Privacy Policy
Last updated: January 2025
We take the protection of your personal data seriously. This Privacy Policy explains what data we collect, how we use it, and what rights you have. It applies to all services provided through allo.care.
1. Data Controller
The entity responsible for processing your personal data under the GDPR is:
Antler Innovation GmbH
Jägerstraße 32
10117 Berlin
Germany
Email: privacy@allo.care
2. Data We Collect
We collect the following categories of personal data:
- Contact details: First name, last name, email address, phone number (optional), postcode
- Health-related information: Responses to the eligibility questionnaire (PrEP status, insurance type, preferred care path)
- Consent records: Timestamp, IP address, and user agent to document your consent
- Technical data: IP address, browser type, device information, page views (pseudonymised)
3. Legal Basis for Processing
We process your data on the following legal bases under Art. 6 GDPR:
- Art. 6(1)(a) GDPR (Consent): For processing health-related data and optional email marketing
- Art. 6(1)(b) GDPR (Contract performance): For processing consultation bookings and care services
- Art. 6(1)(c) GDPR (Legal obligation): To fulfil statutory retention requirements
- Art. 6(1)(f) GDPR (Legitimate interests): For security, fraud prevention, and service improvement
For special categories of data (health data), processing is additionally based on Art. 9(2)(a) GDPR (explicit consent).
4. Purposes of Processing
- Running the eligibility questionnaire and directing you to the appropriate next step
- Booking and managing doctor consultations
- Managing waitlists (GKV waitlist, international waitlist)
- Communicating by email about appointments, lab reminders, and service updates
- Optional newsletter about PrEP and health topics (only with separate consent)
- Improving and developing our platform
5. Sharing of Data
We do not sell or share your data with third parties for advertising purposes. Data is shared only in the following cases:
- Treating physicians: Relevant details are shared with your doctor to the extent required for the consultation
- Data processors: Technical service providers (e.g. database infrastructure) whom we carefully vet and contractually bind
- Authorities: Where we are legally required to do so
We use Supabase (Supabase Inc., USA) as our database infrastructure. Data transfers to the USA are based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
6. Retention Periods
- Questionnaire data and leads: 3 years from last contact, unless an active service relationship exists
- Consent records: 10 years (statutory proof requirement)
- Booking and payment data: 10 years (tax retention obligation)
- Waitlist entries: Until the purpose is fulfilled or consent is withdrawn
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): You may request a copy of all data we hold about you
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data
- Right to erasure (Art. 17 GDPR): You may request deletion of your data, subject to any retention obligations
- Right to restriction (Art. 18 GDPR): You may request that we restrict processing of your data
- Right to data portability (Art. 20 GDPR): You may receive your data in a machine-readable format
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests
- Right to withdraw consent: You may withdraw any consent at any time, without affecting the lawfulness of prior processing
To exercise your rights, contact us at: privacy@allo.care
You also have the right to lodge a complaint with the competent supervisory authority. Our lead supervisory authority is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit).
8. Cookies and Tracking
Allo Care uses only technically necessary cookies required for the operation of the platform. We do not use advertising cookies or third-party tracking tools. No cookie consent banner is therefore required.
9. Security
We protect your data through technical and organisational measures, including encrypted data transmission (TLS/HTTPS), access controls, and regular security reviews. Health data is subject to heightened protection and is accessible only to authorised personnel.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available on this page. For material changes, we will notify you by email if we hold your address.
For privacy-related enquiries, contact us at privacy@allo.care.