Privacy Policy
Last updated: 1 March 2026 · Effective date: 1 March 2026
This policy covers both GDPR (EU/Germany) and HIPAA (United States) obligations.
1. Data Controller / Covered Entity
The data controller within the meaning of the General Data Protection Regulation (GDPR) and, where applicable, the covered entity / business associate within the meaning of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations is:
AureonCare
97816 Lohr am Main
Bavaria (Bayern), Germany
Email: info@aureoncare.tech
Phone: +49 176 203 80707
For all privacy-related enquiries please contact our Data Protection Officer (DPO) at: privacy@aureoncare.tech
2. Scope of This Policy
This Privacy Policy applies to all personal data and protected health information (PHI) processed by AureonCare through:
- Our website at aureoncare.tech and all sub-domains.
- The AureonCare SaaS platform and mobile applications.
- Any communication channels (email, telephone, contact forms, chat).
- Business relationships with healthcare providers, clinics, and partners.
3. Categories of Data We Collect
3.1 Website Visitors
- IP addresses and browser / device metadata (server logs, max. 7 days).
- Contact form submissions: name, email address, company, message content.
- Newsletter subscriptions: name, email address, opt-in timestamp.
- Cookies and similar tracking technologies (see Section 9).
3.2 Healthcare Provider Accounts
- Account credentials (name, work email, hashed password).
- Organisation name, specialty, address, NPI / registration number.
- Billing and payment information (processed by PCI-DSS–compliant payment processor; we do not store full card numbers).
- Platform usage logs and audit trails (required by the HIPAA audit-controls standard, 45 CFR §164.312(b)).
3.3 Protected Health Information (PHI)
Where a healthcare provider uses AureonCare as a Business Associate (as defined in 45 CFR §160.103), AureonCare may process PHI on behalf of the provider. PHI includes, but is not limited to:
- Patient demographics (name, date of birth, address, contact details).
- Medical record numbers, diagnoses (ICD codes), medications, and treatment notes.
- Insurance identifiers and claims information.
- Electronic health records (EHR) and e-prescriptions.
AureonCare processes PHI solely as instructed by the covered entity under a signed Business Associate Agreement (BAA). Patients wishing to exercise rights over their PHI should contact their healthcare provider directly.
4. Legal Bases for Processing (GDPR — Art. 6 & 9)
| Processing Activity | Legal Basis |
|---|---|
| Contact form enquiries | Art. 6(1)(b) — pre-contractual measures |
| Platform service delivery | Art. 6(1)(b) — contract performance |
| Tax and accounting records | Art. 6(1)(c) — legal obligation (§ 147 AO, § 257 HGB) |
| Security, fraud prevention, audit logs | Art. 6(1)(f) — legitimate interests |
| Marketing newsletters | Art. 6(1)(a) — consent (freely withdrawable) |
| Processing health data (PHI / Art. 9 GDPR) | Art. 9(2)(h) — healthcare provision; Art. 9(2)(a) — explicit consent where required |
5. HIPAA Compliance
AureonCare implements and maintains administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C) and complies with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E):
5.1 Technical Safeguards
- Transport encryption (TLS 1.3) for all data in transit between clients, the platform, and sub-processors.
- AES-256 encryption for PHI at rest.
- Unique user identification and automatic session timeouts.
- Role-based access controls (RBAC) with least-privilege principle.
- Audit logs capturing user access, modifications, and disclosures of PHI.
- Multi-factor authentication (MFA) for all platform accounts.
5.2 Administrative Safeguards
- Designated Security and Privacy Officer.
- Annual workforce training on HIPAA privacy and security obligations.
- Risk analysis and risk management programme reviewed at least annually.
- Business Associate Agreements (BAAs) executed with all sub-processors handling PHI.
- Incident response and breach notification procedures compliant with 45 CFR §164.400–414.
5.3 Physical Safeguards
- Data hosted in ISO/IEC 27001–certified data centres with restricted physical access.
- Workstation use and device disposal policies in place.
- Media re-use and destruction procedures compliant with NIST SP 800-88.
5.4 Breach Notification
In the event of a breach of unsecured PHI, AureonCare will notify affected covered entities without unreasonable delay and no later than 60 calendar days after discovery, in accordance with 45 CFR §164.410. Covered entities remain responsible for notifying individuals and, where applicable, the U.S. Department of Health & Human Services (HHS) and media outlets pursuant to 45 CFR §164.404–408.
6. How We Use Your Data
- Provide, maintain, and improve the AureonCare platform and website.
- Respond to enquiries, support requests, and contact form submissions.
- Process payments and manage subscriptions.
- Send transactional communications (e.g., invoices, system alerts, security notices).
- Send marketing communications where you have provided consent (opt-out available at any time).
- Comply with applicable legal obligations (tax law, accounting, regulatory reporting).
- Detect and prevent fraud, misuse, and security incidents.
- Conduct anonymised product analytics to improve user experience.
We will never sell, rent, or trade personal data or PHI to third parties for their own commercial purposes.
7. Data Sharing and Recipients
We share personal data only when necessary and with appropriate contractual safeguards:
- Cloud infrastructure providers — hosting, storage, CDN (under DPA / BAA).
- Payment processors — PCI-DSS–certified providers for billing.
- Email service providers — transactional and marketing emails (under DPA).
- Analytics providers — anonymised/pseudonymised usage metrics only.
- Professional advisors — lawyers, accountants, auditors (under confidentiality obligations).
- Regulatory authorities — where required by law (e.g., tax authorities, supervisory authorities).
A current list of sub-processors is available on request at privacy@aureoncare.tech.
8. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), AureonCare relies on one or more of the following transfer mechanisms:
- European Commission adequacy decisions (Art. 45 GDPR).
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR).
- Binding Corporate Rules where applicable (Art. 47 GDPR).
PHI transferred to or from U.S.-based systems is subject to HIPAA requirements and is handled exclusively within environments covered by a valid BAA.
9. Cookies and Tracking Technologies
| Category | Purpose | Basis |
|---|---|---|
| Strictly necessary | Session management, authentication, security | Art. 6(1)(b)/(f) — no consent required |
| Functional | User preferences, language, layout settings | Art. 6(1)(a) — consent |
| Analytics | Anonymised page views and feature usage | Art. 6(1)(a) — consent |
| Marketing | Personalised advertising and retargeting | Art. 6(1)(a) — consent (not currently active) |
You can adjust cookie preferences at any time via your browser settings or our cookie consent banner. Withdrawing consent does not affect the lawfulness of processing before withdrawal.
10. Data Retention
- Contact form data: 3 years from last contact.
- Account data: Duration of contract + 3 years after termination.
- Financial / invoicing records: 10 years (§ 147 AO, § 257 HGB).
- PHI / EHR data: As directed by the covered entity; minimum retention periods apply per applicable state/federal law (typically 6–10 years after last service date; paediatric records until age of majority + retention period).
- Audit logs (45 CFR §164.312(b)): 6 years, in line with the documentation retention period in 45 CFR §164.316(b)(2).
- Server access logs: 7 days (then automatically purged).
- Marketing consent records: Until consent is withdrawn + 3 years.
After the applicable retention period expires, data is securely deleted or anonymised in accordance with NIST SP 800-88 and DIN 66399 guidelines.
11. Your Rights under the GDPR
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
Right of Access (Art. 15)
Obtain confirmation of and access to your personal data.
Right to Rectification (Art. 16)
Have inaccurate data corrected without undue delay.
Right to Erasure (Art. 17)
Request deletion ("right to be forgotten") where conditions are met.
Right to Restriction (Art. 18)
Restrict processing while accuracy or legality is disputed.
Right to Portability (Art. 20)
Receive data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time without affecting prior lawful processing.
Right not to be Subject to Automated Decisions (Art. 22)
Not be subject to solely automated decisions with significant effects.
To exercise any of these rights, contact us at privacy@aureoncare.tech. We will respond without undue delay and in any event within one month of receipt (Art. 12(3) GDPR; extendable by two further months where necessary, in which case we will inform you of the extension and the reasons for it). We may ask you to verify your identity before fulfilling a request.
You also have the right to lodge a complaint with the competent supervisory authority. For AureonCare, the lead supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Bavaria, Germany
Web: www.lda.bayern.de
12. Patient Rights under HIPAA
As a Business Associate, AureonCare supports covered entities in fulfilling the following patient rights under HIPAA (45 CFR §164.520–528):
- Right to access PHI — Patients may request copies of their medical records from their provider.
- Right to amend PHI — Patients may request corrections to inaccurate or incomplete records.
- Right to an accounting of disclosures — Patients may request a list of certain disclosures of PHI.
- Right to request restrictions — Patients may request limits on uses and disclosures of PHI.
- Right to confidential communications — Patients may request alternative means or locations for communications.
- Right to a Notice of Privacy Practices — Covered entities must provide this notice to patients.
Patients should direct all HIPAA rights requests to their healthcare provider. AureonCare will assist covered entities in responding to such requests as required by the applicable BAA.
13. Data Security
AureonCare implements industry-standard technical and organisational measures (TOMs) to protect personal data and PHI against unauthorised access, alteration, disclosure, or destruction:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption for all data at rest.
- SOC 2 Type II–aligned security programme.
- Penetration testing conducted at minimum annually by independent third parties.
- Vulnerability management and patch management programme.
- 24/7 security monitoring and intrusion detection systems.
- Disaster recovery and business continuity plans tested regularly.
- Background checks and confidentiality agreements for all staff with data access.
Despite these measures, no method of transmission over the Internet is 100% secure. We encourage users to use strong, unique passwords and enable MFA on their accounts.
14. Children's Privacy
Our website and platform are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16 without verifiable parental or guardian consent. Where PHI of minors is processed within our platform, this is done solely at the direction of the covered entity and in compliance with applicable law (including the Children's Online Privacy Protection Act (COPPA) and Art. 8 GDPR).
If you believe we have inadvertently collected personal data from a child, please contact privacy@aureoncare.tech immediately.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by posting a prominent notice on our website and, where appropriate, by sending an email notification to registered users at least 30 days before the change takes effect. The "Last updated" date at the top of this page indicates when the most recent revision was made.
Your continued use of our services after the effective date constitutes your acceptance of the revised policy.
16. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or our data processing activities, please contact:
AureonCare — Data Protection
97816 Lohr am Main, Bavaria, Germany
Email: privacy@aureoncare.tech
Phone: +49 176 203 80707