
  • Browser privacy modes prevent cookie storage
  • Third-party blocking options available
  • Consult your browser's help section for instructions

Platform Settings:

  • Cookie preference center accessible at all times
  • Granular control over cookie categories
  • Real-time consent updates
  • Download your consent history

8.3 GDPR Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ('right to be forgotten')
  • Restrict processing
  • Data portability
  • Object to processing
  • Withdraw consent

9. CONSENT REQUIREMENTS

9.1 Valid Consent Standards

In accordance with GDPR Article 7 and EDPB guidelines:

  • Consent must be freely given
  • Specific and informed
  • Unambiguous indication of agreement
  • Clear affirmative action required
  • As easy to withdraw as to give
  • Granular consent options provided
  • No pre-ticked boxes
  • Clear and plain language used

9.2 Consent Documentation

We maintain records of:

  • When consent was given
  • What was consented to
  • How consent was obtained
  • When consent was withdrawn
  • IP address and timestamp (for security)

9.3 Consent Renewal

  • Consent is renewed every 12 months
  • Notification provided before expiration
  • Opportunity to review and update preferences
  • Automatic blocking of expired consents

10. COOKIE POLICY FOR DIFFERENT USER TYPES

10.1 Healthcare Professionals

Additional considerations for medical users:

  • Professional verification requirements
  • Enhanced security measures
  • Continuing education tracking
  • Medical liability considerations
  • Professional development analytics

10.2 Medical Institutions

For institutional users:

  • Enterprise cookie management
  • Institution-wide preferences
  • Administrative oversight capabilities
  • Compliance reporting features
  • Multi-user consent management

10.3 Research and Development

For research participants:

  • Additional consent requirements
  • Anonymization protocols
  • Research ethics compliance
  • Data minimization principles
  • Special category data protections

11. DATA RETENTION

11.1 Retention Periods

  • Session cookies: Deleted when session ends
  • Functional cookies: Maximum 2 years
  • Analytics cookies: Maximum 26 months
  • Consent records: 3 years after withdrawal
  • Security logs: 12 months

11.2 Automatic Deletion

  • Automated deletion processes in place
  • Regular cleanup of expired data
  • Secure deletion methods used
  • Confirmation of deletion available

12. SECURITY MEASURES

12.1 Technical Safeguards

  • Encryption of cookie data in transit and at rest
  • Secure cookie flags (HttpOnly, Secure, SameSite)
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Monitoring and intrusion detection

12.2 Organizational Measures

  • Staff training on data protection
  • Data protection impact assessments
  • Incident response procedures
  • Regular compliance reviews
  • Third-party security assessments

13. INTERNATIONAL TRANSFERS

13.1 Legal Framework

  • Primary processing within EU/EEA
  • Adequacy decisions respected
  • Standard Contractual Clauses for other transfers
  • Supplementary measures where required
  • Regular transfer impact assessments

13.2 Specific Regions

  • United States: Privacy Shield successors and SCCs
  • United Kingdom: Adequacy decision
  • Other regions: Case-by-case assessment

14. CHILDREN'S PRIVACY

Our Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children through cookies. If we become aware of such collection, we will delete the information immediately.

15. AUTOMATED DECISION MAKING

Some cookies may be used for automated decision making, including:

  • Content personalization algorithms
  • Security threat detection
  • Performance optimization
  • User experience improvements

You have the right to object to automated decision making that produces legal effects or similarly significant effects.

16. UPDATES TO THIS POLICY

16.1 Policy Changes

We may update this Cookie Policy to reflect:

  • Changes in our cookie usage
  • Legal or regulatory requirements
  • New technologies or services
  • User feedback and requests

16.2 Notification Process

  • Email notification to registered users
  • Platform notification banner
  • Version history maintained
  • Effective date clearly indicated
  • Opportunity to review changes before implementation

17. COMPLAINTS AND DISPUTES

17.1 Internal Complaints

Contact our Data Protection Officer:

  • Email: dpo@synduct.de
  • Response time: 30 days maximum
  • Escalation procedures available

17.2 Regulatory Complaints

You have the right to lodge a complaint with:

  • German Federal Commissioner for Data Protection and Freedom of Information (BfDI)
  • Your local data protection authority
  • European Data Protection Board (EDPB)

18. CONTACT INFORMATION

18.1 General Inquiries

Email: privacy@synduct.de
Address: Synduct GmbH
[Complete German Address]
Phone: [German Phone Number]

18.2 Data Protection Officer

Email: dpo@synduct.de
Address: Data Protection Officer
Synduct GmbH
[Complete German Address]

18.3 EU Representative

[If applicable under GDPR Article 27]

19. TECHNICAL IMPLEMENTATION

19.1 Cookie Consent Management

  • Consent Management Platform (CMP) implemented
  • IAB TCF 2.0 compliance
  • Real-time consent synchronization
  • Cross-device consent management
  • API for consent verification

19.2 Cookie Scanning

  • Automated cookie detection
  • Regular platform scans
  • Third-party cookie monitoring
  • Compliance reporting
  • Manual review processes

20. HEALTHCARE INDUSTRY SPECIFIC CONSIDERATIONS

20.1 Medical Device Regulation (MDR)

Where applicable:

  • Software as Medical Device considerations
  • Risk management for data processing
  • Clinical evaluation requirements
  • Post-market surveillance obligations

20.2 Professional Standards

  • Medical ethics compliance
  • Professional liability considerations
  • Clinical governance requirements
  • Quality management systems

21. DEFINITIONS

  • "Aggregated Data": Data that has been combined and anonymized
  • "Clinical Decision Support": Software providing healthcare-related assessments
  • "Healthcare Professional": Licensed medical practitioner
  • "Personal Data": Information relating to an identified or identifiable person
  • "Platform": Our website, applications, and services
  • "Processing": Any operation performed on personal data

22. EFFECTIVE DATE AND GOVERNING LAW

22.1 Effective Date

This Cookie Policy is effective from 27 August 2025 and replaces all previous versions.

22.2 Governing Law

This policy is governed by German law and EU regulations. Any disputes shall be subject to the jurisdiction of German courts.

By using our Platform, you acknowledge that you have read, understood, and agree to be bound by this Cookie Policy. If you do not agree with this policy, please do not use our Platform.

For the most current version of this policy, please visit drinfo.ai/cookiepolicy

Version: 2.0
Last Review Date: 27 August 2025