Privacy Policy

1. Introduction and Scope

This privacy policy explains how orva (hereinafter "we") handles your personal data – whether you visit our website, use our telemedicine platform, access our services, or contact us in any way.

We comply with the Swiss Federal Act on Data Protection (FADP) and – where applicable – the European General Data Protection Regulation (GDPR). Applicability depends on the specific circumstances.

Should we process data for purposes not described here, we will inform you separately.

2. Key Definitions

Personal data refers to any information relating to an identified or identifiable individual – information that allows direct or indirect conclusions about your identity.

Sensitive data receives heightened protection. In the context of our telemedicine services, this particularly includes health-related information.

Processing encompasses any operation involving personal data – from collection and storage to use, disclosure, anonymization, and deletion.

3. Controller and Contact

The controller responsible for the processing described in this policy is:

orva (in formation)
Zurich, Switzerland

For privacy inquiries or to exercise your rights, contact us at:

Email: legal@orva.ch

For certain processing activities, third parties may also be responsible (see sections 6, 13, and 14). Please contact them directly for questions about their processing.

4. Data We Collect

Depending on how you interact with us, we process different categories of data:

Account and Registration Information

To use our services, we need information such as username, email address, encrypted password, your name, and address. Where required, we also collect identification documents. This information is typically retained for five years after the end of use.

Correspondence and Communication

When you contact us via email, form, chat, or other channels, we store the content and associated metadata. The same applies to exchanges with medical professionals through our platform. Email correspondence is retained for at least ten years.

Basic Personal Information

This includes core information like name, contact details, date of birth, gender, and payment information. We receive this directly from you or – where permitted – from third parties. Retention period is typically ten years from last contact.

Contract and Transaction Data

Data arising from contract conclusion and fulfillment: orders, payments, deliveries, invoices, and information from medical questionnaires. For telemedicine services, this may include health data such as prescriptions. Retention: at least ten years after contract end.

Technical Usage Data

When visiting our website, we automatically collect technical information: IP address, browser and device type, operating system, access times, pages visited, and referrer URLs. This data supports functionality and security and is retained for twelve months.

Usage Behavior and Interests

To optimize our offerings, we analyze your usage behavior: click patterns, scroll behavior, time spent, and responses to communications. We use these insights for personalization and market analysis. Data is anonymized or deleted when no longer meaningful – typically after 24 months.

Health-Related Information

Health data is classified as particularly sensitive personal data (Art. 5 lit. c Swiss DPA). In connection with our telemedicine services, we process such data from questionnaires, consultations, and prescriptions. We share this with parties necessary for your treatment, such as physicians and pharmacies. For uses beyond treatment, we obtain your consent.

Medical Confidentiality

Medical professionals using our platform are bound by professional secrecy under Art. 321 of the Swiss Criminal Code. Your health information is shared only within the scope of treatment and in accordance with legal requirements.

If you share data about third parties (such as family members), we assume you are authorized to do so and that the information is accurate. Please inform these individuals about our privacy practices.

5. How We Use Your Data

We process your data for the following purposes:

  • Providing, administering, and developing our services
  • Operating and technically optimizing our website and platform
  • Enabling telemedicine consultations and prescriptions
  • Processing orders, payments, and deliveries
  • Customer communication and support
  • Sending transaction-related notifications
  • Identity verification as required by regulations
  • Advertising and marketing (unless you object)
  • Analysis to improve user experience
  • Fraud prevention and security
  • Fulfilling legal obligations
  • Enforcing or defending legal claims

We base our data processing on applicable legal grounds: contract performance, overriding legitimate interests, legal obligations, or your explicit consent (Art. 6(6)–(7) Swiss DPA). Where the GDPR applies, Art. 6(1)(a)–(f) and Art. 9(2) GDPR apply to health data.

6. Who We Share Data With

We share personal data with third parties where required for providing our services, contract fulfillment, or due to legal obligations. In other cases, we obtain your consent. Recipients act either as processors on our behalf or as independent controllers.

Recipient Categories

  • Medical professionals: Physicians and pharmacies for telemedicine services
  • Technical service providers: Hosting, databases, email delivery, web analytics
  • Payment processors: Payment and subscription processing
  • Identity verification providers: Verification services
  • Marketing partners: Analytics and advertising services
  • Authorities: Where legally required

Our Technology and Service Partners

| Provider | Purpose | Server Location | Privacy Info |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | Switzerland (Zurich) | Link |
| Vercel Inc. | Website hosting, serverless computing, web analytics | EU (Frankfurt) | Link |
| Stripe Inc. | Payment processing, subscription management | EU / USA | Link |
| Resend Inc. | Email delivery | USA | Link |
| Persona Identities Inc. | Identity verification | USA | Link |
| Google Ireland Ltd. | Web analytics, advertising | Ireland / USA | Link |
| Meta Platforms Ireland Ltd. | Advertising pixel, social media integration | Ireland / USA | Link |
| LinkedIn Ireland Unlimited | Conversion tracking | Ireland / USA | Link |

All listed partners maintain their own privacy policies and have committed to complying with applicable data protection laws. US-based providers typically rely on EU Standard Contractual Clauses or comparable safeguards.

Although we use European data centers for services like Supabase and Vercel, government data access cannot be entirely excluded for US-headquartered companies.

7. International Data Transfers

Your data may be transferred to countries whose data protection standards do not match Swiss or European levels – particularly the USA.

For such transfers, we ensure adequate protection through contractual agreements. We use the Standard Contractual Clauses approved by the European Commission (available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).

Despite these safeguards, not all risks can be eliminated – particularly the risk of government access abroad.

8. Automated Processing

In certain cases, we automatically analyze your data to identify usage patterns, create personalized recommendations, or detect security risks.

We may combine different data points to better understand your preferences. This enables us, for example, to suggest relevant products or better tailor future offerings.

In such evaluations, we ensure proportionality and implement safeguards. If automated decisions have legal effects or significantly impact you, you may request review by a person.

9. Retention Periods

We retain your data as long as required for the respective processing purposes, statutory retention periods, or legitimate documentation interests. Details on individual periods can be found in Section 4.

After expiration, your data is deleted or anonymized through our regular processes, unless legal or contractual reasons prevent this.

10. How We Protect Your Data

We implement technical and organizational safeguards to protect your data against loss, unauthorized access, and misuse.

Our security measures include:

  • End-to-end encryption in transit (TLS) and at rest
  • Role-based access controls
  • Logging of access to sensitive data
  • Multi-factor authentication for critical systems
  • Regular security audits
  • Confidentiality agreements with employees and service providers

Despite all measures, absolute security cannot be guaranteed. Please protect your credentials carefully and inform us of any suspicious activity.

11. Your Privacy Rights

Under the Swiss Federal Act on Data Protection (FADP) and, where applicable, the GDPR, you have the following rights:

  • Access (Art. 25 Swiss DPA): You can learn what data we hold about you.
  • Rectification (Art. 32 Swiss DPA): You can request correction of inaccurate or incomplete data.
  • Erasure: You can request deletion of your data, unless retention obligations apply.
  • Restriction: You can have processing of your data limited.
  • Data portability (Art. 28 Swiss DPA): You can receive your data in a common format.
  • Objection: You can object to use of your data for direct marketing.
  • Withdrawal: You can revoke consent at any time for the future.

To exercise your rights, please contact us by email at legal@orva.ch. We will verify your identity and address your request promptly.

Complaint option: If you disagree with our data processing, you can contact the Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch

12. Cookies and Web Technologies

Our website uses cookies and similar technologies to recognize you during use, provide functionality, and conduct analytics.

Cookies are small text files stored by your browser. Additional methods may also be used – such as browser fingerprinting (combining technical characteristics into an identifier) or tracking pixels.

Cookie Categories

We distinguish:

  • Technically necessary cookies: Required for basic operation (e.g., login status, language settings). Set without consent. Duration: up to 30 days.
  • Analytics cookies: Enable analysis for offer optimization. Active only with consent. Duration: up to 12 months.
  • Marketing cookies: Enable targeted advertising and success measurement. Only with consent. Duration: up to 12 months.
  • Preference cookies: Store your settings for personalized use. Only with consent.

Manage settings: Via the "Cookie Settings" link in the footer, you can adjust or revoke your preferences at any time. Alternatively, cookies can be managed through browser settings.

13. Analytics and Marketing Services

To analyze website usage and optimize our advertising, we employ third-party services. These are activated – except for technically necessary functions – only with your consent.

Google Analytics

We use Google Analytics 4 from Google Ireland Limited (Dublin, Ireland) for web analytics. The service uses cookies and anonymizes IP addresses. With your advertising consent, we additionally activate Google Ads Conversion Tracking, Remarketing, and cross-device features. Data is automatically deleted after two months. Google may transfer data to the USA (basis: Standard Contractual Clauses). Details: Google Privacy

Vercel Analytics

Vercel Analytics collects anonymized usage statistics (page views, load times, device types) without personal reference. Processing occurs in the EU (Frankfurt). Details: Vercel Privacy

Meta Pixel

The Meta Pixel from Meta Platforms Ireland Limited (Dublin) enables measurement of advertising campaigns on Facebook and Instagram as well as targeted ads. Meta may link this data to your account and use it for its own purposes. Data transfer to the USA possible. Object: Facebook Ad Settings. Details: Meta Privacy

LinkedIn Insight Tag

The LinkedIn Insight Tag from LinkedIn Ireland Unlimited Company (Dublin) serves conversion tracking and retargeting. LinkedIn may link data to your profile. Object: LinkedIn Ad Settings. Details: LinkedIn Privacy

14. Our Social Media Presence

We maintain presences on social networks to communicate with you and share information about our offerings. When interacting on these platforms, both we and the operators collect data about you.

Platform operators collect technical information, registration data, communication content, and usage behavior. They also use this data for their own purposes such as marketing and market research.

For certain analytics features (such as page statistics), we share responsibility with platform operators.

Instagram

We operate an Instagram profile. Platform operator is Meta Platforms Ireland Limited (Dublin). For page statistics, we share responsibility with Meta. Data may be transferred to the USA. Details: Instagram Privacy

LinkedIn

We operate a LinkedIn company page. Platform operator is LinkedIn Ireland Unlimited Company (Dublin). For page statistics, we share responsibility under the Joint Controller Addendum. Data may be transferred to the USA. Details: LinkedIn Privacy

15. Updates

This privacy notice applies independently of any contractual agreements. We reserve the right to update it at any time. The current version is always available on our website.

For material changes, we will notify you – if we have your contact details and this is feasible with reasonable effort.

For individual processing activities, the version in effect at the time of collection applies.

Last updated: December 2025
