Privacy Policy
Last updated: May 2026
1. Controller
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
André Sheydin, trading as MedVertical (sole proprietorship)
c/o Sheydin Studio, Remagener Str. 5, 50968 Cologne, Germany
Email: privacy@medvertical.com
We prioritize data minimization and do not use invasive tracking or advertising cookies.
2. Legal Bases for Processing
We process personal data only where a legal basis under Art. 6(1) GDPR applies:
- Art. 6(1)(b) GDPR — to respond to and handle inquiries you send us (pre-contractual and contractual communication).
- Art. 6(1)(f) GDPR — our legitimate interest in the secure, stable, and aggregate-measurable operation of this website (hosting, server logs, privacy-friendly analytics).
3. Hosting and Server Logs
This website is hosted by Vercel Inc. (USA). When you access the site, Vercel automatically processes technical connection data (e.g. IP address, request timestamp, requested resource, referrer, browser/OS information) in server logs for the purpose of delivering the site and ensuring its security and stability (Art. 6(1)(f) GDPR).
Because Vercel is based in the USA, accessing the site may involve a transfer of personal data to a third country. Vercel is certified under the EU-U.S. Data Privacy Framework (and its UK Extension and Swiss-U.S. counterpart). In addition, transfers are safeguarded by the EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
4. Analytics
We use Vercel Analytics to measure aggregate page views and performance.
- No cookies are used.
- No cross-site tracking across devices or other websites.
- Data is anonymized and aggregated; we cannot identify individual visitors.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding aggregate site usage). Where this processing involves a transfer to the USA, the safeguards described in Section 3 apply.
5. Contact Form
Data entered in the contact form (Name, Email, Organization, Message) is processed solely for the purpose of communicating with you regarding your inquiry (Art. 6(1)(b) GDPR).
- We do not store this data in a database on this website.
- Messages are delivered to us by email via Resend (Resend, Inc., USA), acting as a processor on our behalf. Resend is certified under the EU-U.S. Data Privacy Framework (and its UK Extension) and additionally relies on the EU Standard Contractual Clauses (Art. 46 GDPR) for transfers to the USA.
- We do not share this data with third parties for marketing purposes.
6. Retention
We retain personal data only as long as necessary for the purpose for which it was collected:
- Contact inquiries that do not lead to a business relationship are deleted at the latest 6 months after the inquiry has been handled.
- Inquiries that become business correspondence are retained for the statutory periods under German commercial and tax law (6 years pursuant to §257 HGB; up to 10 years pursuant to §147 AO where tax-relevant).
- Server log data is retained only for the short period needed for security and operational purposes (typically up to 30 days).
7. Protected Health Information (PHI)
Do not submit Protected Health Information (PHI) or any patient-identifiable data through our contact form. This website is for technical and business communication only.
8. Your Rights
Under the GDPR, you have the following rights:
- Access to your personal data (Art. 15 GDPR);
- Rectification of inaccurate data (Art. 16 GDPR);
- Erasure (Art. 17 GDPR);
- Restriction of processing (Art. 18 GDPR);
- Data portability (Art. 20 GDPR);
- Objection to processing based on legitimate interest (Art. 21 GDPR);
- Withdrawal of consent at any time, where processing is based on consent (Art. 7(3) GDPR), without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@medvertical.com.
You also have the right to lodge a complaint with a supervisory data protection authority (Art. 77 GDPR). The authority competent for us is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW).
9. No Automated Decision-Making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR on this website.
10. Changes to This Policy
We may update this policy to reflect changes in our processing or legal requirements. The current version is always available on this page.