Privacy Policy (Non-Binding English Translation)

Last updated: May 6, 2026

This English version is a non-binding convenience translation of the German privacy policy. The German version is the legally binding version. If this translation differs from the German version, the German version prevails to the extent permitted by mandatory law.

This privacy policy explains how HebaMama processes personal data when you use the website, registration, login functions, Mama and Maia dashboards, search, request, course, booking, document and security functions. HebaMama is a platform for arranging and organising contacts between Mamas and midwives. The platform is not an emergency or acute care service.

1. Controller and Privacy Contact

The controller responsible for data processing is:

HebaMama UG (haftungsbeschränkt)
Mondstraße 28
81543 Munich
Germany
Email: info@hebamama.com

Privacy requests may be sent to the email address above. If a data protection officer is required by law or appointed, the relevant contact details will be added to this policy.

2. Scope

This policy applies to all web functions provided by HebaMama, in particular public pages, registration, login, email verification, password and email change, Mama profiles, Maia profiles, Mama requests, Maia courses, course bookings, daily info emails, document uploads, admin checks, support and security functions.

3. Principles and Legal Bases

We process personal data only where this is necessary to provide, secure, administer and improve the platform, or where there is a legal obligation, consent or legitimate interest.

• Article 6(1)(b) GDPR: performance of a contract and pre-contractual steps, in particular registration, account, profile, matching, requests, bookings and platform communication.
• Article 6(1)(a) GDPR: consent, in particular where voluntary special categories of personal data are processed or consent is required by law.
• Article 6(1)(c) GDPR: compliance with legal obligations, for example commercial, tax, documentation or information obligations.
• Article 6(1)(f) GDPR: legitimate interests in IT security, abuse prevention, error analysis, legal enforcement, platform administration and operational improvement.

Where Mamas or midwives voluntarily provide information relating to health data, pregnancy, birth, postpartum care, breastfeeding, child data or similarly sensitive information, special categories of personal data within the meaning of Article 9 GDPR may be affected. Processing takes place only to provide the expressly requested platform functions and, where required, on the basis of explicit consent pursuant to Article 9(2)(a) GDPR. Consent may be withdrawn at any time with effect for the future. Withdrawal may mean that individual platform functions can no longer be provided.

4. Hosting, Website Delivery and Server Log Files

The website is operated on servers of Hetzner Online GmbH. The servers are located within the European Union. Server and proxy log files are processed for the technical delivery of the website and to secure operations.

In particular, the following data may be processed:

• IP address of the requesting device,
• date and time of access,
• requested URL, HTTP method, status code and transferred data volume,
• referrer URL, if transmitted by the browser,
• browser, device and operating system information, if transmitted by the browser.

The purpose of processing is to provide the website, analyse errors, detect misuse and attacks and ensure availability. The legal basis is Article 6(1)(f) GDPR. Server log files are generally stored only for as long as required for these purposes; the current operational standard period is no more than 14 days, unless a security review or legal obligation requires longer storage.

5. Registration, User Account and Authentication

When registering and managing a user account, we process in particular:

• first name and last name,
• email address,
• account role, in particular Mama, Maia/midwife or Babo/admin,
• password hash; the password is not stored in plain text,
• customer reference, verification status, registration time, update time and deletion status,
• times and technical states of login, last activity and session,
• acceptance of Terms and Conditions and privacy notices with timestamp,
• security tokens for email verification, password reset, password change, email change and admin OTP.

Email addresses, names and further profile content are stored encrypted according to the technical protection concept; an additional hash of the email address is used for unique login and lookup. Passwords are stored using a password hashing procedure. Verification and reset tokens are stored only as hashes and are time-limited. The current validity periods are 15 minutes for email verification and password reset links and 5 minutes for OTP codes for account changes and admin login. Access tokens are time-limited; refresh tokens are technically limited to 7 days and are additionally restricted by the configured inactivity timeout.

The purpose is to create, secure and manage the account. The legal basis is Article 6(1)(b) GDPR; for security and abuse protection additionally Article 6(1)(f) GDPR.

6. Mama Profile and Child Data

If you use the platform as a Mama, we process the profile and contact data you enter, in particular:

• address, phone number, preferred search radius and languages,
• date of birth of the Mama, number of pregnancies, number of born children and information about multiple pregnancy,
• voluntary free-text information about you and your situation,
• information about the child, in particular first name, estimated due date, date of birth and voluntary notes,
• geocoordinates of your address where required for radius search.

This data is used so that midwives can review suitable requests, contact you and organise services or courses. If you enter child data, you confirm that you are authorised to provide this data. The legal basis is Article 6(1)(b) GDPR; for special categories of personal data additionally Article 9(2)(a) GDPR where consent is required.

7. Maia/Midwife Profile and Professional Documents

If you use the platform as a Maia or midwife, we process in particular:

• private contact and address data, phone number, search radius and languages,
• practice data, if provided, including practice address, practice phone, website and IK number,
• professional information, free text, website, social media and information links,
• geocoordinates of private address and practice address where required for radius search,
• uploaded documents such as identity documents, professional diploma/certificate, information material and treatment contract,
• profile completeness status, confirmation status and admin review notes,
• setting whether the daily info email for open Mama requests in the saved search radius is enabled, including saved language and last processing day.

Documents are scanned server-side for malware and then stored encrypted. Identity documents and professional documents serve in particular to review and approve the midwife profile. Treatment contract and information material may be shown to Mamas if there is authorised access under the platform model, for example after an accepted request or course booking. Identity documents and professional diplomas/certificates are not made available for download to Mamas.

The legal basis is Article 6(1)(b) GDPR; for review, security and abuse prevention additionally Article 6(1)(f) GDPR.

8. Requests, Matching, Courses and Bookings

For Mama requests, midwife services, courses and bookings, we process in particular:

• request type, phase, service type, description, preferred date and voluntary notes,
• request status, in particular open, accepted, cancelled or invoiced,
• assignment to a midwife, acceptance time, cancellation time, invoicing status and optional invoice reference,
• course data of the midwife, in particular course type, phase, location or video link, start time, duration, recurrence, participant count, cost information, additional information and arrival information,
• booking status, in particular booked, waitlist, cancelled or finished.

Open Mama requests may be shown to midwives within the search and filter logic. If a midwife enables the daily info email, open Mama requests in the saved search radius may also be summarised once per day in a tabular email. This info email does not include the Mama's email address or phone number. As soon as a request is accepted, a course booking is created or treatment is initiated, the required contact, profile, request and course data may become visible between the respective participating Mamas and midwives. The purpose is matching, organisation, communication, performance and documentation of the requested services. The legal basis is Article 6(1)(b) GDPR; for documentation, security and abuse prevention additionally Article 6(1)(f) GDPR.

9. Location, Radius Search, Geocoding and Maps

For radius search, HebaMama processes addresses, postal codes, search radii and geocoordinates derived from them. During search, temporary search values such as radius and postal code may also be stored in the session without changing the permanently stored profile.

For address search and geocoding, the platform uses Nominatim based on OpenStreetMap. The entered address or postal code, technical request data and an application-related User-Agent are transmitted to the Nominatim service. We do not transmit names, passwords or profile texts to Nominatim. However, if an address is a private address, the address itself may already be personal data.

Maps are displayed using OpenStreetMap tiles. When loading a map, your browser may transmit technical data such as IP address, browser information, referrer and the requested map tiles to OpenStreetMap servers. The legal basis for geocoding and map display is Article 6(1)(b) GDPR where this is required for the requested search and display, and Article 6(1)(f) GDPR for a user-friendly and secure platform display.

10. Email Delivery and Platform Communication

HebaMama sends transactional emails, in particular for registration, email verification, password reset, account changes, admin OTP, legal information, system-related notices and, where enabled by the midwife, the daily info email about open Mama requests in the saved search radius. For this purpose, we process email address, name, language, email content, sending time and technical delivery data.

Emails are sent via Mailjet by Sinch, an email delivery and SMTP service for transactional emails. In particular, recipient address, sender data, subject, message content, PDF attachments where applicable, and technical sending, delivery and error data are transmitted to Mailjet. This may also include events such as bounce, blocked or spam complaint signals where this is required for secure delivery, error analysis and suppression of undeliverable recipient addresses. Mailjet is used only for transactional platform emails, not for advertising tracking.

The legal basis is Article 6(1)(b) GDPR for contract- and account-related emails and Article 6(1)(f) GDPR for security, system and deliverability notices. Where required, contractual data processing terms pursuant to Article 28 GDPR are in place with Mailjet. According to Mailjet's security and privacy information, data is stored in data centres in Frankfurt (Germany) and Saint-Ghislain (Belgium).

11. hCaptcha for Abuse Protection

To protect registration and login functions against automated abuse, HebaMama may use hCaptcha. The provider is Intuition Machines, Inc., USA. When hCaptcha is loaded and solved, technical data such as IP address, browser and device information, interaction data, referrer and the result of the challenge may be transmitted to hCaptcha.

The purpose is to distinguish human use from automated attacks and to protect user accounts and infrastructure. The legal basis is Article 6(1)(f) GDPR. Where hCaptcha requires consent, Article 6(1)(a) GDPR is the legal basis.

12. Cookies, Session Data and Local Browser Data

HebaMama uses technically necessary cookies and session data. These include in particular:

• session cookie for CSRF protection and server-side form security,
• access and refresh token cookies for logged-in users,
• OTP pending cookie during admin login,
• language cookie to store the selected language,
• temporary session values such as search radius and postal code for current search views.

Authentication cookies are set as HTTP-only and SameSite=Lax; in appropriately configured environments they are also set as Secure cookies. Technically necessary cookies and session values are required to provide the expressly requested platform functions, protect logins, prevent CSRF attacks and remember language settings. The legal basis is Article 6(1)(b) GDPR and Article 6(1)(f) GDPR. Access to terminal equipment is used for strictly necessary functions pursuant to Section 25(2) TDDDG without separate cookie consent.

HebaMama currently does not use web analytics, marketing or tracking cookies.

13. Admin Review, Moderation, Support and Audit Logs

For platform administration, authorised admins may access and edit data where this is necessary for review, approval, support, abuse prevention, legal enforcement or technical troubleshooting. When approving or rejecting midwife profiles, review decisions, admin ID, comments and timestamps may be stored in audit logs.

The legal basis is Article 6(1)(b) GDPR where processing is required to provide the platform, Article 6(1)(f) GDPR for security, support and documentation interests and Article 6(1)(c) GDPR where legal obligations are involved.

14. Recipients and Disclosure of Data

Personal data is disclosed only where this is required for platform functions, technical provision, security, legal obligations or enforcement of rights.

• Mamas and midwives each receive only the other party's data that is required and released in the system according to request, booking, treatment or contract status.
• Authorised admins receive access where this is required for review, support, moderation and security.
• Hosting, infrastructure, Mailjet/SMTP and security service providers receive data within the scope of their technical tasks.
• OpenStreetMap/Nominatim and hCaptcha receive the technical data described in the respective sections.
• Authorities, courts, legal advisers or other bodies may receive data where there is a legal obligation or where claims must be asserted, exercised or defended.

Where required, data processing agreements pursuant to Article 28 GDPR are concluded with processors.

15. Transfers to Third Countries

In principle, we operate the core platform within the European Union. According to Mailjet's security and privacy information, email delivery is processed via data centres in Frankfurt (Germany) and Saint-Ghislain (Belgium). When emails are delivered to recipient mailboxes, a transfer to servers outside the European Union or the European Economic Area may nevertheless occur if the relevant recipient mailbox or mail service is operated there. For individual services, in particular hCaptcha, OpenStreetMap/Nominatim or in the context of individual support, operations or security processes of service providers, a third-country connection cannot be fully excluded. Where required, such transfers are based on an adequacy decision, EU Standard Contractual Clauses or other appropriate safeguards pursuant to Articles 44 et seq. GDPR.

16. Retention and Deletion

We store personal data only for as long as required for the respective purposes or for as long as statutory retention, documentation or limitation periods apply.

• Server log files are generally stored for no more than 14 days, unless a security review or legal obligation requires longer storage.
• Registration, account, profile, request, course, booking and document data is generally stored for the duration of use and deleted or restricted after account deletion or a justified deletion request, unless legal obligations or legitimate documentation interests prevent this.
• Verification, reset and OTP tokens are time-limited and become invalid after expiry, use or replacement.
• Session data is generally processed only for the current use or until the session or token validity expires.
• Backups are created for operational and recovery capability and overwritten or deleted according to operational backup periods.
• Admin audit logs are stored for as long as required for review, security and documentation purposes.

17. Security Measures

HebaMama uses technical and organisational measures to protect personal data. These include in particular HTTPS, security headers, CSRF protection, HTTP-only cookies, role-based access controls, inactivity timeouts, hashing of passwords and tokens, encryption of sensitive profile data and documents, virus scans for uploads, access restrictions for admin functions, logging of security-relevant events and regular backups.

18. Your Rights

Subject to the GDPR, you have in particular the following rights:

• access pursuant to Article 15 GDPR,
• rectification pursuant to Article 16 GDPR,
• erasure pursuant to Article 17 GDPR,
• restriction of processing pursuant to Article 18 GDPR,
• data portability pursuant to Article 20 GDPR,
• objection pursuant to Article 21 GDPR,
• withdrawal of consent with effect for the future pursuant to Article 7(3) GDPR.

To exercise your rights, you may contact info@hebamama.com. To process your request, it may be necessary to verify your identity.

19. Objection and Withdrawal

If we process data on the basis of Article 6(1)(f) GDPR, you may object at any time on grounds relating to your particular situation. If we process data on the basis of consent, you may withdraw that consent at any time with effect for the future. The lawfulness of processing carried out before withdrawal remains unaffected.

20. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority may in particular be the authority of your place of residence, place of work or the place of the alleged infringement. For Bavaria, this is usually the Bavarian State Office for Data Protection Supervision, unless another authority is competent.

21. Obligation to Provide Data

The provision of certain data is required for registration, login, profile completeness, search, matching, requests, course bookings or document review. Without this data, individual functions cannot be used or can be used only in a limited way. Voluntary information is required only if you want to use the associated function.

22. Automated Decisions and Sorting

HebaMama does not make solely automated decisions with legal effect or similarly significant effects within the meaning of Article 22 GDPR. Search and table views may be filtered and sorted by criteria such as radius, location, status, time, profile or course characteristics. Admin approvals are not carried out solely automatically.

23. Changes to This Privacy Policy

We may update this privacy policy if technical functions, legal requirements, service providers or processing activities change. The current version is available on the website.