Privacy Policy
Last updated: July 2026
This privacy policy explains which personal data we process when you visit this website, for what purposes, and what rights you have. For data processing in the context of medical treatment at our practice, we inform you separately on site or in the patient portal.
1. Controller
Sustainable Med Berlin Jan Okoye-Weeg Schicklerstr. 5 10179 Berlin, Germany Phone: +49 152 33520967 Email: info@sustainable-med.com
2. Principles and legal bases
We process personal data only to the extent necessary to provide a functional website and our content and services. Depending on the processing, the legal bases are: Art. 6 (1) lit. a GDPR (consent), Art. 6 (1) lit. b GDPR (contract or pre-contractual steps), Art. 6 (1) lit. c GDPR (legal obligation), and Art. 6 (1) lit. f GDPR (legitimate interest). For storing or accessing information on your device (e.g. cookies), Section 25 of the German TDDDG additionally applies.
We do not process health data via this website. Please do not send us sensitive health information through unsecured channels — use our patient portal or speak to us in person instead.
3. Hosting and server log files
This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you access the website, Vercel automatically processes server log data (IP address, date and time of access, page accessed, browser type, operating system, referrer URL). This processing is necessary for the technical operation and security of the website (Art. 6 (1) lit. f GDPR). A data processing agreement pursuant to Art. 28 GDPR is in place with Vercel. Insofar as data is transferred to the USA, this is based on the EU Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. Log data is automatically deleted after a short period.
4. Cookies and consent management
We use technically necessary storage to save your cookie decision and language preference (Section 25 (2) TDDDG). Optional analytics cookies are used only with your consent (Art. 6 (1) lit. a GDPR, Section 25 (1) TDDDG).
On your first visit, we ask for your decision via a cookie banner (“Accept all” or “Necessary only”). We store your decision for 12 months. You can withdraw or change your consent at any time with effect for the future — via the “Cookie settings” link in the footer of this website or by clearing your browser data.
5. Web analytics and marketing (PostHog, Google Tag Manager, Google Analytics)
If you have given your consent, we use the analytics service PostHog, provided by PostHog Inc., to analyse and improve our website. We exclusively use PostHog's EU cloud; data is processed on servers within the European Union (Frankfurt am Main, Germany).
The data processed includes: pages visited, time spent, interactions (e.g. button clicks), approximate city-level location, browser and device information, and a pseudonymous identifier. We use this data to understand how our website is used and to improve content and flows — not to identify you personally.
No analytics run without your consent: the service is disabled by default and only starts after you click “Accept all”. If you decline, no analytics cookies are set. The legal basis is Art. 6 (1) lit. a GDPR. A data processing agreement pursuant to Art. 28 GDPR is in place with PostHog. More information: posthog.com/privacy.
Also only with your consent, we use Google Tag Manager and Google Analytics 4, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool for managing website tags and is only loaded after you give consent; in addition, we use Google Consent Mode v2, which keeps all Google services set to “denied” by default and activates them only after your consent. Google Analytics processes pseudonymous usage data (pages visited, interactions, truncated IP address, browser and device information) to provide us with statistics about the use of our website and the effectiveness of our advertising campaigns. Data may be transferred to the USA; Google LLC is certified under the EU-U.S. Data Privacy Framework, and EU Standard Contractual Clauses apply in addition. The legal basis is your consent (Art. 6 (1) lit. a GDPR, Section 25 (1) TDDDG), which you can withdraw at any time via “Cookie settings” in the footer. More information: policies.google.com/privacy.
6. Contacting us (email, phone, WhatsApp)
If you contact us by email, phone, or WhatsApp, we process the details you provide (name, contact data, content of your inquiry) to handle your request and any follow-up questions. The legal basis is Art. 6 (1) lit. b GDPR (pre-contractual steps) or Art. 6 (1) lit. f GDPR (legitimate interest in responding to inquiries).
WhatsApp is a service of WhatsApp Ireland Ltd. and the Meta group. When you use WhatsApp, metadata (e.g. your phone number, time of communication) may also be processed on servers outside the EU; message content is end-to-end encrypted. Using WhatsApp is voluntary — you can equally reach us by email or phone. Please do not send sensitive health data via WhatsApp.
We delete inquiries once they are no longer required, unless statutory retention obligations apply.
7. Appointment booking via Doctolib
For online appointment booking we link to Doctolib (Doctolib GmbH, Mehringdamm 51, 10961 Berlin, Germany). When you book an appointment via Doctolib, Doctolib processes your data partly under its own responsibility; Doctolib's privacy policy (doctolib.de/terms/privacy) applies in addition. We receive from Doctolib the details required for appointment management (e.g. name, contact data, appointment, and reason for visit) and process them on the basis of Art. 6 (1) lit. b GDPR or — where health data is concerned — Art. 9 (2) lit. h GDPR in connection with the treatment relationship.
8. AI-assisted data processing
We use AI-assisted tools in a supporting role in our practice organisation and administration — for example to structure documents, prepare appointments, and analyse anonymised or pseudonymised usage and quality data. The following principles apply:
No automated decision-making: There is no solely automated decision-making within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you. Medical assessments and treatment decisions are always made by a physician.
Data minimisation and security: Wherever possible, AI tools work with anonymised or pseudonymised data. Personal data is processed only to the extent necessary for the respective purpose. Service providers we use are contractually bound pursuant to Art. 28 GDPR; your personal data is not used by third parties to train AI models.
Depending on the processing, the legal bases are Art. 6 (1) lit. b GDPR (performance of a contract) or Art. 6 (1) lit. f GDPR (legitimate interest in efficient, high-quality practice organisation); where health data is concerned, processing is based on Art. 9 (2) lit. h GDPR or your explicit consent (Art. 9 (2) lit. a GDPR). If you have questions about our use of AI tools, you can contact us at any time.
9. Fonts and external content
The fonts used on this website are self-hosted. No connection to Google or other font providers is established when you visit the website.
Our website contains links to our profiles on Instagram and LinkedIn. These are plain links — no social media plugins are embedded, and no data is transferred to these platforms when you visit our website. Only when you follow a link do the privacy policies of the respective platform apply.
10. Recipients and third-country transfers
Recipients of personal data are exclusively the service providers (processors) named in this policy and bodies to which we are legally obliged to transfer data. Insofar as data is transferred to countries outside the EU/EEA (e.g. hosting infrastructure in the USA), we ensure an adequate level of data protection through EU Standard Contractual Clauses and — where applicable — the EU-U.S. Data Privacy Framework.
11. Retention periods
We store personal data only for as long as necessary for the purposes stated or as required by statutory retention obligations (e.g. under tax and professional law). After that, the data is deleted or anonymised.
12. Your rights
You have the following rights regarding your personal data: access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and objection to processing based on Art. 6 (1) lit. f GDPR (Art. 21 GDPR).
You can withdraw any consent you have given at any time with effect for the future — for analytics cookies directly via the “Cookie settings” link in the footer.
You also have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Alt-Moabit 59–61, 10555 Berlin, datenschutz-berlin.de.
13. Data security
For security reasons, this website uses TLS encryption (recognisable by “https://” in the address bar). In addition, we implement technical and organisational measures pursuant to Art. 32 GDPR to protect your data against loss, misuse, and unauthorised access.
14. Changes to this privacy policy
We update this privacy policy whenever changes to our data processing or the legal situation make it necessary. The current version published here applies.