Privacy Policy

Last updated: April 7, 2026

This privacy policy explains how ONLAINEZ ("we", "us", "our") collects, uses, and protects your personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR).

1. Data Controller

The data controller for the platform and its infrastructure is:
ONLAINEZ, operated by Adán Lainez
Bavaria, Germany
Contact: privacy@onlainez.net

For data entered by clinics, pharmacies, or shops about their clients/patients: the clinic, pharmacy, or shop owner is the data controller. We act as data processor on their behalf (see Section 8).

2. Data We Collect

2.1 Account holders (clinic owners, shop owners, staff)

  • Account data: name, email, password (bcrypt hashed), role, language preference
  • Billing data: subscription plan, payment history (processed by Stripe — we do not store card data)
  • Usage data: IP address, browser, device, pages visited (for security and platform improvement)

2.2 End users (patients, customers)

  • Contact data: name, email, phone (provided when booking or purchasing)
  • Health data: only if the Healthcare or Pharmacy module is active — see Health Data Annex
  • Transaction data: only if the Shop module is active — order history, delivery address

2.3 Website visitors

  • Essential cookies: session, CSRF protection, language preference
  • IP-based geolocation: country/city (resolved locally via MaxMind GeoLite2 — no data sent to third parties)

We do not use third-party tracking cookies (Google Analytics, Facebook Pixel, etc.). We do not sell personal data.

3. Legal Basis for Processing

PurposeLegal basis
Providing the platform servicesContract performance (Art. 6.1.b)
Processing health dataExplicit consent (Art. 9.2.a) and/or healthcare provision (Art. 9.2.h)
Subscription billing and invoicesContract performance (Art. 6.1.b) + Legal obligation (Art. 6.1.c)
Email notifications (appointments, orders)Legitimate interest (Art. 6.1.f)
Security (rate limiting, audit logs, fraud detection)Legitimate interest (Art. 6.1.f)
Tax record retentionLegal obligation (Art. 6.1.c)

4. How We Use Your Data

  • To provide and maintain the platform services
  • To process payments and manage subscriptions
  • To send service-related notifications (appointment reminders, order confirmations, security alerts)
  • To detect and prevent fraud, abuse, and security threats
  • To comply with legal obligations (tax records, regulatory requirements)

5. Data Sharing

We share personal data only with:

  • Stripe Inc. — payment processing (PCI-DSS compliant). Stripe Privacy Policy
  • Our hosting provider — server infrastructure within the EEA (data processing agreement in place)
  • Authorities — when required by law or court order

We do not share data with advertising networks, data brokers, or any other third party.

6. Cookies

  • Essential cookies (always active): session management, CSRF protection, language preference, theme preference

No optional or third-party cookies are used. No cookie consent banner is required for essential-only cookies under the ePrivacy Directive. We display one as a courtesy.

7. Your Rights (GDPR Articles 15-22)

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erase your data — "right to be forgotten" (Art. 17), subject to legal retention obligations
  • Restrict processing (Art. 18)
  • Data portability — export your data in machine-readable format (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7.3)
  • Lodge a complaint with your national data protection authority (AEPD in Spain, BfDI in Germany, CNIL in France)

To exercise any right: privacy@onlainez.net. We will respond within 30 days.

8. Data Processing Agreement (DPA)

When you use the platform to process personal data of your clients or patients, you are the data controller and we are the data processor under GDPR Article 28. A DPA is available upon request at privacy@onlainez.net.

9. Data Retention

  • Account data: retained while your account is active. Deleted within 60 days after account termination
  • Billing records: retained for 7 years after the transaction (German tax law — AO §147)
  • Security logs: automatically purged after 90 days
  • Health data: see Health Data Annex (if applicable)

10. Data Security

We protect your data with:

  • HTTPS encryption (TLS) for all data in transit
  • Password hashing (bcrypt) — we never store plaintext passwords
  • CSRF protection on all forms
  • Rate limiting on authentication and public endpoints
  • Role-based access control (RBAC) with network-level data isolation
  • Audit logging of administrative actions
  • Automated backups with encryption

11. International Transfers

Your data is processed within the European Economic Area (EEA). If Stripe processes payment data in the US, this transfer is covered by Stripe's Standard Contractual Clauses and Data Privacy Framework certification.

12. Children

The platform is not directed at children under 16. We do not knowingly collect personal data from children. Patient records of minors are entered by their legal guardians or healthcare providers.

13. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect. The "last updated" date at the top reflects the most recent revision.

14. Contact

Data protection inquiries: privacy@onlainez.net

← Back
Language
English Español Deutsch
We use cookies to enhance your experience. Essential cookies are always active. Privacy Policy · Terms of Service