This privacy policy has been drawn up by the Practice for Integrative Immunology (hereinafter: 'the Practice'). We respect your privacy and handle your personal data with care. This statement has been drawn up in accordance with the General Data Protection Regulation (GDPR) and the Medical Treatment Agreement Act (WGBO).

Article 1. Purpose and Legal Basis for Data Processing

The Practice processes personal data solely for healthcare provision, administration, legal obligations, and – if applicable – scientific research, education, or information.
The legal basis for this is:
- Performance of the treatment agreement (GDPR Art. 6 para 1 sub b);
- Legal obligations, such as notifications under the Public Health Act;
- Legitimate interest, such as quality improvement of care;
- Consent of the client/patient, for example, when exchanging data with third parties.

Article 2. Types of Personal Data Processed

Depending on the treatment and services, the following data may be processed:
- Name, address, place of residence;
- Date of birth, gender;
- Citizen Service Number (BSN);
- Phone number, email address;
- Medical data and treatment data;
- Insurance details;
- Data of general practitioner and other involved healthcare providers;

Article 3. Purposes of Processing

The personal data are processed for:
- Creating and maintaining an (electronic) patient file;
- Scheduling appointments and carrying out treatments;
- Financial administration and invoicing;
- Communication with referrers and other healthcare providers (with consent);
- Complying with legal obligations;
- Quality improvement and scientific research (anonymized and only with consent).

Article 4. Retention Periods

Medical data is generally retained for 15 years from the last treatment, unless a longer retention period is necessary due to the patient's health or legal obligations.
For minors, a retention period applies from the age of 18.

Article 5. Disclosure of Data to Third Parties

Personal data is only provided to third parties:
- If this is necessary for the treatment;
- If a legal obligation requires it;
- If the client/patient has given explicit consent for this.
Data processing agreements are concluded with external processors.

Article 6. Rights of the Client/Patient

You have the following rights:
- Right to access your data;
- Right to rectification or completion;
- Right to erasure or destruction (insofar as legally permitted);
- Right to data portability (transfer of your file);
- Right to restriction of processing;
- Right to object to processing;
- Right to add your own statement to your file.

Article 7. Security of Personal Data

The Practice takes appropriate technical and organizational measures to secure your data against loss, unauthorized access, or unlawful processing. Examples include the use of secure systems and professional secrecy of employees.

Article 8. Digital Storage and Website

Your data is stored digitally in a secure system. The electronic patient file used is NEN7510 and ISO27001 certified. If a website with a contact form or cookies is used, personal data is processed solely for answering questions and scheduling appointments.

Article 9. Complaints and Oversight

If you have questions or complaints about the processing of your data, you can contact the Practice.
If your complaint is not handled to your satisfaction, you can contact the Dutch Data Protection Authority (www.autoriteitpersoonsgegevens.nl).

Article 10. Amendments to this Privacy Policy

The Practice reserves the right to amend this privacy policy. Amendments will be announced to clients/patients via the website or in writing.

Amsterdam, August 28, 2025