Privacy Policy
Any collection, use, storage, deletion, or other handling (hereinafter “processing”) of data serves solely to provide our services. Our services are designed with the aim of using as little personal data as possible. “Personal data” (hereinafter also referred to as “data”) is defined as any individual information concerning the personal or factual circumstances of a specific or identifiable natural person (the so-called “data subject”).
The following information regarding data protection describes which types of personal data are processed when you access our website, what happens to this personal data, and how you may object to data processing if applicable.
1 General Information on Data Processing on This Website
1.1 Controller
The controller within the meaning of the EU General Data Protection Regulation (GDPR) is:
Peyman Bamdad Plastic & Aesthetic Surgery
Address: Clayallee 175, 14195 Berlin
Phone: +49 30 8450 9600
Email: praxis@bamdad.de
Homepage: https://www.bamdad.de/
1.2 Protection of Your Data
We have implemented technical and organizational measures to ensure compliance with the GDPR both by our team and by any external service providers working with us.
If, to provide our services, we cooperate with other companies like email or server providers, this only happens after a comprehensive selection process. Each service provider is carefully assessed for its suitability regarding technical and organizational data protection capabilities. This process is documented in writing, and a contract pursuant to Art. 28 (3) GDPR on processing personal data on our behalf (data processing agreement) is only concluded if it meets the requirements of Art. 28 GDPR.
Your information is stored on particularly protected servers. Access to this data is only possible for a select few specially authorized persons.
Our website is SSL/TLS encrypted, recognizable by the “https://” at the beginning of the URL. If personal data is involved in email communication, emails are sent encrypted from our side. We use the built-in SSL certificate for this as well.
1.3 Deletion of Personal Data
We only process personal data as long as it is necessary. Once the purpose of data processing is fulfilled, blocking and deletion are carried out according to our deletion policy, unless legal requirements prevent such deletion.
2 Data Processing on This Website and Creation of Log Files
2.1 Description and Scope of Data Processing
When you visit our website, our web servers temporarily store each access in a log file. The following personal data is collected and stored until automated deletion:
• IP address of the requesting computer
• Date and time of access
• Name and URL of the accessed file
• Transferred data volume
• Message if access was successful
• Identifying data of the browser and operating system used
• Website from which the access took place
• Name of your internet access provider
We use the hosting provider All-inkl.com, which uses cookies. These cookies help make our website usable by enabling basic functions like page navigation and access. The data processing is handled by:
ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany. More information can be found in All-inkl.com’s data privacy policy: https://all-inkl.com/datenschutzinformationen/
2.2 Legal Basis for Data Processing
The processing of this data is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest is to make the website accessible to you.
2.3 Purpose of Data Processing
Data processing is carried out to enable use of the website (establishing connection), for system security, technical administration of network infrastructure, and for optimizing the website. The IP address is only evaluated in the event of attacks on our network infrastructure or that of our internet provider.
2.4 Duration of Data Storage
Personal data is deleted as soon as it is no longer required for the aforementioned purposes. This is the case when you close the website. Our hosting provider may use the data for statistical purposes; however, the data is anonymized for this purpose.
2.5 Elimination Option by the Data Subject
The collection and storage of data in log files is essential for the website to operate. Therefore, users cannot object to this. For information about data processing at All-inkl.com and to exercise your rights, you can contact them with the subject “…” (including your name, address, and date of birth) at:
ALL-INKL.COM – Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf
3 Use of Cookies
3.1 Description and Scope of Data Processing
Our website uses cookies, which are stored on your device when you use our website. Cookies are small text files stored on your hard drive associated with the browser you use, and certain information flows to us or the party that sets the cookie. Cookies cannot execute programs or transmit viruses. We use them to analyze the use of our website in anonymized or pseudonymized form and to present you with relevant offers. The following data may be transmitted:
• Frequency of website visits
• Which features of the website you use
• Search terms used
• Your cookie setting
When accessing the website, a cookie banner informs you about the use of cookies and refers you to this privacy policy.
Note regarding data processing in the USA by Google:
By clicking “Accept all” you consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR to your data being processed in the USA. According to the ECJ, the level of data protection in the USA is inadequate and your data may be accessed by US authorities for monitoring purposes, possibly without legal remedy. If you only agree to essential cookies, data is not transferred. Consent can be withdrawn at any time.
3.2 Legal Basis for Data Processing
The legal basis for the use of cookies not solely serving website functionality is Art. 6 para. 1 sentence 1 lit. a) GDPR.
The legal basis for cookies solely serving the functionality of this website is Art. 6 para. 1 sentence 1 lit. f) GDPR.
3.3 Purpose of Data Processing
Our legitimate interest is to ensure a seamless connection and comfortable use of the website, as well as for evaluating system security and stability. Data is also processed for statistical analysis of website usage.
3.4 Duration of Data Storage
There are two types of cookies, both used on this website:
• Transient cookies (see a)
• Persistent cookies (see b)
a) Transient cookies are automatically deleted when you close the browser. These include session cookies, which store a session ID that associates various browser requests with a single session. This allows your device to be recognized upon returning to our website. Session cookies are deleted when you log out or close the browser.
b) Persistent cookies are automatically deleted after a set period, which may vary depending on the cookie.
Data from the cookie banner is only stored as long as necessary for verification, unless legal requirements demand longer retention. Borlabs deletes your consent after 6 months.
3.5 Elimination Option by Data Subject
You can revoke consent to data processing by non-essential cookies at any time. Cookies are only set after you have given consent when visiting the website. You can delete cookies at any time via your browser’s security settings. You can also withdraw consent via the Borlabs cookie called “borlabs-cookie.” Note that some functionalities may not be available if you block cookies. Setting cookies can also be prevented by adjusting your browser settings.
3.6 Borlabs Cookies
Borlabs helps ensure GDPR and other data protection compliance for cookie use on our website and when integrating analytics tools. If you give consent through the cookie banner, the following data is processed:
• Your IP address
• Details of your consent
• URL of the consented website
• Date and time of consent
• Date and time of last website access
Processing is based on Art. 6 para. 1 sentence 1 lit. c) GDPR.
The provider is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany.
More info: https://de.borlabs.io/datenschutz/
4 Contact
4.1 Description and Scope of Data Processing
You can contact us via email or contact form through our website. Certain data is required to respond to your inquiry and is automatically saved for this purpose. The following information is collected via the contact form (mandatory fields):
• Name
• Email address
Voluntary information:
• Mobile number
• Message text
Data is not shared with third parties.
4.2 Legal Basis for Data Processing
The legal basis is Art. 6 para. 1 sentence 1 lit. b) GDPR.
4.3 Purpose of Data Processing
Your data is processed solely for handling your inquiry.
4.4 Duration of Data Storage
Your data is deleted once it is no longer needed for the stated purpose, usually immediately after responding. In rare cases, the data might be kept longer due to legal, regulatory, or contractual obligations.
4.5 Elimination Option by Data Subject
You may contact us at any time to object to further processing of your data. In such cases, we can no longer communicate with you. All personal data processed in connection with your inquiry will then be deleted unless legal retention obligations apply.
5 Appointment Booking – Doctolib
5.1 Description and Scope of Data Processing
You can book an appointment with us online via Doctolib GmbH, https://www.doctolib.de/. When you click “Book appointment,” you will be redirected to Doctolib to complete the online booking.
To book an appointment, you must register with Doctolib and provide certain personal data. Doctolib is the controller as defined by Art. 4 (7) GDPR. More information: https://media.doctolib.com/image/upload/v1690558649/legal/B2C-PrivacyPolicy-Aug-23-DE.pdf
To book an appointment, you must answer questions that Doctolib sends us as part of data processing. The following data is processed:
• Name
• Health insurance status (public or private)
• Type of appointment (e.g., consultation, results discussion, etc.)
• Date and time of the appointment
More info about Doctolib’s privacy policy: https://www.doctolib.de/gesundheit/privatsphaere/?utm_button=footer&utm_website=doctolib_b2b
5.2 Legal Basis and Scope of Data Processing
Registration and appointment booking via Doctolib is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR.
Our use of Doctolib as appointment management software is based on legitimate interests under Art. 6 para. 1 lit. f) GDPR. Our interest is in optimizing and simplifying appointment scheduling and enabling booking outside office hours.
5.3 Purpose of Data Processing
Data processing serves to organize appointments and prepare for them accordingly.
5.4 Duration of Data Storage
Data is stored until the purpose has been fulfilled and no statutory, contractual or regulatory retention obligations prevent deletion.
You may request deletion of your Doctolib account at any time. If your account is unused, Doctolib will delete it after 3 years from your last booking.
5.5 Elimination Option
You may withdraw your consent to data processing at any time by contacting Doctolib. If you do not wish to use Doctolib, you may also book appointments with us by phone or email.
6 Social Media Links
We have embedded links to social media platforms on our website, which may result in these platforms receiving data from you. If you click a social media link, the provider’s website opens, and the provider is notified that you visited us.
Information about data processing in the USA:
If you click a social media link, your data may be processed in the USA by the provider. According to the ECJ, the US data protection standard is inadequate and your data may be processed for monitoring and surveillance by US authorities without legal recourse. If you do not click these links, no data transfer occurs.
More info regarding data processing by the social media providers:
Facebook: https://de-de.facebook.com/help/pages/insights
https://de-de.facebook.com/about/privacy
https://de-de.facebook.com/full_data_use_policy
Instagram: https://help.instagram.com/155833707900388
https://www.instagram.com/about/legal/privacy/
7 Trackers and Analytics Tools
To continuously improve our website, we use the following analytics tools. Details on what data is processed and how to contact the providers follow:
7.1 Google Analytics 4
7.1.1 Description and Scope of Data Processing
Our website uses Google Analytics 4, a website analytics service by Google LLC (“Google”) to help us improve our offering. Data processing for the EEA and Switzerland is performed by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Data collected includes:
• IP address
• Access time
• Duration of visit
• Referrer website
• Website interactions
• Demographic information (if the user is logged into their Google account)
• Device category, browser type, operating system, screen resolution
This data is transmitted to and stored on Google servers in the USA. Website activity reports are provided to us. Google may also transfer this info to third parties where required by law or where third parties process data on behalf of Google. IP anonymization is enabled by default in Google Analytics 4, so IPs are only processed in shortened form to rule out direct identification. More information at: https://www.google.de/intl/de/policies/, Privacy – Google Analytics Help, and privacy controls in Google Analytics Help.
7.1.2 Legal Basis for Data Processing
Processing is based on your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
7.1.3 Purpose of Data Processing
Processing your personal data allows us to analyze user behavior to improve and optimize the website and enhance user-friendliness. IP anonymization sufficiently safeguards users’ interest in data protection.
7.1.4 Duration of Data Storage
Data is deleted 2 months after your last visit to our website.
7.1.5 Elimination Option by Data Subject
You may withdraw your consent at any time by contacting our data protection officer. You can also block Google Analytics cookies via your browser settings, but this may prevent full use of all website features. Browser extensions (e.g., http://tools.google.com/dlpage/gaoptout?hl=de) allow you to deactivate Google Analytics.
7.2 Google Tag Manager
7.2.1 Description and Scope of Data Processing
Google Tag Manager enables us to manage website tags (such as analytic or marketing tools) via one interface. It functions as a “manager” of these tags, allowing us to centrally control integrated tools. Loaded tags track your online activity. By using our website, the Google Tag Manager is loaded and your IP is sent to Google. Further processing of personal data is explained under the specific Google services. Processing for the EEA and Switzerland is by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Tag Manager policy: https://www.google.com/intl/de/tagmanager/use-policy.html
7.2.2 Legal Basis for Data Processing
Processing is based on your consent, Art. 6 para. 1 sentence 1 lit. a) GDPR.
7.2.3 Purpose of Data Processing
Google Tag Manager simplifies administration and organization of analytics tools for the website. It allows us to manage code snippets for third-party tools in one place.
7.2.4 Duration of Data Storage
Google Tag Manager stores temporary data for 2 years. Data is then deleted.
7.2.5 Elimination Option by Data Subject
You can withdraw consent for processing at any time by contacting the respective data protection officers of the tools. For more information on managing your data, refer to each tool’s privacy policy.
8 Other Tools from Third-Party Providers
We also use third-party providers to support website design and functionality. These are listed below:
8.1 Google Maps
8.1.1 Description and Scope of Data Processing
This website uses Google Maps from Google LLC. Data processing for the EEA and Switzerland is performed by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
When a page loads, your browser downloads required geo-information in its cache to display maps correctly. This requires your browser to connect to Google servers, informing Google of your IP and which map has been displayed. Google Maps terms: https://www.google.com/intl/de_de/help/terms_maps.html
8.1.2 Legal Basis for Data Processing
The legal basis is your consent under Art. 6 para. 1 sentence 1 lit. a) GDPR.
8.1.3 Purpose of Data Processing
The use of Google Maps makes it easier for you to find our location and interact with it, for example, planning a route.
8.1.4 Duration of Data Storage
Your data is deleted as soon as it is no longer required, unless laws or regulations provide otherwise.
8.1.5 Elimination Option by Data Subject
You may withdraw consent at any time by contacting our data protection officer. If you don’t use Google Maps, some website features may be unavailable.
9 Our Social Media Accounts as Joint Controllers
We operate the following social media accounts:
• Facebook: https://www.facebook.com/praxispeymanbamdad
• Instagram: https://www.instagram.com/peymanbamdadmd/
We use:
• Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA or Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”)
• Meta Platforms Inc., 1 Hacker Way, Menlo Park, CA 94025, USA or Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Instagram”)
Based on the European Court of Justice (ECJ) ruling of June 5, 2018 (see http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=298398), social media account operators and social media providers are considered joint controllers of data processing.
Please note you use our social media presence and their features at your own risk, including interactive features (e.g., commenting, sharing, rating). Alternatively, you can find the same information on our own website.
You can contact the data protection officers for these networks via:
Facebook and Instagram’s contact form: https://www.facebook.com/help/contact/540977946302970
9.1 Data Processed by Social Media Platforms
When you visit our accounts, the providers collect your IP and other information (e.g., cookies) for use and statistical reporting. Data may be processed outside the EU. Account providers’ data usage and retention policies can be found in their privacy statements, including contact details. More details at:
Facebook: https://de-de.facebook.com/help/pages/insights
https://de-de.facebook.com/about/privacy
https://de-de.facebook.com/full_data_use_policy
Instagram: https://help.instagram.com/155833707900388
https://www.instagram.com/about/legal/privacy/
How social media operators use data from your visits for their own purposes, how they associate it with individual users, how long they retain it, and how they share it with third parties is not fully disclosed and is unknown to us.
Accessing our social media pages transmits your device’s IP to the provider. Providers also store device info (e.g., “login notification” features); operators may thus match IPs to users.
If you’re logged in to the platform, a cookie associates usage with your account. Content and ads may be tailored to your browsing history. To avoid this, log out of the platform, delete cookies, and restart your browser—thereby removing directly identifiable login info. Interactive features (like, comment, share) require login, at which point you may again be identified.
Details on managing and deleting info are in each provider’s help pages above.
9.2 Data Processed by Us
9.2.1 Type and Scope of Data Processing
Data you enter on these platforms, especially your username and publicly posted content, may be processed by us for responding to your messages. Your posts and comments reference your account and may be shared on our site. If you mention us with @ or #, this mention may be published under your username on our page. Your public data may be included in our offer and made available to users of the network. If you like or follow our page, we are notified of your username and profile link.
9.2.2 Legal Basis
Our data processing is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest is in the promotional use of social media to increase the company’s visibility.
9.2.3 Purpose
Any data you provide or that we can access is processed solely to facilitate customer and prospect communications. Our interest is in providing a platform to share current info and quickly handle your requests.
9.2.4 Retention
Your data is deleted insofar as possible if we discontinue use of the social media platform.
10 Data Transfer to Third Countries
To provide our services, we use service providers from both the EU and third countries. To ensure the protection of your personal data during third country transfers, we conclude special data processing agreements with all carefully selected providers, who must provide sufficient proof of technical and organizational security measures. Our non-EU providers are either based in countries with EU Commission-recognized data protection (Art. 45 GDPR) or provide appropriate safeguards (Art. 46 GDPR).
Adequate level: Providers are in a country with adequate data protection per EU Commission. See: Adequacy decisions (europa.eu)
EU Standard Contractual Clauses: Providers use EU SCCs to ensure secure data transfers. Info: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en
Binding Corporate Rules: The GDPR allows data protection via binding corporate rules for third-country transfers, reviewed and approved by supervisory authorities per Art. 63 GDPR.
Consent: Data transfer to a third country without adequate protection only occurs if you have given consent per Art. 49 para. 1 lit. a) GDPR or another exception under Art. 49 GDPR applies.
11 Your Rights
You have the following rights regarding your personal data processed by us:
11.1 Right to Withdraw Consent (cf. Art. 7 GDPR)
If you have given consent for data processing, you may withdraw it at any time. Revocation only affects future processing. It can be made verbally or in writing by mail or email to us.
11.2 Right of Access (cf. Art. 15 GDPR)
To receive information, you must provide sufficient proof of identity. Access covers:
• purposes of processing;
• categories of personal data processed;
• recipients or categories of recipients to whom personal data has been or will be disclosed;
• planned retention duration or criteria for setting the duration;
• existence of rights to rectification or deletion, restriction of processing, or objection;
• right to lodge a complaint with a supervisory authority;
• available info on data origin if not collected from the data subject;
• existence of automated decision-making, including profiling, under Art. 22 para. 1 and 4 GDPR and, at least in these cases, meaningful information about the logic involved and the significance and expected consequences.
11.3 Right to Rectification or Deletion (cf. Art. 16, 17 GDPR)
You have the right to rectification and/or completion if the processed data concerning you is incorrect or incomplete. We must correct this promptly.
You may also request deletion under one of the following:
• The data is no longer needed for processing purposes.
• You withdraw consent per Art. 6 para. 1 sentence 1 lit. a) or Art. 9 para. 2 lit. a) GDPR and there’s no other basis for processing.
• You object to processing per Art. 21 para. 1 or 2 GDPR.
• Your data was processed unlawfully.
• Deletion is required to comply with EU or Member State law to which we are subject.
• Data was collected regarding information society services under Art. 8 para. 1 GDPR.
If we have made your data public and we are required to delete it under Art. 17 para. 1 GDPR, we will take reasonable steps to inform any other controller processing your data that you have requested deletion of all links to it or copies/replications thereof.
The right to deletion does not apply if processing is necessary:
• for exercising the right to freedom of expression and information;
• for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;
• for reasons of public interest in the area of public health under Art. 9 para. 2 h and i and Art. 9 para. 3 GDPR;
• for archiving in the public interest, scientific or historical research purposes, or statistical purposes per Art. 89 para. 1 GDPR, as long as deletion likely renders the intended purposes impossible or seriously impairs them, or
• for asserting, exercising, or defending legal claims.
11.4 Right to Restriction of Processing (cf. Art. 18 GDPR)
You may request restriction under the following:
• you contest the accuracy of the data for a period to allow verification;
• processing is unlawful and you oppose erasure and request restriction;
• we no longer need the data, but you need it to assert, exercise, or defend legal claims; or
• you have objected under Art. 21 para. 1 GDPR and we are assessing whether our legitimate grounds override yours.
If processing is restricted, data may only be processed (aside from storage) with your consent or for legal claims, safeguarding third-party rights, or for reasons of important public interest. We will inform you before any restriction is lifted.
11.5 Right to Notification (cf. Art. 19 GDPR)
If you’ve exercised your right to rectification, erasure, or restriction, we must notify all recipients of your data about this, unless impossible or unreasonably burdensome. You have the right to be informed of the recipients.
11.6 Right to Data Portability (cf. Art. 20 GDPR)
You have the right to receive your personal data in a common, machine-readable format to transmit to another controller, if:
• processing is based on consent under Art. 6 para. 1 sentence 1 lit. a) GDPR or contract under Art. 6 para. 1 sentence 1 lit. b) GDPR; and
• processing is carried out by automated means.
You may request direct transfer from us to another controller, where technically feasible.
The right does not apply to processing required for public interest tasks or the exercise of official authority.
11.7 Right to Object to Processing (cf. Art. 21 GDPR)
You may object if we process your data on the basis of legitimate interest (Art. 6 para. 1 sentence 1 lit. f) GDPR) or on Art. 6 para. 1 sentence 1 lit. e) GDPR. When exercising this right, please explain why you object to processing. We will review the case and either cease or modify processing, or explain our compelling legitimate grounds to continue.
11.8 Right to Complain to the Supervisory Authority (cf. Art. 77 GDPR)
You have the right to lodge a complaint with the relevant authority (especially in your EU country of residence, work, or the place of the alleged violation) if you believe your data processing infringes the GDPR. The authority informs you of the progress and outcome, including possible legal remedy under Art. 78 GDPR.
12 Exercising Your Rights and Right to Changes
To exercise your rights, contact us using the information above.
We reserve the right to update this privacy policy in accordance with legal requirements.
Version as of October 2024