Privacy Policy
1. Controller
Nutri-Medix Ltd
86 Main Street, St Julian’s STJ 1015, Malta
Email: info@nutri-medix.com
Represented by the Director and Medical Director: Shari Katharina Münstermann
Registered in the Malta Business Registry (C113146)
Responsible within the meaning of the General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Cap. 586).
A Data Protection Officer has not been appointed as this is not legally required.
For any questions about data protection, please contact us using the details above.
2. General Information on Data Processing
We process personal data only to the extent necessary to provide our website, tele-medical services, and nutrition or supplement consultations.
Processing is carried out in accordance with the principles of lawfulness, transparency and data minimisation (Art. 5 GDPR) on the following legal bases:
- Art. 6 (1)(b) GDPR – performance of a contract
- Art. 6 (1)(a) GDPR – consent
- Art. 6 (1)(f) GDPR – legitimate interest (e.g. secure IT operation)
- Art. 9 (2)(h) GDPR – processing of special categories of data for medical purposes
- Art. 9 (3) GDPR – processing by or under the responsibility of a health professional
Our services are intended for adults only.
3. Categories of Data Processed
- General data: name, email address, billing address, payment information
- Usage data: IP address, browser type, operating system, access time, cookies, server log files
- Health data (special category): information on weight, nutrition, lifestyle, medication use, laboratory values
- Communication data: information from contact forms, tele-medical sessions, messengers or emails
Video or audio recordings are not created or stored during tele-medical consultations.
4. Purposes of Processing
- Booking and management of tele-medical appointments
- Medical consultation, diagnosis and prescription issuance
- Creation of individual nutrition and supplement plans
- Billing of our services
- Communication with patients
- Improvement of our website and services (statistics, security, marketing only with consent)
- Optional information or newsletter distribution (only with consent)
Processing of special categories of data is carried out solely by medical doctors or under their responsibility.
5. Storage Period
Personal data is stored only as long as necessary for the respective purpose or as required by law:
- Health records: at least 10 years under Maltese law (Health Records Regulations, S.L. 528.58)
- Contract and billing data: 10 years (tax retention)
- Communication and usage data: usually 6 months
- Server log files: usually 14 days, up to 6 months if needed for security
After the legal retention periods expire, data is securely deleted or anonymised.
6. Data Disclosure
Data is shared only if necessary for service provision or based on your consent. Possible recipients include:
- Tele-medicine platforms (details provided in the patient agreement)
- Pharmacies (for prescription transmission)
- Laboratories (for blood tests)
- Payment providers (e.g. Stripe, PayPal, Revolut Business)
- Hosting and IT providers (website hosted via Wix, domain via IONOS, servers within the EU)
All service providers are bound by data-processing agreements pursuant to Art. 28 GDPR.
Data transfers outside the EU take place only in accordance with Art. 44 et seq. GDPR.
7. Data Transfers to Third Countries
Personal data is transferred to third countries (e.g. the USA) only if appropriate safeguards exist, such as:
- EU Commission Standard Contractual Clauses,
- an EU adequacy decision, or
- your explicit consent.
Example: use of analytics or marketing tools (Google, Meta).
Remote Access from Third Countries
For organisational reasons, occasional remote access to personal data may occur from locations outside the European Union. All data is processed exclusively on EU-based servers; no transfer or local storage in third countries takes place. Access is performed solely through encrypted connections (VPN, two-factor authentication) and complies with the requirements of the GDPR and the Maltese Data Protection Act (Cap. 586).
8. Cookies and Tracking
Our website uses cookies.
- Essential cookies: technically necessary for functionality
- Statistics and marketing cookies: used only with your consent (which can be withdrawn at any time via the cookie banner)
Processing is carried out in accordance with the ePrivacy Directive 2002/58/EC, implemented in Malta through the Electronic Communications Regulations (S.L. 586.09).
Further details are provided in our cookie policy via the cookie banner.
9. Social Media
We operate public profiles on social networks (e.g. Instagram, Facebook).
When visiting these profiles, the privacy policies of the respective platform apply.
We process data when you interact with us via our social media pages (e.g. comments, messages).
Processing is based on Art. 6 (1)(f) GDPR (our legitimate interest in public communication) or your consent (Art. 6 (1)(a) GDPR).
We have no control over data processing by the platform providers.
10. Data Subject Rights
You have the following rights at any time:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure (“right to be forgotten”, Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent (Art. 7 (3) GDPR)
11. Right to Complain
You have the right to lodge a complaint with a supervisory authority.
The competent authority for us is:
Office of the Information and Data Protection Commissioner (IDPC)
Level 2, Airways House, High Street, Sliema SLM 1549, Malta
Website: https://idpc.org.mt
You may also contact any other data protection authority within the EU.
12. Security
We implement technical and organisational measures to protect your data, including:
- TLS/SSL encryption
- Access restrictions
- Two-factor authentication
- Storage on EU servers (IONOS, Berlin)
No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.
All medical decisions are made exclusively through professional assessment during tele-medical consultations.
13. Changes
We reserve the right to update this Privacy Policy in line with changes to our services or legal requirements.
The current version is always available on our website.
Significant changes will be clearly indicated.