Privacy Policy

1. Data Controller

The data controller for this website is:

Reha Med Visselhövede e.V.
Burgstr. 9, 27374 Visselhövede

Contact person: Ingo Bolz
Role: Chairman
Email: hallo@rmvv.online
Phone: 0162 3565264

For further contact details, please see the Legal Notice.

2. Collection and Storage of Personal Data

When you register as a member of Reha Med Visselhövede e.V., we collect the following data:

• First and last name
• Date of birth
• Address (street, house number, postal code, city)
• Phone number (optional)
• Email address
• Bank details (IBAN, BIC, bank name) for the SEPA direct debit mandate

During registration, your IP address is also logged as proof of consent.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(a) GDPR (consent).

3. Contact Form

When you contact us via the contact form, we collect:

• Your name
• Your email address
• Subject and message text

This data is used exclusively to process your inquiry and is stored on our own server.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).

4. Purpose of Data Processing

Your data is used exclusively for the following purposes:

• Managing your membership
• Processing SEPA direct debit payments for membership fees
• Notifications about course changes and association activities (only with your consent, via email or push notification)
• Automatic birthday greetings via email (only with your consent)
• Compliance with legal retention obligations

5. Push Notifications

If you enable push notifications, we store technical data from your browser (endpoint URL, encryption keys). This data is used exclusively for sending notifications about association activities. Legal basis: Art. 6(1)(a) GDPR (consent). You can deactivate push notifications at any time via your browser settings.

6. Email Sending and Logging

We log the sending of emails (recipient, subject, time, delivery status) for quality assurance and proof of delivery (especially for SEPA pre-notifications). Log data is automatically deleted after 24 months. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in provability).

7. Data Security

All personal data is stored with AES-256 encryption in our database. Data transmission occurs exclusively via HTTPS-encrypted connections. Passwords are hashed with scrypt (a secure key derivation function). We do not use any external services, tracking tools, or third-party cookies. All data processing takes place on our own server in Germany.

8. Cookies and Local Storage

This website uses only technically necessary cookies for session management (session cookie). No tracking cookies or third-party cookies are used. Additionally, we store your accessibility preferences (font size, contrast mode) in your browser's local storage (localStorage). This data does not leave your device and contains no personal information.

9. Uploaded Documents

Member documents (e.g., medical certificates, prescriptions) can be uploaded by administrators. These files are stored on our own server and are only accessible to authenticated administrators. Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (legitimate interest in document management).

10. Email Archiving and Correspondence Management

Incoming and outgoing email correspondence of the association is managed through an internal mailbox system. The following data is processed:

• Sender and recipient addresses
• Subject and message content
• Attachments
• Timestamps

Emails are automatically linked to member records when the sender address matches an email address provided during registration. This linking serves efficient inquiry processing and fulfillment of disclosure obligations under Art. 15 GDPR.

Emails are automatically transferred to a compliance archive after 180 days. Archived emails are secured with a SHA-256 integrity hash and retained for 10 years. During the retention period, archived emails cannot be modified or deleted. All email content is stored with AES-256 encryption. Access is restricted to authenticated administrators.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in association communication) and Art. 6(1)(c) GDPR (legal retention obligations).

11. Data Sharing

Your data is not shared with third parties. All data processing takes place on our own server. No data is transferred to third countries.

Exception: As part of the SEPA direct debit process, the data necessary for collection (name, IBAN, BIC, amount, mandate reference) is transmitted to our bank. This is required for contract performance (Art. 6(1)(b) GDPR).

12. SEPA Direct Debit Mandate

For membership fee collection, you grant us a SEPA direct debit mandate. Mandate data (IBAN, BIC, mandate reference, mandate date) is retained for the duration of membership and for 36 months after the last collection. You will be notified in advance of each direct debit via email (pre-notification).

13. Your Rights

You have the following rights regarding your personal data:

• **Right of access** (Art. 15 GDPR)
• **Right to rectification** (Art. 16 GDPR)
• **Right to erasure** (Art. 17 GDPR)
• **Right to restriction** (Art. 18 GDPR)
• **Right to data portability** (Art. 20 GDPR)
• **Right to object** (Art. 21 GDPR)
• **Right to withdraw consent** (Art. 7(3) GDPR)

You can exercise the following rights directly via our self-service pages:

• Request data access: /auskunft
• Withdraw consent: /widerruf

Alternatively, please contact us at the address listed in the Legal Notice.

14. Retention Periods

• Member data: Duration of membership, then deletion within 6 months
• SEPA mandate data: 36 months after last collection
• Tax-relevant data: 10 years
• Accounting records: 10 years
• Email archive (correspondence): 10 years
• Email sending logs: 24 months
• Contact inquiries: Until final processing, then deletion
• Registration drafts: Automatic deletion after 24 hours

Compliance with retention periods is automatically monitored. After expiration, data is flagged for deletion and removed after review by an administrator.

15. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your data violates the GDPR.

16. Changes

This privacy policy may be updated as needed. The current version is always available on this page.