This Pri­va­cy Pol­i­cy clar­i­fies the nature, scope and pur­pose of the pro­cess­ing of per­son­al data (here­inafter referred to as “Data”) with­in our online offer­ing and the relat­ed web­sites, fea­tures and con­tent, as well as exter­nal online pres­ence, e.g. our social media pro­files on. (col­lec­tive­ly referred to as “online offer”). With regard to the ter­mi­nol­o­gy used, e.g. “Pro­cess­ing” or “Respon­si­ble”, we refer to the def­i­n­i­tions in Arti­cle 4 of the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR).


Ekayana gGmbH, Rait­en­buch­er Str. 17, 79853 Lenzkirch-Rait­en­buch, Germany
rep­re­sent­ed by Dr. med. Tilmann Borghardt

E‑mail address:
Link to the imprint:

Types of processed data:

- Inven­to­ry data (e.g., names, addresses).
- con­tact infor­ma­tion (e.g., e‑mail, phone numbers).
- con­tent data (e.g., text input, pho­tographs, videos).
- usage data (e.g., web­sites vis­it­ed, inter­est in con­tent, access times).
- Meta / com­mu­ni­ca­tion data (e.g., device infor­ma­tion, IP addresses).

Purpose of processing

- Pro­vi­sion of the online offer, its func­tions and contents.
- Answer­ing con­tact requests and com­mu­ni­cat­ing with users.
- Safe­ty measures.
- Reach Mea­sure­ment / Marketing

Used terms

“Per­son­al data” means any infor­ma­tion relat­ing to an iden­ti­fied or iden­ti­fi­able nat­ur­al per­son (here­inafter the “data sub­ject”); a nat­ur­al per­son is con­sid­ered as iden­ti­fi­able, which can be iden­ti­fied direct­ly or indi­rect­ly, in par­tic­u­lar by means of assign­ment to an iden­ti­fi­er such as a name, to an iden­ti­fi­ca­tion num­ber, to loca­tion data, to an online iden­ti­fi­er (eg cook­ie) or to one or more spe­cial fea­tures, that express the phys­i­cal, phys­i­o­log­i­cal, genet­ic, men­tal, eco­nom­ic, cul­tur­al or social iden­ti­ty of this nat­ur­al person.

“Pro­cess­ing” means any process per­formed with or with­out the aid of auto­mat­ed pro­ce­dures or any such process asso­ci­at­ed with per­son­al data. The term goes far and includes vir­tu­al­ly every han­dling of data.

“Pseu­do­nymi­sa­tion” means the pro­cess­ing of per­son­al data in such a way that the per­son­al data can no longer be assigned to a spe­cif­ic data sub­ject with­out addi­tion­al infor­ma­tion being pro­vid­ed, pro­vid­ed that such addi­tion­al infor­ma­tion is kept sep­a­rate and sub­ject to tech­ni­cal and orga­ni­za­tion­al mea­sures to ensure that the per­son­al data not assigned to an iden­ti­fied or iden­ti­fi­able nat­ur­al person;

“Pro­fil­ing” means any kind of auto­mat­ed pro­cess­ing of per­son­al data which involves the use of such per­son­al data to eval­u­ate cer­tain per­son­al aspects relat­ing to a nat­ur­al per­son, in par­tic­u­lar aspects relat­ing to job per­for­mance, eco­nom­ic sit­u­a­tion, health, per­son­al To ana­lyze or pre­dict pref­er­ences, inter­ests, reli­a­bil­i­ty, behav­ior, where­abouts or loca­tion of this nat­ur­al person;

“Respon­si­ble per­son” means the nat­ur­al or legal per­son, pub­lic author­i­ty, body or body that decides, alone or in con­cert with oth­ers, on the pur­pos­es and means of pro­cess­ing per­son­al data.

‘Proces­sor’ means a nat­ur­al or legal per­son, pub­lic author­i­ty, body or body that process­es per­son­al data on behalf of the controller;

Relevant legal bases

In accor­dance with Art. 13 GDPR, we inform you about the legal basis of our data pro­cess­ing. Unless the legal basis in the data pro­tec­tion dec­la­ra­tion is men­tioned, the fol­low­ing applies: The legal basis for obtain­ing con­sent is Arti­cle 6 (1) lit. a and Art. 7 DSGVO, the legal basis for the pro­cess­ing for the per­for­mance of our ser­vices and the exe­cu­tion of con­trac­tu­al mea­sures as well as the response to inquiries is Art. 6 (1) lit. b DSGVO, the legal basis for pro­cess­ing in order to ful­fill our legal oblig­a­tions is Art. 6 (1) lit. c DSGVO, and the legal basis for pro­cess­ing in order to safe­guard our legit­i­mate inter­ests is Arti­cle 6 (1) lit. f DSGVO. In the event that vital inter­ests of the data sub­ject or anoth­er nat­ur­al per­son require the pro­cess­ing of per­son­al data, Art. 6 para. 1 lit. d DSGVO as legal basis.

Safety measures

We take appro­pri­ate tech­ni­cal mea­sures in accor­dance with Art. 32 GDPR, tak­ing into account the state of the art, the imple­men­ta­tion costs and the nature, scope, cir­cum­stances and pur­pos­es of the pro­cess­ing as well as the dif­fer­ent like­li­hood and sever­i­ty of the risk to the rights and free­doms of nat­ur­al per­sons and orga­ni­za­tion­al mea­sures to ensure a lev­el of pro­tec­tion appro­pri­ate to the risk; Mea­sures include, in par­tic­u­lar, ensur­ing the con­fi­den­tial­i­ty, integri­ty and avail­abil­i­ty of data by con­trol­ling phys­i­cal access to the data, as well as their access, input, dis­clo­sure, avail­abil­i­ty and sep­a­ra­tion. In addi­tion, we have estab­lished pro­ce­dures that ensure the enjoy­ment of data sub­ject rights, data era­sure and data vul­ner­a­bil­i­ty. Fur­ther­more, we con­sid­er the pro­tec­tion of per­son­al data already in the devel­op­ment, or selec­tion of hard­ware, soft­ware and pro­ce­dures, accord­ing to the prin­ci­ple of data pro­tec­tion by tech­nol­o­gy design and by pri­va­cy-friend­ly default set­tings tak­en into account (Arti­cle 25 GDPR).

Collaboration with processors and third parties

If, in the con­text of our pro­cess­ing, we dis­close data to oth­er per­sons and com­pa­nies (con­tract proces­sors or third par­ties), trans­mit them to them or oth­er­wise grant access to the data, this will only be done on the basis of a legal per­mis­sion (eg if a trans­mis­sion of the data to third par­ties, as required by pay­ment ser­vice providers, pur­suant to Art. 6 (1) (b) GDPR to ful­fill the con­tract), you have con­sent­ed to a legal oblig­a­tion or based on our legit­i­mate inter­ests (eg the use of agents, web­hosters, etc.).

If we com­mis­sion third par­ties to process data on the basis of a so-called “con­tract pro­cess­ing con­tract”, this is done on the basis of Art. 28 GDPR.

Transfers to third countries

If we process data in a third coun­try (ie out­side the Euro­pean Union (EU) or the Euro­pean Eco­nom­ic Area (EEA)) or in the con­text of the use of third par­ty ser­vices or dis­clo­sure or trans­mis­sion of data to third par­ties, this will only be done if it is to ful­fill our (pre) con­trac­tu­al oblig­a­tions, on the basis of your con­sent, on the basis of a legal oblig­a­tion or on the basis of our legit­i­mate inter­ests. Sub­ject to legal or con­trac­tu­al per­mis­sions, we process or have the data processed in a third coun­try only in the pres­ence of the spe­cial con­di­tions of Art. 44 et seq. DSGVO. That the pro­cess­ing is e.g. on the basis of spe­cif­ic guar­an­tees, such as the offi­cial­ly rec­og­nized lev­el of data pro­tec­tion (eg for the US through the Pri­va­cy Shield) or com­pli­ance with offi­cial­ly rec­og­nized spe­cial con­trac­tu­al oblig­a­tions (so-called “stan­dard con­trac­tu­al clauses”).

Rights of data subjects

You have the right to ask for con­fir­ma­tion as to whether the data in ques­tion is being processed and for infor­ma­tion about this data as well as for fur­ther infor­ma­tion and a copy of the data in accor­dance with Art. 15 GDPR.

You have accord­ing­ly. Art. 16 DSGVO the right to demand the com­ple­tion of the data con­cern­ing you or the cor­rec­tion of the incor­rect data con­cern­ing you.

In accor­dance with Art. 17 GDPR, they have the right to demand that the rel­e­vant data be delet­ed imme­di­ate­ly or, alter­na­tive­ly, to require a restric­tion of the pro­cess­ing of data in accor­dance with Art. 18 GDPR.

You have the right to demand that the data relat­ing to you, which you have pro­vid­ed to us, be obtained in accor­dance with Art. 20 GDPR and request their trans­mis­sion to oth­er per­sons responsible.

You have gem. Art. 77 DSGVO the right to file a com­plaint with the com­pe­tent super­vi­so­ry authority.


You have the right to grant con­sent in accor­dance with. Art. 7 para. 3 DSGVO with effect for the future

Right to

You can object to the future pro­cess­ing of your data in accor­dance with Art. 21 GDPR at any time. The objec­tion may in par­tic­u­lar be made against pro­cess­ing for direct mar­ket­ing purposes.

Cookies and right to object in direct mail

“Cook­ies” are small files that are stored on users’ com­put­ers. Dif­fer­ent infor­ma­tion can be stored with­in the cook­ies. A cook­ie is pri­mar­i­ly used to store the infor­ma­tion about a user (or the device on which the cook­ie is stored) dur­ing or after his vis­it to an online offer. Tem­po­rary cook­ies, or “ses­sion cook­ies” or “tran­sient cook­ies”, are cook­ies that are delet­ed after a user leaves an online ser­vice and clos­es his brows­er. In such a cook­ie, e.g. the con­tents of a shop­ping cart are stored in an online store or a login jam. The term “per­ma­nent” or “per­sis­tent” refers to cook­ies that remain stored even after the brows­er has been closed. Thus, e.g. the login sta­tus will be saved if users vis­it it after sev­er­al days. Like­wise, in such a cook­ie the inter­ests of the users can be stored, which are used for range mea­sure­ment or mar­ket­ing pur­pos­es. A “third-par­ty cook­ie” refers to cook­ies that are offered by providers oth­er than the per­son who man­ages the online offer (oth­er­wise, if it is only their cook­ies, this is called “first-par­ty cookies”).

We can use tem­po­rary and per­ma­nent cook­ies and clar­i­fy this in the con­text of our pri­va­cy policy.

If users do not want cook­ies stored on their com­put­er, they will be asked to dis­able the option in their browser’s sys­tem set­tings. Saved cook­ies can be delet­ed in the sys­tem set­tings of the brows­er. The exclu­sion of cook­ies can lead to func­tion­al restric­tions of this online offer.

A gen­er­al objec­tion to the use of cook­ies used for online mar­ket­ing pur­pos­es can be found in a vari­ety of ser­vices, espe­cial­ly in the case of track­ing, via the US site or the EU site be explained. Fur­ther­more, the stor­age of cook­ies can be achieved by switch­ing them off in the set­tings of the brows­er. Please note that not all fea­tures of this online offer may be used.

Deletion of data

The data processed by us are delet­ed or lim­it­ed in their pro­cess­ing in accor­dance with Arti­cles 17 and 18 GDPR. Unless explic­it­ly stat­ed in this pri­va­cy pol­i­cy, the data stored by us are delet­ed as soon as they are no longer required for their pur­pose and the dele­tion does not con­flict with any statu­to­ry stor­age require­ments. Unless the data is delet­ed because it is required for oth­er and legit­i­mate pur­pos­es, its pro­cess­ing will be restrict­ed. That The data is blocked and not processed for oth­er pur­pos­es. This applies, for exam­ple for data that must be kept for com­mer­cial or tax reasons.

Accord­ing to legal require­ments in Ger­many, the stor­age takes place in par­tic­u­lar for 10 years accord­ing to §§ 147 Abs. 1 AO, 257 Abs. 1 Nr. 1 and 4, Abs. 4 HGB (books, records, man­age­ment reports, account­ing doc­u­ments, trad­ing books, rel­e­vant for tax­a­tion Doc­u­ments, etc.) and 6 years in accor­dance with § 257 (1) no. 2 and 3, para. 4 HGB (com­mer­cial letters).

Accord­ing to legal reg­u­la­tions in Aus­tria the stor­age takes place espe­cial­ly for 7 years accord­ing to § 132 para­graph 1 BAO (account­ing doc­u­ments, receipts / invoic­es, accounts, receipts, busi­ness papers, state­ment of income and expens­es, etc.), for 22 years in con­nec­tion with real estate and for 10 years in the case of doc­u­ments relat­ing to elec­tron­i­cal­ly sup­plied ser­vices, telecom­mu­ni­ca­tions, broad­cast­ing and tele­vi­sion ser­vices pro­vid­ed to non-entre­pre­neurs in EU Mem­ber States and for which the Mini-One-Stop-Shop (MOSS) is used.

Business-related processing

In addi­tion we process
- con­tract data (e.g., sub­ject, term, cus­tomer category).
- Pay­ment data (e.g., bank details, pay­ment history)
from our cus­tomers, prospects and busi­ness part­ners for the pur­pose of pro­vid­ing con­trac­tu­al ser­vices, ser­vice and cus­tomer care, mar­ket­ing, adver­tis­ing and mar­ket research.


The host­ing ser­vices we use are for the pur­pose of pro­vid­ing the fol­low­ing ser­vices: infra­struc­ture and plat­form ser­vices, com­put­ing capac­i­ty, stor­age and data­base ser­vices, secu­ri­ty and tech­ni­cal main­te­nance ser­vices we use to oper­ate this online service.

Here we, or our host­ing provider, process inven­to­ry data, con­tact data, con­tent data, con­tract data, usage data, meta and com­mu­ni­ca­tion data of cus­tomers, inter­est­ed par­ties and vis­i­tors to this online offer on the basis of our legit­i­mate inter­ests in an effi­cient and secure pro­vi­sion of this online offer acc. Art. 6 para. 1 lit. f DSGVO i.V.m. Art. 28 DSGVO (con­clu­sion of con­tract pro­cess­ing contract).

Collection of access data and log files

We, or our host­ing provider, col­lects on the basis of our legit­i­mate inter­ests with­in the mean­ing of Art. 6 para. 1 lit. f. DSGVO Data on every access to the serv­er on which this ser­vice is locat­ed (so-called serv­er log files). The access data includes name of the retrieved web page, file, date and time of retrieval, amount of data trans­ferred, mes­sage about suc­cess­ful retrieval, brows­er type and ver­sion, the user’s oper­at­ing sys­tem, refer­rer URL (the pre­vi­ous­ly vis­it­ed page), IP address and the request­ing provider ,

Log­file infor­ma­tion is stored for secu­ri­ty pur­pos­es (for exam­ple, to inves­ti­gate abu­sive or fraud­u­lent activ­i­ties) for a max­i­mum of 7 days and then delet­ed. Data whose fur­ther reten­tion is required for evi­den­tial pur­pos­es shall be exempt­ed from the can­cel­la­tion until final clar­i­fi­ca­tion of the incident.


When con­tact­ing us (for exam­ple, by con­tact form, e‑mail, tele­phone or via social media) the infor­ma­tion of the user to process the con­tact request and its pro­cess­ing in accor­dance with. Art. 6 para. 1 lit. b) DSGVO processed. User infor­ma­tion can be stored in a Cus­tomer Rela­tion­ship Man­age­ment Sys­tem (“CRM Sys­tem”) or com­pa­ra­ble request organization.

We delete the requests, if they are no longer required. We check the neces­si­ty every two years; Fur­ther­more, the legal archiv­ing oblig­a­tions apply.

Integration of services and contents of third parties

Based on our legit­i­mate inter­ests (ie inter­est in the analy­sis, opti­miza­tion and eco­nom­ic oper­a­tion of our online offer with­in the mean­ing of Art. 6 (1) lit. DSGVO), we make use of con­tent or ser­vices offered by third-par­ty providers in order to pro­vide their con­tent and ser­vices Ser­vices, such as Include videos or fonts (col­lec­tive­ly referred to as “con­tent”).

This always pre­sup­pos­es that the third-par­ty providers of this con­tent per­ceive the IP address of the users, since they could not send the con­tent to their brows­er with­out the IP address. The IP address is there­fore required for the pre­sen­ta­tion of this con­tent. We endeav­or to use only con­tent whose respec­tive providers use the IP address sole­ly for the deliv­ery of the con­tent. Third par­ties may also use so-called pix­el tags (invis­i­ble graph­ics, also referred to as “web bea­cons”) for sta­tis­ti­cal or mar­ket­ing pur­pos­es. The “pix­el tags” can be used to eval­u­ate infor­ma­tion such as vis­i­tor traf­fic on the pages of this web­site. The pseu­do­ny­mous infor­ma­tion may also be stored in cook­ies on the user’s device and may include, but is not lim­it­ed to, tech­ni­cal infor­ma­tion about the brows­er and oper­at­ing sys­tem, refer­ring web pages, vis­it time, and oth­er infor­ma­tion regard­ing the use of our online offer.

Google fonts

We incor­po­rate the fonts (“Google Fonts”) pro­vid­ed by Google LLC, 1600 Amphithe­ater Park­way, Moun­tain View, CA 94043, USA. Pri­va­cy Pol­i­cy:, opt-out:

Google ReCaptcha

We bind the func­tion to detect bots, e.g. when enter­ing into online forms (“ReCaptcha”) of the provider Google LLC, 1600 Amphithe­ater Park­way, Moun­tain View, CA 94043, USA. Pri­va­cy Pol­i­cy:, opt-out:

Google Maps

We include maps from the Google Maps ser­vice pro­vid­ed by Google LLC, 1600 Amphithe­ater Park­way, Moun­tain View, CA 94043, USA. The processed data may include, in par­tic­u­lar, users’ IP address­es and loca­tion data, but these are not col­lect­ed with­out their con­sent (usu­al­ly as part of the set­tings of their mobile devices). The data can be processed in the USA. Pri­va­cy Pol­i­cy:, opt-out:

Cre­at­ed with by RA Dr. med. Thomas Schwenke