Privacy Notice

We take the protection of your personal data very seriously. The following privacy notice provides you with an overview of which personal data we collect for which purposes, how we store, process and delete this data and which rights you have as a data subject. This privacy notice applies to all processing of personal data carried out by us in the context of our websites and external online presences, such as our social media profiles.

Onkoplus is a platform that helps cancer patients find suitable clinical trials as an additional treatment option and check whether these trials are appropriate for them. The Onkoplus platform is operated by iduneo GmbH.

Status: 25 November 2025

Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions for this website is iduneo GmbH:

iduneo GmbH
Amtsgericht Hamburg, HRB 187960
Oberstr. 9
20144 Hamburg
Germany
E-mail: datenschutz@iduneo.com

Representative in the United Kingdom pursuant to Art. 27 UK GDPR
If you are habitually resident in the United Kingdom, the following representative in the United Kingdom is also your point of contact for data protection matters: tbd

Legal basis under the GDPR
We process personal data on the basis of the following legal grounds under the GDPR. In addition, further provisions of the country of your residence may apply.
- Consent to the processing of personal data (Art. 6 (1) (a) GDPR)
- Processing for the performance of a contract and for pre-contractual enquiries or measures (Art. 6 (1) (b) GDPR)
- Processing for compliance with a legal obligation (Art. 6 (1) (c) GDPR)
- Processing for legitimate interests, provided that these are not overridden by the interests or fundamental rights and freedoms of the data subject (Art. 6 (1) (f) GDPR)

In addition to the GDPR, national data protection provisions such as the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply in Germany. The BDSG regulates, among other things, your rights to access, erasure and objection, as well as the processing of special categories of personal data. Furthermore, data protection laws of the German federal states may apply.

Additional applicable law for individuals in the United Kingdom (UK)

For data subjects who are habitually resident in the United Kingdom, the applicable British data protection law applies in addition (UK General Data Protection Regulation – “UK GDPR” – and the Data Protection Act 2018).

If you have not yet reached the age of 16 (or, in the United Kingdom, the age of 13), please obtain the consent of your parent or legal guardian before using our service and providing any consent declarations. 

Security measures
The security of your data is very important to us. In accordance with the statutory requirements, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. In doing so, we take into account the state of the art, implementation costs and the nature, scope, context and purposes of processing.

Our measures include in particular:
- Ensuring the confidentiality, integrity and availability of data (control of physical and electronic access to data, encryption of data transmission, ensuring data availability, data separation, etc.)
- Procedures for enabling data subject rights
- Taking into account the protection of personal data when developing and selecting hardware, software and procedures

These measures are intended to ensure that personal data is always handled securely and confidentially and that legal requirements are met.


Business services
We process your data in the context of pre-contractual communication as well as contractual or quasi-contractual services in order to provide you with information about our services, to process your enquiries for further advice and to prepare the consultation during the initial appointment. The type of technologies used by third parties, the type of data collected and the associated business processes and procedures are described in more detail below.

Data processing when visiting onkoplus.de
In this section we explain how we process your data when you simply visit our website www.onkoplus.de without registering. We only use your personal data to the extent necessary for the operation of our website, the provision of our content and the optimisation of our services. If you would like support in finding suitable trials, you can register on our website for this purpose or contact us by e-mail. The processing of the personal data transmitted in this context is described in detail in a separate section.

Access data
When you visit our websites, we collect the following data:
- Usage data such as page views, time spent on the page, information about device, operating system, browser
- Communication and process data such as IP addresses, time of access, internet service provider, websites from which you accessed our site

Data subjects
All visitors to our websites

Purpose, storage and deletion
The temporary storage of your data enables us to grant you access to our website. Log files may contain, in addition to IP addresses, other data that could make identification possible. We store and process this data pursuant to Art. 6 (1) (f) GDPR to ensure the functionality of our website, optimise it and guarantee the security of our IT systems. This processing serves our legitimate interests in the technical availability and security of our services. Any use of your personal data is solely for the purposes stated and only to the extent necessary to achieve those purposes.

We erase or block your personal data as soon as the purpose of storage no longer applies. For processing carried out to provide the website, this is the case when your session ends. Log files are erased after no more than seven days. Longer storage is possible if the IP addresses are anonymised so that they can no longer be attributed to you.

Hosting
Our online presence is hosted by the service provider Strato (STRATO AG, Pascalstraße 10, 10587 Berlin, Germany, https://www.strato.de / https://www.strato.de/datenschutz/ ). We have signed a data processing agreement with Strato.

Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes data protection law (Art. 77 GDPR and Art. 77 UK GDPR respectively).

The authority with primary responsibility for iduneo GmbH in Germany is in particular:
Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit).

If you are habitually resident in the United Kingdom, you may also contact the Information Commissioner’s Office (ICO):
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Website: https://ico.org.uk

Cookies
We use cookies in several places when you visit onkoplus.de. When you access our websites, a cookie can be stored on your device. This cookie contains a unique character string that enables your browser to be recognised when you visit our websites again. Users can deactivate or restrict the transmission of cookies by changing the settings in their internet browser. Stored cookies can be deleted at any time. However, deactivating cookies for our websites may mean that not all functions can be used in full.

The processing of personal data using cookies takes place in accordance with Art. 6 (1) (a) GDPR. The purpose of cookies is to make our websites more user-friendly and to serve our legitimate interests in the processing of your personal data.

For users who are habitually resident in the United Kingdom, the collection and management of consent for cookies and similar technologies is based on the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). CookieFirst is configured so that the respective statutory requirements (EU GDPR and/or UK GDPR/PECR) are complied with.

CookieFirst
To obtain and properly document your valid consent to the use and storage of cookies in the browser you use to access our website, we use a consent management platform: CookieFirst. This technology is provided by Digital Data Solutions BV, Plantage Middenlaan 42a, 1018 DH, Amsterdam, Netherlands. Website: https://cookiefirst.com.

When you access our website, a connection to CookieFirst’s server is established so that we can obtain your valid consent to the use of certain cookies. CookieFirst then stores a cookie in your browser in order to activate only those cookies for which you have given your consent and to document this properly. The processed data is stored until the defined storage period has expired or you request the deletion of the data. Different statutory retention periods may apply.

CookieFirst is used to obtain the legally required consent to the use of cookies. The legal basis for this is Art. 6 (1) (c) of the General Data Protection Regulation (GDPR).

CookieFirst automatically collects and stores information in so-called server log files, which your browser automatically transmits. The following data is collected:
- Your consent status or the withdrawal of consent
- Your anonymised IP address
- Information about your browser
- Information about your device
- The date and time of your visit to our website
- The URL of the website on which you saved or updated your consent settings
- The approximate location of the user who saved their consent preferences
- A universally unique identifier (UUID) of the website visitor who clicked the cookie banner

We have signed a data processing agreement with CookieFirst. This is a data protection agreement that ensures that the data of our website visitors is processed only in accordance with our instructions and in compliance with the GDPR.

Google Analytics
Our websites use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses cookies that enable an analysis of your use of our websites. The information generated by the cookies about your use of our websites is usually transmitted to a Google server in the USA and stored there. We would like to point out that, according to the case law of the Court of Justice of the European Union, there is currently no adequate level of data protection in place for the transfer of personal data to the USA. Processing in this context therefore only takes place with your explicit consent in accordance with Art. 6 (1) (a) GDPR.

Google has committed to complying with EU data protection requirements by using standard contractual clauses, which can be viewed at https://policies.google.com/privacy/frameworks.

We use Google Analytics only with IP anonymisation enabled. In exceptional cases, the full IP address may be transmitted to a Google server in the USA and shortened there. Further information on the terms of use and data protection of Google Analytics can be found at https://www.google.com/analytics/terms/ and https://www.google.com/policies/privacy/.
You can prevent the storage of cookies by adjusting your browser software accordingly, or prevent Google from collecting and processing the data generated by the cookie relating to your use of the website by installing appropriate browser plug-ins.

Facebook Pixel
We use the Facebook Pixel on our website, a service of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Facebook"), a social media network. The code implemented on this page enables us to analyse the behaviour of visitors who have been directed to our website via a Facebook advert. This serves to improve Facebook adverts. The collected data is recorded and stored by Facebook, but is not visible to us and can only be used by us in the context of placing adverts. The Facebook Pixel code also sets cookies.

By using the Facebook Pixel, we inform Facebook that you have visited our website so that you can be shown corresponding adverts on Facebook. If you have a Facebook account and are logged in, your visit to our website can be associated with your Facebook user account.

This processing only takes place with your explicit consent in accordance with Art. 6 (1) (a) GDPR.
Facebook also processes your data in the USA. We would like to point out that, according to the case law of the Court of Justice of the European Union, there is currently no adequate level of data protection in place for the transfer of personal data to the USA. Facebook has committed to complying with GDPR principles by using standard contractual clauses. These clauses are templates provided by the European Commission intended to ensure that European data protection standards are complied with.

Further information on how Facebook Pixel is used in advertising campaigns can be found at:
https://www.facebook.com/business/help/742478679120153?id=1205376682832142

Data processing when registering
If a user completes the contact form on the website, additional data is collected, stored and processed as described below.

Data
When registering via the form, the following information is entered in an input form:
- Your first and last name
- Your e-mail address
- Your telephone number
- Your IP address
- Date and time of submission

After submitting the form, users receive an e-mail to confirm their e-mail address (“double opt-in”). 

Data subjects
All users who complete and submit a form.

Purpose
We use this data to contact users. Any other use of the data requires the prior consent of the users. The data is not passed on to third parties.

Transmission, storage and deletion
To protect users’ data from unauthorised access, we use TLS/SSL encryption (HTTPS). These technologies encrypt information transmitted between the website or app and the user’s browser. TLS, the successor to SSL, ensures the highest security standards. A website secured by SSL/TLS can be recognised by “HTTPS” in the URL, indicating to users that their data is being transmitted securely. The form data is transmitted in encrypted form.

The data is erased after 10 years, unless the users have consented to longer storage.
Users can request the erasure of their data at any time by contacting iduneo GmbH, unless statutory retention obligations prevent this.

Legal basis
The legal basis for data processing is Art. 6 (1) (a) and Art. 9 (2) (a) of the General Data Protection Regulation (GDPR). Alternatively, users can contact us using the e-mail addresses and telephone numbers provided in order to arrange an initial consultation. In this case, the same data as for registration via onkoplus.de is collected and processed in the same way.

Form provider
For the forms on our pages, we use technology provided by Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin (referred to as Brevo in the following and in communication with users). The provider’s privacy policy can be found at: https://www.brevo.com/de/legal/privacypolicy/
We have concluded a data processing agreement with Sendinblue GmbH (Brevo).

Data processing for conducting the initial consultation
Users can arrange an appointment for an initial consultation via onkoplus.de, by telephone or by e-mail. We process personal data for scheduling, preparing and conducting this consultation, in particular also medical information. This is done for the purpose of searching for suitable clinical trials and for personalised communication, where requested. The provision of this data is voluntary for users.

We use the information stored at the time of first contact in accordance with Art. 6 (1) (b) GDPR to process your search request. For further processing, we require your consent in accordance with Art. 6 (1) (a) and Art. 9 (2) (a) GDPR. Once your search request has been processed, your personal data will be erased unless statutory retention obligations prevent this or you have consented to a longer storage period. Before using the data for any other purposes, we will obtain your consent in advance.

International data transfers
Your personal data is generally processed on servers within the European Union (in particular in Germany).

If you are habitually resident in the United Kingdom, we would like to point out that, from the perspective of the European Union, the United Kingdom is considered a third country. At the same time, the European Commission has adopted an adequacy decision for the United Kingdom, so that data exchange between the EU/EEA and the UK is currently possible without additional safeguards.

Conversely, the United Kingdom classifies EU/EEA states as countries with an adequate level of data protection. The information security required under the UK GDPR for your data is therefore ensured by the level of data protection applicable in the EU.

Where personal data is transferred to recipients in countries outside the EU/EEA (e.g. to service providers in the USA such as Google LLC or Meta Platforms, Inc.), this will only take place if there is either an adequacy decision by the European Commission for the respective country or if we have concluded the European Commission’s standard contractual clauses with these recipients and – where required – agreed additional safeguards. The same applies to the requirements under the UK GDPR.