EfficiU
Privacy Notice
This notice explains how personal data is processed for the EfficiU website, the core service, and the companion applications.
Last updated: March 6, 2026
1. Data Controller and Role Allocation
Controller (Art. 4(7) GDPR):
- EfficiU GbR
- Marktplatz 18
- 69469 Weinheim
- Email: info@efficiu.com
Role allocation depends on the processing context:
- EfficiU acts as controller for website, public support, contract, account, and security-related processing.
- For operational data that a professional customer enters into the service for its own patients, staff, or business processes, that customer organization typically determines the purposes of processing within its own legal framework.
- Where EfficiU processes operational customer data on behalf of that customer organization, this is done under the applicable contractual and data-processing arrangement.
2. Categories of Data Processed
Depending on how you interact with EfficiU, we may process:
- Interest-registration and contact data, including
email, optional name/company/message fields, consent state, source, submission ID, and timestamps. - Account and identity data such as name, business email address, password hash, account status, verification status, and last-login information.
- Authentication and security data such as login attempts, lock status, password-reset requests, short-lived reset tokens, revoked token hashes, IP addresses, and user-agent information.
- Organization, group, role, and permission data used to provision access and restrict workflows to authorized users.
- Service content entered or generated in professional workflows, including patient or case profiles, records, summaries, anamneses, planning notes, billing ledgers, documents, conversations, tasks, and worklog entries.
- Uploaded or generated files and media, including document extracts, binary artifacts, audio input, transcription metadata, and related storage paths.
- Derived output and workflow metadata, such as AI-assisted drafts, extracted text, transcripts, summaries, execution history, background messages, and audit log details.
- Support and operational correspondence, such as inbound enquiries, password-reset emails, security notices, and troubleshooting context you provide to us.
- Technical request, response, runtime, and error-log data required to operate, secure, and troubleshoot the website, APIs, applications, and storage layer.
- Locale selection persisted in browser storage key
efficiu.website.locale
Because EfficiU is intended for professional healthcare workflows, service content may contain health data or other sensitive information entered by the professional customer.
3. Purposes and Legal Bases
| Purpose | Data | Legal basis |
|---|---|---|
| Handle website enquiries and interest registration | email, optional contact/profile fields, consent, source, submission ID, timestamp |
Art. 6(1)(a) GDPR and/or Art. 6(1)(b) GDPR |
| Provision accounts, authenticate users, activate access, and manage roles/groups | Account, identity, organization, role, session, and access-control data | Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR |
| Provide the requested website service and professional workflow functions | Operational service content, workflow history, uploaded files, generated documents, planning, summaries, and billing-related materials | Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR |
| Generate transcriptions, extracts, summaries, drafts, and other AI-assisted outputs requested in the service | Audio input, uploaded files, prompts, workflow context, generated output, and related processing metadata | Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR |
| Protect the form against abuse and bots | Authentication and security logs, audit entries, IP address, user-agent, token status, runtime/error logs, and anti-bot signals | Art. 6(1)(f) GDPR and, where applicable, Art. 6(1)(c) GDPR |
| Send transactional emails and provide support or incident handling | Business contact data, account data, support correspondence, password-reset/security notices, and troubleshooting context | Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR |
| Comply with legal obligations, enforce rights, and retain/delete records appropriately | Relevant account, contract, audit, security, and service records | Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR |
If service content includes special-category data, such processing only occurs within the applicable legal and contractual framework for the professional customer workflow.
4. Recipients and Processors
- Google Cloud for hosting, database/storage infrastructure, and runtime logging in Europe.
- Google-hosted AI processing services, including Vertex AI related processing paths for transcription, extraction, generation, and uploaded artifact handling when AI features are used.
- Google reCAPTCHA Enterprise for anti-bot verification on the interest form.
- Configured email infrastructure or mail relays used for password-reset, security, onboarding, or support emails.
- Authorized administrators and users within the respective professional customer organization, according to assigned roles and permissions.
- Authorized internal personnel and carefully selected service providers that need access for hosting, support, security, or compliance purposes.
5. International Transfers
Some processing components are provided by Google and may involve transfers outside the EEA / Switzerland, particularly for anti-bot and AI-related processing. Where applicable, transfers rely on lawful safeguards (for example SCCs) as documented by the provider.
6. Storage and Retention
Retention depends on the data category, the relevant workflow, contractual arrangements, and applicable law. In particular:
- Interest submissions and related website-processing metadata are retained for up to 2 years after collection, unless longer statutory retention is required.
- Account, organization, and support data are generally retained for the duration of the business relationship and afterwards as needed for support, security, legal claims, or statutory obligations.
- Security-related records such as audit logs, login history, revoked-token hashes, and short-lived password-reset records are retained for security, incident investigation, and access-control purposes and removed when no longer needed under the applicable lifecycle.
- Patient records and session artifacts can be versioned and, depending on the configured retention model, older versions may first be moved into a deleted area and later permanently purged.
- Audio input artifacts are subject to a configured hard-delete retention window and are removed after that period.
- Other service documents, summaries, planning notes, anamneses, billing ledgers, tasks, and worklogs are retained according to the relevant workflow, customer instruction, contract, and applicable legal obligations.
- If deletion is temporarily impossible or inadvisable because of statutory obligations, dispute handling, or evidence preservation, processing may be restricted instead of immediate erasure.
7. Security Measures
The backend and related service components are designed to use layered technical and organizational controls, including:
- Authentication, password hashing, token invalidation, account-lock controls, and role/group-based access restrictions.
- Tenant-scoped storage and access separation for customer data and service artifacts.
- Audit logging and runtime/security logging for relevant account actions, API usage, and troubleshooting.
- Retention and deletion jobs for selected artifact classes, including configurable cleanup of old records, sessions, and audio input.
8. Your Rights
Subject to applicable law, you may request:
- Access to your personal data
- Rectification of inaccurate data
- Erasure
- Restriction of processing
- Data portability
- Objection to processing based on legitimate interests
- Withdrawal of consent at any time (without affecting prior processing)
Contact: info@efficiu.com.
9. Complaint Right
You may lodge a complaint with a competent data protection authority. In particular:
- For our company location: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI BW), Lautenschlagerstraße 20, 70173 Stuttgart, Germany, Email: poststelle@lfdi.bwl.de.
- If Swiss data protection law is applicable to your case, you may also contact the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
10. Requirement to Provide Data
Providing personal data is not generally mandated by law. However, some data is technically or contractually required if you want to use specific features or services.
- For the interest form,
email,consent,antiBotToken, andsourceare required. Other fields are optional. - For account provisioning, login, activation, and support, required identity, access, and contact data must be provided.
- If a professional customer wants to use workflow features, the service necessarily processes the operational content entered, uploaded, or generated for that workflow.
- Where information is marked optional, choosing not to provide it may limit convenience or support quality but will not automatically prevent basic website browsing.
11. Automated Decision-Making and AI Assistance
EfficiU uses AI-assisted functions to support professional workflows, for example for transcription, text extraction, summaries, drafting, search, task creation, or other requested outputs.
EfficiU does not perform solely automated decision-making that produces legal effects or similarly significant effects for individuals. Professional users remain responsible for reviewing and using outputs within their own workflow and legal responsibilities.