Privacy Policy
1. Privacy at a Glance
The protection of your personal data is of particular concern to us. We process your personal data exclusively in accordance with the General Data Protection Regulation (GDPR) and applicable national data protection legislation.
2. General Information and Mandatory Disclosures
Data Protection
The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this Privacy Policy.
When you use this website, various personal data are collected. Personal data is any data by which you can be personally identified. This Privacy Policy explains what information we collect and what we use it for. It also explains how and for what purpose this takes place.
Please note that data transmission over the internet (e.g. when communicating by e-mail) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.
Notice Regarding the Controller
The controller responsible for data processing on this website is:
Dr. BILDIR Medical GmbH
Dr. Ayse Bildir
Glücksteinallee 69
68163 Mannheim
Germany
+49-621-8455-308
info@drbildirmedical.com
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data (names, e-mail addresses, etc.).
Data Protection Officer
No Data Protection Officer has been appointed, as there is no statutory obligation to do so.
Retention Period
Unless a more specific retention period has been stated within this Privacy Policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a legitimate request for deletion or withdraw your consent to data processing, your data will be deleted unless we have other legally permissible reasons for retaining your personal data (e.g. retention periods under tax or commercial law); in the latter case, deletion will take place once those reasons no longer apply.
General Information on the Legal Bases for Data Processing
If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR. In the event of explicit consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49(1)(a) GDPR.
If you have consented to the storage of cookies or to access to information on your device, data processing is additionally carried out on the basis of § 25(1) TDDDG. Consent may be withdrawn at any time. Where your data is required for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, we process your data where this is necessary for compliance with a legal obligation on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. Information about the relevant legal bases applicable in each individual case is provided in the following sections of this Privacy Policy.
Recipients of Personal Data
In the course of our business activities, we work with various external parties. This sometimes requires the transfer of personal data to those external parties. We only disclose personal data to external parties where this is necessary for the performance of a contract, where we are legally obliged to do so (e.g. disclosure of data to tax authorities), where we have a legitimate interest in the disclosure pursuant to Art. 6(1)(f) GDPR, or where another legal basis permits the transfer. Where we use processors, we only disclose personal data of our customers on the basis of a valid data processing agreement.
3. SSL / TLS Encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL or TLS encryption. You can recognise an encrypted connection by the “https://” in your browser address bar.
4. Hosting and Server Log Files
Hosting Provider IONOS
We host our website with IONOS SE. The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (hereinafter “IONOS”).
When you visit our website, IONOS collects various log files including your IP addresses. For details, please refer to the IONOS Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy
The use of IONOS is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable possible presentation of our website. Where consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent may be withdrawn at any time.
Data Processing Agreement: We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law which ensures that IONOS processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
When visiting the website, the following data is collected automatically:
- IP address
- Date and time
- Browser type and version
- Operating system
- Referrer URL
- Pages accessed
- Data volume transferred
- Access status (HTTP status code)
This data is processed to ensure the technical operation of the website.
Legal basis: Art. 6(1)(f) GDPR.
A data processing agreement pursuant to Art. 28 GDPR has been concluded with the hosting provider.
5. Cookies and Consent Tool
Our website uses cookies and similar technologies.
Technically necessary cookies (e.g. for basic shop/page functions) are used to enable the operation of the website. Where access to device information is required for this purpose, this is done on the basis of § 25(2) TDDDG (no consent required).
Non-technically necessary cookies (e.g. comfort functions, statistics/marketing – where used) are only set with your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG).
Consent Tool / Cookie Banner
We use the WordPress plugin “Real Cookie Banner” to manage the cookies and similar technologies used on this website and to obtain and document consents. The provider is devowl.io GmbH, Tannet 12, 94539 Grafling, Germany.
The tool stores your cookie settings as well as your consent or withdrawal in a cookie in order to be able to assign these to future page visits. A consent log is also stored in order to be able to demonstrate the consents given. Processing is carried out for the purpose of complying with statutory obligations.
The stored data is saved on our server and is not passed on to third parties unless there is a statutory obligation to do so.
You can withdraw or change your consent at any time via the cookie banner settings.
Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (consent). The legal basis for the logging and documentation of consent is additionally Art. 6(1)(c) GDPR (legal obligation) and Art. 6(1)(f) GDPR (proof/defence). Retention period: The consent log is retained for as long as necessary to demonstrate the consents given, and is then deleted.
6. Contact
If you contact us by e-mail or via a contact form, we process your details in order to handle your enquiry.
Legal basis:
- Art. 6(1)(b) GDPR (pre-contractual measures)
- Art. 6(1)(f) GDPR (general enquiries)
Retention Period
We generally delete data arising from enquiries once the enquiry has been conclusively processed, unless statutory retention obligations apply.
7. Order Processing via WooCommerce
To process orders, we collect the following personal data:
- First and last name
- Billing and delivery address
- E-mail address
- Telephone number (optional)
- Order data
- Payment information
- Customer history
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Retention Periods:
Data required for accounting purposes (e.g. invoices) is retained for 6 or 10 years in accordance with § 257 HGB and § 147 AO.
All other personal data not subject to statutory retention obligations will be deleted once it is no longer required for the performance of the contract or once your customer account data is deleted.
8. Customer Account and Guest Orders
You have the option of creating a customer account on our website. When creating an account, we collect the following personal data:
- First and last name
- E-mail address
- Any further voluntary information (e.g. telephone number)
This data is used to enable you to manage your orders conveniently, e.g. for:
- Viewing your order history
- Saving your delivery addresses
- Faster processing of future orders
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
You may also order as a guest without a customer account. In this case, we only collect the data required to process your order (e.g. delivery address, billing address, payment information).
Retention Periods:
Your personal data in the customer account will be deleted once you delete your account or the data is no longer required, unless statutory retention obligations (e.g. under commercial or tax law) prevent deletion. Where no statutory obligations apply, your data will be deleted no later than 2 years after the last activity.
For guest orders, we retain the required data (delivery address, billing address, payment information) only for as long as necessary for the performance of the contract or to comply with statutory retention obligations.
9. Payment Service Providers
We use external payment service providers to process payments. You select the payment service provider during the ordering process. The following provisions apply:
PayPal
If you choose PayPal as your payment method, payment is processed by PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg. The following personal data is automatically transmitted to PayPal:
- Name
- E-mail address
- Payment amount
- Transaction data
- Any further data required for payment processing
This transmission serves to process the payment as well as for fraud prevention and compliance. PayPal processes the transmitted data as an independent controller, in particular for the purposes of payment processing, fraud prevention and compliance. PayPal’s own privacy policy applies.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
For further information on data protection at PayPal, please visit: https://www.paypal.com/de/webapps/mpp/ua/privacy-full/
Stripe
If you pay by credit card, Apple Pay, Google Pay or SEPA direct debit, payment is processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter “Stripe”).
The following personal data is transmitted:
- Name
- Billing address
- Payment amount
- Payment data (e.g. credit card details / direct debit information)
- Transaction number / transaction identifier
This data is processed primarily for payment and payment transaction purposes. Stripe processes the transmitted data as an independent controller, in particular for the purposes of payment processing, fraud prevention and compliance. Stripe’s own privacy policy applies. A transfer of personal data to third countries (e.g. the USA) may occur, also on the basis of appropriate safeguards pursuant to Art. 46 GDPR.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
For further information on data protection at Stripe, please visit: https://stripe.com/de/privacy.
10. Transfer of Data to Fulfilment and Shipping Service Providers
To process your order, we work with the external fulfilment service provider Handelshaus Huber-Kölle Lebensmittel GmbH, which handles storage, picking and shipping of goods on our behalf.
For this purpose, we transmit the personal data required for the performance of the contract, in particular:
- First and last name
- Delivery address
- E-mail address (where applicable)
- Telephone number (where applicable)
Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of contract).
A data processing agreement pursuant to Art. 28 GDPR has been concluded with Handelshaus Huber-Kölle Lebensmittel GmbH.
Shipping is carried out by the logistics service provider DHL. The data required for delivery (name, delivery address, contact details where applicable) is transmitted to DHL for this purpose.
DHL processes this data as an independent controller.
11. Social Media
No social media plugins from third-party providers are currently actively integrated on this website. You will only find links to our social media profiles, which you may visit voluntarily. When clicking on external links, the privacy policy of the respective provider applies.
12. Analytics Tools
We currently do not use any external analytics or tracking tools (such as Google Analytics, Google Tag Manager, Facebook Pixel, etc.) on this website. The only statistical evaluations are carried out via the server log files provided by our hosting provider IONOS (see Section 4). This Privacy Policy will be updated as soon as any further analytics tools are deployed.
13. Plugins and Tools
WordPress
This website uses WordPress as its content management system (open-source software). WordPress is self-hosted via IONOS SE (see Section 4). As WordPress is self-hosted, no data is transmitted to Automattic Inc. Third-party plugins used will be listed separately in this Privacy Policy where they process personal data.
WooCommerce
We use WooCommerce as our shop plugin (open-source software). WooCommerce is also self-hosted via IONOS SE. The data processed in connection with order handling is described in Section 7. As WooCommerce is self-hosted, no data is transmitted to Automattic Inc. Third-party plugins used will be listed separately in this Privacy Policy where they process personal data.
WPML (Multilingual)
To display our website in multiple languages, we use the plugin “WPML” by OnTheGoSystems Ltd., 22/F 3 Lockhart Road, Wanchai, Hong Kong. WPML is used exclusively for the technical provision of language versions within our self-hosted WordPress system. No data is transmitted to external translation services, as all translations are created manually. The provider is based in Hong Kong (a third country); a transfer of technical data (e.g. in connection with updates, licence verification or support) cannot be entirely ruled out depending on configuration, and where it occurs, is carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR (e.g. EU Standard Contractual Clauses).
14. Newsletter
We do not currently offer a newsletter. As soon as a newsletter service is deployed, you will be informed at this point about the data processing involved, the service provider used, the legal basis (Art. 6(1)(a) GDPR) and your right to unsubscribe at any time.
15. No Automated Decision-Making
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.
16. No Obligation to Provide Personal Data
You are generally not obliged to provide personal data. However, without certain information, we may be unable to provide individual services (e.g. processing an order).
17. Your Rights
Below we inform you of the rights available to you under the GDPR and how you can exercise them.
Right of Access (Art. 15 GDPR)
You have the right to request information as to whether we process personal data about you. If this is the case, you have the right to access this data and to further information about the processing (e.g. purposes, recipients, retention period).
Right to Rectification (Art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data.
Right to Erasure (Art. 17 GDPR)
You may request the deletion of your personal data, provided no statutory retention obligations or other legal grounds prevent deletion.
Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request the restriction of processing of your personal data where:
– the accuracy of the data is contested,
– the processing is unlawful,
– we no longer need the data but you require it for the establishment, exercise or defence of legal claims.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive data that we process automatically on the basis of your consent or for the performance of a contract in a structured, commonly used and machine-readable format, or to have it transmitted to another controller where technically feasible.
Right to Object (Art. 21 GDPR)
WHERE DATA PROCESSING IS CARRIED OUT ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THOSE PROVISIONS. WHERE YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).
WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING; THIS ALSO APPLIES TO PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. WHERE YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).
Withdrawal of Consent
You may withdraw any consent you have given at any time with effect for the future. The lawfulness of processing carried out prior to withdrawal remains unaffected.
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority regarding the processing of your personal data. The competent authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Postfach 10 29 32
70025 Stuttgart
Telephone: +49 711 / 615541-0
E-mail: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de
To exercise your rights, please contact us by e-mail at info@drbildirmedical.com or in writing at our company address.
We reserve the right to update this Privacy Policy as necessary. Please check the current version on our website regularly.
Status: February 2026