Privacy Policy
1. Controller
The controller within the meaning of the GDPR is:
VitaLink ATLS Education GmbH
Kipsburg 31, 44263 Dortmund, Germany
Managing director: Oualid Messaoudi
Registry court: Amtsgericht Dortmund — HRB 38336 Dortmund
Tax number: 315/5775/2827
VAT ID: applied for
Phone: +49 178 3332857
E-Mail: datenschutz@vitalink-atls-education.de
2. Data Protection Officer
The appointment of a data protection officer is currently not required pursuant to § 38 BDSG (fewer than 20 persons engaged in permanent data processing). Please direct privacy requests to datenschutz@vitalink-atls-education.de.
2a. Hosting
The site is hosted on Lovable (Lovable AB, Sweden) with Cloudflare CDN (US, DPF-certified). Database and authentication run on Supabase (Frankfurt, EU). Legal basis: Art. 6(1)(f) GDPR. Data processing agreements pursuant to Art. 28 GDPR are in place.
3. General Information on Data Processing
We process personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. As a rule, processing takes place only with the consent of the user or on another legal basis (Art. 6(1) GDPR).
4. Data Collection When Visiting the Website (Server Log Files)
Each time our website is accessed, our system automatically collects data from the accessing computer: IP address, date and time, browser type, operating system, referrer URL, page accessed. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in security and functionality). Log files are deleted after 7 days unless security-relevant events require longer storage.
5. Registration and Customer Account
Setting up a customer account is required to book courses. We collect:
- Title, first and last name
- Email address, password (stored encrypted)
- Postal address, telephone number
- Job title, proof of qualification (insofar as required for course participation)
- Billing and payment data
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations, in particular commercial and tax retention obligations). Storage period: for the duration of the customer relationship and subsequently within the framework of statutory retention periods (up to 10 years pursuant to § 147 AO, § 257 HGB).
6. Processing in the Context of Course Delivery
As part of course delivery, we process attendance lists, examination results and certificate data. Legal basis: Art. 6(1)(b) GDPR. Certificate data may be transmitted to certification bodies (e.g. American College of Surgeons for ATLS). Transfers to third countries (USA, Egypt) are made on the basis of appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses).
7. Payment Processing (Stripe)
Payments are processed via Stripe Payments Europe Ltd. (1 Grand Canal Street Lower, Dublin, Ireland). Stripe processes payment and identification data (e.g. card tokens, IP, name, billing address) as an independent controller for fraud prevention and as a processor for contract execution. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. Transfers to the USA (Stripe Inc.) are based on Standard Contractual Clauses and the EU-US DPF. Details: https://stripe.com/privacy
7a. Third-country transfer to Egypt (course delivery)
To deliver ATLS® courses, we transfer your name, contact data, professional details and where applicable exam results to the ACS-accredited course site in Egypt (Egyptian Life Support Training Center, Cairo). There is NO adequacy decision for Egypt. The transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR) and a Transfer Impact Assessment. Legal basis: Art. 6(1)(b) GDPR with Art. 49(1)(b) GDPR. You may object at any time — course participation will then no longer be possible.
7b. Google Analytics 4 (optional, only with consent)
Subject to your consent, we use Google Analytics 4 (Google Ireland Ltd., Dublin) for anonymized usage measurement. IP anonymization is active and Consent Mode v2 is implemented. Cookie storage up to 24 months. Transfers to the USA (Google LLC) are based on the EU-US DPF. Legal basis: Art. 6(1)(a) GDPR, § 25(1) TTDSG. Withdraw consent at any time via cookie settings.
7c. TikTok Pixel (optional, only with consent)
Subject to your consent, we use the TikTok Pixel (TikTok Technology Limited, Dublin) for conversion measurement of TikTok ad campaigns. TikTok is NOT DPF-certified; data may be transferred to the USA and China. Residual risks regarding government access remain. SCCs and supplementary safeguards are in place. Legal basis: Art. 6(1)(a) GDPR. Withdraw consent at any time.
8. Newsletter
If you subscribe to our newsletter, we use your email address exclusively for sending the newsletter. Sending is done via the double opt-in procedure. Legal basis: Art. 6(1)(a) GDPR. You can unsubscribe at any time via the unsubscribe link in the newsletter.
9. Cookies and Tracking
Our website uses technically necessary cookies (legal basis Art. 6(1)(f) GDPR, § 25(2) TTDSG) as well as – with your consent – analytics and marketing cookies (Art. 6(1)(a) GDPR, § 25(1) TTDSG). You can revoke your consent at any time via the cookie settings in the footer.
9.1 Cloudflare (Bot & Security Protection)
We use Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) as a Content Delivery Network (CDN) and Web Application Firewall to protect against automated attacks, bots and DDoS. Your IP address is transmitted to Cloudflare and briefly processed. Cloudflare sets the technically necessary cookie __cf_bm (Cloudflare Bot Management, max. 30 minutes lifetime) to distinguish between human visitors and bots. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security) in conjunction with § 25(2) No. 2 TTDSG (strictly necessary for the explicitly requested telemedia service). Transfers to the USA are based on the EU-US Data Privacy Framework (Cloudflare is certified) and supplementary Standard Contractual Clauses pursuant to Art. 46 GDPR. More info: https://www.cloudflare.com/privacypolicy/
9.2 Overview of cookies used
- __cf_bm — Cloudflare Bot Management, strictly necessary, max. 30 minutes
- cf_clearance — Cloudflare security check (only when triggered), strictly necessary, max. 30 days
- sb-*-auth-token — Authentication (login), strictly necessary, session
- vl_consent — Stores your cookie choice, strictly necessary, 12 months
- vl_lang — Language preference, strictly necessary, 12 months
10. Disclosure to Third Parties
Your data is only disclosed to third parties insofar as this is necessary for the performance of the contract (e.g. instructors, event partners, payment service providers), we are legally obliged to do so, or you have expressly consented. Data processing agreements pursuant to Art. 28 GDPR exist with processors.
11. Your Rights as a Data Subject
You have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR) — as easy as giving it, anytime via the cookie button
- Right to lodge a complaint (Art. 77 GDPR) with the LDI NRW, Kavalleriestraße 2–4, 40213 Düsseldorf, www.ldi.nrw.de.
No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place.
12. Data Security
We employ technical and organisational measures pursuant to Art. 32 GDPR to protect your data against accidental or intentional manipulation, loss, destruction or unauthorised access (including SSL/TLS encryption, access controls, regular security updates).
13. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in the legal situation or changes to our services. The current version is always available on our website.
14. Contact
For privacy questions: datenschutz@vitalink-atls.com