Data Privacy Decleration

Last updated: 9th of November 2025

1. Controller & Contact

Private Clinic Schloss Schellenstein GmbH
Am Schellenstein 1
59939 Olsberg

Email: info@implantologieklinik.de
Phone: +49 2962 97190

2. Scope of this Policy

This Privacy Policy applies to https://www.profkhoury.com (including language/country variants) and to our contact forms and newsletter subscription.

3. Categories of Personal Data

3.1 Contact forms (12 forms – 6 courses × 2 languages)

  • Identity & contact data: Name, email address, phone number (if provided), course reference/language
  • Content data: Free‑text message, form ID, timestamp

3.2 Newsletter (Brevo)

  • Signup data: Title, first name, last name, email address
  • Double‑opt‑in proof: Timestamp, IP address, consent text, DOI status

3.3 Usage/technical data (only after consent)

  • Analytics (Microsoft Clarity): e.g., page views, click paths, interactions, session IDs (heatmaps/session replay), browser/device information, timestamps

4. Purposes & Legal Bases

4.1 Handling inquiries (contact forms)

  • Purpose: Processing and responding to your course‑related or general inquiries; follow‑ups
  • Legal bases: Art. 6(1)(b) GDPR (pre‑contractual/contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in effective communication). Any marketing use requires consent (Art. 6(1)(a) GDPR).

4.2 Newsletter (Brevo) – Double opt‑in

  • Purpose: Sending newsletters/updates after prior DOI confirmation
  • Legal bases: Art. 6(1)(a) GDPR (consent);
    Compliance/record‑keeping: Art. 6(1)(c)/(f) GDPR for documenting and managing consent.
  • Withdrawal: You can withdraw consent at any time with future effect (unsubscribe link in each email or by contacting us).

4.3 Cookies & similar technologies (consent via CCM19)

  • Purpose: Obtain/manage your choices; block non‑essential technologies until opt‑in
  • Legal bases: Section 25 German TDDDG (end‑device access only with consent, where required); subsequent processing based on Art. 6(1)(a) GDPR.

4.4 Analytics (Microsoft Clarity) – only after opt‑in

  • Purpose: UX improvement through analytics (heatmaps, session replay, error analysis)
  • Legal bases: Section 25 TDDDG (consent for non‑essential technologies) in conjunction with Art. 6(1)(a) GDPR. Without consent, Clarity is not activated.

5. Recipients / Processing on our behalf / International Transfers

We use carefully selected service providers under Art. 28 GDPR:

  • Website/hosting/CMS: Webflow, Inc. (USA)
  • Automation/form routing: Zapier, Inc. (USA) – temporary handling of form data to trigger workflows (Zap history/logs)
  • Newsletter/transactional email: Brevo (Sendinblue), France/EU – sending, DOI, consent management
  • Analytics: Microsoft Clarity (Microsoft Corporation, USA) – analytics/session replay only after consent
  • Consent management: CCM19 – management/logging of consent decisions

We have Data Processing Agreements (DPAs/AVVs) in place with our processors. Where data is transferred to third countries (in particular the USA), we rely—where available—on the EU‑US Data Privacy Framework (DPF) and/or the EU Standard Contractual Clauses (SCCs) together with supplementary measures.

6. Cookies & Similar Technologies

6.1 Strictly necessary

Cookies that are technically required for operation/security/functionality (legal bases: Section 25(2) TDDDG; Art. 6(1)(f) GDPR). Details are shown in the CCM19 banner.

6.2 Analytics (Microsoft Clarity – only after consent)

Typical Clarity cookies:

NameProviderPurposeStorageType_clckMicrosoft ClarityPersists Clarity User ID & preferences (site‑specific)~1 yearFirst‑party_clskMicrosoft ClarityConnects multiple page views into a session~1 dayFirst‑partyCLIDMicrosoft ClarityIdentifies first time Clarity saw this user on any Clarity site~1 yearThird‑partyANONCHKMicrosoftIndicates whether MUID is passed to ANID (for Clarity: 0)SessionThird‑partyMRMicrosoftManages/refreshes MUIDup to ~7 daysThird‑partyMUIDMicrosoftUnique browser ID (analytics/operational)up to ~1 yearThird‑partySMMicrosoftMUID synchronization across Microsoft domainsSessionThird‑party

Activation: These cookies/technologies are set only after your opt‑in via CCM19. You can revisit your choice at any time through the “Cookie settings” link in the footer and withdraw consent.

7. Storage & Deletion

  • Contact inquiries (forms via Zapier): Used to process and route your request; Zapier generally retains Zap history/logs for up to ~60 days. We do not keep additional permanent copies. If exceptionally needed for follow‑up, we delete such data no later than 60 days.
  • Newsletter (Brevo): Stored until consent is withdrawn/you unsubscribe. DOI/consent records are typically retained for up to 3 years for evidence purposes (limitation period) and then deleted/anonymised.
  • Consent logs (CCM19): Up to 2 years (or shorter if no longer required).
  • Clarity data: Local cookie lifetimes as per the table; server‑side session/project data per provider policy.

8. Obligation to Provide Data

You are not legally required to provide data. Without certain details we may be unable to respond to your inquiry; without consent we do not use analytics.

9. Your Rights

Subject to statutory conditions, you have rights to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), object (Art. 21), and to withdraw consent with effect for the future. You also have the right to lodge a complaint with a data protection supervisory authority.

10. Security

We implement appropriate technical and organisational measures (e.g., TLS encryption, access/permission concepts, DOI/consent logging, deletion & retention routines).

11. Updates to this Policy

We will update this Policy when our processes, services, or the legal situation change. The current version is always available on this page.