1. DATA CONTROLLER
Current Controller: Andrei Mancu (Individual)
Address: Distlhofweg 18, 81369 Munich, Germany
Email: support@aeirmed.com
Phone: +49 (0) 162 2171920
Note: We are in the process of establishing aeirmed GmbH as the corporate data controller. This privacy policy will be updated upon completion of entity formation.
2. SCOPE AND BUSINESS STATUS
aeirmed is developing AI-powered medical documentation solutions to improve healthcare efficiency and patient care. We are currently in the beta testing phase with selected healthcare professionals.
This privacy policy covers:
Our website: www.aeirmed.com
Beta version of the physician platform (healthcare professionals only)
All communication related to product development and testing
Clinical research activities in partnership with medical institutions
3. CATEGORIES OF PERSONAL DATA PROCESSED
3.1 Website Visitor Data
Browser information (type, version, operating system)
Usage data (pages visited, time spent, click patterns)
Referrer URL and search terms
Device information (screen resolution, device type)
Cookies and tracking technologies (as detailed in Section 8)
3.2 Professional User Registration Data
First and last name
Email address
Professional information (medical practice, specialty, license)
Phone number (optional)
Feedback and support requests
3.3 Beta Platform Usage Data
Authentication data (login credentials, session tokens)
Usage analytics (feature usage, session duration, error logs)
Performance metrics (system response times, error rates)
Feedback and support communications
Technical logs (automatically anonymized after 30 days)
3.4 Medical Documentation Data (Special Category Personal Data)
We process health-related data exclusively for authorized healthcare professionals using our platform:
Audio Data:
Real-time voice recordings during medical consultations
Processing method: Immediate speech-to-text conversion
Storage: NO permanent storage of audio data
Location: EU servers only (France)
Generated Medical Content:
Clinical notes and structured documentation
Medical terminology extraction and coding
Diagnostic information and treatment plans
Patient-related identifiers (anonymized where possible)
Legal Basis for Health Data:
Art. 9(2)(a) GDPR: Explicit consent from physician
Art. 9(2)(h) GDPR: Healthcare provision under medical confidentiality
Art. 9(2)(j) GDPR: Scientific research with appropriate safeguards
German Medical Confidentiality Laws: § 203 StGB, Medical Professional Codes
4. LEGAL BASES FOR DATA PROCESSING
Art. 6(1)(a) GDPR: Consent (contact forms, newsletter)
Art. 6(1)(b) GDPR: Contract performance (beta usage)
Art. 6(1)(f) GDPR: Legitimate interests (website operation, product development)
5. PURPOSES OF DATA PROCESSING
5.1 Website Operation
Website provision and technical optimization
Usage statistics analysis via Google Analytics
IT security assurance
5.2 Beta Testing and Product Development
Function testing of AI-powered documentation software
User feedback collection for product improvement
Performance optimization of medical AI algorithms
5.3 Communication and Support
Processing inquiries and technical support
Information about product updates and new features
Clinical study coordination (LMU Klinikum)
6. DATA SECURITY AND TECHNICAL MEASURES
Server Location: Exclusively EU (France) - GDPR compliant
Audit Logging: Complete logging of all access
Usage of Google Gemini and OpenAI Whisper
Special Security for Medical Data:
Audio data NOT stored (real-time processing)
Medical notes with AES-256 encryption
Separate systems for different medical practices
Regular penetration testing
7. THIRD-PARTY DATA PROCESSORS AND TRANSFERS
7.1 Google Services
Google Analytics:
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Website usage analysis and optimization
Data Categories: Anonymized usage statistics, demographics
Transfer Safeguards: EU-US Data Privacy Framework
Data Retention: 14 months (reduced from standard 26 months)
IP Anonymization: Enabled (last octet removed)
Opt-out: Available at https://tools.google.com/dlpage/gaoptout
DPA Status: Executed under Google's standard terms
Google Gemini (AI Processing):
Provider: Google Ireland Limited
Purpose: Medical text analysis and natural language processing
Data Categories: De-identified medical text only
Transfer Safeguards: EU-US Data Privacy Framework + Standard Contractual Clauses
Data Location: EU processing preferred where available
Retention: No permanent storage, processing only
DPA Status: Executed [Date to be added]
7.2 OpenAI Services
OpenAI Whisper (Speech-to-Text):
Provider: OpenAI Ireland Limited
Purpose: Real-time speech-to-text conversion
Data Categories: Audio streams (temporary processing only)
Transfer Safeguards: Standard Contractual Clauses (Art. 46 GDPR)
Data Location: EU processing where available
Retention: No permanent storage of audio data
DPA Status: Executed [Date to be added]
7.3 International Data Transfers
Transfer Impact Assessment: We have conducted Transfer Impact Assessments for all international data transfers as required by GDPR.
Safeguards Implemented:
Standard Contractual Clauses (2021 version)
Supplementary technical measures (encryption, pseudonymization)
Regular adequacy assessments
Contractual obligations for data protection
Third Countries: United States (Google, OpenAI services only)
Adequacy Decision: EU-US Data Privacy Framework where applicable
8. COOKIES AND TRACKING TECHNOLOGIES
8.1 Essential Cookies
Session management: User authentication and session maintenance
Security: CSRF protection and security headers
Functionality: Language preferences and accessibility settings
Retention: Session-based or 30 days maximum
8.2 Analytics Cookies
Google Analytics: Website usage statistics (anonymized)
Purpose: Website optimization and performance improvement
Retention: 14 months
Opt-out: Available via browser settings or Google opt-out tool
8.3 Cookie Management
Consent banner: Granular consent options available
Browser controls: Users can control cookies via browser settings
Withdrawal: Consent can be withdrawn at any time
Cookie policy: Detailed information available in separate cookie policy
9. DATA RETENTION PERIODS
Website logs: 7 days
Google Analytics data: 26 months (Google standard)
Contact/registration data: Until consent withdrawal
Beta usage data: Until end of beta phase + 3 months
Medical documentation: According to medical retention requirements (10 years)
Support communication: 3 years
10. YOUR RIGHTS UNDER GDPR (Articles 15-22)
You have the following rights at any time:
Right of access: Information about stored data
Right to rectification: Correction of incorrect data
Right to erasure: Deletion of your data ("right to be forgotten")
Right to restriction: Limitation of processing
Data portability: Receipt of your data in structured format
Right to object: Objection to processing
Withdrawal of consent: Possible at any time without reason
Exercise your rights: support@aeirmed.com
11. SUPERVISORY AUTHORITY
For complaints, contact:
Bavarian State Office for Data Protection Supervision
Promenade 18, 91522 Ansbach, Germany
Email: poststelle@lda.bayern.de
Phone: +49 981 180093-0
12. NO DATA TRANSFER TO THIRD COUNTRIES
All data is processed exclusively in the EU.
Exception: Google Analytics with appropriate safeguards.
Exception: Google Gemini and OpenAI Whisper.
13. CHANGES TO THIS PRIVACY POLICY
This privacy policy will be updated when there are significant changes to our data processing. We will notify you of significant changes by email.
14. CONTACT INFORMATION
For privacy questions:
Email: support@aeirmed.com
Phone: +49 (0) 162 2171920
Last updated: 22.05.202
