Privacy Policy

Effective Date: March 1, 2026

1. Introduction
Medisca GmbH (“Medisca”, “we”, “us”, or “our”) is committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (“GDPR”). This Privacy Policy explains how we collect, use, share, and protect your personal data, as well as your rights regarding your information.


2. Who are we?
Medisca GmbH is the data controller responsible for processing your personal data as described in this Privacy Policy.

Company Registration:
Medisca GmbH,
Ermlitzer Chaussee 1b
06258 Schkopau, Germany

3. How to contact us?

For all processing matters, questions about this Privacy Policy, or to exercise your data protection rights, please contact us at:

PROLIANCE GmbH.
www.datenschutzexperte.de
Leopoldstraße 21,
80802 Munich, Germany
Email: datenschutzbeauftragter@datenschutzexperte.de


4. What personal data do we collect?

4.1 What is personal data?
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.

4.2 Categories of personal data
We operate in a B2B environment, and personal data is not at the core of our business activities. To provide our services, we may collect personal data from:

• Customers: name, job title, and business contact details; and, where required, pharmacy licence for authorization verification, which includes personal data when the licence is issued to an individual (the details of personal data included vary by country across Europe)
• Suppliers: name, job title, and business contact details
• Website users and visitors: name, job title, contact details, professional specialty, IP address, and information about how you use our website
• Visitors at trade shows: name, job title, and business contact details
• Job applicants: identification and contact details, information included in a CV or application, professional qualifications

In principle, you are not obliged to provide your personal data. However, if you choose not to provide certain information, we may only be able to offer limited services or may be unable to respond to your inquiries. Where the processing of your personal data is necessary to perform a contract with you, failure to provide the required information may mean that we cannot fulfil the contract. If there is any legal obligation to provide specific data, we will inform you accordingly.

5. How do we collect personal data?

5.1 Direct collection
We collect personal data directly from you through:
• Online account registration
• Email communication
• Web forms and contact requests
• Phone calls
• Business meetings and trade shows
• Job applications

5.2 Automated collection
When you visit our website, we automatically collect certain information through cookies and similar technologies, such as server log files (together “Cookies”).

5.2.1 Cookies
Cookies are small text files stored on your device when you visit our website. Depending on your Cookie preferences, we may collect information such as your device’s IP address, referring website, pages visited, and timestamps.

We use first- and third-party Cookies. First party Cookies come from our platform and send information only to us; third party Cookies are placed on our website by third parties and send information about your device to other companies that recognise the Cookie. We use session Cookies, which are only stored for individual online sessions and are deleted when you close your browser; and persistent Cookies, which are deleted when they reach their expiry date or are deleted by the user.

Cookie Categories:
We use the categories of Cookies described in the table below. Strictly necessary cookies do not require your consent because they are essential for the website to function as requested by you. All other cookies require your consent.

Managing Cookies:
When you first visit our website, you will see a cookie banner allowing you to accept or reject Cookies other than strictly necessary ones. You can change your cookie preferences at any time through our cookie settings tool or by configuring your browser to notify you about Cookies, allow them selectively, block them entirely, or delete them automatically upon closing the browser. Please note that disabling certain Cookies may limit website functionality. A list of Cookies used by our website can be found in the following table:

 

| Cookie category | Cookie purpose | First / third party | Cookie name | Cookie domain | Cookie lifetime |
|---|---|---|---|---|---|
| Strictly necessary | Enable essential website functions and services. | First party | NEXT_LOCALE | medisca.com | Session |
| | | First party | Host-next-auth.csrf-token | medisca.com | Session |
| | | First party | Secure-next-auth.callback-url | medisca.com | Session |
| | | First party | Secure-next-auth.session-token | medisca.com | Session |
| | | Google Services (Re-captcha). It will be replaced by a GDPR friendly solution | rc::a, rc::c | google.com | Local Storage |
| Functional | Enhance website performance and provide personalized user experiences. | Algolia / First party | _ALGOLIA | medisca.com | 6 months |
| | | jsDelivr | | jsDelivr.net | |
| | | Sentry / First party | sentry | medisca.com | |
| | | Vimeo / Third party | cf_bm | vimeo.com | 30 minutes |
| | | | _cfuvid | vimeo.com | session |
| | | | player | vimeo.com | 1 year |
| | | | vuid | vimeo.com | 2 years |
| Performance | Measure website usage for analytics, website improvement and troubleshooting that is not strictly necessary for the function of the website. | Google Analytics / First party | _ga_xxxxxxxxxx | medisca.com | 2 years |
| | | | _ga | medisca.com | 3 years |
| | | Hotjar / First party | _hjTLDTest | medisca.com | session duration |
| | | | _hjSession-User_xxxxxx | medisca.com | 1 year |
| | | | _hjSession_xxxxxx | medisca.com | 30 minutes duration |
| | | Clarity / Third party | CLID | clarity.ms | 1 year |
| | | | SM | clarity.ms | |
| | | | ANONCHK | clarity.ms | 10 minutes |
| | | | MR | clarity.ms | 7 days |
| | | | MUID | clarity.ms | 1 year |
| Targeting/Advertising | Support behavioral/personalized advertising and remarketing | LinkedIn / Third party | li_sugr | linkedin.com | 90 days |
| | | | bscookie | linkedin.com | 1 year |
| | | | lidc | linkedin.com | 24 hours |
| | | | AnalyticsSyncHistory | linkedin.com | 30 days |
| | | | UserMatchHistory | linkedin.com | 30 days |
| | | | ar_debug | linkedin.com | Session |
| | | | cf_bm | linkedin.com | 30 minutes |
| | | | bcookie | linkedin.com | 1 year |
| | | Facebook / Third party | _fbp | medisca.com | 90 days |
| | | | fr | facebook.com | 90 days |
| | | | sb | facebook.com | 400 days |
| | | | datr | facebook.com | 400 days |
| | | | c_user | facebook.com | 365 days |
| | | | xs | facebook.com | 365 days |

 

5.2.2 Server Log Files
When you visit our website, our servers automatically collect and store certain data in server log files. This data is necessary for security purposes and to ensure the proper functioning of our website. The information collected includes:

• Browser type and version
• Operating system
• Referrer URL
• Hostname of the accessing computer
• Time of server request
• IP address

This data is not combined with other personal data sources and is processed solely for technical and security purposes by our IT team.

 

6. Why do we process your personal data and on what grounds?
We process your personal data for the following purposes:

  • Provision of Products and Services: To provide products or services, manage orders, invoices, contracts, and fulfill our contractual obligations.

The legal basis for the above processing is consent, contractual necessity and our legitimate interests in basic account administration, internal coordination, and service continuity.

  • Communication and Relationship Management: To communicate with customers, suppliers, and business partners, respond to inquiries, and maintain client relationships.

The legal basis for the above processing is consent, contractual necessity and our legitimate interests in ensuring we respond to enquiries, provide helpful communications, and tailor communications.

  • Compliance and Legal Obligations: To meet regulatory requirements, tax, accounting and reporting obligations, maintain legally required records, comply with workplace safety regulations, and fulfill other legal obligations.

The legal basis for the above processing is legal obligations and our legitimate interests in internal compliance controls.

  • Recruitment: To process job applications and carry out candidate selection and hiring.

The legal basis for the above processing is consent, contractual necessity for taking steps at your request before entering into a contract and our legitimate interests in assessing applications and administering the recruitment process.

  • Security and Fraud Prevention: To protect our systems, facilities, and data from unauthorized access, cyber threats, fraud, and misuse.

The legal basis for the above processing is our legitimate interests and, where applicable, legal obligations.

  • Website Analytics: To analyze website usage, understand visitor behaviour, show personalized advertisements and improve our website performance and user experience.

The legal basis for the above processing is consent for non-essential cookies and similar technologies and for personalized advertising, and our legitimate interests for website security and fraud prevention, internal administration and business management, and improving our services and website, to the extent permitted by applicable law.

  • Marketing Communications: To send you marketing communications about our products and services.

The legal basis for the above processing is consent or our legitimate interests in direct marketing to business contacts to the extent permitted by applicable law.

Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms.

 

7. Website Analytics
We use Google Analytics (provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA, USA) to analyze website usage and improve our services. Google Analytics uses Cookies to collect information about how visitors use our website. This information is transmitted to and stored on Google servers, which may be located in the United States of America (“USA”) or other countries.

We have enabled IP anonymization, which means Google shortens your IP address within the EU or EEA before transmission. Only in rare cases is the full IP address sent to Google servers in the USA and then shortened.

We may also use Google Analytics’ demographics and interests features to better understand our website visitors. After you have provided consent, you can also opt out of this feature through your Google account settings or Google Ads Settings.

For more information about how Google processes data, please visit: https://support.google.com/analytics/answer/6004245?hl=en&sjid=506770104761301936-NA

 

8. Who receives your personal data and why?
We share personal data only when it is necessary for the operation of our business, to support the services we provide, or to comply with legal obligations. The following recipients may receive personal data:

 

8.1 Internal Recipients

Internal Departments: Departments within Medisca that need access to personal data to perform their responsibilities, including customer service, finance, HR, compliance, legal, and IT support.

 

8.2 External Recipients

8.2.1. Categories of recipients acting as processors: We share personal data with external service providers that process data on our behalf and are contractually bound to implement appropriate technical and organizational security measures to protect your data. These providers support the functioning of our business operations and include: 

  • IT and Cloud Service Providers: such as hosting services, cloud infrastructure, and website functionality
  • Enterprise Resource Planning (ERP) Systems: such as order processing, invoicing, contract management, and inventory systems
  • Finance and Accounting Partners: such as payment processors
  • Marketing and Analytics Tools: such as email marketing platforms and analytics solutions

8.2.2 Categories of recipients acting as controllers:

  • Legal and Professional Advisors: such as lawyers, consultants, auditors, tax advisors
  • Legal, Regulatory, and Government Authorities: When required by law, or in response to a valid subpoena, court order, or other request from governmental or law enforcement authorities, we may disclose personal data to legal, regulatory and government authorities.

 

8.2.3 Recipients in the course of any reorganisations, mergers, disposals or other transfers of assets: If your personal data is transferred as part of such a transaction, we will ensure that the recipient agrees to process it in compliance with applicable data protection laws and in a way that remains consistent with the original purposes of processing. We will maintain the confidentiality of your personal data and inform you when it is transferred to another controller.

 

8.3 Affiliates and Group Companies

We may share personal data with our affiliates and group companies when necessary for fulfilling our legal and contractual obligations as well as in accordance with our legitimate interests (e.g. for corporate functions and business operations). Such sharing is governed by appropriate agreements and safeguards, including recognized transfer mechanisms where required.

9. How do we handle international data transfers?
We may transfer personal data to countries outside the European Economic Area (EEA), such as when using global cloud services, HR platforms, marketing tools, or sharing data with our affiliates in Australia, Canada and the USA. These countries may have data protection laws that differ from those in your location and may not provide the same level of protection as under the GDPR.

When we transfer personal data to countries that do not have an adequacy decision from the European Commission, we implement appropriate safeguards to protect your data, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (BCRs)

 

10. How long do we keep your personal data?
We retain personal data only as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations. When determining retention periods, we consider:

  • The purpose for which we collected the data
  • Legal, regulatory, or contractual retention requirements
  • Our legitimate business interests
  • The need to defend or bring legal claims

 

10.1 Specific Retention Periods:

We apply the following general retention periods:

  • Customer and Supplier Data: Duration of the business relationship plus 10 years to comply with tax and commercial law obligations.
  • Marketing Data: Until you withdraw consent or request deletion.
  • Website Analytics Data: Typically retained for 14 months, after which it is deleted or de-identified.
  • Job Applicant Data: 6 months after the recruitment process concludes, unless you consent to longer retention for future opportunities.
  • Server Log Files: Typically retained for 60-90 days for security purposes.
  • Legal Documentation: As required by applicable laws, typically 10 years from the date of final resolution.

When data is no longer needed for the purposes described above, we securely delete or anonymize it in accordance with our data retention procedures.


11. How do we protect your personal data?
We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, loss, destruction, alteration, or disclosure.

If you have questions about the handling of your data, please contact us at:
PROLIANCE GmbH.
www.datenschutzexperte.de
Leopoldstraße 21,
80802 Munich, Germany
Email: datenschutzbeauftragter@datenschutzexperte.de

 

12. What are your data protection rights?
To the extent provided for under the GDPR and other applicable data protection laws, you have the following rights regarding your personal data:

Right of Access

You have the right to request confirmation of whether and how we process your personal data and access personal data we hold about you.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure

You have the right to request deletion of your personal data when:

  • It is no longer necessary for the purposes for which it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing based on legitimate interests and we have no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller where technically feasible, when processing is based on consent or contract and carried out by automated means.

Right to Object

You have the right to object at any time to processing of your personal data based on grounds relating to your particular situation or at any time for direct marketing purposes. If you object to direct marketing, we will stop processing your data for that purpose.

Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right not to be subject to a decision based solely on automated processing, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling. We do not use automated decision-making processes or profiling that would produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR.

Right to Lodge a Complaint

If you believe your personal data is not being handled lawfully, you have the right to lodge a complaint with the competent supervisory authority in your country of residence, place of work, or place of the alleged infringement.

Contact details of the data protection authority responsible for Medisca GmbH: 

Landesbeauftragte für den Datenschutz Sachsen‑Anhalt (LfD Sachsen‑Anhalt) 

Otto‑von‑Guericke‑Straße 34a

39104 Magdeburg, Germany

Contact details and a list of all European data protection authorities can be found at: https://edpb.europa.eu/about-edpb/board/members_en


13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. When we make material changes, we will update the “Effective Date” at the top of this policy and, where appropriate, provide additional notice, such as on our website homepage or via email. You can access the previous versions of this Privacy Policy by clicking here.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.