Privacy Policy
How we collect, use, and protect your personal data on medtopdoc.com — effective March 2026.
In Plain Language
- We are an informational platform about medical excellence — we do not provide medical advice or sell anything directly on this website.
- We store a session token in your browser only if you enter the site through our access gate. It is deleted when you close your tab.
- When you submit a form, the data goes to HubSpot, our CRM processor, which also sets analytics cookies.
- We use Google Analytics, Google Tag Manager, and Google Ads for analytics and advertising. These tools are loaded only after you consent to non-essential cookies.
- You can exercise all your GDPR rights — access, correction, deletion, and more — at any time by emailing us.
1. Controller & Data Protection
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data-protection laws is:
CB & Partner Consulting GmbH
Beta-Straße 10A (Eingang Haus A)
85774 Unterföhring
Germany
As a company with fewer than 20 employees regularly engaged in automated data processing, we are not legally required to appoint a data protection officer under Art. 37 GDPR in conjunction with § 38 BDSG. For any data-protection inquiries, please contact us at the email address above.
2. Data We Collect
a) Server Log Files
When you visit medtopdoc.com, our hosting provider automatically collects and stores information in server log files that your browser transmits:
- IP address (anonymised after 7 days)
- Date and time of access
- Page requested (URL) and referrer URL
- Browser type and version, operating system
- HTTP status code and data volume transferred
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in ensuring website security, stability, and abuse prevention.
b) Session Storage (Access Gate)
This website uses an access gate. When you enter the correct access phrase, a SHA-256 hash is stored in your browser’s sessionStorage under the key medtopdoc_auth. This value:
- Contains only a cryptographic hash — no personal data
- Is stored client-side only and never transmitted to our server
- Is automatically deleted when you close the browser tab or window
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in controlling access to pre-launch content. § 25(2) TDDDG (formerly TTDSG) — technically necessary storage exempt from consent.
c) Contact and Application Forms (HubSpot)
When you submit a form on this website, the data you enter (e.g., name, email, organisation, message) is transmitted to and processed by HubSpot, Inc. via their embedded forms (portal ID 8182227). Data processed includes:
- All form-field values you provide voluntarily
- Your IP address (collected by HubSpot on submission)
- Timestamp of submission
- Page URL where the form was submitted
Legal basis: Art. 6(1)(a) GDPR (consent, given by actively submitting the form) and Art. 6(1)(b) GDPR (pre-contractual measures where applicable).
d) HubSpot Analytics & Tracking
HubSpot’s tracking script may collect usage data such as pages visited, session duration, referring sources, and browser metadata. This data is used to understand how visitors interact with our content and to improve the Platform.
HubSpot sets non-essential cookies (see Section 3 below) that store information on your device. Under § 25(1) TDDDG (formerly TTDSG), storing or accessing information on a user’s terminal equipment requires the user’s consent unless the storage is strictly necessary for the provision of a telemedia service explicitly requested by the user.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in analysing website usage to improve our content and services. You may block these cookies at any time via your browser settings (see Section 3). Blocking analytics cookies will not affect core site functionality. We are in the process of implementing a consent-management platform (CMP) that will place HubSpot analytics processing on an explicit Art. 6(1)(a) consent basis. This notice will be updated accordingly once the CMP is deployed.
e) Google Tag Manager
We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to manage tracking scripts on this website. Google Tag Manager is a tag-management system that does not itself collect personal data or set cookies. It serves as a technical container that triggers other tools (such as Google Analytics or Google Ads) based on defined rules and, where applicable, your consent settings.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in the efficient and centralised management of website scripts. Google Tag Manager loads in a restricted, cookieless mode by default. Full tracking and data collection via managed tags activate only after consent is granted.
Data transfer: Google Ireland Limited may transfer data to Google LLC in the United States. Transfers are safeguarded by the EU–US Data Privacy Framework and Standard Contractual Clauses. Privacy Policy: policies.google.com/privacy
f) Google Analytics 4 (GA4)
We use Google Analytics 4 (Google Ireland Limited) to analyse website traffic and user behaviour. Google Analytics collects:
- Pages visited and time spent on each page
- Device type, browser, and operating system
- Approximate geographic location (based on anonymised IP)
- Referral source (how you reached our website)
- User interaction events (clicks, scrolls, form submissions)
IP anonymisation is enabled. Google Analytics does not collect personally identifiable information through our implementation.
Legal basis: Art. 6(1)(a) GDPR — consent. Google Analytics is loaded only after the user accepts non-essential cookies via our consent mechanism. § 25(1) TDDDG applies. Data retention: 14 months. You may opt out at any time by rejecting non-essential cookies or by installing the Google Analytics Opt-out Browser Add-on.
g) Google Ads (formerly AdWords) & Conversion Tracking
We use Google Ads (Google Ireland Limited) to place advertisements on Google Search and the Google Display Network, and to measure the effectiveness of those advertisements through conversion tracking. When you click on a Google ad and visit our website, a conversion cookie is set by Google. This cookie:
- Does not contain personally identifiable information
- Allows us to determine whether a user who clicked an ad completed a specific action on the website (e.g., form submission)
- Expires after 30 days and is not used for personal identification
Google may also use remarketing tags to display personalised advertisements based on your prior visits to our website. You can opt out of personalised advertising at adssettings.google.com.
Legal basis: Art. 6(1)(a) GDPR — consent. Google Ads tracking and remarketing scripts are loaded only after the user accepts non-essential cookies. § 25(1) TDDDG applies. Data transfer to the USA is safeguarded by the EU–US Data Privacy Framework and Standard Contractual Clauses. Privacy Policy: policies.google.com/privacy
h) Google Search Console
We use Google Search Console (Google Ireland Limited) to monitor and optimise the visibility of our website in Google Search results. Google Search Console does not set cookies on your device and does not collect personal data from visitors. It provides the website operator with aggregated, anonymised performance data (search queries, impressions, click-through rates, indexing status). No legal basis under the GDPR is required for Google Search Console, as no personal data of website visitors is processed.
3. Cookies & Browser Storage
The following cookies and storage mechanisms are used on this website:
medtopdoc_auth
Essential
Type: sessionStorage · Duration: Browser session (tab) · Purpose: Stores a SHA-256 hash to validate access-gate entry. No personal data. Client-side only.
__hstc
Analytics (HubSpot)
Type: HTTP cookie · Duration: 13 months · Purpose: Main HubSpot tracking cookie. Tracks visitor identity, first visit, previous visit, current visit, and session count.
hubspotutk
Analytics (HubSpot)
Type: HTTP cookie · Duration: 13 months · Purpose: Stores a unique visitor identifier. Used to associate form submissions with the visitor’s browsing session.
__hssc
Analytics (HubSpot)
Type: HTTP cookie · Duration: 30 minutes · Purpose: Keeps track of sessions. Used to determine whether HubSpot should increment the session number and timestamps in the __hstc cookie.
__hssrc
Analytics (HubSpot)
Type: HTTP cookie · Duration: Browser session · Purpose: Detects whether the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
_ga
Analytics (Google)
Type: HTTP cookie · Duration: 2 years · Purpose: Distinguishes unique users for Google Analytics. Set only after consent.
_ga_[ID]
Analytics (Google)
Type: HTTP cookie · Duration: 2 years · Purpose: Maintains session state for Google Analytics 4. Set only after consent.
_gcl_au
Advertising (Google Ads)
Type: HTTP cookie · Duration: 90 days · Purpose: Stores a unique identifier for conversion tracking and ad attribution. Set only after consent.
_gac_[ID]
Advertising (Google Ads)
Type: HTTP cookie · Duration: 90 days · Purpose: Stores campaign information for Google Ads conversion linking. Set only after consent.
You can delete or block cookies at any time via your browser settings. Blocking analytics and advertising cookies will not affect core site functionality. Essential cookies (sessionStorage) are required for the access gate to function.
4. Data Sharing & Third-Party Processors
We share personal data only where strictly necessary and on a proper legal basis. Our third-party processors are:
HubSpot, Inc.
25 First Street, Cambridge, MA 02141, USA
- Processes form-submission data and analytics data on our behalf
- DPA concluded per Art. 28 GDPR
- US transfers: EU–US Data Privacy Framework (certified) + SCCs per Art. 46(2)(c)
- Privacy: legal.hubspot.com/privacy-policy
Google Ireland Limited / Google LLC
Gordon House, Barrow Street, Dublin 4, Ireland / 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- Provides Google Analytics 4 (website analytics), Google Tag Manager (tag management), and Google Ads (advertising & conversion tracking)
- Google Ads data processing terms apply per Art. 28 GDPR
- US transfers: EU–US Data Privacy Framework (Google LLC is certified) + SCCs per Art. 46(2)(c)
- Privacy: policies.google.com/privacy
We do not sell, rent, or otherwise disclose your personal data to third parties for their own independent purposes. No data is shared with data brokers. Where Google processes data for its own purposes (e.g., improving Google products), this is governed by Google’s own privacy policy and the applicable data-processing terms.
5. Your Rights Under the GDPR
As a data subject, you have the following rights. To exercise any of them, email us at hello@consulting.barbier.de.
Right of Access (Art. 15 GDPR)
You may request confirmation of whether we process your personal data and obtain a copy of said data.
Right to Rectification (Art. 16 GDPR)
You may request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Art. 17 GDPR)
You may request deletion of your personal data, provided no legal obligation requires us to retain it.
Right to Restriction of Processing (Art. 18 GDPR)
You may request that we restrict the processing of your data under certain circumstances (e.g., while accuracy is being contested).
Right to Data Portability (Art. 20 GDPR)
You may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Art. 21 GDPR)
You may object to processing based on legitimate interest (Art. 6(1)(f)) at any time. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. The competent authority for our registered office is the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht — BayLDA), Promenade 18, 91522 Ansbach, Germany — www.lda.bayern.de.
6. Data Security
We implement appropriate technical and organisational measures in accordance with Art. 32 GDPR to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include, but are not limited to:
- TLS/SSL encryption for all data in transit (HTTPS)
- Access controls and authentication for administrative systems
- Regular security updates and monitoring of our hosting infrastructure
- Contractual data-security obligations with all processors (Art. 28 GDPR)
7. Children’s Privacy
Medical Top Doctors is a business-to-business (B2B) information platform directed at medical professionals, healthcare institutions, and industry partners. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a minor has submitted personal data to us, please contact us immediately so we can delete it.
8. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our data practices, legal requirements, or technical setup. The revised version will be published on this page with an updated effective date. We encourage you to review this page periodically. Material changes will be highlighted on the website.
9. Contact
If you have any questions about this privacy policy or wish to exercise your data-protection rights, please contact us:
This privacy policy is effective as of March 2026. Last updated: March 2026.