Last updated: 16 January 2026
This Privacy Policy describes how AskBefore UG (haftungsbeschränkt) ("AskBefore", "we", "us", or "our") collects, uses, stores, and protects your personal information when you use our services.
This notice applies when you:
When you book STI tests through AskBefore, we and the respective clinic act as joint controllers with regard to this data processing activity (booking medical tests). When you actually receive the medical services you have booked and paid for, partner clinics and laboratories act as separate and independent controllers for their own processing of your medical records and test results under their own privacy notices. Under no circumstances do we receive your medical tests results from partner clinics and laboratories.
AskBefore is a private, secure, and elegant platform for managing STI-related health data. It allows users to:
Our mission is to make sexual health more transparent, stigma-free, and accessible — while respecting your privacy at every step.
We’re committed to protecting your privacy and helping you understand your rights and choices. This Privacy Policy explains how we handle your personal information and the decisions we make as a data controller.
If you have any questions, feedback, or concerns about how your data is processed, we encourage you to contact us at privacy@askbefore.eu.
This summary highlights the most important parts of our Privacy Policy.
For more detailed information, please, explore specific topics by clicking the links below or navigating through the full Table of Contents at the beginning of this page.
What personal information do we collect?
We collect personal information when you visit our website or app, create an account, book medical tests, or otherwise interact with our services. This may include your email address, IP address, and booking details, as well as the information about how you interact with the Platform.
👉 Learn more: Personal information we collectDo we process sensitive health data?
Yes — if you use our platform to share your STI test results with your partner, it will inevitably mean processing data about your health.
However, all sensitive data (such as STI test results, STI test requested or a custom message you may add to the exchange page) is encrypted (E2EE). We never have access to the contents, cannot decrypt this data, and store it in its encrypted form only.
Can AskBefore control what recipients do with shared results?
No — once you have shared the information with your partner, we cannot control how your partner uses these data. Please, share access to your STI test results only with people you trust.
👉 Learn more: Recipients of personal dataDo we get data from third parties?
In most cases — no. We do not obtain personal data about you from third-party sources or public registries. However, when you pay for the medical tests ordered, the payment processor (Stripe) gives us the information on whether the payment was successful.
Why and how do we use your data?
We use your data to:
We do not use your personal data for purposes that are incompatible with the purposes described in this Privacy Policy, and we only process your data where we have a legal basis to do so, such as performance of a contract, your consent or pursuing our legitimate interests.
👉 Learn more: How we use your data
In what situations and with which parties do we share personal information?
We share limited personal information with partner clinics when you book medical tests with the help of our Platform. We also share a small amount of data with the payment processor to make it possible for you to pay for the medical tests chosen and complete the booking. When we send you email notifications, your email, order details (appointment time and date, total price, order ID) and event type data (“account deletion request”, “password change request”, etc.) are shared with the email notifications provider. When we send you email notifications that are not related to medical tests purchase, we use only standardized email texts that lack personal details, so your STI test results will never be transferred to an email provider.
We do not sell your personal information and do not share it with third parties for advertising or marketing purposes.
👉 Learn more: Who we share data with
How do we keep your information safe?
We apply appropriate organizational and technical measures to protect your personal information. This includes data encryption, secure storage (STI test results, as well as STI test requested and a custom message added to the Exchange Page are stored separately from other account data: different cloud storages are used), access control, and internal review procedures.
However, no system or method of electronic transmission is 100% secure. We cannot guarantee that unauthorized third parties will never be able to defeat our security measures or misuse your data. That said, even in the unlikely event of a system breach, your STI test results, as well as STI test requested and your custom message remain protected. This is because these data are stored using end-to-end encryption (E2EE) — and can only be decrypted using a private passphrase that we do not store and that is only available to your authorized partners. As a result, we cannot read or decrypt your results, and neither can anyone else without that passphrase.
👉 Learn more: How we protect personal data
What are your rights?
Depending on your location, you may have rights under privacy-related laws. These rights may include:
👉 Learn more: Your privacy rights
How do you exercise your rights?
You can manage most of your privacy preferences at 🔗 https://app.askbefore.eu/account-settings 👀
To exercise your rights of access, rectification, erasure, restriction, objection, portability or withdrawal of consent, you can contact us at 📩 support@askbefore.eu. Please, take into consideration that you may delete or change your personal data in your account.
Want to know more?
Read the full Privacy Policy to learn how and why we collect, use, and protect your data.
In this section we describe each and every purpose, for which we process personal data.
If you are an individual using the Platform for your own personal life, we may process your personal data for the following purposes:
1. Account creation
We process the following categories of personal data: password (in a hashed form), user ID, user email, age verification data (whether you are above 18), verification email logs (whether we have sent you the registration confirmation email and whether you have confirmed the registration).
We store these data: for 1 year after your last authorization.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to create an account for you.
2. Logging in to the user account
We process the following categories of personal data: password (in a hashed form), user ID, user email.
We store these data: for 1 year after your last authorization.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with access to your account.
3. Password recovery and account access restoration
We process the following categories of personal data: password (in a hashed form), user ID, user email, verification email logs (whether you have confirmed password change).
We store these data: for 1 year after your last authorization.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to restore your access to your account.
4. Changing account email address
We process the following categories of personal data: user ID, user email, verification email logs (whether you have confirmed change of your account email).
We store these data: for 1 year after your last authorization.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to change the email you use to access your account.
5. STI test result sharing (creation and use of the Exchange Page, including uploading STI tests results, requesting STI tests results and QR code sharing – and QR code scanning and partner verification)
We process the following categories of personal data: encrypted STI test results document, encrypted STI test results requested from the partner, QR code linking to the Exchange Page, personal message (if a custom message is added, it is also end-to-end encrypted), passphrase*, link between members’ profiles and the Exchange Page, Exchange Page ID, Exchange Page interaction status, the partner’s decision to share her STI test results, user ID.
*To access the Exchange Page, the passphrase is used locally on the user’s device to unlock the content. The Company does not receive, store, or hash the passphrase. Only encrypted content and limited technical parameters are stored on our servers, and the Company cannot access the underlying content without the passphrase.
We store these data: either until both parties have viewed the STI test results of each other (in this case the Exchange Page is deleted automatically once the person having created the Exchange Page has viewed the STI test results of the partner) or until the Exchange Page is deleted. The Exchange Page is deleted either manually by the user having created it or automatically 3 months after it was created.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR) and explicit consent (Art. 9(2)(a) of the GDPR). If we cannot process these personal data, we will not be able to provide you with this type of service – sharing your STI test results with your partner. Since we process special categories of personal data for this particular purpose, the additional legal basis is your explicit consent to processing your health data (Art. 9(2)(a) of the GDPR).
6. Generating personal message with the help of AI technologies
We process the following categories of personal data: description of emotions as provided by the user, custom message generated, user ID.
We store these data: as a part of the Exchange Page either until both parties have viewed the STI test results of each other (in this case the Exchange Page is deleted automatically once the person having created the Exchange Page has viewed the STI test results of the partner) or until the Exchange Page is deleted. The Exchange Page is deleted either manually by the user having created it or automatically 3 months after it was created. For the purpose of generating the optional AI-assisted custom message, certain user-provided input data are temporarily processed and stored in our internal systems for up to 30 days. After this period, such operational data are permanently deleted and no longer retained outside the Exchange Page.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). Please, be informed that this feature is turned on only by you clicking on the respective button. WE DO NOT USE AI FEATURES BY DEFAULT. If we cannot process these personal data, we will not be able to provide you with this type of service – generating a personal message with the help of AI technologies.
7. Purchasing medical tests
We process the following categories of personal data: user email, appointment details (services booked, selected medical tests and/or test package in a pseudonymized format (e.g. internal reference codes), appointment date and time, clinic address), order ID, clinic name, package price, user ID.
We store these data: for 6 months after the tests were ordered.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with this type of service – ordering and paying for medical tests.
8. Displaying the nearest clinics using map services
We process the following categories of personal data: geolocation, IP address, medical tests chosen (this piece of data is needed to ensure that only those clinics are visible on the map that provide the medical services you need).
We store these data: up to 1 week after the data were collected.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to show you the map with the partner clinics providing the services you need.
9. Saving medical tests purchasing history
We process the following categories of personal data: user email, appointment details (services booked, selected medical tests and/or test package in a pseudonymized format (e.g. internal reference codes), appointment date and time, clinic address), order ID, clinic name, package price, user ID.
We store these data: for 6 months after the tests were ordered.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with information about the tests you have ordered and paid for.
For legal, accounting, and compliance purposes, we may retain a limited subset of transaction-related information for a longer period where required or permitted by applicable law. In such cases, the legal basis for processing is compliance with a legal obligation (Art. 6(1)(c) GDPR).
Such information is stored exclusively in a neutral, non-medical coded form and does not contain direct references to specific medical tests (e.g. their exact names). The conversion of such codes into human-readable names is performed solely in the user interface for display purposes.
10. Sending order confirmation emails
We process the following categories of personal data: user email, appointment details (appointment date and time, clinic address), order ID, clinic name, package price, user ID.
We store these data: for 3 months after the order confirmation was sent.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with order confirmation information.
11. Sending notification emails about actions taken by the user within the Platform and actions taken by the user’s partner with regard to the Exchange Page
We process the following categories of personal data: user email, Exchange Page interaction status, actions taken within the account (e.g., account deletion request), user ID.
We store these data: for 3 months after the email notification was sent.
The legal basis for processing the data: pursuing a legitimate interest (Art. 6(1)(f) of the GDPR). The legitimate interest pursued by AskBefore is maintaining the integrity and security of the user’s account, as well as transparency of result-sharing activity.
12. Logging user actions when a user links to the Exchange Page
We process the following categories of personal data: IP address, user ID, session token, event logs.
We store these data: 48 hours after the link was generated.
The legal basis for processing the data: pursuing a legitimate interest (Art. 6(1)(f) of the GDPR). The legitimate interest pursued by AskBefore is ensuring the Platform security, preventing unauthorised access to STI test results exchanges, detecting misuse or fraudulent activity, and maintaining the integrity of ordering and sharing workflows within the Platform.
13. Providing customer support
We process the following categories of personal data: user email, user ID, support request details.
We store these data: for up to 6 months after the problem is resolved.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with customer support and resolve the problem you have.
14. Collecting data about how you use the Platform for further optimization of the Platform
We process the following categories of personal data: IP address, events (automatic and custom), heatmaps, device information (browser, OS), inferred geolocation, session recordings (mouse movement, clicks, scroll behaviour), clickstream behaviour.
We store these data: for up to 3 months after the data is collected.
The legal basis for processing the data: consent (Art. 6(1)(a) of the GDPR).
If you are a representative of a medical clinic or laboratory and use the Platform to on behalf of this clinic or laboratory, we may process your personal data for the following purposes:
1. Clinic account creation
We process the following categories of personal data: password (in a hashed form), account email, verification email logs (whether we have sent you the registration confirmation email and whether you have confirmed the registration).
We store these data: until the agreement between AskBefore and the clinic is terminated.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to create an account for you.
2. Logging in on the clinics portal
We process the following categories of personal data: password (in a hashed form), account email.
We store these data: until the agreement between AskBefore and the clinic is terminated.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to provide you with access to the account you use.
3. Password recovery and account access restoration
We process the following categories of personal data: password (in a hashed form), account email, verification email logs (whether you have confirmed password change).
We store these data: until the agreement between AskBefore and the clinic is terminated.
The legal basis for processing the data: contract (Art. 6(1)(b) of the GDPR). If we cannot process these personal data, we will not be able to restore your access to your account.
We do not use automated decision-making, including profiling, within the meaning of Art. 22 of the GDPR that produces legal effects concerning you or similarly significantly affects you.
AskBefore UG (haftungsbeschränkt), c/o Red Tape Translation UG, Berliner Str. 69, 13189 Berlin, Germany, is the “data controller” for almost all data processing activities described in this Privacy Policy, including account data, bookings, email communication, and encrypted uploads. This means we determine the purposes and means of processing this data.
When you book medical tests through AskBefore, partner clinics and laboratories act as joint controllers together with AskBefore. However, AskBefore does not participate in the provision of medical services. For this reason partner clinics and laboratories act as independent controllers for their own processing of your personal data in the context of medical care, diagnostics and the handling of your test results, in line with their own privacy notices. AskBefore neither has any information on your visit to the clinic or laboratory nor receives your test results from clinics.
We do not process personal data on behalf of clinics or partners, and we do not act as a data processor for them. If you have questions about how a clinic handles your personal data, please, refer to that clinic's privacy policy directly.
We only share personal information when necessary to operate the Platform and provide you with the services you have requested.
We share certain personal data with trusted third-party service providers who help us deliver our services. These providers act only on our instructions and must comply with strict confidentiality and security obligations. They are not permitted to use or share your data for their own purposes.
⚠️ Important: No third-party providers have access to the contents of your encrypted STI test results, STI test requested and custom message that you may add to your Exchange Page, though, physically, they are stored on a server provided by a third-party provider. These files remain end-to-end encrypted and unreadable by anyone, including AskBefore and our vendors.
Service providers (processors)
We use the services of carefully selected service providers who process personal data on our behalf and only on our documented instructions, subject to confidentiality and security obligations. These include:
Service providers (independent controllers)
Some third parties process personal data as independent controllers for their own purposes, under their own privacy notices, even where their services are integrated into AskBefore. These include in particular:
Medical clinics and laboratories
What we share with clinics or laboratories, when you order medical tests:
No personal identifier (including an email) is shared with the clinic or laboratory. In order to get the services you have booked, you will have to provide the clinic or laboratory with your order ID. Test results are provided to you directly by the clinic and any documents you upload to AskBefore remain end-to-end encrypted.
We may also share your personal data in these limited cases:
Official Request — if an authority orders AskBefore to provide personal data of its users, we may share these data provided that such a request is based on EU Law (either the law of the EU or the law of the EU member state) and AskBefore is legally obliged to obey the respective order;
Business Transfers — if our company is involved in a merger, acquisition, financing, or sale of assets, your data may be transferred as part of the transaction;
With Your Consent — in specific cases, we may share your data with a third party (e.g., a clinic or partner) only if you have explicitly requested or authorized it. This is especially the case when you use AskBefore for sharing your STI test results with your partner.
Some of our service providers and partners are located outside the European Economic Area (EEA) or may access personal data from such locations, including in countries that may not offer the same level of data protection as the EEA. Please, check the section above to find information about the status of the recipient’s jurisdiction (whether it enjoys the adequacy decision of the European Commission), as well as about the appropriate safeguard used to transfer personal data to a third country.
We use only essential and privacy-focused tracking technologies to help us operate and improve our services. We do not use cookies for third party advertising, and we do not allow third parties (such as Google Ireland Limited, or PostHog Inc, or Cisco Systems, Inc.) to track you for their own marketing purposes while using our platform.
We use, in particular:
We do not use cookies or tracking tools to show you advertisements, nor do we use behavioral targeting on our platform. While we may use Google Analytics in a privacy-conscious way to understand general traffic trends (such as visit counts or bounce rates), we do not allow Google to use this data for their own advertising or profiling purposes. Our implementation does not grant Google Ireland Limited or Cisco Systems, Inc. access to user-level data or cross-site identifiers.
We do not permit:
Where required by law, we will ask for your consent before placing non-essential cookies or using similar technologies on your device and you can withdraw your consent or change your preferences at any time using your browser settings and our cookie banner or settings interface. For more details on the types of cookies we use, and how you can manage your preferences, please, check our Cookie Policy.
We implement a combination of technical and organizational safeguards to protect your data, but no system can be 100% secure. Still, we do our best and regularly review and update our data protection practices.
We use a variety of security measures designed to protect the personal information we collect and process, including:
To help keep your data safe, we encourage you to:
Our platform enables users to upload and share encrypted documents, for example, STI test results, using end-to-end encryption (E2EE). These files are encrypted on your device before upload and stored in encrypted form only. Due to this encryption model, we:
Once a document is accessed with the correct credentials, our system assumes the access is authorized. We cannot monitor or control what a recipient does with the file after that point.
While we implement strong security measures, including E2EE, users are solely responsible for managing and securely storing their own decryption keys (passphrases). We do not have access to these keys.
We are not responsible for any unauthorized access or data exposure resulting from users:
You should never share your passphrase with untrusted parties and you are responsible for keeping it confidential. We cannot recover it, and we cannot protect your data if someone gains access to it using valid credentials.
We may suggest that users share decryption passphrases via secure messaging platforms (such as Signal, Telegram secret chats, WhatsApp, Threema, or Session). However, these tools are outside our control, and we cannot guarantee their security.
Users are solely responsible for deciding how and with whom to share their passphrases. AskBefore is not liable for any risks arising from the use of third-party services to transmit sensitive access credentials.
We do not knowingly collect, solicit, or process data from individuals under 18 years old, nor do we knowingly target or market our Services to them. Our Services are intended for adults only. When registering on the Platform, you are asked to you confirm that you are at least 18 years old.
You may have certain rights that allow you to access, manage, or delete your personal data, and object to its processing, such as:
To exercise any of your rights, please contact us at privacy@askbefore.eu. We will respond as soon as possible.
If you are located in the European Economic Area (EEA) and believe that your data is being processed unlawfully, you have the right to lodge a complaint with your local data protection authority.
Account Information
You can access and update your account information by logging into your account settings. If you wish to terminate your account, you can also do so through the Settings section.
Upon your request to delete your account, we will deactivate it and remove associated data from active systems. Some data may be retained in secure backups for a while, but not long.
We may revise this Privacy Policy, if we need to. If we make material changes that significantly affect your rights or the way we use your personal data, we will, where reasonably practicable, inform you in advance, for example, by email or by displaying a prominent notice on the Platform.
We will store the previous versions of this Privacy Policy so that you could check them, if necessary.
If you have any questions, concerns, or requests related to this Privacy Policy or how we handle your personal information, you can contact us: