Privacy Notice
1. Introduction and Scope
This Privacy Notice explains how orva (hereinafter "we") handles your personal data, whether you visit our website, use our telemedicine platform, access our services, or contact us in any way.
This Privacy Notice follows Swiss law only, in particular the Swiss Federal Act on Data Protection (FADP).
Should we process data for purposes not described here, we will inform you separately.
2. Key Definitions
Personal data refers to any information relating to an identified or identifiable individual – information that allows direct or indirect conclusions about your identity.
Sensitive data receives heightened protection. In the context of our telemedicine services, this particularly includes health-related information.
Processing encompasses any operation involving personal data – from collection and storage to use, disclosure, anonymization, and deletion.
3. Controller and Contact
The controller responsible for the processing described in this policy is:
orva health GmbH
Marktgasse 56
3011 Bern
Switzerland
For privacy inquiries or to exercise your rights, contact us at:
Email: privacy@orva.ch
For certain processing activities, third parties may also be responsible (see sections 6, 13, and 14). Please contact them directly for questions about their processing.
4. Data We Collect
Depending on how you interact with us, we process different categories of data:
Account and Registration Information
To use our services, we need information such as username, email address, encrypted password, your name, and address. Where required, we also collect identification documents. This information is typically retained for five years after the end of use.
Correspondence and Communication
When you contact us via email, form, chat, or other channels, we store the content and associated metadata. The same applies to exchanges with medical professionals through our platform. Email correspondence is retained for at least ten years.
Basic Personal Information
This includes core information like name, contact details, date of birth, gender, and payment information. We receive this directly from you or – where permitted – from third parties. Retention period is typically ten years from last contact.
Contract and Transaction Data
Data arising from contract conclusion and fulfillment: orders, payments, deliveries, invoices, and information from medical questionnaires. For telemedicine services, this may include health data such as prescriptions. Retention: at least ten years after contract end.
Technical Usage Data
When visiting our website, we automatically collect technical information: IP address, browser and device type, operating system, access times, pages visited, and referrer URLs. This data supports functionality and security and is retained for twelve months.
Usage Behavior and Interests
To optimize our offerings, we analyze your usage behavior: click patterns, scroll behavior, time spent, and responses to communications. We use these insights for personalization and market analysis. Data is anonymized or deleted when no longer meaningful – typically after 24 months.
Health-Related Information
Health data is classified as particularly sensitive personal data (Art. 5 lit. c FADP). In connection with our telemedicine services, we process such data from questionnaires, consultations, and prescriptions. We share this with parties necessary for your treatment, such as physicians and pharmacies. For uses beyond treatment, we obtain your consent.
Medical Confidentiality
Medical professionals using our platform are bound by professional secrecy under Art. 321 no. 1 of the Swiss Criminal Code. orva employees may be involved as assistants to the extent necessary and are bound to confidentiality accordingly. Your health information is shared only within the scope of treatment and in accordance with legal requirements.
If you share data about third parties (such as family members), we assume you are authorized to do so and that the information is accurate. Please inform these individuals about our privacy practices.
5. How We Use Your Data
We process your data for the following purposes:
- Providing, administering, and developing our services
- Operating and technically optimizing our website and platform
- Enabling telemedicine consultations and prescriptions
- Processing orders, payments, and deliveries
- Customer communication and support
- Sending transaction-related notifications
- Identity verification as required by regulations
- Marketing communications (where permitted and unless you object)
- Analysis to improve user experience
- Fraud prevention and security
- Fulfilling legal obligations
- Enforcing or defending legal claims
- Preparing and executing corporate transactions (e.g. financing rounds, sale or purchase of business divisions)
We base our data processing on the applicable justification grounds under the FADP: contract performance, overriding private or public interests, legal obligations, or your explicit consent where required.
6. Who We Share Data With
We share personal data with third parties where required for providing our services, contract fulfillment, or due to legal obligations. In other cases, we obtain your consent. Depending on the setup, recipients act as processors, independent controllers, or joint controllers.
Recipient Categories
- Medical professionals: Physicians and pharmacies for telemedicine services
- Technical service providers: Hosting, databases, email delivery, web analytics
- Payment processors: Payment and subscription processing
- Identity verification providers: Verification services
- Analytics partners: Web analytics services
- Authorities: Where legally required
Our Technology and Service Partners
| Provider | Role | Purpose | Server Location | Privacy Info |
|---|---|---|---|---|
| Supabase Inc. | Processor | Database, authentication, file storage | Switzerland (Zurich) | https://supabase.com/privacy |
| Vercel Inc. | Processor | Website hosting, serverless computing, web analytics | Germany (Frankfurt) | https://vercel.com/legal/privacy-policy |
| Stripe Inc. | Processor; independent controller for selected regulatory purposes | Payment processing, subscription management, fraud prevention | Ireland / USA | https://stripe.com/privacy |
| Resend Inc. | Processor | Email delivery | USA / Ireland | https://resend.com/legal/privacy-policy |
| Persona Identities Inc. | Processor | Identity verification | USA | https://withpersona.com/legal/privacy-policy |
| Google Ireland Ltd. | Processor | Workspace, OAuth, Analytics | Ireland / USA | https://policies.google.com/privacy |
| Google Search Console | Independent controller | Website search and technical discoverability | Ireland / USA | https://policies.google.com/privacy |
| Meta Platforms Ireland Ltd. | Joint controller | Instagram/Facebook presence and page statistics | Ireland / USA | https://www.facebook.com/privacy/policy |
| LinkedIn Ireland Unlimited Company | Joint controller | Company page and page statistics | Ireland / USA | https://www.linkedin.com/legal/privacy-policy |
| YouTube / Google Ireland Ltd. | Joint controller | Video channel and interactions | Ireland / USA | https://policies.google.com/privacy |
| TikTok Technology Limited | Joint controller | Social media presence and interactions | Ireland / USA | https://www.tiktok.com/legal/page/eea/privacy-policy/en |
| X Corp. | Joint controller | Social media presence and interactions | USA | https://x.com/en/privacy |
| Reddit, Inc. | Joint controller | Community presence and interactions | USA | https://www.redditinc.com/policies/privacy-policy |
We maintain data processing agreements or equivalent privacy arrangements with processors. Processors may, in turn, engage sub-processors who are contractually bound to equivalent data protection and security obligations. For joint controllers or independent controllers, their own privacy notices also apply.
Although we prefer Swiss or Frankfurt data centers for services such as Supabase and Vercel, government access abroad cannot be entirely excluded for internationally active providers.
7. International Data Transfers
Personal data may be transferred to countries whose data protection level is not considered adequate from a Swiss perspective, in particular the USA.
For such transfers, we use contractual arrangements, Standard Contractual Clauses (SCC) of the European Commission with Switzerland addendum, or comparable safeguards to ensure an adequate level of protection, unless a statutory exception applies.
Despite these safeguards, not all risks can be eliminated, particularly the risk of government access abroad.
8. Automated Processing
In certain cases, we automatically analyze data to identify usage patterns, maintain security, prevent misuse, or technically improve our platform.
Such analyses do not serve medical diagnosis, therapy recommendation, or automated treatment selection. Medical decisions are made exclusively by physicians.
If automated individual decisions with legal effect or significant impact are used, we will inform you separately and provide the legally required review options.
9. Retention Periods
We retain your data as long as required for the respective processing purposes, statutory retention periods, the duration of any potential limitation periods for claims against orva, or legitimate documentation interests.
| Data Category | Standard Period | Note |
|---|---|---|
| Account and registration data | Up to 5 years after account end | Unless a longer legal obligation applies. |
| Treatment and health data | Generally 10 years | Medical documentation and evidence obligations are reserved. |
| Payment, contract, and invoice data | 10 years | Business records and accounting-relevant documents. |
| Consent and legal evidence | 10 years after end of use | Evidence of accepted document versions and technical metadata. |
| Technical security logs | Up to 12 months | Longer retention only for security incidents or legal claims. |
| Analytics and consent data | Up to 24 months | Only with consent, unless anonymized or deleted earlier. |
After expiration, data is deleted or anonymized unless legal, contractual, or evidentiary reasons prevent this.
10. How We Protect Your Data
We implement technical and organizational safeguards to protect your data against loss, unauthorized access, and misuse.
Our security measures include:
- End-to-end encryption in transit (TLS) and at rest
- Role-based access controls
- Logging of access to sensitive data
- Multi-factor authentication for critical systems
- Regular security audits
- Confidentiality agreements with employees and service providers
Despite all measures, absolute security cannot be guaranteed. Please protect your credentials carefully and inform us of any suspicious activity.
11. Obligation to Provide Personal Data
To enable us to provide you with platform access and services, you must provide the personal data required to establish and operate the platform relationship and to fulfill the related contractual obligations. There is generally no statutory obligation for you to provide such data.
Without this data, we cannot conclude a contract with you, cannot perform the telemedicine intermediation, and cannot deliver the platform services. The website also cannot be used to its full extent if certain technical information (e.g. IP address) is not disclosed.
12. Your Privacy Rights
Under the Swiss Federal Act on Data Protection (FADP), you have in particular the following rights:
- Access (Art. 25 FADP): You can learn what data we hold about you.
- Rectification (Art. 32 FADP): You can request correction of inaccurate or incomplete data.
- Erasure: You can request deletion of your data, unless retention obligations apply.
- Restriction: You can have processing of your data limited.
- Data portability (Art. 28 FADP): You can receive your data in a common format.
- Objection: You can object to use of your data for direct marketing.
- Withdrawal: You can revoke consent at any time for the future.
To exercise your rights, please contact us by email at privacy@orva.ch. We will verify your identity and address your request promptly.
Complaint option: If you disagree with our data processing, you can contact the Swiss Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch
14. Analytics and Marketing Measurement Services
To analyze website usage, improve the onboarding funnel, and measure conversions on public marketing pages, we employ third-party services. These are activated, except for technically necessary functions, only with your consent.
Google Analytics
We use Google Analytics 4 from Google Ireland Limited (Dublin, Ireland) for web analytics. The service uses cookies and anonymizes IP addresses. Google Signals, remarketing, ad personalization, and Enhanced Conversions are disabled. Medical answers are not sent to Google Analytics. Data is automatically deleted after two months. Google may transfer data to the USA (basis: Standard Contractual Clauses). Details: Google Privacy
Google Ads Conversion Measurement
We use Google Ads conversion measurement from Google Ireland Limited (Dublin, Ireland) to understand whether campaigns generate visits and interactions on public marketing pages. Measurement is activated only on public marketing pages and only with your consent to marketing measurement. Google Signals, remarketing, ad personalization, and Enhanced Conversions are disabled. Medical answers are not sent to Google Ads. Google may transfer data to the USA (basis: Standard Contractual Clauses). Details: Google Privacy
Vercel Analytics
Vercel Analytics collects anonymized usage statistics (page views, load times, device types) without personal reference. Processing occurs in Frankfurt. Details: Vercel Privacy
16. Updates
This Privacy Notice applies independently of any contractual agreements. We may update it when our data processing, providers, or legal requirements change. The current version is always available on our website.
For material changes, we notify registered users in an appropriate form, generally at least 60 days before they take effect, by email or in-platform notice. This notification is not an acceptance request; Privacy Notices are not accepted as consent.
If a change affects an accepted document such as the Terms of Use or Patient Information, separate re-confirmation may be required.
Last updated: May 2026
15. Our Social Media Presence
We maintain presences on social networks to communicate with you and share information about our offerings. When interacting on these platforms, both we and the operators collect data about you.
Platform operators collect technical information, registration data, communication content, and usage behavior. They also use this data for their own purposes such as marketing and market research.
For certain analytics features (such as page statistics), we share responsibility with platform operators.
Instagram
We operate an Instagram profile. The platform operator is Meta Platforms Ireland Limited (Dublin). For page statistics, we share responsibility with Meta. Data may be transferred to the USA. Details: Instagram Privacy
LinkedIn
We operate a LinkedIn company page. The platform operator is LinkedIn Ireland Unlimited Company (Dublin). For page statistics, we share responsibility under the Joint Controller Addendum. Data may be transferred to the USA. Details: LinkedIn Privacy