Privacy Policy of Sani Medical AG

In this privacy policy, we, Sani Medical AG, explain how and for what purposes we collect and process your personal data. It applies to all persons whose personal data we process (e.g. patients, interested parties, website visitors, job applicants, contact persons of business partners and suppliers) and does not constitute an exhaustive description. Where applicable, we will inform you about further processing and/or obtain your consent for the processing of your data, e.g. as part of the registration form.

This privacy policy is designed to meet the requirements of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). However, whether and to what extent these laws apply to the processing of your data depends on the specific case.

1. Identity and contact details of the controller

The controller responsible for the data processing described in this privacy policy is Sani Medical AG, Bütbergstrasse 15, 8427 Rorbas.

Please direct your data protection-related questions and concerns to the following address: sani@sanimedical.ch

2. What personal data do we process?

Personal data is information that relates to a specific or identifiable natural person. We process various categories of such data. Below, you will find the most important categories for your information.

  • Master data: This includes basic information about you, such as name, contact details, occupation, or date of birth. We collect your master data particularly when you receive services from us (e.g., medical treatment). Furthermore, we collect your master data when you sign up for a newsletter. We also collect master data about contact persons of business partners, organisations, or authorities.
  • Contract data: This relates to information that arises in connection with the conclusion or execution of a contractual relationship (e.g., the type and duration of a treatment contract concluded between you and us, or billing information). Health data and information about third parties may also be processed as contractual data (e.g., cases of illness in the family). We primarily enter into contracts with patients, business partners, suppliers, and, if applicable, job applicants.
  • Health data: In connection with our medical services, we also regularly process health data. This includes all information that allows conclusions to be drawn about your physical or mental health status (e.g. medical findings, information about treatments, prescriptions, certificates, etc.).
  • Communication data: When you or we initiate contact with each other, for example through calls, via an app, contact form, or postal and email correspondence, we process the exchanged content as well as information about the type, time, and location of communication. To verify your identity, we may ask you for identification and/or your health insurance number.
  • Behavioural and transactional data: When you use our services, our app or website, we collect data about this usage or your usage behaviour.
  • Preference data: In order to best align our offers and services with our customers, we also collect data on your interests and preferences. We can link and evaluate behavioural and transactional data with other data for this purpose. On this basis, we can draw conclusions about characteristics, preferences and anticipated behaviour, e.g. your preferences for certain products and services.
  • Technical data: When you use our website, we collect certain technical data, such as your IP address, information about your internet service provider, your device's operating system, referring URL details, browser information, date and time of access, and content viewed. This data is temporarily stored in log files. Technical data may include, in particular, behaviour, transaction, and preference data.
  • Photo, video and audio recordings: It is possible that we may create photo, video, and audio recordings of you. This may occur, for example, when you contact us by telephone or participate in an event hosted by us. During medical treatments, recordings may be made to enable a better assessment or to document treatment steps. We also make recordings in connection with video surveillance within our premises, particularly at the entrance, reception, and in the training area. With your prior consent, we may also use the (anonymised) recordings for advertising purposes (e.g., on our website).
  • Other data: We may also process your data in other situations. For example, data may arise in connection with official or legal proceedings (such as files, evidence, etc.) which may also relate to you. For health protection reasons, we may also collect data (e.g. as part of the implementation of protective concepts).

It is possible that we will process further personal data, particularly data that you disclose directly to us. Under points 3 and 4 respectively, we will inform you about the origin of the data and the purposes for processing this data.

3. Where do we obtain personal data from?

We primarily process personal data that we receive in the course of initiating, assessing, or carrying out the business relationship with you or your employer or other persons you represent, or that we collect from you as a user of our website or app. In particular, master data, contract data, and communication data are usually provided by you. Preference data is also regularly provided by yourself. If you transmit personal data of other persons (e.g. family members, work colleagues, etc.) to us, please ensure that these persons are aware of this data protection declaration and only share their personal data with us if you are permitted to do so and if this personal data is correct.

Certain personal data about you is also collected automatically, for instance when you visit our website or app. This usually comprises behavioural and transactional data, as well as technical data. Furthermore, we can derive personal data from existing data, for example by analysing behavioural and transactional data. This derived data relates to preference data or, in the case of medical examinations, master data. Insofar as we are permitted and it appears appropriate, for example to verify a (potential) business partner, we also obtain certain personal data from publicly accessible sources such as debt enforcement or commercial registers, or we obtain such information from authorities or other third parties (e.g. hospitals, referring physicians).

4. What are the purposes of data processing?

Where we process your personal data, this processing is always carried out for a specific purpose. This depends on your relationship with us (e.g. patient, interested party, website visitor, contact person for a business partner or supplier, job applicant, etc.). We always pursue one or more of the following purposes when processing your data:

  • Contract processing: We process your personal data in the context of contract initiation, conclusion and fulfilment, particularly in connection with the provision of medical services. In doing so, we primarily use master data, contract data, health data where applicable, communication data, behavioural and transaction data, and preference data.
  • Communication: To contact you or stay in touch, and to respond to your queries, we process personal data for communication with you. This includes making contact, answering enquiries, customer support, and arranging appointments. In doing so, we primarily use communication data and master data, and where applicable, also contract data within the scope of contract communications.
  • Offer improvement and development: We process your personal data to improve and develop our services. This includes conducting surveys and studies. The processing may concern all the data categories mentioned, as well as – where possible, pseudonymised or anonymised – information from customer surveys, polls and studies.
  • Compliance with legal obligations: We process your personal data to comply with legal obligations (e.g., retention of patient records, patient information, reporting to authorities, ensuring data security, checking business partners, conducting internal investigations, complying with employment law). Processing may affect all categories of data mentioned.
  • Safety and prevention: We process your personal data to ensure personal and IT security, as well as to prevent theft, fraud and misuse. This includes the analysis of log data, access controls and video recordings. The processing may concern all the data categories mentioned.
  • Operation and optimisation of website and app: We process your personal data to enable you to use our website and our app, to ensure and optimise their functionality, security and stability. We primarily use technical data for this.
  • Justification: We process your personal data to enforce our own claims or to defend ourselves against third-party claims or accusations. This may include the judicial, pre-judicial or out-of-court assertion or defence of claims, as well as defence or co-operation within the scope of official proceedings. The processing may involve all of the mentioned data categories.
  • Information and marketing: We process your personal data for marketing purposes. This includes the delivery of written and electronic communications (e.g. newsletters) as well as the execution of marketing campaigns (e.g. invitations to events). You have the option to object to such communications at any time (see Section 13). In the case of newsletters, you can unsubscribe via the unsubscribe link. Personalisation of communications allows us to tailor information to your interests.

5. Grounds for justification

In the context of the applicability of the Data Protection Act, we generally do not require a legal basis for processing your personal data. Should we require one as a result of the applicability of the GDPR, we will generally base the respective processing on one of the following grounds, which usually corresponds to the purpose of the processing (see point 4):

  • Performance of a contract or taking steps prior to entering into a contract (Art. 6(1)(b) GDPR);
  • Necessity for compliance with a legal obligation (Art. 6(1)(c) GDPR);
  • Safeguarding overriding legitimate interests (Art. 6(1)(f) GDPR);
  • Exceptions to the processing of special categories of personal data, such as health data, trade union membership information, and data concerning criminal convictions and offences (Art. 9(2) GDPR).

The following are particular examples of legitimate interests, which may encompass both our own interests and those of third parties:

  • Improvement and development of products and services;
  • Provision of products and services to third parties;
  • Customer communication and relationship management;
  • Advertising and marketing activities;
  • The fight against fraud, and the prevention and investigation of criminal offences;
  • Protection of customers, employees and other persons as well as data, secrets, know-how and other assets;
  • Ensuring IT security;
  • Guarantee and organisation of business operations;
  • Management and development;
  • Purchase or sale of companies and other assets;
  • Enforcement or defence of legal claims;
  • Compliance with domestic and foreign laws and internal policies.

Insofar as you give us your consent to process your personal data for specific purposes (Art. 6(1)(a) GDPR; Art. 6(6) Data Protection Act), we process the data based on your consent, provided we have no other legal basis and require one. You can withdraw your consent at any time, with effect for the future, by emailing the address mentioned in Section 1.

6. Cookies and similar technologies on our website, app and in newsletters

We typically use «cookies» and similar technologies on our website and app to identify your end device (computer, smartphone, tablet, etc.). A cookie is a small file that is sent to your device or stored by your browser when you visit our website or use our app. This enables us to recognise you when you visit our website or app again, even if we do not know who you are (unless you are logged in with your account, e.g. in the app). In addition to cookies that are only used during a session and are deleted after your visit («session cookies»), we also use cookies to save your settings and other information for a certain period of time («permanent cookies»). We may also use technologies such as pixel tags or fingerprints to store data in the browser to track your behaviour on our website and app or in relation to our newsletters. Pixel tags are invisible graphics or codes that transmit information about your behaviour on our website and app or your interaction with our newsletter. Fingerprints are information about the configuration of your end device or browser that makes it distinguishable from other end devices.

We use these types of technologies on our website and app and may allow certain third parties to do so as well. Depending on the purpose of the technologies (i.e. for performance and marketing cookies, see below) we ask for your consent. You can configure your browser to block or bypass certain cookies or other technologies, or to delete existing cookies. You can also add a software extension to your browser that blocks tracking by certain third parties. For more information, please see your browser's help pages (usually under the heading «Privacy») or the websites of the third parties we list below.

Cookies (including other technologies such as fingerprinting) are categorised as follows:

  • Essential Cookies: Cookies that are essential for the website or app to function. For example, they ensure that your settings (e.g. language selection) or entries (e.g. appointment booking) are saved when your session (i.e. your visit to the website) ends. If you block these cookies, the website may not function. Such cookies expire after up to 12 months.
  • Performance cookies: To optimise our website and app, and to better tailor our services to user needs, we use cookies to record and analyse website usage. The third-party providers (internet analytics service providers) we engage for this purpose are listed below. Performance cookies expire after up to 24 months. You can find more details on the third-party providers' websites.
  • Marketing cookies: We and our advertising partners are interested in targeting advertisements to the groups who are interested in relevant offers. For this purpose, we and our advertising partners use cookies. Depending on the situation, these cookies expire after a few days or 24 months.

In addition to cookies, we also use other technologies to manage online advertising on other websites to reduce wastage. Operators are not provided with personal email addresses of individuals they do not already know. However, for known email addresses, they can ascertain that the individuals concerned have been in contact with us and what content they have accessed.

We can also integrate other third-party offers on our website or app, particularly from social media platforms. This content is deactivated by default. As soon as you activate it (e.g., by clicking on a button), the respective platform operators can tell that you are on our website or app. If you have an account with the operator, they can link this information to you and thus track your use of online services. These operators process the data under their own responsibility.

We currently use services from the following service providers and advertising partners (if they use data from you or cookies placed on your device for advertising management):

  • Google Analytics: Google Ireland (based in Ireland) is the provider of the Google Analytics service and acts as our processor. In this context, Google Ireland uses Google LLC (based in the USA) as its processor (together: «Google»). Google uses tracking cookies and similar technologies (see above) to track the behaviour of visitors to our website (duration, frequency of pages viewed, geographical origin of access, etc.) and to compile reports on the use of our website on this basis. We have configured the service so that the IP addresses of Google visitors in Europe are truncated before being forwarded to the USA and cannot be tracked. We have activated the settings «Data transmission» and «Signals». Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google uses this data for its own purposes to draw conclusions about the identity of visitors, create personal profiles and link this data to the Google accounts of the persons concerned. If you agree to the use of Google Analytics, you expressly consent to such processing, which also enables the transfer of personal data (in particular usage data for the website, device information and individual IDs) to the USA and other countries. Information on data protection at Google Analytics can be found here: https://support.google.com/analytics/answer/6004245. If you have a Google account, you can find more information about Google's processing activities at the following link: https://policies.google.com/technologies/partner-sites?hl=de.
  • Google Maps: Our website uses the Google Maps map service. The provider is Google LLC, USA. Google Maps allows us to show you our location. For this integration to work, Google stores data from you (search terms, IP address, latitude and longitude coordinates, starting address if needed when using the route function, etc.) and places at least one cookie in your browser that stores data about your user behaviour. Google uses this data primarily to optimise its own services and to provide individual, personalised advertising. Your data may also be transferred to the USA. You can find the data protection policy for the Google Maps map service at the following link: https://policies.google.com/privacy?hl=de.

The following links explain how to access cookie settings in different browsers:

7. Social Media

We operate pages and other online presences («fan pages», «channels», «profiles», etc.) on social networks and other platforms operated by third parties, through which we collect the data about you described below. We receive this data from you and from the platforms when you contact us via our online presence (e.g. when you communicate with us, comment on our content or visit our online presence). The platforms also evaluate your use of our online presence and link this data with other data about you that is known to the platforms (e.g. your behaviour and preferences). They also process the data for their own purposes under their own responsibility, in particular for marketing and market research purposes (e.g. to personalise advertising) and to manage their platforms (e.g. what content they show you). We receive data about you when you communicate with us via our online presences, display our content on the relevant platforms, visit our online presences or are active in your use of our online presences (e.g. when you publish content, make comments). These platforms also collect technical data, registration data, communication data as well as behavioural and preference data etc., either from you or about you. These platforms also carry out regular statistical analyses of how you interact with us or how you use our online presences and link this data with other information about you (e.g. age, gender and other demographic information). This enables them to create profiles about you and to compile statistics about the use of our online presences. They use this data and profiles to show you personalised advertising and content on the platform from us or from other parties and to control the behaviour of the platform. They also use the data for market research and user research purposes and to provide us and other entities with information about you and the use of our online presence. 
We have partial control over the analyses that these platforms create in relation to the use of our online presence. We process this data for the purposes described in section 4, in particular for communication and marketing purposes (including advertising on these platforms) and for market research purposes. You can find information on the relevant legal bases in section 5. We are authorised to share content published by you (e.g. comments) - on the platform or elsewhere. We and the operators of the platforms may also delete or restrict content from you or delete or restrict content from or to you in accordance with the usage guidelines (e.g. inappropriate comments).

For further information on the processing activities of the platform operators, please refer to the platforms' data protection policies. These policies also provide details about the countries in which they process your data, what rights you have to access and delete your data, what other rights you have as a data subject, and how you can exercise these rights or obtain further information. We currently use the following platforms:

8. Data transfer

We ensure that only those employees who require access to your personal data for their respective roles are granted such access. All employees are obliged to comply with our internal directives and to handle your data confidentially.

We regularly disclose your personal data to external third parties whose services we use. As a rule, such service providers process your data on our behalf, i.e. as so-called «contract processors». Our contract processors are obliged to process your personal data exclusively according to our instructions and to ensure data security. Through careful selection of service providers and contractual agreements, we ensure that data protection is guaranteed during the processing of your data. In the following cases, we also disclose your data to third parties who process the data not according to our instructions, but for their own purposes and thus in their own responsibility:

  • Referrals to hospitals or other specialists, colleagues (e.g. other doctor's practices), laboratories etc.;
  • Sharing information about your health condition with your relatives;
  • Communications to health insurers for the evaluation of cost approvals;
  • Sharing of anonymised or pseudonymised health data with educational and research institutions for use in scientific studies;
  • Engaging factoring and/or debt collection companies, assignment of claims where applicable;
  • Review or execution of corporate law transactions (e.g. company acquisitions, sales and mergers);
  • Disclosure of personal data to courts and authorities in Switzerland and abroad (e.g. to law enforcement agencies on suspicion of criminal offences or in connection with the implementation of health protection measures);
  • Disclosure of personal data to comply with a court order or to establish, exercise or defend legal claims.

Please also note the information on the integration of cookies and similar technologies on our website, apps and newsletters (Section 6) as well as on our presence on social media platforms (Section 7) in connection with the independent data collection by third-party providers, whose tools we may have integrated on our website.

We naturally adhere to the professional secrecy obligations that govern us within the scope of the doctor-patient relationship. In such cases, we will only disclose your data to third parties based on your separate consent or a corresponding release from the responsible supervisory authority. However, auxiliary staff (e.g. medical practice assistants, secretarial staff, and certain [IT] service providers) are not considered third parties.

9. Data transfer abroad

The recipients in accordance with item 8 are generally located in Switzerland, but can in principle also be located in any other country in the world. If a recipient is exceptionally located in a country without adequate data protection, we contractually oblige the recipient to comply with applicable data protection law by concluding the Standard Contractual Clauses of the EU Commission (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), if necessary with the required adaptations according to the GDPR, insofar as the recipient is not already subject to a legally recognised framework for ensuring data protection and we cannot rely on an exemption (e.g. legal proceedings abroad, overriding public interests, necessity for contract performance, consent of the data subject).

10. Retention period of personal data

We process and store your personal data for as long as it is necessary for the fulfilment of our contractual and legal obligations or otherwise for the purposes pursued with the processing, i.e. for the duration of the entire business relationship (from initiation, execution to termination of a contract) and beyond in accordance with statutory retention periods (your medical history is generally kept for 20 years after your last treatment). It is possible that personal data will be retained for the period in which claims can be asserted against us or other legitimate interests so require (e.g. for proof and documentation purposes). As soon as your personal data is no longer required for the aforementioned purposes, it will be deleted or anonymised. Shorter retention periods of a maximum of 48 hours apply to operational data (e.g. system logs, logs).

11. Data Security

We take appropriate technical and organisational measures to protect your data from loss, unauthorised access and misuse. These include, among other things, staff training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymisation of personal data (e.g. in the context of data transfer to service providers), and regular checks.

12. Obligation to provide personal data

As part of our business relationship, you must provide the personal data that is necessary for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations. Without this data, we will generally not be able to provide the services you require. The website and app also cannot be used if certain details are not disclosed to ensure data traffic.

13. Your Rights

You have the right to information, correction, deletion, the right to restrict data processing and the right to object to processing, in particular for the purposes of direct marketing, and other legitimate interests in processing, as well as the right to the disclosure of certain personal data for the purpose of transfer to another organisation, within the framework of the applicable data protection law - insofar as this is provided for therein. Please note that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to store or process certain data, have an overriding interest in doing so or need it to assert claims. If you incur costs (e.g. in the case of complex requests for information), we will inform you in advance. We have already informed you about the possibility of withdrawing your consent in section 5. Please note that exercising your rights may conflict with our contractual agreements and this may have corresponding consequences, such as premature cancellation of the contract.

Exercising such rights typically requires you to prove your identity unequivocally by providing a copy of your identification. To assert your rights, you can contact us at the address provided in section 1.

You have the right to enforce your claims in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner.

14. Amendments

We can amend this privacy policy at any time. The version most recently published on our website will apply. If the privacy policy is part of an agreement with you, we will inform you of any changes in the event of an update.

Version valid from 01.09.2024