This Privacy Policy informs you about how personal data is processed when you visit vykea.com, communicate with the data controller, or place an order in the online shop.
1. Data Controller
Epicode GmbH
Unterer Schrannenplatz 1, 88131 Lindau (Bodensee), Germany
Email: service@vykea.com
Data Protection Officer: Veit Hemmeter
Email: dataprivacy@vykea.com
Reachable by post via the data controller's address stated above.
2. What is personal data?
Personal data is any information relating to an identified or identifiable person (e.g. name, address, email, order or payment information).
3. Legal bases for processing
Depending on the occasion, processing is carried out in particular on the basis of:
- Art. 6(1)(b) GDPR (contract/order, customer account, pre-contractual inquiries)
- Art. 6(1)(c) GDPR (legal obligations, e.g. retention)
- Art. 6(1)(f) GDPR (legitimate interests, e.g. IT security, prevention of misuse)
- Art. 6(1)(a) GDPR (consent, e.g. optional statistical and convenience functions)
The information that must be provided to you follows, among other things, from the information obligations under Art. 13 GDPR.
A) Website use
4. Hosting & operation (Medusa Cloud, Vercel)
The shop is technically operated via Medusa Cloud. The provider is MedusaJS, Inc., 2261 Market Street, STE 5380, San Francisco, CA 94114, USA. The processing of customer data within the scope of the cloud services is generally carried out as processing on behalf of the controller (Art. 28 GDPR) in accordance with the DPA provided there.
Hosting takes place in the Frankfurt am Main region (EU/Germany) in accordance with the configuration applied. Support and maintenance access may, depending on the service provider's structure, also take place across locations and in particular from the USA. Insofar as processing takes place in the USA in this context, it is safeguarded by appropriate guarantees (e.g. EU Standard Contractual Clauses pursuant to the Medusa DPA).
The website (frontend) is delivered via Vercel. The provider is Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. In doing so, Vercel processes technical connection data (e.g. IP address, time, requested resources) as a processor (Art. 28 GDPR) on the basis of the Vercel DPA. Delivery takes place, in accordance with the configuration applied, via locations in the EU (including Frankfurt, Amsterdam, Paris). Insofar as processing takes place in the USA in this context, it is safeguarded by the EU-US Data Privacy Framework (Vercel's certification) and additionally by EU Standard Contractual Clauses.
5. Server log files
When the website is accessed, data is processed for technical reasons, e.g.:
- IP address (where applicable shortened/encapsulated depending on the infrastructure)
- date/time of access
- requested page/file
- referrer URL
- browser/OS, language, device information
Purpose: delivery of the website, stability, error analysis, IT security (e.g. defence against attacks). Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: technically error-free, stable, and secure operation of the website as well as protection against misuse and attacks.
5a. Error analysis and stability monitoring (Sentry)
To detect and resolve technical errors, to monitor stability, and to defend against attacks, we use the service Sentry. The provider is Functional Software, Inc. d/b/a Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA, with European data processing via the Sentry EU region (Frankfurt, Germany).
Information that arises for technical reasons relating to errors that occur is processed, in particular:
- error message and technical stack information
- accessed URL (without personal path parameters)
- browser, operating system, device type
- shortened IP address (anonymisation on the server side)
- release identifier of the application
- time of the error
We have configured Sentry such that no session recordings, no keystrokes, and no form contents are captured. No identification of natural persons is carried out on the basis of the data collected; a technical reference to sessions exists exclusively for error analysis and is automatically deleted after 90 days.
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: stability, security, and error-free operation of the website as well as the timely detection of security and availability problems. Any transfer to the USA is safeguarded by EU Standard Contractual Clauses pursuant to the Sentry DPA. The storage period in Sentry is 90 days.
You may object to the processing pursuant to Art. 21 GDPR, stating your reasons (for contact, see point 1).
5b. Bot and misuse defence (Vercel BotID)
To protect security-relevant forms (in particular sign-in, registration, password reset, address and email change, as well as checkout), the service Vercel BotID is used, which distinguishes automated access (bots) from human inputs. The provider is Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA.
In doing so, technical information about the end device and the connection is evaluated, e.g.:
- browser and device characteristics
- technical interaction and connection characteristics
- IP address
The service runs invisibly in the background and is technically necessary for submitting the forms mentioned. The contents of input fields are not evaluated in this process; no profiling for advertising purposes takes place.
Purpose: defence against automated attacks and abusive requests, protection of accounts and ordering processes. Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: protection against automated misuse, fraud, and attacks on security-relevant functions. Insofar as processing takes place in the USA in this context, it is safeguarded by the EU-US Data Privacy Framework (Vercel's certification) and additionally by EU Standard Contractual Clauses.
6. Cookies & consents
Cookies/similar technologies are used that are either:
- technically necessary (e.g. shopping cart function), or
- optional (e.g. statistics), only if you consent.
Optional technologies are (where used) activated only after consent; you can withdraw/change this at any time via the cookie settings. In Germany, the storage of and access to information on end devices is additionally governed by the TDDDG (German Telecommunications Digital Services Data Protection Act).
In addition to technically necessary cookies, optional analysis technologies of the analytics service Mixpanel (EU project) are used. These are activated exclusively after your consent via the cookie consent tool; without consent, no analysis takes place. You can withdraw your consent at any time with effect for the future via the cookie settings. Details on the analysis are described in section 11a. The further optional services that are active only after consent are described in sections 6a, 6b, and 6c.
6a. Reach and performance measurement (Vercel Analytics, Vercel Speed Insights)
If you activate the statistics category in the cookie consent tool, the services Vercel Analytics and Vercel Speed Insights are used. The provider is Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. Vercel Analytics collects aggregated usage statistics (e.g. page views), Vercel Speed Insights measures technical performance values (e.g. loading times and interactivity). Collection is carried out in aggregated form and without storing directly personal data.
Purpose: reach measurement as well as analysis and optimisation of the technical performance of the website. Legal basis: Art. 6(1)(a) GDPR as well as Section 25(1) TDDDG (consent). Without consent, no collection takes place. You can withdraw your consent at any time with effect for the future via the cookie settings. Insofar as processing takes place in the USA in this context, it is safeguarded by EU Standard Contractual Clauses.
6b. Live chat (Intercom)
If you activate the functional category in the cookie consent tool, a chat widget of the service Intercom is provided, via which you can communicate with customer service. The provider is Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2, Ireland.
In particular, the contents you transmit in the chat are processed, as well as, for logged-in customers, contact data (e.g. name, email address, where applicable telephone number). Without consent, the chat remains deactivated.
Purpose: customer communication and support via a live chat. Legal basis: Art. 6(1)(a) GDPR as well as Section 25(1) TDDDG (consent). You can withdraw your consent at any time with effect for the future via the cookie settings. Intercom processes data partly in the USA; this transfer is safeguarded by EU Standard Contractual Clauses.
6c. Address autocomplete at checkout (Google Maps Places)
If you activate the functional category in the cookie consent tool, an address autocomplete via the Google Maps Places API is offered at checkout. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; a transfer to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, may take place.
In doing so, the address data you enter is transmitted to Google in order to determine suitable suggestions. Without consent, the function is not available; in that case you enter your address manually.
Purpose: convenient and low-error entry of delivery and billing addresses. Legal basis: Art. 6(1)(a) GDPR as well as Section 25(1) TDDDG (consent). You can withdraw your consent at any time with effect for the future via the cookie settings. Any transfer to the USA is safeguarded by the EU-US Data Privacy Framework (Google's certification) and additionally by EU Standard Contractual Clauses.
B) Shop, orders, communication
7. Orders & contract processing
When you place an order, data is processed that is necessary for the conclusion and performance of the purchase contract, e.g.:
- name, billing/delivery address
- email, where applicable telephone number
- ordered products, quantities, prices, times
- status/communication data (e.g. shipping status, inquiries)
Purpose: performance of the contract, shipping, returns/refunds, customer service. Legal basis: Art. 6(1)(b) GDPR. Provision of the data: The provision of the data required for the order (in particular name, delivery/billing address, email) is necessary for the conclusion and performance of the purchase contract. Without this data, the order cannot be processed and the contract cannot be performed.
8. Customer account (if offered)
When a customer account is created, the data necessary for this (e.g. login/contact data as well as order history within the account) is stored.
Purpose: account functions (order overview, faster checkouts). Legal basis: Art. 6(1)(b) GDPR.
9. Contacting us
When you contact us (email/form), the contents of your message and the contact data are processed.
Purpose: handling of your inquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual) or Art. 6(1)(f) GDPR (general inquiries).
9a. Newsletter
If you subscribe to the newsletter, the email address you provide as well as the status and the times of your subscription and unsubscription are processed. The subscription is carried out using the double opt-in procedure: after your entry, a confirmation email is sent, and the newsletter is activated only after confirmation via the link contained therein. Subscription and confirmation are stored as evidence of your consent. The newsletter and the confirmation email are sent via the email service provider Resend (see point 14).
Purpose: regular information about products, offers, and news. Legal basis: Art. 6(1)(a) GDPR (consent) as well as Section 7 of the German Act Against Unfair Competition (UWG). You can unsubscribe from the newsletter at any time and withdraw your consent with effect for the future, e.g. via the unsubscribe link at the end of every newsletter email; unsubscribing is possible with a single click. The lawfulness of the processing carried out up to the withdrawal remains unaffected.
10. Product reviews
When you submit a product review, the data you provide (in particular first and last name, review text, and rating/stars) as well as the product reference is processed.
When the review is publicly displayed on the respective product page, the first name is shown in full, whereas the last name is abbreviated to only the first letter (example: Anna Mustermann becomes Anna M.). The full last name is not published. Please do not provide any data that you do not wish to make public.
Purpose: presentation of product reviews, information for other customers. Legal basis: Art. 6(1)(a) GDPR (consent through the voluntary submission of the review) as well as Art. 6(1)(f) GDPR (legitimate interest in meaningful product information). You can withdraw any consent granted at any time with effect for the future; the review will then be removed.
11. Referrals / refer-a-friend
When you participate in the referral program, the data required for this is processed, e.g. a referral code assigned to you, the link between the referring and the referred person, as well as the status of any rewards/credits.
Purpose: operation and settlement of the referral program, granting of rewards. Legal basis: Art. 6(1)(b) GDPR (operation of the program) as well as Art. 6(1)(f) GDPR (legitimate interest in promoting the offer via referrals). If you actively invite another person, please ensure that you are authorised to do so.
11a. QR code scans at partner physicians
When a QR code of a partner physician is scanned, the data processing takes place in two stages.
1. Aggregated, consent-free counting. A count is kept of how often each partner QR code is scanned. For this purpose, a salted hash of an anonymous browser cookie is used, which changes monthly. No email address or name is stored. From the IP address, only the country code is derived and stored; the IP address itself is not stored. The hash changes every calendar month, so that no permanent profile is created. The aggregated figure is stored in our own database as well as additionally in the analytics service Mixpanel (EU project) on the same legal basis, without personal data and without the analytics service setting cookies on your device. Legal basis: performance of the contract within the scope of the partner program (Art. 6(1)(b) GDPR) as well as the legitimate interest in operation (Art. 6(1)(f) GDPR).
2. Analysis for consenting visitors. Visitors who have accepted the analysis cookie category allow their interaction with the promo page, the product pages, the shopping cart, and the checkout to be captured in Mixpanel, under the same consent category. These downstream events supplement the consent-free counting; they run additionally on consenting devices. On devices with analysis consent granted, page views as well as a session recording (Session Replay) are additionally captured in order to understand the use of the pages and to improve them. Input fields, passwords, and contents marked as confidential are automatically masked in this process and not recorded. The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.
C) Payments & fraud prevention
12. Payment processing via Stripe
Stripe is used for payment processing. In Europe, Stripe Payments Europe, Limited is, as a rule, the provider/contracting party.
Depending on the payment method chosen, in particular the following data is processed or transmitted:
- master data (e.g. name, email)
- transaction data (amount, currency, times, shopping cart/order references)
- where applicable billing/delivery data
- technical data (e.g. IP address, device/browser information) that is necessary for payment processing and security
Purpose: execution of the payment, prevention of misuse/fraud, security. Legal basis: Art. 6(1)(b) GDPR (contract) as well as, where applicable, Art. 6(1)(f) GDPR (security interests).
Depending on the context, Stripe may also process data under its own responsibility; details follow from the Stripe privacy notices and the Privacy Center. Insofar as Stripe acts as a processor, the Stripe DPA applies; it also describes protective mechanisms for possible third-country transfers (e.g. Standard Contractual Clauses).
No complete card/account data is stored; as a rule, only information that is necessary for confirmation/assignment is received (e.g. payment status, reference/token).
D) Shipping & service providers
13. Shipping/logistics
For delivery, the data required for shipping is passed on to shipping/logistics service providers (e.g. name, address, where applicable shipment data). Legal basis: Art. 6(1)(b) GDPR.
14. Email dispatch (Resend)
For sending transaction-related emails (e.g. order and shipping confirmations, account and password emails, invoice dispatch) as well as the newsletter (point 9a), the service Resend is used. The provider is Plus Five Five, Inc. (Resend), 2261 Market Street #5039, San Francisco, CA 94114, USA.
In doing so, the data required for dispatch (in particular email address, name, and the content of the respective notification) is processed. Resend acts as a processor (Art. 28 GDPR).
Purpose: delivery of contract-related and account-related notifications. Legal basis: Art. 6(1)(b) GDPR (contract processing) as well as Art. 6(1)(f) GDPR (secure and reliable communication).
Insofar as processing takes place in the USA in this context, it is safeguarded by the EU-US Data Privacy Framework (certification of Resend/Plus Five Five, Inc.) and additionally by EU Standard Contractual Clauses pursuant to the Resend DPA.
15. Invoice creation & archiving
To create invoices and cancellation invoices, a PDF document is generated from the order data. The service PDF Generator API is used for the generation. The provider is Actual Reports OÜ, Tõnismägi 11a, 10119 Tallinn, Estonia (commercial register no. 12318670). In accordance with the processing region used, the documents are generated on servers in the USA.
The invoices created are subsequently archived in an audit-proof and unalterable manner in Google Cloud Storage. The provider is Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland. The storage location used is within the EU (region europe-west3, Frankfurt). The services mentioned act in this respect as processors (Art. 28 GDPR).
In particular, invoice data such as name, address, invoice items, amounts, and tax details is processed.
Purpose: creation, provision, and legally required archiving of invoices. Legal basis: Art. 6(1)(b) GDPR (contract processing) and Art. 6(1)(c) GDPR (fulfilment of commercial and tax law retention obligations).
Insofar as processing takes place in the USA during PDF generation, it is safeguarded by the EU-US Data Privacy Framework and additionally by EU Standard Contractual Clauses pursuant to the respective DPA. Further information on these guarantees is provided on request via the contact details stated above.
16. Processors & recipients
Carefully selected service providers are used that process personal data on behalf of the data controller or, depending on the constellation, under their own responsibility:
- Hosting/IT operation: Medusa Cloud (MedusaJS, Inc., backend/shop infrastructure) and Vercel Inc. (delivery of the website)
- Payment processing: Stripe (Stripe Payments Europe, Limited)
- Email dispatch: Resend (Plus Five Five, Inc.)
- Invoice creation/archiving: PDF Generator API (Actual Reports OÜ) as well as Google Cloud Storage (Google Cloud EMEA Limited)
- Shipping/logistics: commissioned shipping service providers
- Bot and misuse defence: Vercel BotID (Vercel Inc.)
- Product analysis (only with consent): Mixpanel (Mixpanel, Inc.)
- Reach and performance measurement (only with consent): Vercel Analytics and Vercel Speed Insights (Vercel Inc.)
- Live chat/support (only with consent): Intercom (Intercom R&D Unlimited Company)
- Address autocomplete at checkout (only with consent): Google Maps Places (Google Ireland Limited / Google LLC)
These process data either as processors under Art. 28 GDPR (e.g. hosting/shop infrastructure, email dispatch, invoice archiving) or as independent controllers (e.g. certain payment/shipping constellations). With processors, corresponding agreements pursuant to Art. 28 GDPR are in place; insofar as processing takes place in third countries (in particular the USA), it is safeguarded by appropriate guarantees (EU-US Data Privacy Framework and/or EU Standard Contractual Clauses).
E) Storage period
17. How long is data stored?
Personal data is stored only for as long as is necessary for the respective purposes. Beyond that, data is stored where legal retention obligations exist. In Germany, depending on the document type, typically 6, 8, or 10 years apply (e.g. commercial/tax law obligations; since 2025, certain accounting documents must in many cases be retained for 8 years).
Invoices and tax-relevant documents are archived for the duration of the statutory retention periods.
F) Your rights
18. Data subject rights
Depending on the requirements, you have the following rights:
- Access
- Rectification
- Erasure
- Restriction of processing
- Data portability
- Objection to processing based on legitimate interests
- Withdrawal of consents granted, with effect for the future
These rights arise from the GDPR; the information obligations are described in Art. 13 GDPR.
19. Right to lodge a complaint with the supervisory authority
You can lodge a complaint with a data protection supervisory authority. For private companies in Bavaria, this is generally the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) (Bavarian State Office for Data Protection Supervision).
G) Miscellaneous
20. Automated decision-making
A decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR) does not take place. No profiling for such purposes is carried out.
Within the scope of payment processing, the payment service providers used may carry out automated checks for fraud and misuse prevention (e.g. risk assessment of a transaction). These checks serve the security of payment transactions; the legal basis is Art. 6(1)(b) and (f) GDPR.
21. Minors
The offer is generally directed at adults. If it is recognised that data of minors is being processed without the consent of those with parental authority, this data is deleted within the scope of the legal possibilities.
22. Changes to this Privacy Policy
This Privacy Policy is adapted when processes, technology, or the legal situation change. The respective current version on vykea.com applies.