Privacy Policy

This privacy policy applies to the website and web application of Simply Onno GmbH. Please read this privacy policy carefully before using our services.

The exclusive language available for this privacy policy shall be German. Translations to other languages are for information only. In the event of any discrepancy, contradiction, or inconsistency between the German text and the translations, the German text shall prevail in all respects.

Notice for residents of the United States:
Simply Onno GmbH provides its website and services exclusively for users outside the United States. The services are not intended for, and are not directed at, residents or citizens of the United States of America. Access to and use of the services by individuals located in or resident in the United States is expressly prohibited.

Any individual in the United States who accesses the services does so entirely at their own risk and acknowledges that such use is in violation of these terms. By accessing the services, US-based users expressly waive any and all claims, rights, demands, or causes of action against Simply Onno GmbH, its directors, employees, and affiliates.

Simply Onno GmbH shall not be liable for any consequences, damages, or legal ramifications arising from the unauthorised use of its services by residents or citizens of the United States, regardless of the legal basis of such claims.

A. Foreword

Simply Onno is a web application that uses AI language models to translate and explain medical documents in plain language. The information contained in the original document is not altered or interpreted, but translated and explained without evaluation or judgement.

To ensure easy understanding, the information may be simplified, shortened, or summarised where appropriate. In some cases, we also add extended descriptions or explanations, similar to a glossary. These additions serve solely to support understanding and are based exclusively on generally known facts (for example: “The triangular disc is a small cartilage disc in the wrist that sits between the ulna and the carpal bones.”).

In particular, there is no verification of diagnoses or findings entered by you. Simply Onno does not draw conclusions from medical information, does not serve for diagnosis, prevention, monitoring, prediction, or treatment of any disease, and does not provide recommendations for therapy or relief. The service provided by Simply Onno consists solely of objective translation and explanation in order to help you better understand your medical report and to enable you to ask informed questions during discussions with your doctor. The service provided by Simply Onno does not replace medical explanation or consultation.

We, Simply Onno GmbH (hereinafter collectively referred to as “the company”, “we”, or “us”), take the protection of your personal data very seriously and would like to inform you about data protection practices within our company at this point.

As part of our responsibilities under data protection law, additional obligations have been imposed on us following the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter “GDPR”) to ensure the protection of personal data of individuals affected by data processing (below, we also refer to you as “user” or “data subject”).

We are aware of this responsibility and will process your (health) data only to the extent necessary, only on a legal basis, and with your explicit and informed consent, applying the highest possible security measures.

Where we, either alone or jointly with others, determine the purposes and means of data processing, this includes in particular the obligation to inform you transparently about the nature, scope, duration, and legal basis of the processing. With this statement (hereinafter “privacy policy”), we inform you about how and for what purpose your personal data is processed by us.

B. General information

1. Data Controller

Simply Onno GmbH
Sophienstrasse 18
10178 Berlin

Represented by:
Karen Hentschel, Marc Dantas Tiedemann, Stephan Thiel, Dr. med. Witold Polanski

2. Data Protection Officer

Marc Dantas Tiedemann

3. Definitions

Based on Article 4 of the GDPR, the following definitions apply to this privacy policy:

"Personal Data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data, or by reference to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Identifiability may also arise through the combination of such information or through additional knowledge. The form, manner, or embodiment of the information is irrelevant (photos, video, or audio recordings may also contain personal data). For example, your name, location data, IP address, device identifier, SIM card number, postal address, and email address constitute personal data. Your fingerprint, images, videos, audio recordings, and user behaviour also fall within this category.

"Processing" (Art. 4 No. 2 GDPR) means any operation or set of operations performed on personal data, whether or not by automated means. This includes, in particular, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure, or destruction of personal data, as well as any change to the purpose or objective originally underlying the processing.

"Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Third Party" (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data. This also includes other legal entities belonging to the same corporate group.

"Processor" (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (for example, an IT service provider). For the purposes of data protection law, a processor is not considered a third party.

"Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, given by a statement or by a clear affirmative action, by which the data subject signifies agreement to the processing of personal data relating to them.

"User" means a person who uses the application either for themselves, on behalf of another person (for example, as a carer or support person), or as an invited user who has been granted access to the application by a main user.

"Health Data" means personal data related to the physical or mental health of a natural person, including the provision of healthcare services, from which information about that person’s health status is derived. For example, the information contained in your doctor’s letter constitutes health data.

4. Changes to the privacy policy

Our privacy notices are reviewed and updated on a regular basis. We will inform you about any changes. The current version is always available on our website.

This privacy policy is valid as of September 2025.

5. No Obligation to Provide Personal Data

We do not make the conclusion of contracts with us dependent on you providing personal data in advance. As a user, you are under no legal or contractual obligation to provide us with personal data. However, in some cases we may be able to provide our services only to a limited extent or not at all if you do not provide the data required for that purpose. If any limitations to our services arise due to missing data, we will inform you accordingly.

C. Information about the processing of your data

1. General information

When you use our website and web application, we process your personal data and anonymised health data.

As highly sensitive data, health data is subject to special protection under Article 9 of the GDPR. For all data processing activities and across all usage models, we comply with the strict requirements of the GDPR, in particular those set out in Article 9 GDPR.

Details of your consent are described at the end of this privacy policy under the section “Your consent”.

Your personal data and health data are processed as follows:

2. Which data is processed when you visit our website?

When you visit our website, we automatically collect certain data. This always includes data that is necessary for the use of the website and the web application (so-called usage data). This includes:

● Visited page on our domain

● Date and time of the server request

● Browser type and browser version

● Operating system used

● Device type

● Referrer URL

● Country, region, and city

This data processing is carried out in order to provide you with the functions of the Simply Onno website and web application. There is no merging of this data with other data sources, in particular not with documents that you may upload at a later point in time.

The data processing is justified on the basis that it is necessary for the use of the website and thus for the performance of the user agreements between you and us (Art. 6 (1) (b) GDPR).

In some cases, we also process this data to improve our services and user friendliness, to maintain the functionality of Simply Onno, or to protect the application against misuse.

For web analytics, we use Google Analytics 4 (GA4) via Google Tag Manager (GTM) in order to understand how visitors use our website (for example, which search terms they use to find us or which content is accessed particularly frequently).

Analytics cookies are only set after you have given your consent via the cookie banner.

The data processed includes, among other things, device and browser information, usage data (for example page views, time spent on pages, and clicks), and an approximate location. IP addresses are not stored by GA4; for users in the EU, they are discarded before logging.

The legal basis for this processing is your consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 25 (1) TTDSG. The recipients are Google Ireland Ltd and Google LLC (USA). A transfer to a third country takes place on the basis of the EU-US Data Privacy Framework (DPF) and the EU Standard Contractual Clauses (Article 46 GDPR).

You can withdraw your consent at any time via the cookie banner.

Further information on data processing by Google can be found at: https://policies.google.com/privacy

3. Which data is processed when you contact us by email, telephone, contact form, or post?

If you contact us by email, telephone, via our contact form, or by post, we store the personal data you provide to us (for example, your name and contact details). We use this data solely to respond to your enquiry.

The data collected in this context is deleted without delay once storage is no longer necessary. If we are subject to statutory retention obligations that require us to store the data for a longer period, we restrict the processing of your data until it is finally deleted.

The legal basis for this data processing depends on the reason for your contact and is either the permissibility of processing in the context of pre-contractual measures, the performance of a contract, or our legitimate interest in providing a communication channel for general enquiries, in accordance with Art. 6 (1) (b) and (f) GDPR.

Please note that email communication without encryption recognised under data protection law is not sufficiently secure. For this reason, please do not send confidential information, data, or health data to us by email. Instead, use postal mail or, after prior consultation with us, the upload options we provide. We accept no liability for data that you send to us unsolicited by email.

We will never send you personal data by email without your request. Contact by email takes place only in connection with technical support enquiries or the service “Detailed Translation & Explanation”.

4. Which data is processed when you use the services of Simply Onno?

4.1 Specific functions and data processing activities of Simply Onno within the “free and simple summary” service

In addition to the automatically collected personal data listed in section 2, we also collect and process data that you provide to us yourself. We process this data in order to provide you with the translation service you have requested.

Specifically, we request and collect the data listed below in order to fulfil the purposes stated:

  • Documents relating to your medical history that you have anonymised yourself, such as diagnoses, examination results, doctors’ letters, or other medical content. [intended use]

  • Name and email address (optional) when using the feedback function, if you wish to be contacted. [intended use]

4.2 Specific functions and data processing activities of Simply Onno within the “Detailed Translation & Explanation” service

  • Documents relating to your medical history, such as diagnoses, examination results, doctors’ letters, or other medical content. [intended use]

  • Email address for communication and for the final provision of the created document via a separate encrypted download. [intended use and technical functionality]

  • First name and last name, if you wish to be addressed personally in communication. [intended use]

  • Gender, age, and other additional voluntary information (optional), which may assist in the classification of the documents to be processed but is not required. [intended use]

4.3. Lawfulness of data processing

The data processing activities described in sections 4.1 and 4.2 are carried out for the purpose of fulfilling the contract concluded between you and Simply Onno for the provision of digital content or digital services (digital products, §§ 327 et seq. of the German Civil Code, BGB).

The usage data referred to in sections 4.1 and 4.2 is also processed in part in order to review, improve, and maintain the technical functionality of the Simply Onno application. In some cases, we process this data to ensure the user friendliness of Simply Onno, to further develop our services, and to ensure the highest possible quality. This includes, for example, information about when, how often, and which areas of the application are used and whether any issues occur. At this stage, it is no longer possible for us to establish a personal reference.

In addition, the generated translations are regularly evaluated on the basis of anonymised sources. This evaluation enables us to maintain a high quality standard, continuously improve our services, and adapt them to your individual needs.

The data processing activities described in sections 4.1 and 4.2 are lawful under the GDPR, as the processing is necessary for the performance of the contract between you and us regarding the use of Simply Onno (Art. 6 (1) (b) GDPR), and because you have given your consent to the data processing (Art. 6 (1) (a) GDPR, Art. 9 (2) (a) GDPR).

The use of Simply Onno is dependent on this consent. You may withdraw your consent at any time. Details regarding consent are described at the end of this privacy policy under the section “Your consent” (Section D).

5. Data processing based on legal obligations or legitimate interests

In certain cases, we also process your personal data for the following purposes:

● To comply with our legal obligations, including participation in investigations and proceedings conducted by governmental bodies or authorities (Article 6 (1) (c) GDPR).

● Where we are legally obliged to do so (Article 6 (1) (c) GDPR), we may process your personal data in order to protect our rights and security, as well as those of our customers and third parties. Even where there is no legal obligation, we may process data for this purpose on the basis of our legitimate interests or the legitimate interests of other data subjects, in particular for the establishment, exercise, or defence of legal claims (Article 6 (1) (f) GDPR).

6. Information about product updates by email

If you expressly consent in accordance with Article 6 para. 1 lit. GDPR, we will use your email address to send you information about product developments at irregular intervals. To receive this information, providing an email address and registering via the so-called double opt-in procedure is sufficient.

No further data is collected in this context. We use the personal data collected for this purpose exclusively for sending these product updates.

You may unsubscribe at any time, for example via the link provided at the end of each product update. Alternatively, you may also send your request to unsubscribe to us by email at any time.

7. Your rights

With regard to the data we process about you, you have the following rights:

  • Right to rectification and erasure

  • Right to data portability

  • Right to restriction of processing

  • Right of access

  • Right to object to processing

Whether and to what extent these rights apply in an individual case and under which specific conditions they may be exercised is determined by law, in particular by the GDPR and the German Federal Data Protection Act (BDSG new).

For data processing activities based on your consent, you have the right to withdraw your consent at any time with effect for the future in accordance with Article 7 para. 3 GDPR. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of your consent prior to withdrawal. You may submit your withdrawal to the data controller named above by email at [email protected].

You also have the right to lodge a complaint with the competent data protection supervisory authority regarding the processing of your personal data by our company.

The competent authority for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin

Email: [email protected]

8. How and for how long do we store your data and uploaded documents?

In general, the storage period is limited by the purpose of processing (Article 5 (1) (e) GDPR).

We store your personal data and the documents you upload only for as long as is necessary to achieve the purpose for which they were collected or to comply with legal obligations.

To determine appropriate storage periods for your personal data, we apply criteria based on the respective processing purpose, for example to facilitate the management of customer relationships and to fulfil legal claims or requests from authorities.

The original documents uploaded by you, as well as the text generated from them, are deleted no later than 30 days after receipt. This is done primarily for quality assurance purposes during the initial phase. In order to ensure the quality of your translation and to allow continuous review by our doctors, we reserve the right to store the anonymised texts created from your documents for as long as is strictly necessary.

If data cannot be deleted because it is required for other legally permissible purposes, its processing will be restricted. Where processing is restricted, the data will be blocked and may not be processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

You may withdraw your consent to processing at any time, without giving reasons, using the contact details listed in the legal notice or by email at [email protected].

By using the service, you consent to your data being stored in anonymised form even after the original purpose has ceased (for example, to provide the translation result), for the purpose of use as training data for AI-based language models or for the evaluation of our services. These data will be deleted once the training or usage period has ended. The anonymised data is used by Simply Onno exclusively for internal purposes and solely for the improvement and further development of the translation systems.

9. Transfer of data to third parties / categories of recipients

We share some of your data with third parties in order to provide our services to you. In doing so, we assume that you have removed all personal identifiers in advance and that the data therefore does not constitute personal data. Nevertheless, we treat this data with the utmost care and transparency and disclose all uses here.

Where, in the course of processing, we disclose data to other persons or companies (processors or third parties), transfer data to them, or otherwise grant them access to your data, this is done solely on the basis of a legal basis, your consent, where we are legally obliged to do so, or on the basis of our legitimate interests (for example, when using third parties for server hosting).

Where we engage third parties to process data on the basis of a so-called data processing agreement, this is done in accordance with Article 28 GDPR. Accordingly, we only use processors who provide sufficient guarantees that appropriate technical and organisational measures are implemented to ensure that data processing is carried out in compliance with legal requirements and with our privacy policy.

In order to provide our service and our website, your data is processed in part by the following providers:

9.1 Processors such as hosting providers and IT service providers

Microsoft Azure, Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
We use Microsoft Azure to store and process data such as uploaded documents or generated texts. In addition, we make use of various Azure services, including:

  • OCR text recognition (Document Intelligence): for the automated recognition and extraction of text content from documents.

  • Content Safety: for the identification and filtering of potentially harmful content.

The data is stored exclusively on servers located in Germany. This ensures that your data remains within the strict legal framework of German and European data protection laws.

The transfer of your data to Azure takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Azure may process data outside the EU or EEA.

Further information can be found in Microsoft’s privacy policy: https://privacy.microsoft.com/en-gb/privacystatement

Vercel Inc., Avenue Huart Hamoir 71, 1030 Brussels, Belgium
We use Vercel to host our application. This includes the provision and display of the user interfaces. No user data is stored on Vercel servers. However, as part of the hosting process, Vercel may collect usage data such as access statistics or technical information required to provide the services.

The specific retention period for the processed usage data is not determined by us, but by Vercel. Further information can be found in Vercel’s privacy policy at: https://vercel.com/legal/privacy-policy

The transfer of your data to Vercel takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Vercel may process data outside the EU or EEA.

Sentry, Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105
We use Sentry to collect and analyse error reports (so-called log data). This is done to identify and resolve technical issues and to improve the stability and user friendliness of our application.

The specific retention period for the processed usage data is not determined by us, but by Sentry. Further information can be found in Sentry’s privacy policy at: https://sentry.io/privacy/

The transfer of your data to Sentry takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Sentry may process data outside the EU or EEA.

Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992
We use Supabase to keep track of your translations and to monitor the current processing status. In this context, certain data is logged; however, no personally identifiable information is stored. Processing takes place solely to ensure smooth functionality and the management of translation processes.

The specific retention period for the processed usage data is not determined by us, but by Supabase. Further information can be found in Supabase’s privacy policy at: https://supabase.com/privacy

The transfer of your personal data to Supabase takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Supabase may process data outside the EU or EEA.

Langfuse GmbH, Gethsemanestraße 4, 10437 Berlin, Germany
We use Langfuse to monitor the quality of the language models used. In this context, primarily AI-generated data and texts are processed and stored. Processing takes place exclusively to ensure smooth functionality and to improve our services.

The specific retention period for the processed usage data is determined by Langfuse and is outside our sphere of influence. Further information can be found in Langfuse’s privacy policy at: https://langfuse.com/privacy

The transfer of your personal data to Langfuse takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Langfuse may process data outside the EU or EEA.

9.2 Third parties for billing purposes (financial institutions and payment service providers)

For paid services, we use the payment service provider Stripe Technology Europe, Limited (STEL).

Stripe Technology Europe, Limited (STEL), The One Building, 1, Lower Grand Canal Street, Dublin 2, Ireland
During the payment process, Stripe collects buyer, contact, and billing data under its own responsibility. For the performance of the contract, Stripe provides us with the following data: name, email address, postal address, purchase history, customer ID, invoice ID, and transaction ID.

The legal basis for this processing is Article 6 para. 1 lit. b GDPR (performance of a contract) as well as our legitimate interest in customer support and fraud prevention pursuant to Article 6 (1) (f) GDPR. Consent for marketing purposes is obtained separately (Article 6 (1) (a) GDPR).

Processing may take place in countries outside the EU (including the UK and the USA). For this purpose, Stripe uses EU standard contractual clauses and, where applicable, the UK addendum.

Further information can be found in Stripe’s privacy policy at: https://stripe.com/en-de/privacy.

9.3 Providers of AI language models

For the anonymisation, classification, translation, and summarisation of your documents, we use various language models based on artificial intelligence. We continuously evaluate the results to ensure the highest possible quality. Depending on performance and current developments, we switch between models from the following providers:

OpenAI Ireland Ltd [1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland]
OpenAI generally stores data transmitted via its API only for a short period of time (less than 30 days) and exclusively for purposes such as troubleshooting, abuse detection, and service improvement. No permanent storage or use for model improvement takes place. In exceptional cases, for example in the event of suspected misuse or for legal reasons, data may be retained for a longer period.

The specific retention period for the processed data is not determined by us, but by OpenAI. Further information can be found in OpenAI’s privacy policy at: https://openai.com/en-GB/policies/row-privacy-policy/

The transfer of your data to OpenAI takes place on the basis of a separate data processing agreement (DPA) concluded between us and OpenAI in accordance with Article 28 GDPR. This DPA ensures that OpenAI, as a processor, processes your data exclusively in accordance with our instructions and in compliance with the requirements of the General Data Protection Regulation (GDPR). OpenAI has undertaken to ensure an adequate level of protection for the processing of personal data, including the implementation of appropriate technical and organisational measures and the contractual binding of sub-processors.

OpenAI may process personal data outside the EU or EEA. The conditions and obligations governing such processing are also set out in the concluded data processing agreement.

Anthropic Ireland Limited [6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland]
Anthropic does not store data transmitted via its API. The data retention period specified by Anthropic for our account is 0 days. Further information can be found in Anthropic’s privacy policy at: https://www.anthropic.com/privacy

The transfer of your data to Anthropic takes place on the basis of a separate data processing agreement (DPA) concluded between us and Anthropic in accordance with Article 28 GDPR. This DPA ensures that Anthropic, as a processor, processes your data exclusively in accordance with our instructions and in compliance with the requirements of the General Data Protection Regulation (GDPR). Anthropic has undertaken to ensure an adequate level of protection for the processing of personal data, including the implementation of appropriate technical and organisational measures and the contractual binding of sub-processors.

Anthropic may process personal data outside the EU or EEA. The conditions and obligations governing such processing are also set out in the concluded data processing agreement.

9.4 Providers of analytics tools and product information services

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
We use Google Analytics 4 (GA4), provided by Google Ireland Ltd, to analyse user behaviour on our website. Google Analytics uses cookies that are only set after you have given your consent via the cookie banner.

The information generated by cookies about your use of this website (including your IP address, which is shortened through IP anonymisation) is transmitted to Google servers and stored there. Google may use this information to compile reports on website activity for us and to provide further services related to website usage.

The legal basis for this processing is your consent pursuant to Article 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG (consent via the cookie banner).

Google may transfer data to third countries, in particular the United States. We have concluded standard contractual clauses with Google in accordance with Article 46 GDPR. Further information can be found in Google’s privacy policy at: https://policies.google.com/privacy

Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia
We use Plausible Analytics to analyse usage data of our website in aggregated form. No personal data is collected, meaning that no conclusions can be drawn about individual users. Plausible operates without the use of cookies and is fully compliant with the General Data Protection Regulation (GDPR). Further information can be found at: https://plausible.io/data-policy

The retention period for the aggregated usage data is determined by Plausible and is outside our sphere of influence. Further information can be found in Plausible’s privacy policy at: https://plausible.io/privacy

The transfer of your data to Plausible takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Plausible processes data within the EU, as its servers are hosted in Germany.

Mailchimp, Intuit Inc, 2700 Coast Ave, Mountain View, CA 94043 USA
If you provide your email address on our website in order to receive information about product updates, and only in this case, we use Mailchimp to keep you informed with your consent.

The specific retention period for the processed data is not determined by us, but by Intuit Mailchimp. Further information can be found in Intuit Mailchimp’s privacy policy at: https://www.intuit.com/privacy/statement/

The transfer of your personal data to Intuit Mailchimp takes place on the basis of our data processing agreement in accordance with Article 28 GDPR. Intuit Mailchimp may process personal data outside the EU or EEA.

9.5 If necessary, Simply Onno may also disclose your data to the following categories of recipients:

  • In the event that we acquire or dispose of all or part of our company, or another company, data may be transferred to our potential contractual partners. We have a legitimate interest in developing our company in this way (Article 6 (1) (f) GDPR). 

  • To law enforcement authorities, public authorities, and courts, in order to comply with legal obligations to participate in investigations and proceedings conducted by governments or authorities (Article 6 (1) (c) GDPR). 

  • To other companies, individuals, or authorities, where we are legally obliged to disclose personal data (Article 6 (1) (c) GDPR), or on the basis of legitimate interests for the protection of our rights or the security of ourselves, our customers, and third parties (Article 6 (1) (f) GDPR).

10. Purpose and legal basis for the transfer of data to third countries

In certain cases, we transfer your personal data outside Germany and ensure that your personal data is adequately protected regardless of the location of processing.

The use of the third-party services listed above is based on your consent pursuant to Article 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. The third-party providers may intend to transfer personal data to third countries outside the European Economic Area, in particular the United States. In cases where no adequacy decision by the European Commission exists (for example, in the United States), we have agreed on other appropriate safeguards with the recipients of the data within the meaning of Articles 44 et seq. GDPR. Unless otherwise stated, these safeguards consist of the European Commission’s standard contractual clauses in accordance with Implementing Decision (EU) 2021/914 of 4 June 2021. A copy of these standard contractual clauses can be accessed at: https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32021D0914&from=DE.

In addition, prior to such a transfer to a third country, we obtain your consent pursuant to Article 49 para. 1 lit. a GDPR, which you provide through your consent when using the application. We would like to point out that transfers to third countries may involve risks that are not fully known in detail (for example, data processing by security authorities in the third country, the exact scope and consequences of which are unknown to us, over which we have no influence, and of which you may not become aware).

11. Cookies: how and why we use them

Cookies are small text files that are stored on your device and enable the identification of a specific device or browser. There are different types of cookies. We use only so-called session cookies (which expire at the end of your browser session) for functional purposes.

We have carefully evaluated how to measure the success of our services and have decided to use Google Analytics. It is important to us to understand which search terms users use to find us and which content is particularly helpful. Only in this way can we continue to develop Simply Onno successfully and sustainably. We handle your data responsibly and use Google Analytics only in compliance with data protection requirements and only after your explicit consent.

We use cookies and similar technologies exclusively where they are technically necessary (functional cookies) or where you have given your consent via the cookie banner (analytics cookies).

You can change or withdraw your decision at any time via the cookie banner. Functional cookies are always active. Analytics cookies (Google Analytics 4) are set only after your consent. There is no cookie wall. Use of the website is also possible without analytics cookies.

Legal Bases:

  • § 25 (2) No. 2 TTDSG (technically necessary cookies)

  • § 25 (1) TTDSG (consent for non-essential cookies)

  • Article 6 (1) (b) GDPR (performance of a contract, where necessary)

  • Article 6 (1) (f) GDPR (legitimate interest in secure and stable operation)

  • Article 6 (1) (a) GDPR (consent to data processing for analytics cookies)

11.1 Functional cookies (always active)

These cookies are necessary for our website and the Onno app to function (for example session management, security, delivery of the translation, and storage of consent). Without them, the service cannot be used.

Examples (may vary):

  • session_id – Session management (duration: session)

  • csrf_token – Protection against cross-site request forgery (duration: session)

  • cookie_consent – Stores your consent decision in the banner (duration: up to 12 months)

Legal Bases:
§ 25 (2) No. 2 TTDSG; Article 6 (1) (b) GDPR; Article 6 (1) (f) GDPR.
Consent is not required for functional cookies.

11.2 Analytics cookies (Google Analytics 4 via Google Tag Manager)

We use Google Analytics 4 (GA4) via Google Tag Manager (GTM) to understand how visitors use our website (for example, which search terms they use to find us and which content is used most frequently).

GA4 tags are triggered only after you have given your consent. GTM is configured so that no analytics tags are fired before consent is granted.

Important note regarding IP addresses:
Google Analytics 4 does not log or store IP addresses. For users in the EU, IP addresses are discarded before any logging takes place; separate IP masking is not required in GA4.

Technologies used and data categories processed:

  • cookies and client ID, device and browser information

  • event data (events and parameters) and interactions (for example page views, clicks, and time spent)

  • approximate geolocation information derived from technical signals (without storing the IP address)

Examples of GA4 cookies (may vary):

  • _ga – User recognition (duration: up to 24 months)

  • _ga_XXXXXXXXXX – Session analysis (duration: up to 24 months)

Data retention in GA4:

We have set the retention period for user- and event-related data to 14 months.

Google Signals and advertising features:

Google Signals is disabled. There is no linking with Google accounts and no cross-device recognition. (If this feature is enabled in the future, we will obtain separate consent and update this section accordingly.)

Consent Mode v2:

We use Google Consent Mode v2. Without consent, no analytics cookies are set. Google receives only technically limited, cookie-free signals in aggregated form for measurement purposes, without the creation of personal profiles.

Legal bases:

§ 25 para. 1 TTDSG (consent for non-essential cookies);
Article 6 para. 1 lit. a GDPR (consent to data processing).

Transfer to third countries:

Google may process data in third countries, in particular the United States. For transfers to Google LLC (USA), we rely on the EU-US Data Privacy Framework (DPF). In addition, EU standard contractual clauses pursuant to Article 46 GDPR are in place. Further information can be found in Google’s privacy policy.

11.3 Managing your consent (opt-in and opt-out)

  • Granting and withdrawing consent: You can change or withdraw your consent at any time via the cookie banner.

  • Consequences of withdrawal: Processing carried out up to the point of withdrawal remains lawful. After withdrawal, no analytics cookies will be set. Analytics cookies that have already been set will, where technically possible, be deleted or no longer read.

  • Browser settings: You can also delete or block cookies in your browser settings. This may result in functional limitations for non-essential features; basic functional features will remain available.

11.4 Recipients and controllers in connection with cookies

  • Google Ireland Limited / Google LLC (GA4): Processor and sub-processor for analytics purposes in accordance with our configuration.

  • Google Tag Manager: Controls the triggering of tags; analytics tags are activated only after consent has been given. 

  • No sharing of GA4 data by us for Google’s own purposes; no activation of optional data sharing features with Google for marketing purposes without separate consent.

Further information: https://policies.google.com/privacy

12. Data security

To protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful or unauthorised forms of processing in accordance with applicable law, we have implemented appropriate technical and organisational security measures pursuant to Article 32 GDPR. In doing so, we have taken into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

Our measures include, in particular, safeguarding the confidentiality, integrity, and availability of data through controls on physical access to data, as well as controls relating to access, input, disclosure, availability, and separation of data. We have also implemented procedures to ensure the exercise of data subject rights, the deletion of data, and appropriate responses to data security incidents. Furthermore, we take the protection of your personal data into account already at the stage of development or selection of hardware and processes, in accordance with the principles of data protection by design and data protection by default (Article 25 GDPR).

For security reasons and to protect the transmission of confidential content that you send to Simply Onno as the website operator, our website uses SSL or TLS encryption exclusively. This ensures that data transmitted via this website cannot be read by third parties.

You can recognise an encrypted connection by the “https://” prefix in your browser’s address bar and by the padlock symbol displayed in the browser.

13. Contact details

For all questions relating to the processing of personal data and for the exercise of your rights, please contact the data controller (see section B.1).

Please specify as precisely as possible which data is to be amended, deleted, reviewed, or updated, or for which data you wish to request a restriction of processing. We will respond to your request as quickly as possible.

D. Your consent

The personal data and health data that you provide to us when using Simply Onno and that are processed by us in order to fulfil the contractual purpose of Simply Onno may, if they are not fully anonymised by you, constitute particularly sensitive personal data. In such cases, they are subject to special protection pursuant to Article 9 GDPR and may in particular not be processed without your consent. We therefore ask you, as a precaution, to provide the following declarations of consent:

(1) I consent to Simply Onno processing my personal data, in particular my health data, where applicable, for the purpose of fulfilling its contractual obligations pursuant to §§ 327 et seq. of the German Civil Code (BGB) and to ensure technical functionality.

(2) I consent to Simply Onno sending me email messages for the purpose of fulfilling its contractual obligations pursuant to §§ 327 et seq. of the German Civil Code (BGB) (see section C.4.3.2).

(3) I consent to my personal data and health data, where applicable, being anonymised after the end of my use of the Simply Onno services and used as anonymised data for the purpose of training AI-based language models and for the further development of Simply Onno.

Use of Simply Onno is dependent on your consent. You may withdraw any consent you have given at any time.

Withdrawal of consent

Each of these consents may be withdrawn by you at any time with effect for the future.

To exercise your right of withdrawal, please inform us (Simply Onno GmbH, contact details set out in section B.1) of your withdrawal by means of a written declaration (for example by post or by email). Please clearly state whether you wish to withdraw all consent declarations or only specific consents. We will confirm receipt of your withdrawal without delay.

Consequences of withdrawal

Withdrawal of consent does not affect the lawfulness of data processing carried out prior to the withdrawal. After withdrawal, your personal data may continue to be processed where legally permissible, for example for invoicing purposes, in accordance with statutory retention obligations, or in connection with legal proceedings before courts or authorities.

If you withdraw your consent pursuant to section D (1), (2), and/or (3), you withdraw our right to process data that is required for the operation of Simply Onno and for the fulfilment of our contractual obligations pursuant to sections 327 et seq. of the German Civil Code (BGB). As a result of such withdrawal, you will no longer be able to use Simply Onno. In this case, Simply Onno GmbH will be released from its contractual obligation to perform.
