Data protection information

I. Name and Address of the Controller

The controller within the meaning of Art. 4 (7) GDPR for this website is: 

HFO Health Facility Operations Services GmbH (hereinafter: HFO)
If you have any questions regarding the processing of your data by HFO, you are welcome to contact us as follows: 
Address: Am Europlatz 5 / 2.OG, 1120 Vienna, Austria 
Phone: +43 1 3931000  
E-Mail: datenschutz@vitrea-health.com
Contact details regarding data protection for the respective companies (e.g., rehabilitation facilities) can be found on the corresponding websites of the companies.

II. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing 

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. 

The following data is collected:

• Information about the browser type and the version used 
• The user's operating system 
• The user's internet service provider 
• The user's IP address 
• Date and time of access 
• Websites from which the user's system reaches our website 
• Websites accessed by the user's system via our website 

2. Legal Basis for Data Processing 

The legal basis for the temporary storage of data is Art. 6 (1) (f) GDPR (legitimate interest).

3. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. In addition, log files are stored temporarily to make access traceable for reasons of website security. IP addresses are anonymized in the log files. 

These purposes also constitute our legitimate interest in data processing according to Art. 6 (1) (f) GDPR.

4. Duration of Storage 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For data collected to provide the website, this is the case when the respective session has ended. In the case of log files, these are deleted after 14 days.

5. Right to Object and Removal Options 

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website.

 III. Use of Cookies

1. Description and Scope of Data Processing 

Our website uses cookies. Cookies are text files stored in the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows for the unique identification of the browser when the website is accessed again.

Technically Necessary Cookies: 

Some elements of our website require that the accessing browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:

• Hiding the cookie notice, saving settings regarding non-technically necessary cookies 
• Anonymous ID as proof of cookie consent 
• Accessibility settings 
• Language settings 

Non-Technically Necessary Cookies: 

When accessing our website, users are informed about the use of cookies via an info banner and referred to this privacy policy. In this context, the option to deactivate non-technically necessary cookies is also offered. With the user's consent, the following cookies are set (more information in Section IV):

• Matomo: Analysis of user surfing behavior, access statistics 
• Google Analytics: Analysis of user surfing behavior, access statistics 
• YouTube: Analysis of usage behavior, identification of the user across multiple Google services 

Consent to non-technically necessary cookies is stored in a consent log to provide proof of consent in the event of access requests. An anonymous unique ID, the time of consent, and the category(ies) of cookies for which consent was given are stored in our database. A cookie containing the same unique ID is set in the user's browser. Based on this ID, the user can request proof of consent from us if necessary. Consent data including the cookie are automatically deleted after 365 days.

2. Legal Basis for Data Processing 

The legal basis for processing data using technically necessary cookies is Art. 6 (1) (f) GDPR. For non-technically necessary cookies, the legal basis is your consent according to Art. 6 (1) (a) GDPR

3. Purpose of Data Processing 

Cookies are used for various purposes:

• Enabling functions that require the browser to be recognized after a page change (e.g., saving that the cookie notice was hidden) 
• Simplifying website use, accessibility 
• Fulfilling legal requirements (proof of cookie consent) 
• Improving website quality and content based on analysis of page views and visitor behavior (only optional cookies) 
• Personalizing recommended content and advertisements (only optional cookies)

4. Storage Duration, Objection, and Removal 

For non-technically necessary cookies, visitors can decide via the cookie banner which cookies should be set. A given consent can be withdrawn at any time via the link: 

Visitors can also prevent the setting of technically necessary cookies. Cookies are generally stored on the user's computer. Therefore, you have full control over the use of cookies. By changing settings in your browser, you can deactivate or restrict the transmission of cookies. Already stored cookies can be deleted at any time. Most browsers' "Help" button shows you how to stop accepting cookies, how to be notified of new cookies, and how to block them. If you block cookies, it may not be possible to register, log in, or use services in full.

 IV. Use of Plugins and Components from External Providers

1. Matomo – Web Analysis 

We use "Matomo" (www.matomo.org) to analyze visitor behavior. Matomo generates evaluations (e.g., number of visitors, bounce rates) that allow us to optimize the site and fix errors.

Matomo processes:

• IP address, truncated by the last two bytes (anonymized) 
• Title, URL, time of access 
• Location (rough geographic region due to IP anonymization) 
• Referrer URL 
• Browser, language, operating system, screen resolution 
• Duration of stay 
• External links and downloads

Data is stored on our own webspace in the EU and not shared with third parties except for the hosting provider. The legal basis is Art. 6 (1) (a) GDPR (consent).
Data is used to optimize user-friendliness (legitimate interest under Art. 6 (1) (f) GDPR). Users are never personally identified.
Data is deleted after 365 days.

2. Google Analytics – Web Analysis

We use the web analysis service Google Analytics from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google") on our website to analyze the behavior of visitors. Once the data has been collected (e.g., which pages are visited frequently, how long users stay on individual pages, which content is particularly relevant, etc.), Google creates evaluations that help us to further improve the website.

Google Analytics processes the following, partly personal data:

• IP address of the visitor, shortened (anonymized) by the function anonymizeIp.
• Title, URL, and time of the page view.
• Browser, language, operating system, and screen resolution.
• Duration of stay on the website.
• Interactions with integrated content (e.g., clicks on buttons, videos, forms).
• Origin source (e.g., search engine, referring page, direct entry).
• Location data based on the IP address (only rough, e.g., region or city).

Cookies are set in this process to recognize returning users and to better analyze usage. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. We use Google Analytics exclusively with activated IP anonymization. This means your IP address will be shortened by Google within the EU or in other contracting states of the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

In the event of a link with other Google services (e.g., Google Ads), a merger of usage data across different platforms may take place. The data is processed pseudonymously and is not used for personal identification.

Legal Basis 
The legal basis for the use of Google Analytics is your consent according to Art. 6 (1) (a) GDPR, which you grant via our cookie banner. You can revoke your consent at any time.

Purpose of Data Processing 
We use Google Analytics to gain information about usage behavior on our website. These insights help us to specifically improve the content and functions of the website, to fix errors, and to make the offer more user-friendly. This also constitutes our legitimate interest according to Art. 6 (1) (f) GDPR – however, this interest is only realized within the framework of your prior consent.

Duration of Storage
The data collected via Google Analytics is deleted after 14 months. You can prevent the storage of cookies by a corresponding setting of your browser software or revoke your consent at any time. Additionally, you can install a browser add-on to deactivate Google Analytics:

https://tools.google.com/dlpage/gaoptout

3. YouTube – Video Content

YouTube is a video platform that has been owned by Google since 2006. In our case, Google Ireland Ltd. is responsible for data processing. We use YouTube to provide video content on our website. For this purpose, a player module provided by YouTube in the form of a so-called "embed code" is used, which loads the video data and the video player functionality directly from the servers of YouTube or Google.

According to current knowledge, the following, partly personal data is processed in the process:

• IP address 
• Unique user ID 
• Location 
• Internet bandwidth 

In the case of an existing login to a Google user account:

• Interest profile of the user, along with device ID and user ID, Google account ID usage of the website, and advertisement views 
• Several cookies are used on the visitor's computer for these purposes. 

The collected data is stored on Google servers at various locations, meaning it can be processed both within the EU and in the USA. Further information on data processing by YouTube or Google can be found in Google's privacy policy: https://policies.google.com/privacy?hl=en.

Legal Basis

The legal basis on which we use YouTube is Art. 6 (1) (a) of the GDPR (consent).

Purpose of Data Processing 

YouTube processes personal data, among other things, to create personalized content recommendations and to display relevant advertisements to users. Depending on the privacy settings that the respective user has made on the Google platform, the recorded data can be merged with data collected in the course of using other Google services (e.g., search engine).

Duration of Storage 

The cookies set by YouTube or Google and the data stored therein are kept for different lengths of time. Some are automatically deleted after a short period, others remain for several months or a few years, and individual ones are stored permanently unless a deletion is carried out. In the privacy settings in the visitor's Google user account, individual settings for the storage period can partly be defined.

Note: Data Processing in the USA 

When using Google services, personal data may be transferred to the USA. Google is certified under the EU–US Data Privacy Framework, which ensures an adequate level of data protection.

 V. Contact Form and E-Mail Contact 

1. Description and Scope of Data Processing

A contact form is available on our website, which can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask is transmitted to us and stored. This data includes:

1. Full name 
2. Salutation (gender) 
3. E-mail address 
4. Telephone number 
5. Message 

At the time the message is sent, the following data is also stored: 

1. The user's IP address 
2. Date and time 

Alternatively, contact can be made via the provided e-mail address. In this case, the user's personal data transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation. 

2. Legal Basis for Data Processing 

The legal basis for processing the data is Art. 6 (1) (a) GDPR if the user has given consent, as well as, if applicable, our legitimate interest pursuant to Art. 6 (1) (f) GDPR to process the information and notes received. 

The legal basis for processing data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR. If the e-mail contact aims at the conclusion of a contract, an additional legal basis for the processing is Art. 6 (1) (b) GDPR. 

3. Purpose of Data Processing

The processing of personal data from the input mask serves us solely to handle the contact. In the event of contact via e-mail, this also constitutes the necessary legitimate interest in processing the data. 

Other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems. 

4. Duration of Storage 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is stopped when it can be inferred from the circumstances that the matter in question has been finally clarified. 

Personal data additionally collected during the sending process will be deleted after a period of seven days at the latest. 

5. Right to Object and Removal Options

The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. 

Please notify us of a possible revocation via our e-mail address mentioned above. All personal data stored in the course of contacting us will be deleted in this case. 

VI. Rights of the User (Data Subject Rights) 

If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights against us as the controller: 

1. Right of Access 

You can request confirmation from us as to whether personal data concerning you is being processed by us. 

If such processing exists, you can request information from us regarding: the purposes and categories of personal data being processed, including the recipients or categories of recipients to whom your data has been or will be disclosed, as well as the planned duration of storage. Should we use profiling technologies, we must provide you with meaningful information about the logic involved as well as the scope and the intended effects of such processing for you. 

Furthermore, we must inform you of your right to lodge a complaint with the data protection authority. You also have the right to request information as to whether the data concerning you is transferred to a third country or to an international organization. 

2. Right to Rectification 

You have a right to rectification and/or completion if your processed data is inaccurate or incomplete. If applicable, we will carry out the rectification without delay. 

3. Right to Restriction of Processing 

Under the following conditions, you can request the restriction of the processing of your data: 

1. If you contest the accuracy of the data concerning you for a period that enables us to verify the accuracy of your data; 
2. The processing is unlawful, and you refuse the deletion of your data and instead request the restriction of the use of your data; 
3. We no longer need your data for the purposes of processing, but you need it to assert, exercise, or defend legal claims; or 
4. If you have lodged an objection to the processing and it has not yet been determined whether our legitimate reasons outweigh your reasons.

If the processing of your data has been restricted, this data – apart from its storage – may only be processed with your consent or for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. 

If the restriction of processing has been restricted according to the above requirements, you will be informed by us before the restriction is lifted. 

4. Right to Erasure

We are obliged to delete your data immediately if one of the following reasons applies: 

• Your data is no longer necessary for the purposes for which it was collected by us; 
• You revoke your consent and there is no other legal basis for the processing; 
• You lodge an objection to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds on our part for the processing, or you lodge an objection to the processing pursuant to Art. 21 (2) GDPR; 
• Your data has been processed unlawfully. 

The right to erasure does not exist insofar as 

• the processing is necessary to fulfill a legal obligation that requires processing (e.g., toward authorities and offices), or to perform a task that is in the public interest and has been assigned to us; 
• to assert, exercise, or defend legal claims.

5. Right to Object

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your data based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.

In this case, we will no longer process your data unless we have compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. 

If your data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct marketing. If you object to the processing for direct marketing purposes, the data concerning you will no longer be processed for these purposes. 

6. Right to Withdraw the Declaration of Consent under Data Protection Law

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. 

7. Right to Lodge a Complaint with the Data Protection Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint pursuant to § 24ff DSG 2018 with the competent data protection authority if you are of the opinion that the processing of your data violates the GDPR. 

The data protection authority informs the complainant about the status and results of the complaint, including the possibility of a judicial remedy. 

 

Vienna, November 2025