General Privacy Policy

Data Controller:

AMBOSS GmbH
Torstrasse 19
10119 Berlin, Germany
E-mail: hello@amboss.com
Phone: +49 (0) 30 – 5770221-0

Managing Directors: Dr. med. Madjid Salimi, Dr. med. Nawid Salimi, Benedikt Hochkirchen
Local Court Berlin (Charlottenburg), HRB 209607

Contact details data protection officer:

AMBOSS GmbH
Data Protection Officer
Torstrasse 19
10119 Berlin, Germany
privacy@amboss.com

Privacy Policy Last Update Date: May 2024

AMBOSS GmbH is a young company providing high-quality services for physicians and medical students as well as learning materials. We want you, as a user of our services, to understand how we use information and what options you have to protect your data. We are aware of the importance and sensitivity of your personal data and thank you for your trust. Handling it responsibly is a major concern for us. If you have any questions about this, please do not hesitate to contact us.

1. Basic information on data processing and legal basis

1.1 This privacy policy informs users about the nature, scope and purposes of the processing of personal data by the responsible provider, AMBOSS GmbH (“AMBOSS” or “we”). It applies to data processing in the following areas:

  • The website www.amboss.com operated by AMBOSS including the registered area of the online knowledge and learning program “AMBOSS” accessible via this website and
  • The AMBOSS mobile apps (native mobile apps on iOS and Android).

We inform separately about data processing in the following areas:

1.2 We process users’ personal data exclusively in compliance with the relevant provisions of data protection law. In accordance with Art. 13 EU General Data Protection Regulation (GDPR), we inform you about the legal basis of our data processing. If the respective legal basis is not mentioned in this privacy policy, the following applies: Legal basis for the processing of personal data with separate consent is Art. 6 para. 1 lit. a GDPR, legal basis for the processing of data for the performance of a contract and for the implementation of pre-contractual measures is Art. 6 para. 1 lit. b GDPR, legal basis for the processing of personal data to meet our legal obligations is Art. 6 para. 1 lit. c GDPR and legal basis for the processing of personal data to protect our legitimate interests is Art. 6 para. 1 lit. f GDPR.

2. Data sharing

2.1 First of all, only our employees who are involved in technical, commercial and editorial support receive knowledge of your personal data. In addition, we use external service providers within the scope of the data processing explained in this privacy policy or, if necessary, commission them with certain services. We list the categories of external recipients in detail below:

  • IT service providers, e.g. as part of the administration and hosting of our website, the online knowledge and learning program and the apps or individual services/functionalities as well as for analysis/measurement;
  • logistics service provider in order to be able to send you any information brochures you may have ordered;
  • payment service providers and banks, in processing payments, in particular Shopify Inc. (for Shop Pay) and Stripe Payments Europe, Ltd;
  • collection agencies and legal counsel in asserting our claims; or
  • our subsidiary company AMBOSS MD Inc. (234 5th Avenue, 2nd Floor, New York, NY, 10001) as required for our business purposes.

2.2 Personal data is only passed on to third parties on the basis of legal permits and within the framework of the legal requirements. If we commission service providers with the processing of data within the framework of a so-called “Data Processing Agreement (DPA)”, this is done on the basis of Art. 28 GDPR.

2.3 Personal data may also be transferred to servers outside the EU or to trusted third parties based outside the EU. If there is no EU Commission decision on an adequate level of data protection for the country in question, the transfer will take place on the basis of so-called EU standard contractual clauses, which aim to ensure that your rights and freedoms are adequately protected and guaranteed. You should be aware that many countries do not provide the same level of legal protection for personal data that you enjoy in the EU. While your personal data is located in another country, it may be accessed by courts, law enforcement and national security authorities of that country in accordance with its laws.

3. Purposes of data processing and legal bases

3.1 Informational use of the website

During the informational use of the website, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This is our legitimate interest, so that the legal basis is Art. 6 para. 1 lit. f GDPR.

This data is: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request came, browser, operating system and its interface, language and version of the browser software.

This data is also stored in log files. They are deleted when their storage is no longer necessary, at the latest after 14 days.

3.2 Hosting and provision of the website

We use AWS to host our website. The provider is Amazon Web Services EMEA Sàrl, Avenue John F. Kennedy 38, 1855 Luxembourg. The provider thereby processes the personal data transmitted via the website, e.g. content, usage, meta/communication data or contact data, on servers in the EU. Further information can be found in the provider’s privacy policy at https://aws.amazon.com/de/privacy/?nc1=f_pr.

We also use the following content delivery networks:

  • CloudFront: For description see section 4.1.1.
  • Cloudflare: For description see section 4.1.1.
  • Cloudinary: For description see section 4.1.1.

The hosting as well as the use of a content delivery network are technically necessary to provide images and other website resources. The legal basis of the processing is Art. 6 para. 1 lit. b GDPR.

3.3 Provision of contractual services / user account

3.3.1 We process inventory data (e.g. names, addresses and other contact data), contract data (e.g. payment information, service used) for the fulfillment of our contractual obligations and services pursuant to Art. 6 (1) lit. b GDPR as well as for the fulfillment of a legal obligation to which we are subject pursuant to Art. 6 (1) lit. c GDPR in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.

3.3.2 In order to be able to use our offer to the full extent, registration is required. As part of setting up a corresponding user account, you must provide a password in addition to your e-mail address. This information is used for login and secure identification on our site. If the registration and/or login takes place via a single sign-on procedure (SSO) of an institution (e.g. university or clinic), we will forward you to the respective website of the institution for the purpose of logging in and will transmit the e-mail address entered by you on our website for this purpose to the institution. After a successful login, information about you, namely your first and last name, affiliation with the institution and e-mail address, will be transmitted to us by the institution for the purpose of identification and processed by us for the provision and use of our offer on the basis of Art. 6 para. 1 lit. b GDPR. This data is linked to the AMBOSS user account.

3.3.3 We may also ask you for additional personal data such as first and last name, intended specialty, university, address or gender, e.g. as part of a survey or within your user account. Unless this information is necessary to provide our services, it is always voluntary. We use this information on the basis of Art. 6 para. 1 lit. f GDPR to tailor our services to you.

3.3.4 During registration and each login of your user account as well as the use of our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests and the interest of users in protection against misuse and unauthorized use in accordance with Art. 6 para. 1 lit. f GDPR.

3.3.5 If you have created a user account with us and use our online knowledge and learning program “AMBOSS”, we automatically collect usage statistics regarding the exam/learn results of our online knowledge and learning program and the pages visited within our platform. This information is used for statistical evaluation of your personal learning needs. Anonymized overall statistics are created for this purpose.

3.4 Contact form

For questions of any kind, we offer you the possibility to contact us via a provided form. In doing so, it is necessary to provide a valid e-mail address so that we know from whom the inquiry originates and so that we can answer it. Further information can be provided voluntarily. The data processing for the purpose of contacting us is carried out in accordance with Art. 6 para. 1 lit. b and f GDPR for the appropriate response to your request.

3.5 Newsletter

3.5.1 If you have expressly consented in accordance with Art. 6 (1) a GDPR, we will use your e-mail address to send you our newsletter on a regular basis. Insofar as the contents of the newsletter are specifically described within the scope of the registration for the receipt of the newsletter, this information is decisive for the consent of the user. In addition, our newsletters contain information about our services, offers, promotions and our company. The provision of a valid e-mail address is sufficient for the receipt of the newsletter.

3.5.2 For newsletter registration, we use the so-called double opt-in procedure, i.e. we will only send you a newsletter by e-mail if you have previously expressly confirmed that you want us to activate the newsletter service. For this purpose, we will send you a notification e-mail and ask you to confirm that you would like to receive our newsletter by clicking on a link contained in this e-mail.

3.5.3 With the registration for the newsletter we store your IP address and the date of registration. This storage serves as proof of your registration for our newsletter.

3.5.4 You can revoke your consent to receive the newsletter at any time. The revocation can be done via a link in the newsletter itself, in your user account or by sending a message to the contact options above.

3.5.5 If you have already used our services, we may send you information about our own similar goods and services by e-mail. The legal basis for the processing is our legitimate interest of direct advertising according to Art. 6 para. 1 lit. f GDPR. You can object to this use of your e-mail address at any time with effect for the future free of charge via a link in the e-mail itself, in your user account or by sending a message to the contact options above.

3.6 AMBOSS network

3.6.1 You have the option of making individual personal data entered in your user profile (e.g. first name, last name, e-mail address, university, clinic) and other information (e.g. your own additions) retrievable and findable for other users. It may be possible to restrict the accessibility and retrievability of individual or all data and information to certain user groups and to release it only for them.

3.6.2 The release of your personal data and information to other users is always on a voluntary basis, i.e. with your express consent pursuant to Art. 6 (1) a GDPR. You can (partially) deactivate or activate this service in your user profile by making all, none or individual data and information retrievable and discoverable for all, none or, if applicable, only certain users by making the appropriate settings.

3.6.3 If you (partially) activate your profile for the AMBOSS network and can thus be found by other users under the released data, we will inform you by e-mail or via the user account in case of a contact request by another user.

3.7 AMBOSS Score Predictor

The AMBOSS Score Predictor gives you the option of submitting your practice exam scores to us so that we can provide you with your expected USMLE score. The release of your practice exam scores and other related personal data is always on a voluntary basis. We use this data to predict your USMLE score. We may also use this data to improve our score prediction algorithm. In both cases, the legal basis for the processing is our legitimate interest of providing you the score prediction service according to Art. 6 para. 1 lit. f GDPR.

3.8 Comments and contributions

When users enter comments or other contributions, their IP addresses are stored on the basis of our legitimate interests according to Art. 6 (1) lit. f GDPR. This is done for our security, in case someone posts illegal content.

3.9 Consent Management

3.9.1 We use cookies on our site. Cookies are pieces of information that are transmitted from our web server or third-party web servers to users’ web browsers, where they are stored for later retrieval. Cookies may be small files or other types of information storage. In addition, we use comparable storage and access technologies, such as local storage and web beacons, among others (hereinafter collectively referred to as “cookies”).

3.9.2 The use of cookies serves the purpose to make the use of our offer attractive for you. We use so-called session cookies to recognize that you have already visited individual pages of our website/apps. These are automatically deleted after you leave our website/app. In addition, to optimize user-friendliness, we use temporary cookies that are stored on your end device for a certain specified period of time. If you visit our website/apps again to use our services, it is automatically recognized that you have already been with us and which entries and settings you have made so that you do not have to enter them again.

3.9.3 We offer you the option to decide for yourself which cookies you would like to allow. The privacy settings feature ensures that only technically necessary cookies are set when you first visit the website/app. In the cookie banner, you can then either allow the use of cookies that require consent, reject them or call up the advanced cookie settings. In the cookie settings, you can select which cookies you want to allow. It is not possible to block the technically necessary cookies, these are always set. Other cookies are only set when you click on “Accept all” in the cookie banner or activate them in the cookie settings.

3.9.4 We process your personal data for cookie management of our website/apps to fulfill a legal obligation to which we are subject as the controller pursuant to Art. 6 (1) lit. c GDPR. There is a legal obligation to obtain and document your consent to access your terminal device and to process data based on this consent.

3.9.5 Insofar as the processing of information on your terminal device is absolutely necessary to enable the use of our website or apps expressly requested by you, the storage or access is carried out on the basis of Section 25 (2) No. 2 TDDDG (New German Telecommunications-Telemedia Data Protection Act) or the corresponding European Union member state implementation regulation for Article 5 (3) Sentence 1 of the ePrivacy Directive (2002/58/EC, amended by 2009/136/EC). Any further processing of information on your terminal device will be based on your consent in accordance with Section 25 (1) of the TDDDG (New German Telecommunications-Telemedia Data Protection Act) or the corresponding European Union member state implementing provision for Article 5 (3) sentence 2 of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC). The aforementioned legal bases of the GDPR then apply to the further processing of the personal data obtained through this. Companies located in third countries are also involved in the processing of your data in accordance with section 2.4. Insofar as companies located in the EU or companies located in third countries are also involved in the provision of services in the case of data hosted in the EU, this will also take place in accordance with section 2.4. You can revoke your consent in the data protection settings in the footer of this website at any time. The revocation does not affect the lawfulness of the processing until the revocation.

4. Technologies used

We use various third-party technologies on our website, in the registered area and in our apps, which we list below. You can find further information, in particular on the legal basis, the storage period of the cookies and the personal data obtained via them, in the privacy settings in the footer of this website. There you also have the option to revoke any consent given for these technologies with effect for the future. Further general information on consent management can be found in section 3.8.

4.1 Website and Registered Area

4.1.1 Required technologies


Alchemer

We use Alchemer from the company Widgix, LLC dba Alchemer, 168 Centennial Parkway Unit #250 Louisville, CO 80027, USA. The provider processes meta/communication data (e.g. device information, IP addresses) as well as the information provided by the participant in the survey form.

We use Alchemer to create online forms for customer surveys.

There is a data transfer to third countries (United States of America).

Further information can be found in the provider's privacy policy at https://www.alchemer.com/privacy.

Blueshift

We use Blueshift from the company of the same name Blueshift Labs, Inc, 231 Sansome St Suite 300, San Francisco, CA 94104, USA. The provider processes contact data (e.g. email addresses, phone numbers) and meta/communication data (e.g. device information, IP addresses) in the EU.

We use Blueshift to send important, contract-relevant messages as well as to display notifications in the registered area of the website. Furthermore, we use Blueshift to communicate offers and relevant information about the use of our services.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://blueshift.com/privacy_policy.

Braze

We use Braze from the company of the same name Braze, Inc, 330 W 34th St 18th floor, New York, NY 10001, USA. The provider processes contact data (e.g. email addresses, phone numbers) and meta/communication data (e.g. device information, IP addresses) on servers in the EU.

We use Braze to send important messages relevant to the contract as well as to display notifications in the registered area of the website. Furthermore, we use Braze to communicate offers and relevant information about the use of the services.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.braze.com/company/legal/privacy.

Cloudflare

We use Cloudflare from the company of the same name, Cloudflare, Inc, 101 Townsend St., San Francisco, CA 94107, USA. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication or contact data.

We use Cloudflare to deliver content such as images faster to the user in the respective geographical region, to ensure the accessibility of our website and to provide security functions to protect our website from attacks.

There is a data transfer to third countries (United States of America).

Further information can be found in the provider's privacy policy at https://www.cloudflare.com/privacypolicy/.

CloudFront

We use CloudFront from Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg. The provider thereby processes the personal data transmitted via the website or other offers, e.g. content, usage, meta/communication data or contact data.

We use CloudFront to deliver content such as images more quickly to users in the relevant geographic region, to ensure the accessibility of our service, and to provide security features to protect our website from attack.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://aws.amazon.com/de/privacy/.

Cloudinary

We use Cloudinary from Cloudinary Ltd, 3400 Central Expy #110, CA Santa Clara, USA. The provider processes the personal data transmitted via the website or other offers, e.g. content, usage, meta/communication data or contact data.

We use Cloudinary to deliver content such as images faster to the user in the respective geographical region, to ensure the accessibility of our offer and to provide security functions to protect our website from attacks.

Data is transferred to third countries (United States of America).

Further information can be found in the provider's privacy policy at https://cloudinary.com/privacy.

Datadog

On our website, we use the service Datadog of the company of the same name Datadog, Inc., 620 8th Avenue, Floor 45, New York, NY 10018, USA.

We use Datadog to collect client- and server-side log files and performance information and present them in an analyzable form. The analyses help us to optimize the performance of our server infrastructure. So-called bottlenecks can be viewed and analyzed separately for application logic, external interfaces from third parties or database calls. In addition, any problems that occur (slow requests, failed requests) are pointed out. Furthermore, the technical functionality of the cookie banner is ensured through Datadog monitoring.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.datadoghq.com/legal/privacy/.

Google Webfonts

We use Google Webfonts for fonts on the website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. However, the processing only takes place on our servers.

We process meta/communication data (e.g. device information, IP addresses). The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest to use affordable and easy-to-display fonts.

Further information is available in the provider’s privacy policy at https://policies.google.com/privacy?hl=en-US.

Hubspot

We use Hubspot from the company of the same name HubSpot, Inc, 25 1st Street Cambridge, MA 0214, USA. The provider processes contact data (e.g. email addresses, phone numbers) and meta/communication data (e.g. device information, IP addresses).

We use Hubspot as follows:

  • Integration of contact forms that enable you to get in touch with us or make use of our services.
  • Customer relationship management
  • Hosting our website and providing content.
  • Email communications, based on consent to participate in marketing promotions such as special offers.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://legal.hubspot.com/privacy-policy.

Jotform

We use Jotform from the company of the same name, Jotform, Inc, 4 Embarcadero Center, Suite 780, San Francisco CA 94111 USA, to create online forms for data collection or customer surveys.

The provider does not further process the collected data nor does Jotform perform analyses.

There is a data transfer to third countries (United States of America).

Further information is available in the Provider’s privacy policy at https://www.jotform.com/privacy.

Podigee

We use the podcast hosting service Podigee of the provider Podigee GmbH, Schlesische Straße 20, 10997 Berlin, Germany. The podcasts are thereby loaded by Podigee or transmitted via Podigee. Podigee processes IP addresses and device information to enable podcast downloads/playbacks and to determine statistical data, such as retrieval figures. This data is anonymized or pseudonymized before being stored in Podigee’s database, unless it is necessary for the provision of the podcasts.

Further information is available in the provider’s privacy policy at https://www.podigee.com/en/about/privacy.

ProductFruits

We use ProductFruits from the company Product Fruits s.r.o., Rozdělovská 1999/7, Břevnov, 169 00 Praha 6, Czech Republic.

The legal basis for the processing is Art. 6 para. 1 s. 1 lit. f GDPR. Users cannot use the platform reliably without this functionality.

The provider processes user data (email address, full name and role) on servers in the EU.

We use ProductFruits as an onboarding service which supports the onboarding journey with platform tours, tooltips and checklists.

Further information can be found in the provider's privacy policy at https://productfruits.com/policies/privacy.

Segment

We use Segment from the company of the same name Segment.io, Inc, 100 California Street Suite 700 San Francisco, CA 94111, USA. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.

We use Segment to store and validate user interactions in our own data environment. Segment does not perform any analysis or profiling.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://segment.com/legal/privacy/.

Sentry

On our website we use the service Sentry of Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105.

We use Sentry to display client-side log files and error messages in an analyzable form. The evaluations help us to improve the error-free functioning of our software and to accelerate error analysis.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://sentry.io/privacy/.

Verisoul

On our website we use the service Verisoul of Verisoul Inc., 1401 Lavaca St. #989, Austin, TX 78701, United States. The provider processes email addresses, device information and IP addresses in the USA.

We use Verisoul for fraud detection and prevention, and to verify the authenticity of users.

There is a data transfer to third countries (United States of America).

Further information is available in the provider's privacy policy at https://policies.verisoul.ai/privacy.html.

Zendesk

We use Zendesk from the company of the same name Zendesk, Inc., 1019 Market St., San Francisco, CA 94103, USA. The provider processes content data (e.g. entries in online forms), contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) on servers in the EU.

We use Zendesk as a service center software to allow our visitors and customers to contact us via live chat, phone and form or to provide customer support.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.zendesk.de/company/agreements-and-terms/privacy-policy/.

4.1.2 Opt-in technologies

Unless expressly stated below, the third-party providers specified in this section also use the data processed by you for their own purposes. Details on this can be found in the privacy statements of the providers.

Amplitude

We use Amplitude from the company of the same name Amplitude Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103, USA. The provider is an analytics service with which we aim to improve AMBOSS’ web and mobile products by performing statistical analysis and visualization of usage data (e.g. page visits, feature usage, access times) and meta/communication data (e.g. device information, IP addresses). 

Data processing happens in European data processing centers that are based in Frankfurt, Germany. Data is protected with Amplitude’s secure software development practices, native SOC 2 Type II certification, and advanced encryption for data in transit and at rest.

Further information is available in the provider's privacy policy at https://amplitude.com/privacy.

Bunchbox

We use Bunchbox of the company of the same name Bunchbox GmbH, Raboisen 30, 20095 Hamburg. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU on our behalf and not for its own purposes.

Further information is available in the provider’s privacy policy at https://bunchbox.co/datenschutz.

Facebook Pixel and Conversions API

We use Facebook Pixel and Conversions API for analysis. The provider is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) in the USA.

We use Facebook Pixel on our website to analyze the success of promotions we run through Twitter.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.facebook.com/policy.php.

Facebook Social Plugins

Our website integrates social plugins of Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). Facebook processes the IP address of the visitor to display the content or perform the functions. Furthermore, usage data and meta and communication data may be processed.

The social plugins allow users to easily share content.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.facebook.com/privacy/policy.

Google Ads, Google Analytics and Google Tag Manager

We use marketing and remarketing services on our website in the Google Marketing Platform of Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin D04 E5W5, Ireland (“Google”). These services allow us to display advertisements in a more targeted manner in order to present page visitors with ads that are tailored to their interests. Through remarketing, page visitors are shown ads and products for which interest has been identified on other websites in the Google network.

For these purposes, code is executed by Google when our website is called up and so-called (re)marketing tags are integrated into the website. With their help, an individual cookie or comparable technology is stored on the device of the site visitor. The cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which websites page visitors have visited, what content they are interested in and which offers they have clicked on. In addition, technical information on the browser and operating system, referring websites, time of visit and other details on the use of the website are stored. All data of the site visitors are processed only as pseudonymous data. Google thus does not store any names or e-mail addresses. All ads displayed are thus not targeted to a person, but to the owner of the cookie.

We use Google Tag Manager to integrate Google Analytics in a data-saving way and to shorten the IP address, for example.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://policies.google.com/privacy.

Google Translate

We use the translation service Google Translate on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google processes the IP address of the visitor to save the language settings and preferences.

There is a data transfer to third countries (United States of America).

Further information is available in the provider's privacy policy at https://policies.google.com/privacy.


Hotjar

We use the web analytics service Hotjar provided by Hotjar Ltd, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta (hereinafter “Hotjar”). The provider processes on our behalf and not for its own purposes the activity of the site visitor (e.g., which pages he visited and on which elements he clicked), device and browser information (especially the IP address and operating system) and a tracking code in the form of a pseudonymized user ID. The information collected in this way is transmitted by Hotjar to a server in Ireland and stored there anonymously.

Further information is available in the provider’s privacy policy at https://www.hotjar.com/legal/policies/privacy.


LinkedIn Insight-Tag

We use the LinkedIn Insight tag on our website, a marketing product of LinkedIn Ireland Unlimited Company (LinkedIn Ireland/EU).

The LinkedIn Insight tag is a JavaScript tracking code that is triggered by LinkedIn when you visit our website and saves a cookie on the device you are using. The LinkedIn conversion tracking used by this is an analysis function that is supported by the LinkedIn Insight tag. The LinkedIn Insight tag enables the collection of data about visits to our website, including URL, referrer URL, IP address, device, and browser properties (user agent), and timestamp.

This processing is done for the purpose of obtaining information about our website audience and a report on the effectiveness of LinkedIn campaigns.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.linkedin.com/legal/privacy-policy.


Microsoft Ads

We use the Microsoft Advertising service of the provider Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (formerly Bing Ads) on our website. Microsoft Advertising is an online marketing service that uses the Universal Event Tracking (UET) tool to help us serve targeted ads through the Microsoft Bing search engine.

Microsoft Advertising uses cookies for these purposes. This involves processing personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about device and browser settings.

Microsoft Advertising is used for the purpose of optimising the placement of advertisements.

Data is transferred to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://privacy.microsoft.com/en-gb/privacystatement.

Mixpanel 

We use Mixpanel from the company of the same name Mixpanel, Inc, 1 Front Street, 28th Floor, San Francisco, CA 94111, USA. The provider is an analytics service with which we aim to improve AMBOSS’ web and mobile products by performing statistical analysis and visualization of usage data (e.g. page visits, feature usage, access times) and meta/communication data (e.g. device information, IP addresses). 

Data processing happens in European data processing centers that are based in the Netherlands. Data is protected with Mixpanel’s secure software development practices, native SOC 2 Type II certification, and advanced encryption for data in transit and at rest.

Further information is available in the provider's privacy policy at https://mixpanel.com/legal/privacy-policy.


Optimizely

For the optimization of our website we use the tool Optimizely from the company Episerver GmbH, Wallstraße 16, 10179 Berlin. The tool helps to perform simple tests on the design and content of the website. Personal data can be stored and evaluated as a result. This includes the activity of the site visitor (e.g., which pages they visited and which elements they clicked on), device and browser information (especially the IP address and operating system) and a tracking code in the form of a pseudonymized user ID, which are processed on our behalf and not for the provider’s purposes.

Further information is available in the provider’s privacy policy at https://www.optimizely.com/legal/privacy-policy/.

Statsig

We use Statsig for analysis. The provider is Statsig Inc, 14725 SE 36th St #200, Bellevue, WA 98006, United States. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses).

We use Statsig to provide users with access to new or experimental functions and to analyze data for use in ongoing experiments on such functions.

Data is transferred to third countries (United States of America).

Further information can be found in the provider's privacy policy at https://statsig.com/privacy.

TikTok Advertisement

We use TikTok Advertisement. The provider is TikTok Technology Ltd., 10 Earlsfort Terrace, Dublin, D02, T380 Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) in the USA.

We use TikTok Advertisement on our website to analyze the success of marketing campaigns we run through TikTok.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://www.tiktok.com/legal/page/eea/privacy-policy/en#section-1.


Twitter Advertisement

We use Twitter advertising. The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) in the USA.

We use Twitter on our website to analyze the success of promotions we run through Twitter.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://twitter.com/en/privacy.


YouTube

We embed videos from YouTube on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data processed includes usage data and communication data. We use YouTube’s Privacy Enhanced Mode on our website to embed videos in a data-saving manner.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://policies.google.com/privacy.

4.2 Native mobile apps on iOS and Android

In addition to the technologies presented below, native mobile applications also use the following technologies, which are already described in Section 4.1:

  • Segment
  • Zendesk


Adjust

We use Adjust for analysis. The provider is Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.

We use Adjust to analyze the success of marketing activities for our mobile applications. The data is not used by Adjust for its own purposes.

Further information is available in the provider’s privacy policy at https://www.adjust.com/terms/privacy-policy/.


Usercentrics

We use Usercentrics to manage consent on our native mobile apps. The provider is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich. The provider processes meta/communication data (e.g. device information, IP addresses) in the EU.

Further information is available in the provider’s privacy policy at https://usercentrics.com/privacy-policy/.


Google Firebase Analytics/Crashlytics/Performance

In our apps, we use Firebase, a framework from Google Ireland Limited, through which we track and manage the following real-time features in the app:

  • Tracking of app crashes and their reasons via Firebase Crashlytics.
  • Technical analysis of aggregated statistics from the use of our app.

Firebase Analytics enables the technical analysis of the use of our offer. For this purpose, we have integrated an SDK (“Software Development Kit”) with which information about the use of our app is collected and transmitted to Google using the IDFA/AAID and stored there. Google will use the aforementioned information to anonymously evaluate the technical use of our app and to provide us with further services related to the technical use of apps.

Firebase Crashlytics and Firebase Performance are used to improve the stability and performance of the app. This involves collecting information about the device used and how our app is used (for example, the timestamp, when the app was launched, and when the crash occurred), which allows us to diagnose and resolve problems.

This information is usually transferred to a Google server in the USA and stored there.

There is a data transfer to third countries (United States of America).

Further information is available in the provider’s privacy policy at https://firebase.google.com/support/privacy.


4.3 Integration of third-party content and services

Based on our legitimate interests according to Art. 6 para. 1 lit. f GDPR (interest in the analysis, optimization and economic operation of our online offer), as well as partly for the fulfillment of our contractual obligations according to Art. 6 para. 1 lit. b GDPR, we also use various third-party content or services that do not access your terminal device or set cookies. This nevertheless has the consequence that the providers of these contents and services receive your IP address, as they cannot send the contents to the browser without the IP address.

We use content and services from the following providers:

  • Learning content of the platform “SmartZoom” of the provider Smart In Media GmbH & Co. Kg, Elsternweg 6, 50997 Cologne, Germany. Privacy policy: https://www.smartinmedia.com/privacy/

5. Data security

All communication of your browser with our services is done via an encrypted TLS connection to protect your information from unauthorized access by third parties. Only selected administrators have insight into the data and only to the extent necessary to maintain the services.


We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

6. Data deletion

Unless expressly stated within the scope of this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If your data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted, i.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

7. Data subject rights

You have the right:

  • in accordance with Art. 7 (3) GDPR to revoke your consent once given to us with effect for the future;
  • pursuant to Art. 15 GDPR to request information free of charge about your personal data processed by us;
  • in accordance with Art. 16 GDPR to immediately demand the correction of your incorrect, or the completion of your incomplete, personal data stored by us;
  • pursuant to Art. 17 GDPR to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  • to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR;
  • in accordance with Art. 20 GDPR to receive your personal data that you have provided to us in a structured, common and machine-readable format to transfer this data to another controller;
  • to object to the processing of your personal data on the basis of legitimate interests pursuant to Art. 21 GDPR;
  • to report to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace in an EU member state or our registered office.

8. Provisioning obligations / automated decision making

You only need to provide the personal data that is required for the establishment, implementation and termination of the business relationship or other relationships, or which we are required to collect by law. Without this data, we will usually have to refuse to conclude a contract or provide a service or will no longer be able to perform an existing contract or other relationship. Mandatory data are marked as such.


As a matter of principle, we do not use fully automated decision-making pursuant to Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you about this separately.

9. United States privacy disclosures

9.1 Personal data collection

We collect the following categories of personal data.

  • Identifiers
  • Commercial information
  • Internet or other electronic network activity
  • Geolocation
  • Professional or employment-related information
  • Education information
  • Sensitive personal information, including account login data
  • Inferences


9.2 Personal data sources

We collect the above categories of personal data from various sources, including directly from you, from our service providers, from third parties such as your educational institution, and from the social media platforms and networks that we use, which may also be governed by our Social Media Privacy Policy.


9.3 Personal data uses

We have collected these categories of personal data to fulfill our business and commercial purposes, including to provide services you requested; audit relating to counting ad impressions to unique visitors, verify positioning and quality of ad impressions, and audit compliance with applicable standards; helping to ensure security and integrity to the extent the use of the personal data is reasonably necessary and proportionate for these purposes; debugging to identify and repair errors that impair existing intended functionality; perform services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying your information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services; undertaking internal research for technological development and demonstration; undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured for, or controlled by us; and for any other business purpose permitted by law.


9.4 Personal data disclosures

We may disclose the categories of personal data as described in section 9.1 for our business purposes as described in section 9.3 to the following categories of third parties: internet service providers.

We may share the following categories of personal data for purposes of targeted advertising to our advertising networks, internet service providers, data analytics providers, and social networks: internet or other electronic network activity.


9.5 Personal data rights


9.5.1 Description of data rights

Under applicable law of your United States state of residence, you may have the right to:

  • Access your personal data in a portable format, including (1) confirm we are processing your personal data, (2) confirm the categories of personal data that we process, (3) specific pieces of personal data we have collected about you, (4) categories of sources from which the personal data is collected, (5) the business or commercial purpose for collecting, selling, or sharing your personal data, (6) the categories of third parties to whom we disclose personal data, (7) the categories of personal data, if any, we share with third parties or affiliates for their direct marketing purposes, and (8) the categories of personal data sold or shared and the categories of third parties to whom the personal data was sold or shared.
  • Correct your personal data.
  • Delete your personal data.
  • Opt-out of your personal data being used for certain purposes, such as (1) targeted advertising, (2) the sale or share of your personal data, (3) limit the use and disclosure of sensitive personal data, and (4) certain profiling activities that result in legal or similarly significant effects on you.

We have not sold or shared your personal data in the past 12 months, and we have not knowingly sold or shared the personal data of anyone under 16 years of age. You will not receive discriminatory treatment or be retaliated against for the exercise of your rights.


These rights may be subject to certain exceptions under applicable law.


9.5.2 Exercising data rights

To exercise any of your data rights, you may email us at privacy@amboss.com. To exercise your right to opt out of the sharing of personal data for purposes of targeted advertising, visit “Privacy Settings” in the footer of our website. We currently do not respond to “Do Not Track” or opt-out preference signals. When making a request to exercise your data rights, please include your name and your account email address.


You may also exercise your rights through an authorized agent. To do so, please provide written authorization signed by you and your designated agent and email us at privacy@amboss.com.


To protect your identity, we will take steps to reasonably verify your identity before fulfilling your request. This may include asking you to provide sufficient information such as your name and address, which we will match against our business records.


If you have questions or concerns about our response to your request, you may appeal a decision by emailing us at privacy@amboss.com. Virginia residents may contact the Attorney General by filing a complaint, here.

10. Changes to the privacy policy

We reserve the right to change this privacy policy from time to time to reflect changes in the law or expansion of the functionality of our services. We will post any updates to this privacy policy on our website or provide you with notice of such changes as required by applicable law. You should therefore read the privacy policy regularly to be informed about the protection of your data.