XHR Logo
Alpha XHR Network is currently in alpha.

Privacy Policy

This is a courtesy translation. The German version is the legally binding document.

1. Data Controller

ASCEND GmbH
Kaiserstraße 5, 40479 Düsseldorf
Email: support@globalascend.org

2. Collection and Storage of Personal Data

2.1 When Visiting the Website

When you access our website, information is automatically sent to our server. This information is temporarily stored in a log file:

  • IP address of the requesting device (anonymised)
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access is made (referrer URL)
  • Browser used and, where applicable, the operating system

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in technical provision).

2.2 Upon Registration

During registration, we collect:

  • Email address
  • Name (optional)
  • Password (stored as a bcrypt hash)

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

2.3 Health Data

XHR Network processes special categories of personal data (health data) pursuant to Art. 9(2)(a) GDPR exclusively on the basis of your explicit consent. Health data is:

  • Stored with end-to-end encryption
  • Processed exclusively on servers in Germany (Open Telekom Cloud, Frankfurt)
  • Not shared with third parties
  • Fully deleted at your request (Art. 17 GDPR)

3. Data Sharing

Your data will not be transmitted to third parties unless:

  • You have given explicit consent (Art. 6(1)(a) GDPR)
  • Sharing is necessary for the performance of a contract (Art. 6(1)(b) GDPR)
  • There is a legal obligation (Art. 6(1)(c) GDPR)

4. Cookies

We use only technically necessary cookies for:

  • Session management (authentication)
  • Language preference
  • Dark/light mode preference

We use no tracking cookies, no third-party analytics tools, and no cross-site tracking. Further details can be found in our Cookie Policy.

5. AI Processing

XHR Network uses AI models (Claude, MedGemma) to analyse your health data. This processing takes place exclusively on our own servers. No data is transmitted to external AI providers. AI processing is based on your explicit consent and can be revoked at any time.

6. Your Rights

You have the following rights:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR) — complete data deletion including backups within 30 days
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR) — export as JSON/PDF
  • Objection (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7(3) GDPR)

To exercise your rights, contact us at support@globalascend.org or use the in-app GDPR tools under Settings → Privacy.

7. Data Security

  • AES-256-GCM encryption (at rest + in transit)
  • TLS 1.3 for all connections
  • Forced TURN relay for video consultations (IP privacy)
  • Row Level Security at the database level
  • Multi-factor authentication (TOTP)
  • Daily encrypted backups with 30-day retention

8. Hosting

Our servers are operated exclusively in the Open Telekom Cloud in Frankfurt am Main, Germany. No data is transferred to third countries. A data processing agreement (Auftragsverarbeitungsvertrag) with T-Systems is in place.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4, 40213 Düsseldorf
ldi.nrw.de

Last updated: 10 April 2026