Privacy Policy

Our contact page provides a contact form. When you submit the form, the data you enter (name, email address, optional phone number and practice/company name, the content of your message) along with your GDPR consent and technical metadata (IP address, user-agent, timestamp) are transmitted to our server at the path /api/kontakt and forwarded immediately by email to info@pulszahnmedizin.de. The submission is not stored in any database (data minimisation pursuant to Art. 5(1)(c) GDPR). Alternatively, you can still write to us directly by email at info@pulszahnmedizin.de. The legal basis for processing is your explicit consent pursuant to Art. 6(1)(a) GDPR; additionally Art. 6(1)(b) GDPR for pre-contractual enquiries and Art. 6(1)(f) GDPR (legitimate interest in answering your enquiry). Both the dispatch and the receiving mailbox are handled via our email service provider Mailbox.org Eversmann SE, Mehringdamm 33, 10961 Berlin, Germany (servers in Germany; data processing agreement under Art. 28 GDPR concluded). We delete your enquiry once the underlying matter is conclusively resolved and there are no statutory retention obligations to the contrary.

Our website includes a link that, when clicked, opens the WhatsApp application on your device and prepares a new chat with our mobile number +49 151 44903794 (so-called wa.me deeplink). We use neither an embedded WhatsApp plugin, nor the WhatsApp Business API, nor address-book synchronisation. Only when you actively send a message do you contact us via the WhatsApp infrastructure (operator: WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland).

If you contact us via WhatsApp, we process the data you supply (in particular your mobile number and the content of your message) in order to handle your enquiry on the basis of Art. 6(1)(f) GDPR (legitimate interest in a timely response). If your message concerns a pre-contractual measure or a contract, Art. 6(1)(b) GDPR also applies.

Please note that the content and metadata of your WhatsApp messages may be processed via the WhatsApp infrastructure and therefore also via servers of Meta Platforms Inc. in the USA. We have no influence over this processing. Transfers to the USA are based on the EU-US Data Privacy Framework. WhatsApp's privacy notice is available at: https://www.whatsapp.com/legal/?eea=1#privacy-policy. If you wish to avoid this processing, please use email or telephone instead.

Our website contains a simple outbound link to our Instagram profile (operator: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland). No Instagram plugin is embedded, no content is loaded automatically, and no Shariff-style solution is used. Only when you actively click the link are you redirected to the Instagram website, where Meta's privacy terms then apply.

An AI-supported reception kiosk (internal name: PAIRA Avatar) may be used in the practice rooms. A digital avatar is shown on a screen in the reception area; it can greet you, record your request and forward it to the practice team. Input is provided by voice or via a tablet/control panel used by staff.

• Audio stream during the interaction for real-time processing; no persistent audio recording is made.
• Spoken request or text input on the tablet/control panel.
• Raw transcript of the interaction, where technically necessary to handle and verify the request.
• For identified existing patients: name, date of birth and patient number from the local Tomedo practice management system, only where necessary.
• Tool and forwarding events, e.g. hand-off to staff or creation of a task.

Processing serves reception organisation, recording your request and initiating or performing the treatment contract (Art. 6(1)(b) GDPR). Where health data is processed, processing is based on Art. 9(2)(h) GDPR (health care). PAIRA does not provide medical diagnoses, health triage or treatment decisions; treatment-related decisions are made exclusively by licensed practitioners.

• BodoTech UG (haftungsbeschränkt), Dortmund: software operation and maintenance on behalf of the practice (DPA pursuant to Art. 28 GDPR).
• Google Cloud (Google Ireland Ltd.): Vertex AI Gemini Live for speech processing in the europe-west1 region (Belgium), with zero-data-retention configuration and no use of audio or transcript data for model improvement.

• Audio stream: real-time processing without persistent audio recording.
• Raw transcript: no more than 24 hours.
• Local Gemma summary: a local Gemma LLM may, where medically or operationally necessary, store a purpose-bound summary as a note in Tomedo or in the patient record. This note is not raw transcript retention and follows the rules for treatment documentation or patient records.
• Tool and audit metadata without conversation content is stored for purpose-bound audit and documentation obligations.

A data protection impact assessment (DPIA) pursuant to Art. 35 GDPR is available and can be inspected with the practice management.

Calls to the practice phone number may be answered outside consultation hours or during call peaks by an AI-supported telephone reception service (internal name: PAIRA Calls). At the beginning of each call you are informed about the AI support and referred to this privacy policy. You may hang up at any time or ask for a human staff member; in that case your request is recorded as a message or callback request.

• Phone number or caller ID, time, duration and technical status of the call.
• Audio stream during the call for real-time processing; no persistent audio recording is made.
• Raw transcript of the call to handle the request and for short-term quality and safety traceability.
• If identified as an existing patient: name, date of birth and patient number from the local Tomedo practice management system, only where necessary.
• Description of the request, e.g. appointment type, callback request, organisational notes or symptoms mentioned by the caller.
• Tool calls and audit metadata, e.g. appointment booked, cancelled, rescheduled or callback task created.

Processing serves answering and handling your calls, appointment organisation, callback coordination and initiating or performing the treatment contract (Art. 6(1)(b) GDPR). Where health data is processed, Art. 9(2)(h) GDPR applies; in the event of acute emergency indicators, forwarding to human practitioners may be based on Art. 6(1)(d) and Art. 9(2)(c) GDPR. Audit and security checks are based on Art. 6(1)(f) GDPR. PAIRA does not make diagnoses, perform health triage or make treatment decisions.

• BodoTech UG (haftungsbeschränkt), Dortmund: software operation and maintenance on behalf of the practice (DPA pursuant to Art. 28 GDPR).
• Starface GmbH: SIP trunk and telephone connection for production operation; Germany location, DPA pursuant to Art. 28 GDPR.
• Hetzner Online GmbH, Falkenstein: hosting of the telephone bridge or LiveKit components, where used (DPA pursuant to Art. 28 GDPR).
• Google Cloud (Google Ireland Ltd.): Vertex AI Gemini Live for speech processing in the europe-west1 region (Belgium), with zero-data-retention configuration and no use of audio or transcript data for model improvement.

• Audio recording: no persistent audio recording is made.
• Raw transcript: no more than 24 hours.
• Call metadata and tool/audit metadata without conversation content is stored for purpose-bound audit and documentation obligations.
• Local Gemma summary: a local Gemma LLM may, where medically or operationally necessary, store a purpose-bound summary as a note in Tomedo or in the patient record. This note is not raw transcript retention and follows the rules for treatment documentation or patient records.
• Vertex AI / Google Cloud processes real-time data with zero-data-retention configuration; the data is not used for model improvement.

You can decline the AI telephone reception by hanging up or expressly asking during the call for a human staff member. In that case your request is recorded as a message or callback request for the practice team.

A data protection impact assessment (DPIA) pursuant to Art. 35 GDPR is available and can be inspected with the practice management.

This website uses 'Plausible Analytics', a cookieless web analytics tool by Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia (EU). Plausible sets no cookies and does not collect any personal data or personally identifiable identifiers. Only aggregated reach statistics are collected (page views, visitor counts, approximate location at country level, dwell time, referrer, anonymised device/browser class). The IP address is not stored at any time; it is used only briefly server-side, in the form of a hash with a daily rotating salt, to generate an aggregated daily count, and is then discarded after 24 hours. Processing takes place on servers within the European Union. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in a data-minimising, cookieless reach measurement, in line with the DSK Orientierungshilfe Telemedien 2.0). Because Plausible technically does not read or store device or browser information, consent under Section 25 TDDDG is not required. You may object to this processing at any time pursuant to Art. 21 GDPR by writing to info@pulszahnmedizin.de. Plausible's privacy notice: https://plausible.io/privacy.

We additionally use 'Vercel Web Analytics' by Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. This service is also fully cookieless and collects aggregated usage data on page views, performance metrics (Core Web Vitals) and approximate geo-information at country level. No profiling takes place; no persistent personally identifiable identifier (e.g. cross-device ID) is created. IP addresses are anonymised by Vercel and not stored. Initial processing takes place on Vercel edge servers within the EU; as part of internal corporate functions, data flows to Vercel Inc. in the USA may occur, secured by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and the EU-US Data Privacy Framework certification. We have concluded a data processing agreement with Vercel pursuant to Art. 28 GDPR. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in ensuring performance, stability and aggregated reach measurement). You may object to this processing at any time pursuant to Art. 21 GDPR by writing to info@pulszahnmedizin.de. Vercel's privacy notice: https://vercel.com/legal/privacy-policy.

You may exercise your right to lodge a complaint under Art. 77 GDPR in particular before the supervisory authority competent for us: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany, https://www.ldi.nrw.de.