Privacy policy

Last updated: May 2026

Within ("we", "us", "our") operates this store and website, including all related information, content, features, tools, products and services, in order to provide you, the customer, with a curated shopping experience and specialized healthcare services (the "Services"). The Within website is powered by Shopify, which enables us to provide the Services to you.

This Privacy Policy describes how we collect, use, and disclose your personal information when you visit, use, or make a purchase or other transaction using the Services, book a session, or otherwise communicate with us. If there is a conflict between our Terms of Service and this Privacy Policy, this Privacy Policy controls with respect to the collection, processing, and disclosure of your personal information.

Please read this Privacy Policy carefully. By using and accessing any of the Services, you acknowledge that you have read this Privacy Policy and understand the collection, use, and disclosure of your information as described in this Privacy Policy.

For the purpose of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), we are the data controller of your personal information.

1. Data Controller & Contact Information

The responsible party and data controller for data processing on this website is:

Within Female Health
Astruga & Múgica GbR
Naunynstraße 62, 10997 Berlin, Germany
Email: hello@withinfemalehealth.com

2. Processing of Sensitive Health Data (Art. 9 GDPR)

As a provider of sectoral healthcare practitioner services for physiotherapy (sektorale Heilpraktikerleistung für Physiotherapie), we process special categories of personal data—specifically, your health data (e.g., medical history, symptoms, pregnancy details, and physical limitations provided in the anamnesis form or during consultations).

  • Legal Basis: The processing of your health data is strictly based on Art. 9(2)(h) GDPR in conjunction with § 22(1)(1)(b) of the German Federal Data Protection Act (BDSG), as it is necessary for the purposes of preventive medicine, medical diagnosis, and the provision of health or social care or treatment.
  • Professional Confidentiality: All medical and health-related data is treated under strict statutory therapeutic confidentiality pursuant to § 203 of the German Criminal Code (StGB). Your health data will never be shared with third parties (such as doctors or insurance companies) without your explicit, separate written consent, unless required by a statutory legal obligation.

3. Personal Information We Collect or Process

When we use the term "personal information," we are referring to information that identifies or can reasonably be linked to you or another person. Personal information does not include data that is collected anonymously or that has been de-identified.

Depending on how you interact with the Services, we may collect or process the following categories of personal information:

  • Contact details: including your name, billing address, shipping address, phone number, and email address.
  • Financial information: including credit card, debit card, financial account numbers, payment confirmation, and other payment details.
  • Health and Medical Information: including answers to your anamnesis questionnaire, current physical symptoms, contraindications, and clinical treatment notes.
  • Account information: including your username, password, security questions, and settings.
  • Transaction information: including the items/services you view, put in your cart, purchase, or cancel, and your past transaction history.
  • Communications with us: including the information you include when sending a support inquiry, email, or filling out forms.
  • Device and Usage information: including information about your device, browser, network connection, IP address, and how/when you navigate the Services.

4. Personal Information Sources & Third-Party Tools

We collect personal information directly from you, automatically through cookies, and through integrated service providers that enable our digital workflow. We have concluded Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR with all relevant technical tool providers to ensure a high level of data protection.

A. Shopify (E-Commerce Platform)

Our store is hosted by Shopify International Limited (Ireland). Shopify collects and processes your contact details, financial information, and transaction data to process payments, fulfill orders, and manage the checkout.

  • Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract).

B. Appointo (Appointment Booking)

We use the Appointo application (integrated natively into our Shopify store) to manage appointment scheduling. When you choose a time slot, Appointo collects your name, email address, and booking details to reserve the session.

  • Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract).

C. Google Workspace (Google Meet, Google Forms, Drive & Gmail)

We use Google Workspace, operated by Google Ireland Limited, to conduct and document our healthcare services:

  • Google Meet: Telemedicine video consultations are conducted securely via Google Meet. Sound and video signals are transmitted live. To protect your privacy and personal rights, sessions are explicitly NOT recorded (no audio/video recordings or screenshots). Legal Basis: Art. 6(1)(b) GDPR & Art. 9(2)(h) GDPR.
  • Google Forms: Your health assessment/anamnesis questionnaire is collected securely via Google Forms. Your responses flow directly into a secure Google Sheet within our encrypted Workspace. Legal Basis: Art. 9(2)(h) GDPR.
  • Google Drive & Gmail: Your clinical patient files and our email communications are securely stored on Google Cloud servers. Google is certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection.

5. How We Use Your Personal Information

We use your personal information for the following distinct purposes:

  • Providing and Tailoring the Services: To perform our contract with you, process payments, schedule and conduct your physiotherapeutic online sessions, and manage your account.
  • Marketing and Advertising: To send promotional communications by email (only if you have opted in) and to display tailored online advertisements based on your activity on our store.
  • Security and Fraud Prevention: To authenticate your account, provide a secure payment experience, and detect or investigate fraudulent, unsafe, or malicious activity.
  • Communicating with You: To provide customer support, respond to inquiries, and maintain our professional relationship.
  • Legal Compliance: To comply with applicable financial, tax, or medical laws, or respond to valid legal processes.

6. How We Disclose Personal Information

In certain circumstances, we may disclose your personal information to third parties for legitimate purposes, including:

  • With Shopify and vendors who perform technical services on our behalf (IT management, payment processing, data analytics, cloud storage).
  • With business and marketing partners to show you targeted advertisements (subject to your privacy choices and regional residency rules).
  • When you explicitly direct, request, or consent to our disclosure to a third party.
  • In connection with a business transaction (such as a merger), or to comply with mandatory legal obligations or protect our legal rights.

7. Security and Retention of Your Information

Please be aware that no security measures are perfect or impenetrable, and we cannot guarantee "perfect security." Any information you send to us may not be secure while in transit; we recommend against using unsecured channels to communicate highly sensitive medical information.

Specific Medical Retention Periods

How long we retain your data depends on its nature:

  • General Store Data: General account or purchase data is stored as long as necessary to maintain your account or provide the Services.
  • Patient Files and Health Data: Pursuant to the German Patients' Rights Act (§ 630f of the German Civil Code - BGB), we are legally mandated to retain all medical documentation, anamnesis forms, and clinical notes for a minimum period of 10 years after the completion of the treatment. This health data cannot be deleted prematurely, even upon a deletion request.

8. International Data Transfers

We may transfer, store, and process your personal information outside the country you live in, including the United States. If we transfer your personal information out of the European Economic Area (EEA) or the United Kingdom, we rely on recognized transfer mechanisms like the European Commission's Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, unless the destination country has been officially determined to provide an adequate level of data protection.

9. Your Rights and Choices

If you reside in the UK or the European Economic Area (EEA), you have the following rights under the GDPR:

  • Right to Access / Know (Art. 15 GDPR): You have the right to request a copy of the personal and medical data we hold about you.
  • Right to Correct (Art. 16 GDPR): You have the right to request that we correct inaccurate or incomplete personal information.
  • Right to Delete / Erasure (Art. 17 GDPR): You have the right to request deletion of your data, except where statutory medical retention laws (the 10-year requirement under § 630f BGB) legally obligate us to keep it.
  • Right to Restrict or Object to Processing (Art. 18 & 21 GDPR): You have the right to ask us to stop or restrict our processing of data under certain conditions.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, machine-readable format.
  • Withdrawal of Consent: Where we rely on your consent to process data, you have the right to withdraw it at any time without affecting the lawfulness of processing prior to its withdrawal.

To exercise any of these rights, please contact us at hello@withinfemalehealth.com. We will not discriminate against you for exercising your privacy rights. We may require identity verification before processing your request.

10. Complaints

If you have a complaint about how we process your personal information, please contact us directly. If you reside in the EEA or UK and believe our data processing violates data protection laws, you have the right to lodge a formal complaint with your local data protection supervisory authority.

For Germany, you can contact the respective state data protection commissioner (e.g., Berliner Beauftragte für Datenschutz und Informationsfreiheit).

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our operational, technical, or legal practices. We will post the revised policy on our website and update the "Last updated" date at the top.