Privacy Policy

Last updated: 27 May 2026

This Privacy Policy describes how AskBefore UG (haftungsbeschränkt) ("AskBefore", "we", "us", or "our") collects, uses, stores, and protects your personal information when you use our services.

This notice applies when you:

  • visit our website at https://www.askbefore.eu/;
  • use our web application at https://app.askbefore.eu/;
  • share STI test results with your partner via the AskBefore Platform;
  • book STI tests with partner testing providers through our Platform (and make payments for medical services directly to our partner testing providers);
  • interact with us in any other way (e.g., support, marketing, events, or feedback).

When you book STI tests through AskBefore, we and the respective testing provider act as joint controllers with regard to this data processing activity (booking medical tests). When you actually receive the medical services you have booked and paid for, partner testing providers act as separate and independent controllers for their own processing of your medical records and test results under their own privacy notices. Under no circumstances do we receive your medical test results from partner testing providers.

What is AskBefore?

AskBefore is a private, secure, and elegant platform for managing STI-related health data. It allows users to:

  • Securely share test results with trusted partners;
  • Find, compare, and book STI testing with participating testing providers.

Our mission is to make sexual health more transparent, stigma-free, and accessible — while respecting your privacy at every step.

Questions or concerns?

We’re committed to protecting your privacy and helping you understand your rights and choices. This Privacy Policy explains how we handle your personal information and the decisions we make as a data controller.

If you have any questions, feedback, or concerns about how your data is processed, we encourage you to contact us at privacy@askbefore.eu.

Summary of key points

This summary highlights the most important parts of our Privacy Policy.

For more detailed information, please explore specific topics by clicking the links below or navigating through the full Table of Contents at the beginning of this page.

What personal information do we collect?

We collect personal information when you visit our website or app, create an account, book medical tests, submit a partner contact request, or otherwise interact with our services. This may include your email address, name, surname, phone number, IP address, booking details, and information about how you interact with the Platform.

👉 Learn more: Personal information we collect

Do we process sensitive health data?

Yes — if you use our platform to share your STI test results with your partner, it will inevitably mean processing data about your health.

However, all sensitive data (such as STI test results, the STI tests requested, or a custom message you may add to the Exchange Page) is end-to-end encrypted (E2EE). We never have access to the contents, cannot decrypt this data, and store it in its encrypted form only.

When you book STI tests through AskBefore, the booking data may also reveal health-related information, for example the selected STI tests or test package. In this case, we process such health-related booking data only to arrange and administer your booking and, where required under the GDPR, based on your explicit consent.

Can AskBefore control what recipients do with shared results?

No. Once you have shared the information with your partner, we cannot control how your partner uses these data. Please share access to your STI test results only with people you trust.

👉 Learn more: Recipients of personal data

Do we get data from third parties?

In most cases — no. We do not obtain personal data about you from third-party sources or public registries. However, when you pay for the medical tests ordered, the payment processor (Stripe) gives us the information on whether the payment was successful.

Why and how do we use your data?

We use your data to:

  • provide you with two types of services: booking STI tests and sharing STI test results with your partner. These two types of services may be used independently,
  • keep your account secure,
  • notify you about actions taken either within your account or in connection with it (e.g., account deletion request, Exchange Page access, etc.).

We do not use your personal data for purposes that are incompatible with the purposes described in this Privacy Policy, and we only process your data where we have a legal basis to do so, such as performance of a contract, your consent or pursuing our legitimate interests.

👉 Learn more: How we use your data

In what situations and with which parties do we share personal information?

We share limited personal information with partner testing providers when you book medical tests with the help of our Platform. We also share a small amount of data with the payment processor to make it possible for you to pay for the medical tests chosen and complete the booking. When we send you email notifications, your email, order details (appointment time and date, total price, order ID) and event type data (“account deletion request”, “password change request”, etc.) are shared with the email notifications provider. When we send you email notifications that are not related to medical test purchases, we use only standardized email texts that do not include personal details, and your medical test results are not transferred to email providers, including in encrypted or otherwise digitally encoded form.

We do not sell your personal information and do not share it with third parties for advertising or marketing purposes.

👉 Learn more: Who we share data with

How do we keep your information safe?

We apply appropriate organizational and technical measures to protect your personal information. This includes end-to-end encryption of STI test results, STI tests requested and custom messages added to the Exchange Page, secure storage, access controls, data minimization, internal review procedures, and retention limits designed to ensure that personal data is deleted or anonymized when it is no longer needed.

However, no system or method of electronic transmission is 100% secure. We cannot guarantee that unauthorized third parties will never be able to defeat our security measures or misuse your data. That said, even in the unlikely event of a system breach, your STI test results, the STI tests requested, and your custom message remain protected. This is because these data are stored using end-to-end encryption (E2EE) and can only be decrypted using a private passphrase that we do not store and that is only available to your authorized partners. As a result, we cannot read or decrypt your results, and neither can anyone else without that passphrase.

👉 Learn more: How we protect personal data

What are your rights?

Depending on your location, you may have rights under privacy-related laws, subject to legal limits and exceptions. These rights may include:

  • Accessing your personal information
  • Requesting corrections or deletion
  • Withdrawing your consent where our processing is based on consent
  • Limiting how your data is used

Withdrawing consent does not reverse a completed booking or any information already shared with the selected testing provider to arrange or fulfil that booking. Some data may continue to be processed where another legal basis applies.

👉 Learn more: Your privacy rights

How do you exercise your rights?

You can manage most of your privacy preferences at 🔗 https://app.askbefore.eu/account-settings 👀

To exercise your rights of access, rectification, erasure, restriction, objection, portability or withdrawal of consent, you can contact us at 📩 privacy@askbefore.eu. Please take into consideration that you may delete or change your personal data in your account.

Want to know more?

Read the full Privacy Policy to learn how and why we collect, use, and protect your data.

1) What personal information do we collect? What legal bases do we rely on to process your information? How long do we keep your information?

In this section, we describe each purpose for which we process personal data.

If you are an individual using the Platform for your own personal life, we may process your personal data for the following purposes:

  1. Account creation

    We process the following categories of personal data: password (in a hashed form), user ID, user email, age verification data (whether you are above 18), verification email logs (whether we have sent you the registration confirmation email and whether you have confirmed the registration).

    We store these data: for 1 year after your last authorization.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to create an account for you.

  2. Logging in to the user account

    We process the following categories of personal data: password (in a hashed form), user ID, user email.

    We store these data: for 1 year after your last authorization.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with access to your account.

  3. Password recovery and account access restoration

    We process the following categories of personal data: password (in a hashed form), user ID, user email, verification email logs (whether you have confirmed password change).

    We store these data: for 1 year after your last authorization.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to restore your access to your account.

  4. Changing account email address

    We process the following categories of personal data: user ID, user email, verification email logs (whether you have confirmed change of your account email).

    We store these data: for 1 year after your last authorization.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to change the email you use to access your account.

  5. STI test result sharing (creation and use of the Exchange Page, including uploading STI test results, requesting STI test results and QR code sharing – and QR code scanning and partner verification)

    We process the following categories of personal data: encrypted STI test results document, encrypted STI test results requested from the partner, QR code linking to the Exchange Page, personal message (if a custom message is added, it is also end-to-end encrypted), passphrase*, link between members’ profiles and the Exchange Page, Exchange Page ID, Exchange Page interaction status, the partner’s decision to share her STI test results, user ID.

    *To access the Exchange Page, the passphrase is used locally on the user’s device to unlock the content. The Company does not receive, store, or hash the passphrase. Only encrypted content and limited technical parameters are stored on our servers, and the Company cannot access the underlying content without the passphrase.

    We store these data: either until both parties have viewed the STI test results of each other (in this case the Exchange Page is deleted automatically once the person having created the Exchange Page has viewed the STI test results of the partner) or until the Exchange Page is deleted. The Exchange Page is deleted either manually by the user having created it or automatically 3 months after it was created.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and explicit consent (Art. 9(2)(a) of the GDPR). If we cannot process these personal data, we will not be able to provide you with this type of service – sharing your STI test results with your partner. Since we process special categories of personal data for this particular purpose, the additional legal basis is your explicit consent to processing your health data (Art. 9(2)(a) of the GDPR).

  6. Purchasing medical tests

    We process the following categories of personal data: user email, first name, surname, phone number, appointment details (services booked, selected medical tests and/or test package in a pseudonymized format, e.g. internal reference codes), appointment date and time, testing provider address, order ID, testing provider name, package price, payment status, and user ID.

    To minimise the use of health-related details, we use neutral internal references where possible instead of descriptive test names.

    We store these data: for 6 months after the tests were ordered.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and, where the booking data reveals health-related information, explicit consent (Art. 9(2)(a) of the GDPR). If we cannot process these personal data, we will not be able to provide you with this type of service – ordering and paying for medical tests.

    Before completing the purchase, we ask you to give explicit consent for the processing of health-related booking data through a separate, non-pre-ticked checkbox. The purchase cannot be completed unless this checkbox is actively selected.

  7. Displaying the nearest testing providers using map services

    We process the following categories of personal data: geolocation, IP address, medical tests chosen (this piece of data is needed to ensure that only testing providers that offer the medical services you need are shown on the map).

    We store these data: up to 1 week after the data were collected.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to show you the map with the partner testing providers offering the services you need.

  8. Saving medical tests purchasing history

    We process the following categories of personal data: user email, first name, surname, phone number, appointment details (services booked, selected medical tests and/or test package in a pseudonymized format, e.g. internal reference codes), appointment date and time, testing provider address, order ID, testing provider name, package price, payment status, and user ID.

    We store these data: for 6 months after the tests were ordered.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and, where the purchasing history reveals health-related information, explicit consent (Art. 9(2)(a) of the GDPR). If we cannot process these personal data, we will not be able to show you your medical test order history.

    For legal, accounting, and compliance purposes, we may retain a limited subset of transaction-related information for a longer period where required or permitted by applicable law. In such cases, the legal basis for processing is compliance with a legal obligation (Art. 6(1)(c) GDPR).

    Such information is stored exclusively in a neutral, non-medical coded form and does not contain direct references to specific medical tests (e.g. their exact names). The conversion of such codes into human-readable names is performed solely in the user interface for display purposes.

  9. Sending order confirmation emails

    We process the following categories of personal data: user email, appointment details (appointment date and time, testing provider address), order ID, testing provider name, testing provider contact details, and support-related links or actions.

    We store these data: for 3 months after the order confirmation was sent.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with order confirmation information.

  10. Sending notification emails about actions taken by the user within the Platform and actions taken by the user’s partner with regard to the Exchange Page

    We process the following categories of personal data: user email, Exchange Page interaction status, actions taken within the account (e.g., account deletion request), user ID.

    We store these data: for 3 months after the email notification was sent.

    The legal basis for processing the data: pursuing a legitimate interest (Art. 6(1)(f) of the GDPR). The legitimate interest pursued by AskBefore is maintaining the integrity and security of the user’s account, as well as transparency of result-sharing activity.

  11. Logging user actions when a user links to the Exchange Page

    We process the following categories of personal data: IP address, user ID, session token, event logs.

    We store these data: 48 hours after the link was generated.

    The legal basis for processing the data: pursuing a legitimate interest (Art. 6(1)(f) of the GDPR). The legitimate interest pursued by AskBefore is ensuring the Platform security, preventing unauthorised access to STI test results exchanges, detecting misuse or fraudulent activity, and maintaining the integrity of ordering and sharing workflows within the Platform.

  12. Providing customer support

    We process the following categories of personal data: user email, user ID, support request details.

    We store these data: for up to 6 months after the problem is resolved.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with customer support and resolve the problem you have.

  13. Collecting data about how you use the Platform for further optimization of the Platform

    We process the following categories of personal data: IP address, events (automatic and custom), heatmaps, device information (browser, OS), inferred geolocation, session recordings (mouse movement, clicks, scroll behaviour), clickstream behaviour.

    We store these data: for up to 3 months after the data is collected.

    The legal basis for processing the data: consent (Art. 6(1)(a) of the GDPR).



If you are a representative or authorized team member of a partner organization and use the Partner Portal on behalf of that organization, we may process your personal data for the following purposes.

A partner organization may include a testing provider or another service provider that works with AskBefore.

  1. Creating a partner organization profile and Partner Admin account

    We process the following categories of personal data: name, email address provided for Partner Portal access, partner organization name, assigned role, invitation status, invitation email logs, password in a hashed form, user ID, and technical logs related to account creation.

    We use these data to create the partner organization profile in the Partner Portal, assign the Partner Admin role, send the account invitation, activate the account, and provide access to the Partner Portal.

    We store these data: until the Partner Agreement is terminated or your Partner Portal access is removed, unless a longer retention period is required or permitted for security, audit, legal, compliance, or legitimate business purposes.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and/or our legitimate interests (Art. 6(1)(f) of the GDPR) in providing secure access to the Partner Portal and managing our relationship with partner organizations. If we cannot process these personal data, we will not be able to create an account for you or provide access to the Partner Portal.

  2. Inviting team members and managing access

    A Partner Admin or another authorized team member may invite other users to the Partner Portal.

    We process the following categories of personal data of the invited user: name, email address provided for Partner Portal access, assigned role, partner organization, assigned location or locations, access scope, invitation status, and logs related to the sending, opening, and acceptance of the invitation.

    We use these data to send invitations, create Partner Portal accounts, assign roles and permissions, and ensure that each user can only access information relevant to their assigned role and access scope.

    We store these data: until the Partner Agreement is terminated or the user’s Partner Portal access is removed, unless a longer retention period is required or permitted for security, audit, legal, compliance, or legitimate business purposes.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and/or our legitimate interests (Art. 6(1)(f) of the GDPR) in managing access, maintaining security, and supporting operational transparency in the Partner Portal. If we cannot process these personal data, we will not be able to invite the user, create their account, or assign role-based access.

  3. Logging in to the Partner Portal

    We process the following categories of personal data: email address provided for Partner Portal access, password in a hashed form, user ID, assigned role, partner organization, assigned location or access scope, login timestamps, session data, IP address, device and browser information, and security event logs.

    We use these data to authenticate users, provide secure access to the Partner Portal, prevent unauthorized access, detect misuse, and maintain the security of the Partner Portal.

    We store these data: until the Partner Agreement is terminated or the user’s Partner Portal access is removed. Security logs may be retained for a limited additional period where necessary for security, audit, incident investigation, legal, or compliance purposes.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and our legitimate interests (Art. 6(1)(f) of the GDPR) in maintaining the security of the Partner Portal. If we cannot process these personal data, we will not be able to provide secure access to the Partner Portal.

  4. Password recovery and account access restoration

    We process the following categories of personal data: email address provided for Partner Portal access, password in a hashed form, user ID, password recovery email logs, and confirmation logs related to password changes.

    We use these data to restore access to your account, allow you to change your password, and protect the account from unauthorized access.

    We store these data: until the Partner Agreement is terminated or the user’s Partner Portal access is removed. Password recovery logs may be retained for a limited additional period for security and audit purposes.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and our legitimate interests (Art. 6(1)(f) of the GDPR) in protecting account security. If we cannot process these personal data, we will not be able to restore access to your account.

  5. Partner Portal activity, submitted information, and History Log

    We process the following categories of personal data: user ID, name, email address provided for Partner Portal access, assigned role, partner organization, assigned location or access scope, date and time of action, event type, event details, affected item, submitted content, and, where relevant, before-and-after values.

    This may include activity related to account activation, sign-in, team invitations, role and access management, notification settings, locations, services, sample types, testing methods, prices, packages, discounts, availability, booking settings, expected turnaround or result delivery times, payment provider settings, contact details, suggestions, orders, and other operational actions in the Partner Portal.

    We use these data to provide and secure the Partner Portal, manage role-based access, maintain the History Log, support users, troubleshoot issues, send service-related notifications, maintain operational transparency, and keep an audit trail of important actions.

    The History Log may be available to Partner Portal users depending on their assigned role and access scope. Users can only see activity that is relevant and appropriate for their role, organization, location, or assigned locations.

    We store these data: for the duration of the Partner Agreement and for a limited period after termination where necessary for audit, security, legal, compliance, support, or legitimate business purposes.

    The legal basis for processing the data: our legitimate interests (Art. 6(1)(f) of the GDPR) in maintaining security, auditability, transparency, and support for the Partner Portal, and, where applicable, contract (Art. 6(1)(b) of the GDPR).

  6. Partner Portal email notifications

    We process the following categories of personal data: name, email address provided for Partner Portal access, assigned role, partner organization, assigned location or access scope, notification settings, event type, event details, location name, Order ID where relevant, and email delivery logs.

    We use these data to send service-related email notifications about activity and updates that are relevant to your role and access scope, unless you have changed your email notification settings or the notification is required for your role.

    Some notifications may include another team member’s name, role, and details of the action they performed, where this is relevant to your role and access scope.

    Some service-related notifications may be required for certain roles where they are necessary to perform that role, such as new order notifications for reception roles.

    We store these data: for a limited period necessary to confirm delivery, provide support, maintain auditability, and protect the security of the Partner Portal.

    The legal basis for processing the data: our legitimate interests (Art. 6(1)(f) of the GDPR) in providing operational transparency, security, and service-related communications. For optional product updates or marketing communications, we rely on consent where required by applicable law.

  7. Location contact details

    Partner organizations may provide a contact email address for their locations that users can use to contact the location about bookings, rescheduling, cancellations, visits, orders, or related questions.

    If these contact details relate to an individual person, they may be personal data. The partner organization is responsible for ensuring that the contact details it provides are accurate, current, and appropriate for user communications.

    We may show these contact details to AskBefore users where necessary to help them contact the location about an order, booking, or visit.

    This location contact email may be shown to users who booked or purchased services related to the respective location in order to enable communication regarding bookings, appointments, cancellations, rescheduling, visits, payments, or related operational questions.

    We store these data: for as long as the location remains active in the Partner Portal or until the contact details are changed or removed, unless a longer retention period is required or permitted by law.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and our legitimate interests (Art. 6(1)(f) of the GDPR) in enabling communication between users and partner locations.

  8. AskBefore Booking

    AskBefore Booking is an optional feature that may be made available to partner organizations for evaluation, testing, setup, or operational use. Partner organizations may choose whether to use AskBefore Booking and for which locations, services, or purposes.

    When AskBefore Booking is enabled, configured, or tested for a partner organization or location, authorized Partner Portal users may configure booking availability, appointment schedules, capacity, and related booking settings.

    We may process Partner Portal activity related to AskBefore Booking, including the user who made the change, assigned role, partner organization, location, date and time of action, booking settings, before-and-after values where relevant, and related operational logs.

    We use these data to provide AskBefore Booking, show appointment availability to users, manage bookings, maintain the History Log, provide support, and ensure operational transparency.

    We store these data: for the duration of the Partner Agreement and for a limited period after termination where necessary for audit, support, security, legal, compliance, or legitimate business purposes.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and/or our legitimate interests (Art. 6(1)(f) of the GDPR) in providing booking functionality, operational support, security, and auditability.

  9. Partner contact requests and partnership enquiries

    If you contact us through a partner landing page, contact form, or similar partner-facing page, we may process the following categories of personal data: first name, surname, business email address, mobile phone number, message content, date and time of submission, and communication history.

    We use these data to receive and respond to your enquiry, contact you about a potential partnership, arrange follow-up communication, assess whether AskBefore may be relevant for your organization, and maintain a record of business communications.

    We store these data: for up to 12 months after the last meaningful interaction, unless the enquiry leads to a partnership or another business relationship, in which case the relevant data may be stored for the duration of that relationship and for a limited period afterwards where necessary for legal, compliance, audit, dispute-resolution, or legitimate business purposes.

    The legal basis for processing the data: our legitimate interests (Art. 6(1)(f) GDPR) in responding to partner enquiries, developing business relationships, and keeping records of business communications. Where your enquiry concerns steps before entering into a contract, the legal basis may also be contract or pre-contractual steps (Art. 6(1)(b) GDPR).

    We do not use the phone number provided through the partner contact form for unrelated marketing calls or messages unless this is permitted by applicable law or you have given any required consent.

  10. Payment provider and payment integration settings

    Some partner organizations may choose to use an integrated payment provider, such as Stripe Connect or another payment provider supported by AskBefore. In these cases, AskBefore may enable payment provider functionality for that partner organization.

    Partner organizations may use different booking and payment flows depending on the setup enabled for them. In some cases, AskBefore may redirect users to a page or link provided by the partner organization, where booking or payment may take place outside AskBefore. In other cases, users may book through the AskBefore Platform and pay directly at the location or through an integrated payment provider supported by AskBefore.

    A partner organization’s payment integration setup may change over time, depending on the partner organization’s preferences, operational needs, or agreement with AskBefore.

    When payment provider or payment integration settings are configured or changed, we may process Partner Portal activity such as the user who made or requested the change, assigned role, partner organization, location or access scope where relevant, date and time of action, payment provider status, payment integration type, link provided for simplified integration, and related operational logs.

    We use these data to manage payment-related settings, provide support, maintain the History Log, ensure operational transparency, and support the correct order and payment flow for users.

    We store these data: for the duration of the Partner Agreement and for a limited period after termination where necessary for audit, support, security, legal, compliance, or legitimate business purposes.

    The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and/or our legitimate interests (Art. 6(1)(f) of the GDPR) in managing payment-related functionality, support, security, and auditability.

2) Is automated decision-making used?

We do not use automated decision-making, including profiling, within the meaning of Art. 22 of the GDPR that produces legal effects concerning you or similarly significantly affects you.

3) Who is a data controller?

AskBefore UG (haftungsbeschränkt), c/o Red Tape Translation UG, Berliner Str. 69, 13189 Berlin, Germany, is the “data controller” for almost all data processing activities described in this Privacy Policy, including account data, bookings, email communication, and encrypted uploads. This means we determine the purposes and means of processing this data.

When you book medical tests through AskBefore, partner testing providers act as joint controllers together with AskBefore. However, AskBefore does not participate in the provision of medical services. For this reason partner testing providers act as independent controllers for their own processing of your personal data in the context of medical care, diagnostics and the handling of your test results, in line with their own privacy notices. AskBefore neither has any information about your visit nor receives your test results from testing providers.

We do not process personal data on behalf of partner testing providers or other partners, and we do not act as a data processor for them. If you have questions about how a testing provider handles your personal data, please refer to that testing provider's privacy policy directly.

4) When and with whom do we share your personal information?

We only share personal information when necessary to operate the Platform and provide you with the services you have requested.

We share certain personal data with trusted third-party service providers who help us deliver our services. These providers act only on our instructions and must comply with strict confidentiality and security obligations. They are not permitted to use or share your data for their own purposes.

⚠️ Important: No third-party providers have access to the contents of your encrypted STI test results, the STI tests requested, or the custom message that you may add to your Exchange Page, even though these are physically stored on a server provided by a third-party provider. These files remain end-to-end encrypted and unreadable by anyone, including AskBefore and our vendors.

Service providers (processors)

We use the services of carefully selected service providers who process personal data on our behalf and only on our documented instructions, subject to confidentiality and security obligations. These include:

  • Vercel, Inc., with its principal place of business at 440 N Barranca Ave #4133, Covina, CA 91723, United States of America – a cloud hosting provider. Vercel, Inc. participates in the Data Privacy Framework, which enjoys the adequacy decision of the European Commission;
  • Supabase, Inc, with its principal place of business at 970 Toa Payoh North #07-04, Singapore 318992 – a cloud database provider. The transfer of personal data to Supabase, Inc. is based on Standard Contractual Clauses drafted and adopted by the European Commission;
  • Google Cloud EMEA Limited, with its principal place of business at 70 Sir John Rogerson’s Quay, Dublin 2, Ireland – provider of Google Cloud Storage service;
  • Google Ireland Limited, with its principal place of business at Gordon House Barrow Street, Dublin 4, D04E5W5, Ireland – provider of Google Analytics service;
  • Sendinblue SAS, with its principal place of business at 9-17, rue Salneuve 75017 Paris, France – provider of Brevo email notifications delivery service;
  • Cisco Systems, Inc., with its principal place of business at 170 West Tasman Drive, San Jose, CA 95134, United States of America – provider of Smartlook analytics services. Cisco Systems, Inc. participates in the Data Privacy Framework, which enjoys the adequacy decision of the European Commission;
  • PostHog Inc, with its principal place of business at 2261 Market Street #4008, San Francisco, CA 94114, United States of America – provider of PostHog analytics services. PostHog Inc participates in the Data Privacy Framework, which enjoys the adequacy decision of the European Commission;
  • Mapbox, Inc., with its principal place of business at 1133 15th St NW, Suite 825, Washington, DC 20005, United States of America – provider of Mapbox map-displaying service. Mapbox, Inc. participates in the Data Privacy Framework, which enjoys the adequacy decision of the European Commission.

Service providers (independent controllers)

Some third parties process personal data as independent controllers for their own purposes, under their own privacy notices, even where their services are integrated into AskBefore. These include in particular:

  • Stripe, Inc., with its principal place of business at 354 Oyster Point Blvd, South San Francisco, CA 94080, United States of America – a payment provider. Stripe, Inc. participates in the Data Privacy Framework, which enjoys the adequacy decision of the European Commission.

Testing providers

When you order medical tests or complete checkout and appointment coordination through AskBefore, we share limited booking/contact information with the selected testing provider so that they can administer and provide the services you have booked.

For the booking and administration of STI testing services purchased through AskBefore, AskBefore and the selected testing provider act as joint controllers. This joint controllership is limited to the booking and administration of the booked service.

AskBefore is responsible for operating the Platform, collecting booking information, making limited booking-related information available through the Partner Portal, sending booking-related notifications, maintaining order history, and responding to privacy requests relating to Platform processing. The selected testing provider is responsible for administering and providing the booked service, verifying your order ID where necessary, performing the test or arranging for it to be performed, providing the test results directly to you, and responding to privacy requests relating to the medical service it provides.

What we share with testing providers when you book or order medical tests:

  • the order ID;
  • first name and last name;
  • phone number;
  • account or contact email;
  • the tests or services booked;
  • the sample type, where applicable;
  • the date and time of the appointment or visit, if scheduled;
  • the order status (pending / completed / canceled);
  • payment confirmation.

The testing provider uses this information to identify and administer your booking, provide the booked services, confirm your attendance, contact you about the appointment, clarify practical details, or reschedule where needed. In order to receive the services you have booked, you may be asked to provide your order ID.

Testing providers access booking/contact data through authenticated, role-gated Partner Portal access, not through ordinary email with full booking payloads.

Where the information shared with the selected testing provider may reveal health-related information, such as the STI tests or services booked, this sharing is covered by the user's explicit consent under Art. 9(2)(a) GDPR.

We do not share your AskBefore user ID, STI test results, diagnostic data, uploaded documents, Exchange Page content, personal messages, or passphrase with the testing provider through AskBefore. Test results are provided to you directly by the testing provider, and any documents you upload to AskBefore remain end-to-end encrypted.

Partner testing providers are not involved in the separate user-controlled functionality for exchanging STI test results between users and their partners.

We may also share your personal data in these limited cases:

Official Request — if an authority orders AskBefore to provide personal data of its users, we may share these data provided that such a request is based on EU Law (either the law of the EU or the law of the EU member state) and AskBefore is legally obliged to obey the respective order;

Business Transfers — if our company is involved in a merger, acquisition, financing, or sale of assets, your data may be transferred as part of the transaction;

With Your Consent — in specific cases, we may share your data with a third party (e.g., a testing provider or partner) only if you have explicitly requested or authorized it. This is especially the case when you use AskBefore for sharing your STI test results with your partner.

5) International data transfers

Some of our service providers and partners are located outside the European Economic Area (EEA) or may access personal data from such locations, including in countries that may not offer the same level of data protection as the EEA. Please check the section above to find information about the status of the recipient’s jurisdiction (whether it enjoys the adequacy decision of the European Commission), as well as about the appropriate safeguard used to transfer personal data to a third country.

6) Do we use cookies and other tracking technologies?

We use only essential and privacy-focused tracking technologies to help us operate and improve our services. We do not use cookies for third-party advertising, and we do not allow third parties (such as Google Ireland Limited, PostHog Inc, or Cisco Systems, Inc.) to track you for their own marketing purposes while using our platform.

We use, in particular:

  • strictly necessary cookies, for example to keep you signed in, route traffic correctly, prevent fraud and remember your basic settings;
  • analytics cookies or similar technologies, to understand how often our services are used and which features are most helpful, in order to improve performance and design.

We do not use cookies or tracking tools to show you advertisements, nor do we use behavioral targeting on our platform. While we may use Google Analytics in a privacy-conscious way to understand general traffic trends (such as visit counts or bounce rates), we do not allow Google to use this data for their own advertising or profiling purposes. Our implementation does not grant Google Ireland Limited or Cisco Systems, Inc. access to user-level data or cross-site identifiers.

We do not permit:

  • Google Ireland Limited or Cisco Systems, Inc. to track your behavior on the Platform for their own purposes;
  • retargeting, remarketing, or interest-based advertising on our Platform;
  • personalization of content or ads based on your activity in AskBefore.

Where required by law, we will ask for your consent before placing non-essential cookies or using similar technologies on your device, and you can withdraw your consent or change your preferences at any time using your browser settings and our cookie banner or settings interface. For more details on the types of cookies we use, and how you can manage your preferences, please check our Cookie Policy.

7) How do we keep your information safe?

We implement a combination of technical and organizational safeguards to protect your data, but no system can be 100% secure. Still, we do our best and regularly review and update our data protection practices.

We use a variety of security measures designed to protect the personal information we collect and process, including:

  • end-to-end encryption (E2EE) of STI test results, custom personal messages and STI tests requested — encrypted on your device before upload, stored only in encrypted form, and inaccessible to us at any time;
  • access controls and data minimization — we collect only the information strictly necessary to deliver our services. We also make sure that only those AskBefore employees who really need this information to perform their work-related tasks (for example, our Support team members) get access to personal data;
  • secure infrastructure — we use trusted third-party tools with robust privacy protections;
  • no storage of decryption credentials — only users manage their own passphrases;
  • no third-party QR code generators — the QR code leading to the Exchange Page is generated on the browser level. No third-party solution is used.

Where possible, we use coded/template-based identifiers for STI tests or packages and resolve them only for display purposes within the relevant interface.

8) What can you do to help us keep your data safe?

To help keep your data safe, we encourage you to:

  • use secure and trusted devices;
  • never share your decryption credentials with untrusted parties;
  • use an email that is not shared with other people;
  • log out of your email account when you finish your session if you use a device shared with others;
  • delete AskBefore links after they’ve been viewed (for added privacy).

Our platform enables users to upload and share encrypted documents, for example, STI test results, using end-to-end encryption (E2EE). These files are encrypted on your device before upload and stored in encrypted form only. Due to this encryption model, we:

  • cannot access or decrypt any uploaded file contents;
  • do not verify that the uploaded document contains an STI test result;
  • do not review or validate the accuracy, authenticity, or origin of uploaded files;
  • do not verify the identity of individuals who access a file using both a valid AskBefore link and an authorized, signed-in profile with the correct passphrase.

Once a document is accessed with the correct credentials, our system assumes the access is authorized. We cannot monitor or control what a recipient does with the file after that point.

While we implement strong security measures, including E2EE, users are solely responsible for managing and securely storing their own decryption keys (passphrases). We do not have access to these keys.

We are not responsible for any unauthorized access or data exposure resulting from users:

  • sharing their passphrases with others;
  • storing them insecurely;
  • disclosing or redistributing files (intentionally or unintentionally).

You should never share your passphrase with untrusted parties and you are responsible for keeping it confidential. We cannot recover it, and we cannot protect your data if someone gains access to it using valid credentials.

9) How can you share passphrases via third-party services?

We may suggest that users share decryption passphrases via secure messaging platforms (such as Signal, Telegram secret chats, WhatsApp, Threema, or Session). However, these tools are outside our control, and we cannot guarantee their security.

Users are solely responsible for deciding how and with whom to share their passphrases. AskBefore is not liable for any risks arising from the use of third-party services to transmit sensitive access credentials.

10) Do we collect information from minors?

We do not knowingly collect, solicit, or process data from individuals under 18 years old, nor do we knowingly target or market our Services to them. Our Services are intended for adults only. When registering on the Platform, you are asked to confirm that you are at least 18 years old.

11) What are your privacy rights?

You may have certain rights that allow you to access, manage, or delete your personal data, and object to its processing, such as:

  • the right to request access to your personal data and receive a copy of it;
  • the right to request rectification (correction) of inaccurate or incomplete data;
  • the right to request erasure (deletion) of your personal data in certain circumstances;
  • the right to restrict or object to certain types of processing;
  • the right to data portability;
  • the right to withdraw your consent, if the data processing activity is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal and does not affect processing that is based on other legal grounds (such as performance of a contract).

To exercise any of your rights, please contact us at privacy@askbefore.eu. We will respond as soon as possible.

If you are located in the European Economic Area (EEA) and believe that your data is being processed unlawfully, you have the right to lodge a complaint with your local data protection authority.

Account Information

You can access and update your account information by logging into your account settings. If you wish to terminate your account, you can also do so through the Settings section.

Upon your request to delete your account, we will deactivate it and remove associated data from active systems. Some data may be retained in secure backups for a while, but not long.

12) Do we make updates to this Privacy Policy?

We may revise this Privacy Policy when necessary. If we make material changes that significantly affect your rights or the way we use your personal data, we will, where reasonably practicable, inform you in advance, for example, by email or by displaying a prominent notice on the Platform.

We will store the previous versions of this Privacy Policy so that you can check them, if necessary.

13) How can you contact us about this Privacy Policy?

If you have any questions, concerns, or requests related to this Privacy Policy or how we handle your personal information, you can contact us:

By email:
privacy@askbefore.eu

By phone:
+49 152 0795 6419

By sending a letter to:
AskBefore UG (haftungsbeschränkt)
c/o Red Tape Translation UG
Berliner Str. 69
13189 Berlin, Germany