
Privacy Policy

(Status of review: April 27, 2025) This updated version replaces all previous versions. In the event of discrepancies between the German and English versions, the German version shall prevail.

1. Responsible body

A data protection officer is not required for our company in accordance with Art. 37 GDPR and has therefore not been appointed. The controller responsible for data processing is:

Lab E GmbH
Carola Epple
Kupfergasse 4/1
73728 Esslingen
E-Mail: [email protected]
Telephone: +49 (711) 9533 8642

2. Visiting the website and server log files

When you visit our website, the following data is automatically collected and stored in server log files:

  • IP address of the requesting device
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which the access is made (referrer URL)
  • Browser type and version
  • Operating system and name of the internet provider

This data will be deleted as soon as your request has been fully processed and there are no legal obligations to retain it, usually after three months.

Purpose of the processing:

  • Ensuring a smooth connection to the website
  • Ensuring a comfortable use of our website
  • Evaluation of system security and stability
  • Administrative purposes

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

3. Cookies and tracking technologies

We use cookies and similar technologies on our website.

3.1 Technically necessary cookies

These cookies are essential for the basic functions of the website (e.g. session management, navigation) and are used without your consent.

Legal basis: Art. 6 para. 1 lit. f GDPR and § 25 para. 2 no. 2 TTDSG (no consent required).

3.2 Optional cookies

We only use optional cookies (e.g. for analytics or marketing) with your prior consent, which you give via our cookie banner.

Legal basis: Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG (consent).

Our website uses a GDPR-compliant cookie manager. You can use this to change your cookie settings at any time or revoke any consent you have already given (opt-out).

The following cookies are used: (name - type - provider/domain - purpose - storage duration - category)

  • PHPSESSID - Session cookie - First-party provider - Saves session ID, necessary for login and shopping cart - until end of session - Essential
  • _ga - Persistent cookie - First-party provider (Google) - Google Analytics: Differentiation of visitors - 2 years - Statistics/analysis
  • _gid - Persistent cookie - First party (Google) - Google Analytics: Distinction of visitors - 1 day - Statistics/Analysis
  • _gat - Persistent cookie - First-party provider (Google) - Google Analytics: Throttling the request rate - 1 minute - Statistics/Analysis
  • _fbp - Persistent cookie - Third party (Facebook) - Used by Facebook for advertising and tracking purposes - 90 days - Marketing
  • CONSENT - Persistent cookie - Third-party provider (Google) - Saves the user's consent settings - approx. 16 years - Functionality
  • _uetsid - Persistent cookie - Third party (Microsoft/Bing) - Tracking of users for advertising purposes - 1 day - Marketing
  • _uetvid - Persistent cookie - Third party (Microsoft/Bing) - Tracking of users for advertising purposes - 1 year - Marketing
  • __cf_bm - Session cookie - Third-party provider (Cloudflare) - Protection against bots and abuse - 30 minutes - Security
  • vuid - Persistent cookie - Third party (Vimeo) - Stores user data for embedded Vimeo videos - 2 years - Functionality
  • YSC - Session cookie - Third-party provider (YouTube) - Stores a unique ID for embedded YouTube videos - until the end of the session - Functionality
  • __atuvc - Persistent cookie - Third-party provider (AddThis) - Social sharing: Counts how often content is shared - 13 months - Marketing
  • session_id - Session cookie - First-party provider (Odoo) - Management of the user session (login, shopping cart) - until the end of the session - Essential
  • frontend_lang - Session cookie - First-party provider (Odoo) - Saves the language selected by the user - until the end of the session - Functionality
  • visitor_uuid - Persistent cookie - First party (Odoo) - Identifies returning visitors - up to 1 year - Statistics/Analysis
  • odoo_utm_source - Persistent cookie - First-party (Odoo) - Stores UTM parameters for campaign tracking (source) - up to 1 year - Marketing/Analytics
  • odoo_utm_medium - Persistent cookie - First-party (Odoo) - Stores UTM parameters for campaign tracking (Medium) - up to 1 year - Marketing/Analytics
  • odoo_utm_campaign - Persistent cookie - First-party (Odoo) - Stores UTM parameters for campaign tracking (campaign) - up to 1 year - Marketing/Analytics

4. Contacting us

If you contact us by e-mail or via a contact form, we will process the personal data you provide (e.g. name, e-mail address, content of the message) in order to process and respond to your request. This data will be deleted after your request has been processed, provided there are no legal obligations to retain it.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment or pre-contractual measures).

5. Newsletter

When you register for our newsletter, we use the double opt-in procedure. This means that you will first receive a confirmation e-mail to verify your registration. We log the registration, the confirmation, the IP address used and the time stamp in order to be able to prove consent. When sending our newsletter via the Odoo newsletter tool, the opening and clicking behavior is recorded anonymously. It is recorded whether and when a newsletter was opened and which links were clicked on within the email. This information is used exclusively for statistical analysis and to optimize future newsletters.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

You can unsubscribe from the newsletter at any time via the unsubscribe link contained in every newsletter e-mail or by contacting us directly. The data collected for sending the newsletter will be stored until you unsubscribe. Proof of your consent (log data) will be stored for 3 years after unsubscribing in order to be able to prove the consent previously given.

6. Integration of third-party services

6.1 Google Analytics

We use Google Analytics (with IP anonymization) to analyse website usage. The personal data collected (e.g. online identifiers such as cookie IDs, shortened IP address, usage data such as page views, length of stay, click behavior, technical information about the browser/end device, approximate location data) are generally stored by Google for 14 months and then deleted.

Purpose of processing: Analysis of user behavior on our website, creation of reports on website activities, optimization of our offer and measurement of the success of marketing campaigns.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent via the cookie banner).

Storage period: 14 months. Further information on data processing by Google can be found here: Google Analytics - Data protection.

6.2 Google reCAPTCHA

Our website uses Google reCAPTCHA to protect the input forms from spam and misuse by bots. When reCAPTCHA is used, the following data is transmitted to Google: IP address, referrer URL, information about the operating system and browser used, language settings, screen resolution, date and time of access as well as mouse movements and keystrokes on our website. If you are logged in to Google, your Google account may also be taken into account.

Purpose of processing: To protect our website from abusive automated use (bots, spam) and to ensure the integrity of our online services.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the security of our website) and § 25 para. 2 TTDSG for the use of technically necessary cookies.

Storage period: The cookies set by reCAPTCHA are generally stored for 6 months. Log data is deleted after approx. 9 months. Further information can be found in Google's privacy policy: Google Privacy Policy.

6.3 YouTube videos

Our website integrates videos via the YouTube platform. Personal data is processed when a YouTube video is played. This includes: IP address, device and browser information, referrer URL, date and time of access and your user behavior in connection with the video (e.g. start, pause, playback duration). If you are logged in to YouTube or Google, your account data (e.g. name, e-mail address) can also be assigned. YouTube uses cookies to identify users, analyze usage behavior and measure reach.

Purpose of processing: Playback of videos, analysis and improvement of our offer and display of personalized advertising by YouTube.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent given via our cookie banner).

Storage period: Depending on the type, YouTube cookies are stored either only for the duration of the session, for up to 8 months or in some cases for up to 2 years. Other data is only stored for as long as is necessary for the stated purposes or until you delete the data.

6.4 Vimeo videos

We also embed videos via the Vimeo platform. If a Vimeo video is played on our website, Vimeo processes the following data: IP address, device and browser information, operating system, referrer URL, date and time of access and your interaction behavior with the video. If you are logged in to Vimeo, your account data (e.g. name, e-mail address) may also be collected. Vimeo uses cookies to identify users and analyze their usage behavior.

Purpose of processing: Provision and playback of the videos, analysis and improvement of the service as well as targeted advertising by Vimeo.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

Storage period: Vimeo cookies are generally stored for up to 2 years, some third-party cookies for up to 3 months. All other data is only stored for as long as is necessary to fulfill the stated purposes or until you request deletion.

6.5 Odoo (newsletter, appointment booking, store)

We use the Odoo platform to send our newsletter, book appointments online and for our online store. The following data is processed depending on use:

  • Newsletter: e-mail address and, if applicable, name and voluntary information
  • Appointment booking/purchase: first and last name, address, telephone number, e-mail address, payment information (e.g. bank details; credit card details are not stored on our system), booking/order details (e.g. selected appointment, product, quantity)
  • Technical information: IP address, browser type, device type

Purpose of processing: Processing of newsletter distribution, appointment scheduling and orders. This includes the administration of subscriptions, communication with customers, appointment and order confirmations, payment processing, the delivery of goods or services and the analysis and improvement of our offer.

Legal basis: When sending newsletters, your consent pursuant to Art. 6 para. 1 lit. a GDPR; for appointment bookings and purchases, the fulfillment of the contract pursuant to Art. 6 para. 1 lit. b GDPR and the fulfillment of legal obligations (e.g. retention obligations) pursuant to Art. 6 para. 1 lit. c GDPR.

Storage period: Personal data is only stored for as long as is necessary for the respective purposes. Newsletter data will be stored until you unsubscribe. We store data from appointment bookings and purchase transactions for at least the duration of the statutory retention periods under commercial and tax law (usually 6 to 10 years) and then delete or anonymize them. Further information on data protection at Odoo can be found at Odoo Privacy Policy.

6.6 Social media plug-ins (LinkedIn, Facebook, Instagram)

Social media plug-ins from the LinkedIn, Facebook and Instagram networks are integrated on our website. These plug-ins are only activated after you have given your consent (opt-in via the cookie banner). As soon as they are active, personal data (such as your IP address and information about your user behavior on our site) is transferred to the respective provider. This may include a transfer to the USA.

Data is only transferred if you activate the plug-in:

  • LinkedIn: When you visit a page with an active LinkedIn plugin, a connection to LinkedIn is established. Your IP address and possibly other usage data will be transmitted to LinkedIn. Details can be found in LinkedIn's privacy policy.
  • Facebook: If a Facebook plugin (e.g. the "Like" button) is active, data such as your IP address, browser information and your usage behavior may be transmitted to Facebook and cookies may be set by Facebook after you have given your consent. Details can be found in Facebook's privacy policy.
  • Instagram: If the Instagram plugin is activated, a connection to Instagram servers is established. Personal data (e.g. IP address, usage data) is transmitted to Instagram. If you are logged in to Instagram, your visit can be assigned to your user account. Details can be found in Instagram's privacy policy.

Legal basis: Your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by changing the corresponding cookie settings.

6.7 Hosting by Amazon Web Services (AWS)

Our website is hosted by Amazon Web Services (AWS). The server locations are in Frankfurt am Main, Germany. This means that data processing takes place within the EU. (We have concluded an order processing contract with AWS in accordance with Art. 28 GDPR to ensure the protection of your data).

6.8 Zoom (webinars with certificate)

We use "Zoom" (provider: Zoom Video Communications, Inc.) to conduct webinars with a certificate of participation. Depending on use, the following data is processed from the participants:

  • Name and e-mail address (to identify the participants)
  • Metadata (e.g. IP address, device information, timestamp)
  • Content data (such as chat posts, survey responses or shared screen content, in each case only with appropriate consent)
  • Recording data (if the webinar is recorded - only with express consent in accordance with Art. 6 para. 1 lit. a GDPR)
  • Participation statistics (e.g. duration of participation) for issuing certificates of participation

Purpose of processing: Conducting the webinar and proof of participation for the creation of certificates (fulfillment of contract, Art. 6 para. 1 lit. b GDPR) and fulfillment of professional documentation obligations (§ 15 FAO).

Storage period: Participant lists are stored for 3 years; webinar recordings (if conducted) are stored for a maximum of 12 months.

Security measures: Zoom uses end-to-end encryption (if enabled), password protection for meetings and access restrictions for recordings to ensure confidentiality.

Third country transfer: Data may be processed in data centers in the USA. Zoom guarantees an adequate level of data protection by concluding EU standard contractual clauses.

6.9 PayPal (payment service provider)

For payments via "PayPal" (provider: PayPal (Europe) S.à r.l. et Cie, S.C.A.), the following data is transmitted to PayPal:

  • Order data (items purchased, amount, currency)
  • Contact information (name, billing address)
  • Transaction identifier (transaction ID) for processing

Legal basis: Art. 6 para. 1 lit. b GDPR (contract processing).

Special features: PayPal is PCI-DSS Level 1 certified (highest security standard for payment service providers).

Third country transfer: The data is transferred to PayPal Inc. in the USA, whereby PayPal is certified in accordance with the EU-US Data Privacy Framework.

Storage period: Payment-related data is stored for 10 years due to legal requirements (e.g. Section 147 of the German Fiscal Code).

6.10 Stripe (payment processing)

If you pay by credit card, payment is processed via "Stripe" (provider: Stripe Payments Europe Ltd.). The following data is processed as required:

  • Credit card information (in tokenized form; no plain text of the card data is stored by us)
  • Device information/fingerprints (for fraud prevention)
  • KYC data (Know-Your-Customer data) for corporate customers

Legal basis: Art. 6 para. 1 lit. b GDPR (contract processing) and Art. 6 para. 1 lit. f GDPR (legitimate interest in fraud prevention).

Security measures: Among other things, Stripe uses the 3D-Secure 2.0 process and fulfills the requirements of strong customer authentication (PSD2). In addition, Stripe pursues a data minimization strategy (e.g. no storage of CVV codes).

Third country transfer: Data may be transferred to Stripe, Inc. in the USA. Stripe ensures data protection through EU standard contractual clauses and binding internal data protection rules (Binding Corporate Rules).

Storage period: Payment data is stored for up to 10 years in accordance with the statutory retention periods (e.g. § 147 AO).

6.11 Auth0 (user authentication)

We use the Auth0 service (provider: Okta, Inc.) to register and log in to our website. We also offer login via identity providers (e.g. Google, Apple, Microsoft) via Auth0. The following data is processed:

  • Data from the selected identity provider (e.g. the basic profile data stored with Google/Apple/Microsoft)
  • Log data for multi-factor authentication (if activated)
  • Device-related biometric data (when using biometric login methods on mobile devices)

Purpose of processing: To provide secure and convenient user authentication.

Legal basis: Art. 6 para. 1 lit. b GDPR (implementation of the user login and contractual relationship for the user account) and Art. 6 para. 1 lit. f GDPR (legitimate interest in securing our systems).

Storage period: This data is generally stored by us for up to 6 months after termination of the user relationship (e.g. deletion of the user account) and then deleted.

6.12 UserBack (feedback tool)

We use the UserBack tool to give users the opportunity to provide direct feedback on our website (e.g. through comments and screenshot markers). If you use UserBack to submit feedback, the following data will be transmitted to UserBack:

  • Your feedback content (text comment and, if applicable, screenshot of the current page)
  • Technical information at the time of the feedback (browser type, operating system, screen resolution, time of the feedback)
  • Any contact details you have voluntarily provided (e.g. e-mail address if you wish to receive feedback)

Purpose of processing: To improve our website and our offering by evaluating user feedback and identifying and correcting errors.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the optimization of our website and the user experience).

Storage period: Feedback data is stored for as long as is necessary to evaluate and implement the feedback. It is then deleted or anonymized.

Third country transfer: UserBack is based in Australia. We have agreed EU standard contractual clauses with UserBack to ensure an adequate level of data protection, as there is no EU adequacy decision for Australia.

7. Processors (partner companies)

We use external partner companies that process data on our behalf. An order processing contract has been concluded with all partners in accordance with Art. 28 GDPR.

7.1 Maptara GmbH

Tasks (on our behalf):

  • Hosting of the webshop
  • Operation of the online booking system
  • Maintenance of the website infrastructure (CMS)

Processed data:

  • Order data and history
  • Inventory data (product stocks etc.)
  • Website usage metrics (e.g. page views, click behavior)

Contractual basis: Data processing agreement in accordance with Art. 28 GDPR; regular (monthly) compliance audits to review data security.

7.2 VR Expert GmbH

Tasks (on our behalf):

  • Logistics and shipping processing for VR glasses
  • Processing of warranty and repair cases
  • Service and RMA processes (returns management)

Processed/transmitted data:

  • Delivery addresses of customers
  • Device serial numbers of the VR glasses supplied
  • Usage statistics (aggregated or anonymized)

Contractual basis: Data processing agreement in accordance with Art. 28 GDPR; monthly compliance audits to monitor data protection measures.

8. International data transfers

When using the above-mentioned services, personal data may be transferred to third countries (countries outside the EU/EEA). In such cases, we ensure that an adequate level of data protection is guaranteed, e.g. through an adequacy decision by the EU Commission or the conclusion of standard contractual clauses. The following overview shows the recipient countries and protection mechanisms for the most important international data transfers:

(Service - Recipient country - Protection mechanism)

  • Google (Analytics, reCAPTCHA, YouTube) - USA - EU-US Data Privacy Framework (certified)
  • Zoom - USA - EU standard contractual clauses
  • PayPal - USA - EU-US Data Privacy Framework (certified)
  • Stripe - USA - Standard contractual clauses + Binding Corporate Rules
  • Auth0 - USA - EU-US Data Privacy Framework (certified)
  • Meta (Facebook, Instagram) - USA - EU-US Data Privacy Framework (certified)
  • LinkedIn - USA - EU standard contractual clauses
  • Vimeo - USA - EU standard contractual clauses
  • UserBack - Australia - EU standard contractual clauses

We have concluded contracts in accordance with Art. 28 GDPR with all of the external service providers mentioned who work for us as processors. If these providers process data outside the EU/EEA, this is done exclusively using the aforementioned security mechanisms (in particular EU standard contractual clauses) to ensure an adequate level of data protection.

9. No automated decisions in individual cases (no profiling)

Our company does not make any decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affect you (see Art. 22 GDPR).

Should we use procedures in the future that involve profiling or automated decisions in this sense, we will inform you of this in advance and ensure that all legally prescribed measures are taken to protect your rights. In particular, in such a case you have the right not to be subject to such a decision in accordance with Art. 22 GDPR and Section 37 BDSG. You could then request a review of the decision by a person at any time, present your own point of view and contest the automated decision.

10. Your rights as a data subject

As a data subject, you have the following rights:

  • Right to information (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7 (3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Please note that we can only provide certain information in pseudonymized form (e.g. by means of a transaction ID) in the case of requests for information on payment data (PayPal, Stripe). Complete deletion of such payment data can only take place after the statutory retention periods have expired (e.g. after 10 years in accordance with Section 257 HGB).

Note for webinar certificates: Any claims for correction of certificate data must be made within 14 days of the event. Please also note that the deletion of your webinar participation data will result in the loss of your participation certificate, as we will then no longer be able to provide proof of your participation.

You also have the right to contact a supervisory authority if you have a data protection complaint. In Germany, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is responsible for this in particular:

The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Graurheindorfer Str. 153, 53117 Bonn

Website: https://www.bfdi.bund.de

11. Data security

We use technical and organizational security measures in accordance with Art. 32 GDPR to protect your personal data from loss, misuse, unauthorized access or disclosure. This includes in particular the transmission of your data via an encrypted connection (SSL/TLS, recognizable by "https://" in the URL).

Our security measures include the encryption and pseudonymization of personal data, regular security checks of our IT systems, data protection training for our employees and strict access restrictions. We also have emergency and recovery plans in place so that we can react appropriately in the event of security incidents.

12. Changes to this privacy policy

We reserve the right to update this Privacy Policy as necessary to reflect legal changes or improvements to our services. The current version is available on this website. In the event of significant changes (in particular with regard to the purposes of processing or the categories of data processed), we will notify you on the website.

You will find the date of the last update at the end of the privacy policy. All changes come into force with the publication of the new privacy policy.

13. Contact

If you have any questions about this privacy policy or the processing of your personal data by us, you can contact us at any time:

Lab E GmbH 
Kupfergasse 4/1 
73728 Esslingen
E-Mail: [email protected]
Telephone: +49 (711) 9533 8642


Privacy Policy for the VT VR App of the VT System

(Status: May 5, 2025)

1. Responsible body

Lab E GmbH
Kupfergasse 4/1
73728 Esslingen
Germany

E-Mail: [email protected]

2. General Information on Data Processing in the VR App

Our VR application "VT VR App" is available on the Pico Store for businesses and the Meta Quest platform, and is designed to provide therapeutically supportive VR experiences. We place the highest value on protecting your privacy and only collect the technically necessary, non-sensitive data required for operation.

3. What data does the app process?

The app temporarily processes the following data:

  • Email address as username:
    Used to access your account and the associated content (purchased VR content) through a secure API. This information is cached locally on the device and not stored permanently.
  • Own Content (licensed VR videos):
    Your selection is loaded only for functionality within the app. There is no permanent storage or transmission to servers or third parties.

4. No sharing, no storage on servers

  • No personal data is transmitted to or stored on servers.
  • No sharing with third parties will occur.
  • No cloud services, external databases, or servers are used for processing or storage.

5. No analysis, tracking, or advertising technologies

Our app does not use analytics tools, user tracking, advertising, profiling, or cookies.

6. Storage duration

The temporarily cached information (e.g., username) is stored exclusively locally and only for the duration of use. When closing or restarting the app, this data may be overwritten or deleted. There is no permanent storage.

7. Your Rights

As no personal data are stored or processed, your rights under the GDPR (e.g., the right to access, rectification, or deletion) are generally not affected. If you have any questions, you can contact us at any time.

8. Contact for Data Protection Inquiries

For any concerns regarding data protection, please feel free to contact us:

E-Mail: [email protected]
Telephone: +49 (711) 9533 8642

9. Changes to this Privacy Policy

This privacy policy may be updated in the event of changes to the app functionalities. The current version will be provided via a link on the website www.virtuallytheremedia.com/datenschutzerklärung in the VR App Store (e.g., Meta, Pico).


Appendix:

Sample withdrawal form (for the withdrawal of consent)

If you wish to withdraw your consent, you can complete this form and return it to us.

To: Lab E GmbH, Kupfergasse 4/1, 73728 Esslingen, e-mail: [email protected]

I hereby revoke my consent to the processing of my personal data for the following processing activity:

(Example: sending the newsletter)

Granted on (date of consent):

Name of the person concerned:

Address of the person concerned:

E-mail address of the person concerned:

Date:

Signature: