How to contact us:
Managing Directors: Dr. med. Madjid Salimi, Dr. med. Nawid Salimi, Benedikt Hochkirchen
Registered office: Cologne
Commercial Register: AG Cologne, HRB 33282
Our representative and wholly-owned subsidiary in the US:
AMBOSS MD Inc.
234 5th Avenue, 2nd Floor
New York, NY, 10001
Data Protection Officer:
Data Protection Officer
10119 Berlin, Deutschland
AMBOSS GmbH is a young company providing a high quality service by physicians for physicians and medical students, as well as study materials. We want you as a customer of our service to understand how we use your data and which options you have to protect it. We are aware of the importance and sensitivity of your data and thank you for your trust. For us the careful handling of your information is a matter of major concern. If you have any individual questions, please do not hesitate to contact us.
1. Basic Information on Data Processing and Legal Basis
2. Transfer to a Third Party and Third-Party Providers
2.1. In agreement with the applicable legal regulations we are authorised to assign other companies or legal persons to carry out tasks on our behalf, for which the transfer of personal data is required. These include, for example, companies specializing in i.e. payment processing, the transfer of goods or the delivery of newsletters.
2.2. Personal data shall only be transferred to third parties on the basis of legal allowances and within the framework of legal provisions. We are only transferring personal data to third parties if this is necessary on the basis of art. 6 para. 1 lit. b GDPR for the fulfillment of the contract or when we pursue our legitimate interests in accordance to art. 6 para. 1 lit. f GDPR. If third parties are assigned with the processing of data within the scope of a so-called ‘commissioned-processing contract’ this is done on the basis of art. 28 GDPR.
2.3. Provided we are using services of third parties in order to perform a service, we are taking appropriate legal measures as well as technical and organisational measures in order to ensure the protection of personal data according to the relevant legal provisions.
2.4. These measures may include the transfer of personal data to servers outside of the EU or trustworthy third parties based outside the EU for fulfilment of contract. As far as no decision of the EU Commission concerning an adequate level of data protection within the respective country is available, we conclude contracts in accordance with EU data protection requirements with the aim of ensuring that your rights and legal liberties are adequately protected and guaranteed. You should be aware that some countries might not offer the same lawful protection of personal data as EU member states. While your personal data is stored in another country, courts, law enforcement authorities and national authorities of the respective country may in some circumstances access this data in conformity with the national laws. Subject to legal regulations we promise that every third party processing your personal data outside of the EU must take measures to ensure maximum security of your data according to our instructions as well as EU legislation. Therefore we only have data processed in a third country if the requirements according to art. 44 ff. GDPR are fulfilled.
Purposes of data processing and legal bases
3. Fulfillment of Contractual Agreements / User-Account
3.1. We are processing basic data (i.e. name, address and further contact data), contractual data (i.e. payment information, services received and/or used) for the fulfillment of the contractual obligations and services in accordance with art. 6 para. 1 lit. b GDPR as well as for the fulfillment of a legal obligation to which we are subject, pursuant to art. 6 para. 1 lit. c GDPR in conjunction with commercial, trade or tax law, insofar as we are obliged to record and store your data.
3.2. In order to fully use our service a registration is required. During the creation of the corresponding user-account you will be required to provide personal information (i.e. email address) and specify a password. This information serves as the basis for the login as well as the secure identification on AMBOSS. Users who try to register and/or login to AMBOSS using an organization’s (e.g., university or clinic) single sign-on (SSO) will be redirected to that organization’s login page, and the user’s email address will be transmitted. Upon successful login, the organization will transmit to AMBOSS the user information (i.e., first and last name, institution affiliation, and email address) required for user identification and data processing in accordance with Art. 6(1)(b) GDPR to enable the functionality of our product. This data will be associated with the user’s AMBOSS account.
3.3. In addition we will possibly ask you for further personal data such as the desired specialization, university, address or gender, i.e. as part of a survey or within your user-account. If this information is not required for the fulfillment of the contract it is provided on a voluntary basis. We will use this information to tailor our services to your needs.
3.4. During the registration and each time the user logs in and uses the online service, we save the IP address as well as the timestamp of the respective user action. The storage is done due on the basis of our legitimate interests and the interest of the user to be protected from misuse and unauthorized usage in accordance with art. 6 para. 1 lit. f GDPR.
4. Contact Form
In case of questions of any kind we are offering you the opportunity to contact us via a contact form on our website. In order to use the contact form a valid email address must be given enabling us to identify who has sent the request and answer it. Further information can be provided on a voluntary basis. The processing of data for the purpose of establishing contact with us is carried out in accordance with art. 6 para. 1 p. 1 lit. a GDPR based on your voluntarily given consent. para.
5.1. Providing you have given your consent in accordance to art. 6 para. 1 p. 1 lit. a GDPR we will send periodic email newsletters to the email address you have provided. Where the registration for the newsletter included a concrete description of the newsletter content this description is authoritative for your consent. Newsletters include information on our products, offerings, special offers and our company. For the reception of our newsletters the provision of a valid email address is sufficient.
5.2. For the newsletter registration we use the so-called double opt-in procedure, i.e. you need to confirm the provided email address before being added to our email list and receiving newsletters. In order to confirm the newsletter registration we will send you an email with a confirmation link, which you need to click in order to confirm your newsletter registration.
5.3. With a registration for the newsletter we store your IP address and the date of your registration. The storage of this information shall serve as the proof of your newsletter registration.
5.4. You may withdraw your registration for the newsletter at any time with effect for the future via a link in the newsletter itself, in your user-account or via email to the address given above.
5.5. If you have made a purchase of goods or services from us, we are entitled to send you information about our own similar goods or services to the email address given to us during the conclusion of the contract. You may object to this use of your email address at any time with effect for the future via a link in the newsletter, in your user-account or via e-mail to the address given above.
6.1. You have the possibility to make individual personal data in your user profile (i.e. first name, last name, email address, university, clinic) as well as further information (i.e. personal notes) findable for other users. When doing so, it is possible to limit the availability or findability to certain user groups.
6.2. The release of your personal data and information for other users is performed on a voluntary basis, i.e. providing you have given your consent in accordance to art. 6 para. 1 lit. a GDPR. You can revoke or modify the consent, limit the availability or findability to certain user groups and the released data at any time in your user profile.
6.3. If you have enabled (partial) findability for personal data as well as further information, we will notify you via email or directly in the user profile in case of a contact request by another user.
6.4. You may revoke your consent for making individual personal data as well as further information findable any time with effect for the future via your user-account or via e-mail to the address given above.
7. Comments and Contributions
Users of AMBOSS may post comments, personal notes or other content. If users decide to do so their IP address is stored based on our legitimate interests in accordance to art. 6 para. 1 lit. f GDPR, namely: for our security in the event a user posts illegal content.
8. Access Data and Log Files
8.1. When you visit AMBOSS, our server automatically collects certain browser or device generated information. The access data includes the name of the website accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requested provider.
8.2. If you have created a user account and use AMBOSS, we automatically collect usage statistics on question results as well as visited pages within our learning platform. This information is collected, processed and used in order to tailor our services to your needs. Therefore anonymous, aggregated statistics are created.
8.3. The processing and storage of this data is based on our legitimate interests in accordance to art. 6 para. 1 lit. f GDPR, namely: the maintenance and improvement of our services, as well as for security reasons (i.e. the investigation of misappropriation).
We process your personal data for cookie management of our website on the following legal bases:
- for the fulfillment of a contract or for the implementation of pre-contractual measures pursuant to art. 6 para. 1 lit. b GDPR, insofar as you visit our website to obtain information about our services;
- for the use of cookie management in order to comply with a legal obligation to which we as the controller are subject pursuant to art. 6 para. 1 lit. c GDPR. The legal obligation lies in your information about cookies used by us as well as obtaining and documenting your consent to data processing; and
- to protect our legitimate interests pursuant to art. 6 para. 1 lit. f GDPR in order to be able to provide you with the cookie management technically. Our legitimate interest is to be able to provide you with an appealing, technically functioning and user-friendly cookie management and to take measures to protect the cookie management from cyber risks and to prevent cyber risks for third parties from the cookie management.
10.1. We are using cookies on our website. A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile device browser from our website’s server or the servers of third parties and is stored on your device’s hard drive for later access.
10.3. Insofar as the cookies are necessary to provide you with our website with its technical functions, their use is based on our legitimate interests in this according to art. 6 para. 1 lit. f GDPR.
10.4. Most browsers accept cookies automatically. However you can configure your browser to refuse to accept cookies or display a warning whenever a website tries to store a cookie on your device. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website to their full extent.
11. Facebook Social Plugins
11.1. Based on your consent, in accordance to art. 6 para. 1 lit. a GDPR, we are employing Social Plugins (‘Plugins’), a service by the social network facebook.com, operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland (‘Facebook’). These Plugins are indicated by the Facebook logo (‘f’).
11.2. Whenever you access a page of our website that contains the Plugin, your browser establishes a direct connection to the servers of Facebook. The content of the plug-in is transferred from the respective provider directly to your browser and integrated into the page. The integration of the plug-in allows the provider to receive notification that your browser has accessed the corresponding page of our website, even if you do not have a profile on the corresponding social network or are not logged in. This information (including your IP address) is transferred from your browser directly to a server of the respective provider and stored there. If you are logged in to one of the social networks, the providers can directly associate the visit to our website with your Facebook profile. If you interact with the plug-ins by clicking ‘like’, for example, the corresponding information is also transferred directly to a server of the provider and stored there. The information is also published on the social network and displayed to your contacts there.
AMBOSS is jointly responsible with Facebook for data processing via social plugins. You can therefore contact both us and Facebook with any data protection-related inquiries.
11.4. If you do not want Facebook to associate your data collected via our website directly with your profile on the social network, you must log out of the corresponding network and delete your cookies before visiting our website. Further settings and options to object can be accessed via the Facebook profile settings:
12. Facebook Remarketing-Services / Custom Audience
12.1. Based on your express consent, in accordance to art. 6 para. 1 lit. f GDPR, we use the so-called ‘Facebook-Pixel’, a service by the social network facebook.com, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or for users from the EU, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”).
12.2. We use pixel tags from Facebook, and the information collected is to help us to display placed advertisements (so-called ‘Facebook-Ads) only to users that have shown a clear interest in our services or have certain characteristics that have been transferred to Facebook (so-called ‘Custom Audiences’). By using the Facebook-Pixel we can trace, whether a user has clicked on a Facebook-Ad and has thereby been redirected to our website (so-called ‘Conversion’).
12.3. Every time you visit AMBOSS, Facebook creates a cookie (as described under clause 10). If you are logging in to the Facebook website or visit the Facebook website in the logged in state your visit to AMBOSS is stored in your Facebook profile. The data gathered and evaluated will remain anonymous and the identity of the user cannot be traced.
However, the respective data is stored and processed by Facebook, whereby a connection to the Facebook user profile is possible and this data can be used for market-research and advertising.
12.4. Based on your consent, in accordance to art. 6 para. 1 lit. f GDPR, we are employing the ‘Advanced Matching’ feature provided by using the Facebook-Pixel. In this case personal data, i.e. country, university or Facebook-ID, is used to create target groups (so-called ‘Custom-Audiences’) is transferred to Facebook. Further information on ‘Advanced Matching’ can be found here:
12.5. Based on our legitimate interests in accordance to art. 6 para. 1 lit. f GDPR, namely: the correct, lawful and purposeful display of advertisements in the context of Facebook Custom Audience services, we are employing the ‘Custom Audience from File’ service provided by Facebook. We are only uploading e-mail addresses of users that have registered for our newsletter. The upload of these addresses is made in encrypted form.
12.6. Processing of personal data by Facebook takes place within the framework of the Facebook data policies. Further details on the display of Facebook-Ads can be found in the Facebook data policy here:
Details on the Facebook-Pixel as its functioning can be found in the support area of Facebook’s website:
12.7. You may refuse the storage of the information through the Facebook-Pixel and the use of your data to display Facebook-Ads and/or change the types of ads that are displayed within Facebook here:
13. Facebook Login
13.1. We offer you the ability to register and login to AMBOSS with Facebook Login. This only takes place with the explicit consent in accordance with art. 6 para. 1 lit. a GDPR. Facebook Login is a service provided Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Thereby no further and separate registration or login is required. In order to complete the registration or login you will be redirected to the Facebook website where you can login with your Facebook credentials. By linking your Facebook account we automatically receive the following data from Facebook Inc.:
First and Last Name
Your Facebook Username
13.2. We only use personal data provided, which is required for the completion of your user profile in accordance with those named under clause 3. This information is absolutely necessary for our service in order to identify you.
The Facebook Inc. terms of service can be found here:
14. Google Sign-In
14.1. We offer you the ability to register and login to AMBOSS with Google Sign-In. This only takes place with the explicit consent in accordance with art. 6 para. 1 lit. a GDPR. Google Sign-In is a service provided by Google LLC („Google“), Amphitheatre Parkway, Mountain View, CA 94043, USA. Thereby no further and separate registration or login is required. In order to complete the registration or login you will be redirected to the Google website where you can login with your Google credentials. By linking your Google account we automatically receive the following data from Google LLC:
First and Last Name
Your Google Username (if different from your E-Mail Address)
14.2. We only use personal data provided, which is required for the completion of your user profile in accordance with those named under clause 3. This information is absolutely necessary for our service in order to identify you.
The Google LLC terms of service can be found here:
15. Google Analytics
15.1. Based on your consent, in accordance to art. 6 para. 1 lit. a GDPR, we are employing Google Analytics, a service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, („Google“). In this context pseudonymous user profiles are created and cookies are used (as described under clause 10). The information stored by the cookie, such as browser-type/-version, operating system, referrer-URL (the previously visited site), hostname of the accessing device (IP address) and the timestamp of the server request are transferred to a server operated by Google for storage.
15.2. The information generated relating to our website is used to create reports about the use of AMBOSS in order to improve our website and tailor our services to your needs. The IP addresses are anonymised (ip-masking) and used for statistical purposes; person-related evaluation of the IP addresses is impossible.
15.3. We use Google analytics to display placed advertisements by Google and its partners only to users that have shown a clear interest in our services or have certain characteristics that let assume on an interest in our services (so-called ‘Google-Analytics-Audiences’)
15.5.In addition, you may refuse the storage of the information generated by the cookie that allows for conclusions about your use of the website (incl. your IP address) as well as the processing of this data by Google. In order to do so you need to download and install a browser-addon provided by Google that can be found here:
16. Google Remarketing
16.1. Based on your express consent, in accordance to art. 6 para. 1 lit. a GDPR, we are employing Google Remarketing, a service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, („Google“).
16.2. The Google Remarketing services allow for displaying advertisement based on user interest. For this purpose so-called ‘Remarketing-Tags’ are placed on AMBOSS websites as well as the websites of other participants of the Google Remarketing service. Through these Remarketing-Tags a cookie is stored on the device of the user, containing information such as browser-type/-version, operating system, referrer-URL (the previously visited site), hostname of the accessing device (IP address) and the timestamp of the server request. The IP addresses of AMBOSS users is not combined with with other Google data. Nevertheless, Google may combine other aforementioned information with information from other sources. If the user visits another website participating in the Google Remarketing service afterwards, the user can be targeted with advertisements according to his or her individual interests.
16.3. This website uses the online advertising tool ‘Google AdWords’, a service provided by Google. In this context the so-called ‘Conversion-Tracking’ is used. The conversion tracking cookie is set when a user clicks on a Google advertisement. These cookies are invalidated after 30 days and are not used for personal identification.If this cookie has not yet expired when the user visits certain pages of AMBOSS, Google and AMBOSS GmbH will be able to tell that the user clicked on a specific advertisement and proceeded to that page. Every customer of Google Adwords receives an individual cookie. Therefore cookies cannot be tracked across the websites of different Google AdWords customers. The information collected through the conversion-cookie serves to generate statistics for Google AdWords customers that are using the Google AdWords service. Google AdWords customers are able to retrieve the total number of users clicks on advertisements that have been marked for conversion tracking. However the data gathered and evaluated will remain anonymous and the identity of the user cannot be traced. Users that do not want to participate in Conversion-Tracking can easily delete the cookies stored on their device through their browser. These users are will not be included in the conversion tracking statistics.
16.5. Furthermore we use “Google Tag Manager”, a service that allows us to embed Gogole Analytics and Google Remarketing into our website.
16.6. The personal data collected by Google Remarketing services is transferred to a server operated by Google in the USA. The processing of data within the scope of Google Remarketing services will only be done in strictly pseudonymous form. This shall not be the case, if the user has given his or her explicit consent to process the personal data without pseudonymization.
16.7. Further information on the Google Remarketing service can be accessed here:
16.8. You may refuse the display of advertisements through the Google Remarketing service and the use of your data to display advertisements and/or change your preferences for the service here:
Our application uses the technology Google Firebase, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Firebase”). Google Firebase uses servers located in Europe for its services wherever possible. However, it cannot be ruled out that data may also be transferred to the USA.
We have concluded an order processing contract with Google, which contains so-called standard contractual clauses, in which Google undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. The legal basis for the use of this cloud service is a legitimate interest according to art. 6 para. 1 lit. f GDPR, as the processing of your data is protected by an order processing contract. More information about Google Firebase and data protection can be found here:
For the integration of different tools, we use Zapier, a service of Zapier Inc., 548 Market St #62411, San Francisco, California 94104, USA (“Zapier” Inc.”), on the basis of your consent in accordance to art. 6 para. 1 lit. a GDPR. Zapier is used in the interest of an efficient structuring of the tools we use. This constitutes a legitimate interest within the meaning of art. 6 para. 1 lit. f GDPR. In the event that personal data is transferred to the USA, Zapier Inc. has signed the EU-US Privacy Shield and the standard contractual clauses. In addition, we have concluded a contract processing agreement with Zapier Inc. Further information on data protection at Zapier can be found at
19.1. Based on your consent, in accordance to art. 6 para. 1 lit. f GDPR, we are employing ‘Blueshift’ a web-analytics tool by Blueshift Labs, Inc., 231 Sansome St Suite 300, San Francisco, CA 94104, USA.
19.2. We use Blueshift to display advertisements to pseudonymous users or groups of users. These advertisements are individually aligned and interest-based. Additionally we are also able to see, whether users have clicked on an advertisement and subsequently made purchases.
19.3. Every time you visit AMBOSS Blueshift creates a cookie (as described under clause 10) that stores pseudonymous user data such as browser-type/-version, operating system, referrer-URL (the previously visited site), hostname of the accessing device (IP address) and the timestamp of the server request. This information is transferred to a server operated by Blueshift in the USA for storage.
19.5. You may object to receive mail or email through the remarketing services by using the opt-out service provided by Blueshift that can be accessed here:
20.1. We use Hotjar, a web analytics tool provided by Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (website: https://www.hotjar.com). Hotjar is a service that analyzes user behavior and feedback on websites through a combination of analytics and feedback tools. From the data processed by Hotjar, it is generally not possible to establish a reference to your person; in particular, Hotjar processes your IP address only in anonymized form. If personal data is nevertheless processed, this is done on the basis of your consent in accordance with art. 6 para. 1 lit. a GDPR.
On this website, we use the software of Segment.io, Inc. 101 15th St San Francisco, CA 94103 USA on the basis of your consent in accordance to art. 6 para. 1 lit. a GDPR. Data is collected and stored, from which usage profiles are created using pseudonyms. These usage profiles are used to analyze visitor behavior and are evaluated to improve our offer. Cookies can be used for this purpose, which enable recognition when our website is visited again. The pseudonymized usage profiles are not combined with personal data about the carrier of the pseudonym without a separate, express consent.
We use Twitter Pixel for analytics. The provider is Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The provider processes usage data (e.g. web pages visited, interest in content, access times) in the USA.
The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses (Art. 46 para. 2 lit. c GDPR) adopted by the EU Commission in accordance with the examination procedure under Art. 93 para. 2 of the GDPR, which we have agreed to with the provider.
23. Use of Contents and Services of Third Parties
23.1. Based on our legitimate interests in accordance to art. 6 para. 1 lit. f GDPR, namely: the statistical analysis of user behavior, optimization and operation of our online services as well as the fulfilment of contract according to art. 6 para. 1 lit. b GDPR we are using contents or services of third parties. The consequence is that the third parties providing these contents or services receive the IP address of the user accessing the website employing the content or service. We try to only employ contents and services of providers that limit the use of the IP address in order to make the contents and services available.
23.2. We are using content and services of the following providers:
24. Data Security
24.1. The entire communication of your browser with AMBOSS is ensured through a TLS-secured connection in order to protect your information against the unauthorised access by third parties. Only selected administrators have access to your data as far as this is indispensable to the fulfillment of the contract.
24.2. We apply appropriate technical and organisational security measures in order to protect your personal data against manipulation, partial or full loss and against unauthorised access by third parties. The standards shall be kept up to date in the light of technological progress and the developments in good engineering practice in safety matters
25. Deletion of Data
We will immediately delete the personal data we have stored after the contract has been fulfilled or unless otherwise indicated by provisions of law. If user data is not deleted due to provisions of law, the processing of this data is constrained, i.e. not used for other services. This applies for example for user data stored due to commercial or tax law provisions.
26. Rights of the Persons Affected
You have the right:
- to withdraw your consent at any time for future effect, in accordance with art. 7 para. 3 GDPR
- to request information concerning the personal data stored about them at any time, free of charge, in accordance with art. 15 GDPR ;
- to request rectification of any incomplete or inaccurate information, in accordance with art. 16 GDPR;
- to request the deletion of your personal data stored with us unless it opposes the processing for the fulfillment of contract, the right to freedom of expression and information, grounds of public interest or the establishment, exercise or defence of legal claims, in accordance with art. 17 GDPR;
- to request the restriction of the processing of your personal data, in accordance with art. 18 GDPR ;
- to request your personal data stored with us the personal data stored in a structured, standardized and machine-readable format or request the delivery to another authorized party, in accordance with Art. 20 GDPR;
- to complain to the responsible supervisory authority, in accordance with Art. 77 GDPR.
27. Right of Refusal
27.1. In case your personal data is processed based on legitimate interests in accordance to art. 6 para. 1 lit. f GDPR, you have the right to refuse the processing of your personal data, based on art. 21 GDPR, if there are legitimate reasons or the refusal is directed towards direct advertising. In the latter case you have a general right of refusal without being required without having to offer a legitimate reason.
27.2. If you would like to exercise your right of refusal or revocation, please do so via e-mail to the address given above.
Last Update: November 2022