General Terms and Conditions
and Information

The following General Terms and Conditions (hereinafter referred to as “GTC”) apply to all business relationships between

DPV Analytics GmbH

represented by the managing directors Dr. Stephan Kranz, Stefan Gazinski, and Kai Nikolaizig, Schloßstrasse 12, 22041 Hamburg, VAT ID No.: DE320954971

Registered office: Hamburg, Registry court: Hamburg Local Court, Registration number: HRB 153940

– referred to as “DPV” in Parts A and B –

and the customer

– referred to as “Purchaser” in Part A and “Company” in Part B –

and collectively referred to as the “Parties” in the version valid at the time of conclusion of the contract.

The Processor processes personal data on behalf of the Controller within the meaning of Article 4(8) and Article 28 of Regulation (EU) 2016/679 – the General Data Protection Regulation (“GDPR”). This Data Processing Agreement (“Agreement”) sets out the data protection obligations of the contracting parties arising from the data processing described in the main contract. This Agreement applies to all activities related to the main contract in which the Processor’s employees or third parties commissioned by the Processor may come into contact with personal data provided by the Controller.

§ 1 Definitions

1.1 Personal data means any information provided by the Controller that relates to an identified or identifiable natural person (‘data subject’); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).

1.2 Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR).

1.3 Instructions refer to all directives issued by the Controller to the Processor, requesting the Processor to process personal data. The instructions are initially set out in the main contract and may subsequently be amended, supplemented or replaced by the Controller through individual instructions (‘individual instructions’).

1.4 The Processor’s external data protection officer is a solicitor and specialist in information technology law at ARTANA PartG mbB, Alstertwiete 3, 20099 Hamburg

§ 2 Subject Matter of the Contract, Responsibility

The Processor offers the Controller the analysis and medical assessment of long-term ECGs that are transmitted to the Processor. The Processor processes the personal data on behalf of the Controller. The Controller is solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of the transfer of personal data to the Processor and the lawfulness of the processing thereof (‘Controller’ within the meaning of Article 4(7) of the GDPR).

§ 3 Term

The term of this contract shall correspond to the term of the main contract. This shall not affect the right to terminate the contract without notice.

§ 4 Scope, nature and purpose of the intended processing of personal data

The scope, nature and purpose of the processing of personal data by the Processor on behalf of the Controller are set out in detail in the main contract and the service specification.

 

§ 5 Types of data

The processing of personal data concerns the following types/categories of data (list/description of data categories):

• Patient data
• Health data

§ 6 Data subjects

The data subjects whose personal data is processed include:

Controllers Patients

§ 7 Rectification, erasure, blocking and disclosure of data

7.1 The Controller may, at any time during and after the termination of this contract or the main contract, request the rectification, erasure, blocking and disclosure of personal data by means of a lawful specific instruction.

7.2 The Controller shall specify the measures for the handover of the data carriers provided and/or the erasure of the stored personal data following the termination of the contract, either contractually or by means of a specific instruction.

§ 8 Technical and organisational measures

8.1 The Processor shall implement technical and organisational measures to adequately protect personal data against misuse and loss, in accordance with the requirements of Articles 24 and 32 of the GDPR. This includes, in particular, where appropriate,

– preventing unauthorised persons from gaining access to data processing facilities used to process

and utilise personal data (access control),

– preventing data processing systems from being used by unauthorised persons (access control),

– ensuring that persons authorised to use a data processing system can only access data covered by their access authorisation and that personal data

cannot be read, copied, altered or removed without authorisation during and after processing

(access control),

– to ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission, transport or storage on data media, and that it is possible to verify and determine to which destinations the transmission of personal data via data transmission facilities is intended (transfer control),

– ensure that it is possible to subsequently verify and determine whether and by whom personal data has been entered into, modified, or removed from data processing systems (input control),

– ensure that personal data can only be processed in accordance with the Controller’s instructions (task control),

– to ensure that personal data is protected against accidental destruction or loss (availability control),

– to ensure that data collected for different purposes can be processed separately (separation control),

– the pseudonymization and encryption of personal data,

– the ability to ensure the confidentiality, integrity, availability, and resilience of the systems and services related to processing on an ongoing basis,

– the ability to quickly restore the availability of personal data and access to it in the event of a physical or technical incident,

– a procedure for regularly reviewing, assessing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing.

 

8.2 Technical and organizational measures are subject to technological progress and further development. In this regard, the Processor is permitted to implement alternative, adequate measures. However, the security level of the specified measures must not be compromised. Significant changes that could compromise the integrity, confidentiality, or availability of personal data must be documented.

 

§ 9 Directives

9.1 The Controller has the right to issue specific directives to the Processor at any time regarding the nature, scope, and procedures for the processing of personal data. Specific instructions must be provided in writing.

9.2 The Processor may process personal data only within the scope of the main contract, this contract, and specific instructions, unless the Processor is obligated to process the personal data under Union law or the law of the Member States.

9.3 Provisions regarding any compensation for additional expenses incurred by the Processor as a result of specific directives from the Controller remain unaffected.

9.4 The Processor must inform the Controller of any exceptions to the obligation to follow directives based on the law applicable to the Processor, unless such law specifically prohibits such notification due to an important public interest.

 

§ 10 Other obligations of the Processor

10.1 The Processor shall appoint – where required by law – a data protection officer who may carry out their duties in accordance with Articles 37, 38 and 39 of the GDPR. The data protection officer’s contact details shall be provided to the Controller upon request for the purpose of direct contact.

10.2 The Processor shall ensure that employees involved in the processing of personal data are bound by data confidentiality (Article 29 GDPR) and have been instructed in the protective provisions of the GDPR. Data confidentiality shall continue even after the termination of employment.

10.3 The Processor shall notify the Controller in the event of serious disruptions to operations, suspected data breaches or other irregularities in the processing of personal data. This also applies to any inspections and measures taken by the supervisory authority pursuant to Articles 51–59 of the GDPR or investigations pursuant to Articles 83 and 84 of the GDPR.

10.4 It is understood that, pursuant to Article 33 of the GDPR, the Processor may be subject to information obligations in the event of the unlawful transmission of, or unauthorised access to, certain personal data. Therefore, such incidents must be reported to the Controller without delay, regardless of the cause. The Processor’s notification to the Controller must, in particular, include the following information:

– A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories of personal data concerned and the approximate number of personal data records concerned;

– A description of the measures taken or proposed by the Processor to remedy the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

The Processor must take appropriate measures to secure the data and to mitigate any possible adverse consequences for data subjects.

10.5 The Processor is obliged to provide the Controller with information at any time insofar as its data and documents are affected by a breach of personal data protection. The Processor shall undertake the destruction of material in accordance with data protection regulations on the basis of a specific instruction from the Controller and at the Controller’s expense. In specific cases, to be determined in writing by the Controller, the material shall be retained or handed over.

 

§ 11 Rights and obligations of the Controller

11.1 The Controller is solely responsible for assessing the lawfulness of the processing of personal data and for safeguarding the rights of data subjects.

11.2 The Controller must inform the Processor immediately and in full in writing if, upon reviewing the results of the contract, it discovers any errors or irregularities relating to data protection regulations.

11.3 The obligation to maintain the record of processing activities pursuant to Article 30 of the GDPR lies with the Controller.

11.4 The Controller is responsible for the information obligations arising from Article 33 of the GDPR.

 

§ 12 Requests from data subjects

12.1 If, under applicable data protection laws, the Controller is obliged to provide an individual with information regarding the processing of their personal data, the Processor shall, where necessary, assist the Controller in providing this information, provided that the Controller has requested the Processor to do so in writing.

12.2 The Processor shall inform the Controller if data subjects exercise their rights vis-à-vis the Processor.

 

§ 13 Cooperation with the supervisory authority

The Controller and the Processor, and where applicable their representatives, shall cooperate with the supervisory authority upon request in the performance of its duties.

 

§ 14 The Controller’s monitoring obligations

The Controller shall verify, prior to the commencement of data processing and thereafter at regular intervals, the technical and organisational measures implemented by the Processor and shall document the results. To this end, the Controller may, for example, request self-declarations from the Processor or have an audit carried out at its own expense. In the event of an audit, the Controller shall also bear the costs of the Processor’s employees who are required to participate in the audit.

 

§ 15 Subcontractors

15.1 The engagement of subcontractors is permitted within the scope of this contract and the activities specified in §§ 3, 4, 5 and 6, provided that the Processor ensures that the subcontractor assumes the obligations under this contract vis-à-vis the Processor. In particular, the requirements regarding confidentiality, data protection and data security set out in this contract shall apply.

15.2 The Controller shall be granted rights of control and inspection in accordance with § 14. Upon written request, the Controller is entitled to receive information from the Processor regarding the essential content of the contract and the implementation of the subcontractor’s data protection obligations, including, where necessary, by inspecting the relevant contractual documents.

15.3 The subcontractors engaged by the Processor are listed in Annex 2. The Processor is entitled to engage further subcontractors, provided that they meet the requirements set out in clauses 15.1 and 15.2 and the Processor informs the Controller thereof and the Controller does not object in writing within seven days.

 

§ 16 Duty of Confidentiality

The Processor is obliged to maintain confidentiality when processing personal data. The Processor undertakes to observe the same confidentiality rules as those applicable to the Controller. The Controller is obliged to notify the Processor in writing of any specific confidentiality rules.

 

§ 17 General Provisions, Duty to Provide Information, Requirement for Written Form, Choice of Law

17.1 Should personal data held by the Processor be at risk due to attachment or seizure, insolvency or composition proceedings, or other events or measures taken by third parties, the Processor must inform the Controller of this without delay. The Processor shall immediately inform all parties responsible in this context that sovereignty and ownership of the personal data lie exclusively with the Controller as the “controller” within the meaning of the GDPR.

17.2 The processing of personal data shall take place exclusively within the territory of the Federal Republic of Germany, in a Member State of the European Union or in another State party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Controller and may only take place if the specific conditions of Articles 44, 45 and 46 of the GDPR are met. Insofar as the processing is carried out by a third party named in Annex A, the Controller hereby grants its consent.

17.3 Any amendments or additions to this contract and all its components – including any representations made by the Processor – must be set out in writing and must expressly state that they constitute an amendment or addition to this contract. This also applies to any waiver of this formal requirement.

17.4 German law shall apply, with the exception of conflict of laws provisions.

17.5 The place of jurisdiction shall be that specified in the main contract, provided that it is located within the Federal Republic of Germany. Otherwise, the exclusive place of jurisdiction shall be the Processor’s registered office.

 

Appendix A to the Patient Information and Consent: List of subcontractors

1. ÜBAG Cardiologicum Hamburg GbR
2. Team Viewer Germany GmbH
3. Zoho Corporation GmbH
4. IONOS SE
5. Viakom GmbH
6. Microsoft Ireland Operations Ltd.

 

Date: 6 March 2026

1. Conclusion of the Contract and Contract Information

The presentation and advertising of services in the online shop do not constitute a binding offer to enter into a contract but rather serve to invite the purchaser to submit a binding offer to enter into a contract.

DPV will confirm receipt of the submitted order in writing. Such a confirmation does not yet constitute a binding acceptance of the order, unless it contains both the confirmation of receipt and a declaration of acceptance.

Upon conclusion of the contract, DPV will store the contractual provisions, including the Terms and Conditions, in compliance with data protection regulations, and will send it to the purchaser in the form of a web link to the email address provided after the purchaser submits their order. The purchaser must ensure that the email address provided for order processing is accurate so that emails from DPV can be received at this address. In particular, if using spam filters, the purchaser must ensure that all emails sent by DPV or by third parties commissioned by DPV to process the order can be delivered.

2. Scope of the Contract and Services to Be Provided

DPV evaluates ECG data—the service—recorded by so-called “smart devices” such as watches, scales, thermometers, etc., or by DPV’s own “myritmo” device. The evaluation is performed by medical technicians or physicians who are specially trained in the rhythmological analysis of data. The evaluation of ECG data does not constitute a medical service. The evaluation is not a medical diagnosis, but rather an initial assessment that does not replace the consultation of a physician. The evaluation is intended solely for informational purposes and is neither suitable nor intended for decision-making in acute situations nor for real-time monitoring of vital signs. Under no circumstances does the evaluation replace a personal medical diagnosis, consultation, care, or treatment by a physician.

3. Right of Withdrawal

The purchaser has the right to withdraw from this contract within fourteen days without giving any reason.

The withdrawal period is fourteen days from the date the contract is concluded.

To exercise the right of withdrawal, a clear statement must be submitted to DPV, e.g., by sending a letter via mail to DPV Analytics GmbH, Schloßstrasse 12, 22041 Hamburg, or via email to service@myritmo.de, clearly stating that the contract is being canceled. The sample cancellation form included in the order confirmation may be used for this purpose. If the right of withdrawal is exercised, a confirmation of receipt of the withdrawal will be sent immediately to the email address provided during the order process. To meet the withdrawal deadline, it is sufficient that the notification of the exercise of the right of withdrawal is sent to DPV before the withdrawal period expires.

Notice Regarding Cancellations, No-Shows, and the Right of Withdrawal for Teleconsultations

Purchasers have the right to withdraw from the booking of a teleconsultation within 14 days without giving a reason, in accordance with statutory provisions (Section 355 of the German Civil Code (BGB)), provided that the service has not yet been fully rendered.

The right of withdrawal expires prematurely if the teleconsultation has already been fully conducted within the withdrawal period at the express request of the purchaser and the purchaser has expressly agreed prior to the start of the service that the right of withdrawal thereby expires (Section 356(4) of the German Civil Code (BGB)).

Regardless of the statutory right of withdrawal, the following applies:

1. The agreed appointment may be canceled free of charge up to 24 hours before the start of the teleconsultation.
2. If the appointment is canceled less than 24 hours in advance or if the purchaser fails to show up (no-show), the fee already paid will not be refunded.
3. Rescheduling after the cancellation deadline is only possible in exceptional cases and by prior arrangement.

By booking an appointment, the purchaser expressly accepts these terms and conditions.

Note on Costs and Coverage by Health Insurance

Booking a teleconsultation is initially a self-pay service.

By booking an appointment, the purchaser agrees to bear the costs directly.

The costs for teleconsultations may be reimbursed in full or in part, depending on the individual health insurance provider and the type of service.

Since regulations may vary among statutory health insurance providers, DPV recommends that the purchaser check with their health insurance provider before booking to determine whether and to what extent coverage is available.

For privately insured individuals: Reimbursement is based on the client’s individual plan and the applicable fee schedules (e.g. German schedules of fees for physicians GOÄ).

Consequences of Withdrawal

If the purchaser withdraws from this contract, DPV must refund to the purchaser all payments received from the purchaser up to that point, including delivery costs (with the exception of any additional costs resulting from the purchaser’s choice of a delivery method other than the least expensive standard delivery offered by DPV), no later than fourteen days from the day on which DPV received notice of the withdrawal from this contract. For this refund, DPV will use the same payment method that the purchaser used for the original transaction, unless expressly agreed otherwise with the purchaser.

If the purchaser has requested that the services begin during the withdrawal period, the purchaser must reimburse DPV for the costs incurred by DPV up to that point in connection with the provision of the service. The purchaser must return or hand over the hardware provided to them (rental equipment including accessories) to DPV immediately and in any case no later than seven days from the day on which the purchaser notified DPV of the cancellation of this contract. The deadline is met if the purchaser sends the goods to DPV before the seven-day period expires.

Sample cancellation form
(If you wish to cancel the contract, please fill out this form and send it back.)

To
DPV Analytics GmbH, Schloßstrasse 12, 22041 Hamburg, service@myritmo.de– I/we (*) hereby withdraw from the contract concluded by me/us (*) for the purchase of the following goods (*)/the provision of the following service (*)
– Ordered on (*)/received on (*)
– Name of consumer(s)
– Address of consumer(s)
– Signature of consumer(s) (only for paper notifications)
– Date
__________
(*) Delete as applicable

 

4. Delivery, Ownership, Delivery Time, Delayed Delivery, Return of Goods

Loaned equipment and accessories – “hardware” – shall be shipped to the delivery address provided by the purchaser, unless otherwise agreed upon by the parties. The delivery address provided by the purchaser during the ordering process in the online store shall be deemed valid.

DPV retains ownership of the provided hardware at all times. The hardware provided to the purchaser on loan is intended for one-time, temporary use.

The purchaser must begin wearing the hardware within 5 days of delivery. The wearing period lasts for a maximum of 72 hours, unless otherwise agreed in the offer. Upon completion of the wearing period, the purchaser must return the hardware in full and undamaged within 3 days. The date of handover to the shipping carrier is decisive. A return label is included with the delivery, which the purchaser must use; in this case, DPV bears the costs of the return shipment. If the purchaser chooses a return method other than the free DPV return procedure, they must bear the costs themselves.

If the hardware is not returned to DPV within the specified time, it is considered lost. In such a case, DPV is entitled to demand compensation from the purchaser for the resulting damage in accordance with statutory provisions. Notwithstanding the above, the return is in any case considered late if the hardware is not delivered to DPV within 14 days. The purchaser will be billed for the lost hardware in the amount of its current replacement value.

5. Shipping Damage and Default of Acceptance

If hardware arrives with obvious shipping damage, the purchaser is requested to immediately report the damage to the delivery carrier and contact DPV without delay. The purchaser must handle the hardware with care and strictly in accordance with the instructions. Transfer to third parties is prohibited.

6. Prices, Shipping Costs, and Payment Terms

Unless otherwise stated in the offer, the prices listed are total prices. The total prices are quoted in EURO and are gross prices, including the statutory value-added tax applicable on the date of invoicing, plus any applicable delivery and shipping costs. The amount of any applicable delivery and shipping costs is specified separately in the respective service descriptions.

The purchaser may make payment using the payment methods available at that time.

To complete the payment, the purchaser will be redirected to the corresponding pages to enter payment details. Payment is processed automatically via one of the payment service providers connected at that time.

7. Liability for Defects

DPV is liable for defects in accordance with statutory provisions.

8. Liability for Damages

In the event of a breach of duties due to slight negligence, the fulfilment of which is essential for the proper performance of the contract and on the observance of which the contracting party may regularly rely (cardinal duties), liability is limited to foreseeable damages typical for this type of contract. Otherwise, DPV’s liability is excluded.

The purchaser is liable for damage to the hardware that exceeds normal, contractual use. DPV may demand that the purchaser cover the repair costs to the extent that the purchaser is responsible for them. If a repair is not economically feasible, DPV may demand compensation in the amount of the replacement value, i.e., €700. In the event of loss or theft of the hardware, DPV may demand compensation in the amount of the replacement value of €700, provided the purchaser is responsible for the loss or theft. The purchaser must report loss or theft immediately and, to the extent reasonable, cooperate in the investigation.

9. Data Protection

DPV collects and stores the purchaser’s data necessary for processing the order. When processing the customer’s personal data, DPV complies with applicable legal provisions. DPV is authorized to transfer this data to third parties commissioned to fulfil the order, to the extent necessary to fulfil the contract. Further details are provided in the privacy policy. Upon request, the purchaser may at any time obtain information regarding the data stored about them.

10. Purchaser Service

Purchaser service is available on weekdays from 9:00 a.m. to 4:00 p.m. by phone at +49 40 350313-31 or by email at service@myritmo.de.

Appendix: Patient information and consent

DPV is a company founded by doctors. Below, we explain what happens to your ECG data and what rights you have in this regard.

The ECG data collected via the ‘recorder’ attached to the skin is fed directly into DPV’s CE-certified IT system via a USB interface and analysed diagnostically by DPV. All DPV employees are bound by a duty of confidentiality and are instructed accordingly. DPV uses ECG data in pseudonymised and anonymised form as part of its own research to develop and improve its services. We store the ECG data as medical records for a period of ten (10) years, unless a longer statutory retention period applies.

You may have rights in relation to your data pursuant to Article 15 (right of access), Article 16 (right to rectification), Article 17 (right to erasure), Article 18 (right to restriction of processing), Article 20 (right to data portability), Article 21 (right to object) and Article 77 (right to lodge a complaint with a supervisory authority) of the EU General Data Protection Regulation (GDPR).

I hereby consent to the processing of health data in the context of the analysis of my ECG data. I may withdraw my consent at any time.

Appendix: Data Processing Agreement