GDPR · ART. 28 DPA · GERMAN SERVERS

GDPR-compliant WhatsApp automation for clinics — safe for patient data, built for growth.

The only WhatsApp platform for clinics with real GDPR compliance, German servers and Data Processing Agreement (DPA) from day one. Qualify, book and nurture patients — without legal risk.

✓ DPA at signup 🇩🇪 German servers 🛡 Art. 28 GDPR 🔒 TLS 1.3 + AES-256
THE PROBLEM

WhatsApp is huge. GDPR is bigger.

You want to acquire patients via WhatsApp. But:

⚠️ Standard WhatsApp = not allowed
For health data without a DPA, this is a GDPR violation — fines up to 4% of annual revenue.

⚠️ US hosting = third-country transfer
Schrems II makes US cloud practically impossible for patient data. Only EU servers are safe.

⚠️ Patient photos = Art. 9 GDPR
Special category data. Requires explicit consent, encryption and audit trail.

⚠️ No audit logs
Without traceability you cannot prove anything in case of dispute. Authorities require documentation.
THE SOLUTION

Compliance is not an add-on. It is the foundation.

Flowmatix was built for GDPR — not retrofitted.

DPA (Art. 28 GDPR)
Automatically at signup as PDF

🇩🇪 German servers
Hetzner Frankfurt, ISO 27001

🔒 TLS 1.3 + AES-256
End-to-end encrypted

🛡 Art. 9 Health Data
Properly processed with consent

📋 Audit logs (10 years)
Every action traceable

👥 RBAC access control
Doctor, coordinator, finance separated

🚫 No AI training
Patient data stays private

🇪🇺 EU data residency
No third-country transfer guaranteed
HOW IT WORKS

Secure and automatic — from first patient to surgery

1. Patient writes on WhatsApp
First reply contains privacy notice and GDPR consent request. Data collection only starts after explicit consent.

2. AI qualifies systematically
Name, medical history, Norwood scale, medications — everything documented in the audit log with timestamp and user trail.

3. Photos stored encrypted
Patient photos stored end-to-end encrypted directly in the patient profile. Not in third-party cloud services.

4. Doctor review (Art. 9 GDPR compliant)
Only authorized doctors see medical data. RBAC strictly separates patient data from administration and finance.

5. Booking & deposit
Stripe (PCI-DSS Level 1) processes payments. The clinic never sees credit card data — automatic audit trail.

6. Audit & deletion
Patients can request deletion at any time (Art. 17 GDPR). Audit log documents all access for 10 years.
CASE STUDY

Hair Transplant Clinic in Berlin

BEFORE
  • ❌ WhatsApp Web on the clinic iPad
  • ❌ Excel with 800 patients
  • ❌ No encryption
  • ❌ First GDPR audit: 14 critical violations
  • ❌ 14% conversion (inquiry → booking)
  • ❌ Fine risk up to 4% of revenue
AFTER 30 DAYS WITH FLOWMATIX
  • ✅ DPA signed, audit passed
  • ✅ All patient data in German data center
  • ✅ TLS 1.3 + AES-256 encrypted
  • ✅ +€18,000 additional revenue/month
  • ✅ 47% conversion (inquiry → booking)
  • ✅ Zero fine risk
DATA PROTECTION & SECURITY

Compliance is non-negotiable.

Here are the technical facts — transparent and verifiable.

🏛 Hosting & Infrastructure

  • Hetzner Online GmbH, Frankfurt (Germany)
  • ISO 27001 certified
  • Art. 44–49 GDPR: no third-country transfer
  • Backups encrypted, EU location, 30 days

🔒 Encryption

  • In-transit: TLS 1.3 (minimum TLS 1.2)
  • At-rest: AES-256 for all patient data
  • WhatsApp: end-to-end (Signal Protocol)
  • Database: encrypted + Row Level Security

👥 Access Control (RBAC)

  • Admin: Clinic management
  • Doctor: Patient reviews & medical data
  • Coordinator: Appointments, logistics
  • Finance: Invoices, payments

📋 Audit & Traceability

  • Audit logs: every action (10-year retention)
  • Consent tracking with timestamps
  • Art. 15–20 GDPR rights directly in CRM
  • 72h notification duty (Art. 33 GDPR)

🚫 What we DON'T do

  • No advertising with patient data
  • No AI training with your data
  • No data sharing with third parties
  • No tracking across clinics

📜 Compliance Contracts

  • DPA (Art. 28 GDPR) automatically at signup
  • DPIA (Data Protection Impact Assessment) available
  • TOM (technical and organisational measures) documented
  • Privacy policy generator
FREQUENTLY ASKED QUESTIONS

Compliance & Security

Is WhatsApp automation actually GDPR compliant?

By default, no. However, Flowmatix uses the official WhatsApp Business API with DPA under Art. 28 GDPR, German data residency and explicit patient consent. Fully GDPR compliant for clinics.

Where is my patient data stored?

Exclusively in Germany (Hetzner Frankfurt, ISO 27001 certified). No US cloud, no third-country transfer. EU data residency guaranteed.

Can patient photos be processed via WhatsApp?

Yes — if the patient has explicitly consented (Art. 9(2)(a) GDPR). Flowmatix documents every consent with timestamp, method and wording.

Do I get a Data Processing Agreement (DPA)?

Yes, automatically at signup. The DPA under Art. 28 GDPR is part of the Terms and immediately available as a PDF — no manual request required.

How is encryption implemented?

TLS 1.3 for all connections, AES-256 for stored data, WhatsApp end-to-end encryption (Signal Protocol), encrypted database backups.

Do you have a DPIA (Data Protection Impact Assessment)?

Yes, we provide a sample DPIA for clinics here as PDF. You can use it as a template for your own DPIA.

What happens when a patient requests data deletion?

In the CRM, click "Delete patient" → all data is deleted in GDPR-compliant manner within 72h (Art. 17 GDPR). Audit log documents the deletion.

Do you train AI models with our patient data?

No. Never. Patient data is used exclusively to provide the service — no training, no sharing, no advertising.

How fast can our clinic go live GDPR-compliant?

Within a few hours. DPA is generated automatically at signup, German servers are active immediately, audit logs start from the first message.

What happens in case of a data breach?

We notify you within 24h. You must then inform the supervisory authority within 72h (Art. 33 GDPR). We provide all the necessary information for the report.

GDPR-compliant DPA at signup

Ready for GDPR-compliant
patient acquisition?

Try Flowmatix free. DPA is generated automatically at signup. Live setup within hours — on German servers.