Privacy Policy

Last updated: March 2026

drylabs GmbH ("drylabs", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our website (dry-labs.com), our mobile applications, and our clinical software platforms. As a physician-led company building healthcare software, we hold ourselves to the highest standards of data protection.

1. Data Controller

The data controller responsible for your personal data is:

drylabs GmbH
Straße der Jugend 18
10115 Berlin, Germany
Email: privacy@dry-labs.com
Phone: +49 8744 5934999

2. Data We Collect

2.1 Website Data

When you visit our website, we automatically collect technical access data via server log files:

• IP address (anonymised after processing)
• Browser type and version
• Operating system
• Referral URL
• Date and time of access
• Pages visited

We do not use cookies for tracking or advertising purposes. No third-party tracking scripts are embedded on our website.

2.2 Mobile Application Data

When you use our mobile applications, we may collect:

• Account information: name, email address, and credentials you provide during registration
• Health and clinical data: medical information, health records, treatment data, and other clinical information you enter into the application
• Device information: device model, operating system version, unique device identifiers, and language settings
• Usage data: features used, interaction patterns, and session duration (collected in aggregate, not linked to health data)
• Diagnostic data: crash reports and performance data to improve app stability

2.3 Contact and Inquiry Data

When you contact us via email, phone, or through our website, we collect the information you provide (name, email, message content) to respond to your inquiry.

3. Health and Medical Data

As a healthcare software company, we process health data with the utmost care and in full compliance with applicable regulations. The following principles govern our handling of health and medical data:

• Purpose limitation: Health data is processed solely for the purpose of providing clinical and healthcare services. It is never used for advertising, marketing, or data mining.
• No third-party sharing for non-clinical purposes: We do not share, sell, or disclose health data to third parties for advertising, marketing, analytics profiling, or any purpose unrelated to clinical care.
• Apple HealthKit: If our applications integrate with Apple HealthKit, HealthKit data is used exclusively to provide health-related functionality within the app. HealthKit data is not stored in iCloud, not used for advertising, and not shared with third parties.
• Encryption: All health data is encrypted at rest (AES-256) and in transit (TLS 1.3).
• EU data residency: All health and personal data is stored exclusively on servers located within the European Union.
• Access controls: Health data access is restricted to authorised personnel on a need-to-know basis, consistent with clinical data handling standards.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

• Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as when creating an account or opting into specific features.
• Contractual necessity (Art. 6(1)(b) GDPR): To perform our obligations under a contract with you, such as providing access to our software platforms.
• Legitimate interest (Art. 6(1)(f) GDPR): For website security, fraud prevention, and service improvement, where our interests do not override your rights.
• Health data (Art. 9(2)(h) GDPR): Processing of health data is carried out for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health systems and services.

5. Third-Party Services

We use a limited number of third-party services to operate our platforms. These service providers are contractually bound to process data only on our behalf and in compliance with GDPR:

• Cloud hosting: EU-based infrastructure providers for data storage and processing
• Crash reporting: Anonymised diagnostic data to improve app stability
• Analytics: Aggregated, non-identifiable usage statistics (no health data is included in analytics)

We do not use advertising SDKs, ad networks, or third-party tracking tools. Health data is never shared with analytics or advertising providers.

6. Data Retention

• Server log files: Deleted after 30 days
• Account data: Retained for the duration of your account and deleted within 30 days of account deletion, unless longer retention is required by law
• Health and clinical data: Retained in accordance with applicable medical record retention requirements under German and EU law. Upon request, we will delete health data unless retention is legally mandated.
• Contact inquiries: Retained for the duration of the business relationship plus statutory retention periods

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15): Obtain confirmation of whether we process your data and request a copy
• Right to rectification (Art. 16): Request correction of inaccurate data
• Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
• Right to restriction (Art. 18): Request restriction of data processing
• Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal

To exercise any of these rights, contact us at privacy@dry-labs.com. We will respond within 30 days.

8. Data Deletion and Account Removal

You may request deletion of your account and all associated personal data at any time by contacting privacy@dry-labs.com or using the account deletion feature within the application (if available). Upon receiving your request:

• We will verify your identity to prevent unauthorised deletion
• Your account and personal data will be permanently deleted within 30 days
• Health data subject to legal retention requirements will be retained only for the minimum period required by law, after which it will be deleted
• Anonymised and aggregated data that cannot identify you may be retained for statistical purposes

9. Children's Privacy

Our applications and services are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will promptly delete that data. If you believe a child has provided us with personal data, please contact us at privacy@dry-labs.com.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data at rest (AES-256) and in transit (TLS 1.3)
• Role-based access controls and multi-factor authentication
• Regular security audits and vulnerability assessments
• Secure development practices aligned with OWASP guidelines
• Incident response procedures for potential data breaches

11. International Data Transfers

All personal data is stored and processed within the European Union. We do not transfer personal data to countries outside the EU/EEA unless an adequate level of data protection is ensured (e.g., through an EU adequacy decision or Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR).

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, we will notify you via email or through a notice in our application prior to the changes taking effect. The "Last updated" date at the top of this policy indicates when it was last revised.

13. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for drylabs GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin, Germany
www.datenschutz-berlin.de

14. Contact

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us:

drylabs GmbH
Straße der Jugend 18
10115 Berlin, Germany
Email: privacy@dry-labs.com
Phone: +49 8744 5934999