Privacy Policy

Last updated: 26 May 2026

This Privacy Policy explains how GEMSYA SRL ("Company", "we", "us") collects, uses, stores, and shares personal data when you use the Brilu platform, also branded as HAI Medical (the "Platform" or the "Service"), and your rights under Regulation (EU) 2016/679 ("GDPR") and Romanian Law no. 190/2018.

1. Data Controller

GEMSYA SRL

Șos. Mihai Bravu, nr. 122, bl. D27, sc. 1, et. 2, ap. 6

București Sector 2, Romania

Fiscal code: RO47654397 | Reg. no: J40/3078/2023

Email: [email protected]

For all data protection enquiries and exercise of rights, please use the email address above. We aim to respond within 30 days as required by Art. 12 GDPR.

2. Categories of Personal Data We Collect

Depending on how you use the Service, we may process the following categories of personal data:

2.1 Account and identity data

  • Full name, email address, phone number
  • Professional credentials (for healthcare professionals)
  • Account login credentials (passwords are stored hashed and are never readable by us)

2.2 Usage and technical data

  • IP address, browser type, operating system, device identifiers
  • Pages visited, features used, timestamps, session duration
  • Error logs and diagnostic information

2.3 Conversation and interaction data

  • Messages exchanged with the AI assistant
  • Audio recordings of consultations (where the feature is enabled and consent has been given)
  • AI-generated summaries and transcripts

2.4 Health data (special category - Art. 9 GDPR)

The Platform may process health-related information you provide voluntarily (e.g., symptoms, diagnoses, medications). This data is classified as a special category under Art. 9 GDPR and is processed only on the basis of your explicit consent (Art. 9(2)(a) GDPR) or, where applicable, for the provision of healthcare services (Art. 9(2)(h) GDPR).

2.5 Payment data

If you subscribe to a paid plan, payment is processed by a PCI-DSS-compliant payment processor. We do not store full card numbers. We retain billing metadata (amount, date, invoice reference) for our legal accounting obligations.

3. Legal Bases for Processing

Purpose | Legal basis (GDPR)
Providing and maintaining the Service | Art. 6(1)(b) - contract performance
Account registration and management | Art. 6(1)(b) - contract performance
Processing health data | Art. 9(2)(a) - explicit consent
Sending transactional emails (password reset, billing) | Art. 6(1)(b) - contract performance
Sending marketing communications | Art. 6(1)(a) - consent (withdrawable at any time)
Security, fraud prevention, and abuse detection | Art. 6(1)(f) - legitimate interests
Accounting and tax obligations | Art. 6(1)(c) - legal obligation
Analytics and service improvement | Art. 6(1)(f) - legitimate interests (anonymised or aggregated)
Compliance with legal or regulatory requests | Art. 6(1)(c) - legal obligation

4. Retention Periods

  • Account data: retained for the duration of your account plus 3 years after closure, or as required by applicable law.
  • Health data and conversation records: retained for the period you are an active user plus 3 years, unless a longer retention period is required by healthcare regulations or you request earlier deletion.
  • Billing and financial records: 10 years, as required by Romanian Accounting Law no. 82/1991 and tax regulations.
  • Security and access logs: up to 12 months.
  • Marketing consent records: retained until consent is withdrawn, plus 3 years for proof-of-consent purposes.

When a retention period expires, data is securely deleted or irreversibly anonymised.

5. Recipients and Data Sharing

We do not sell your personal data. We share it only in the following circumstances:

  • Service providers (processors): cloud hosting, email delivery, payment processing, analytics tools - all bound by Data Processing Agreements under Art. 28 GDPR.
  • Healthcare providers: if you are a patient and have given consent, your interaction data may be shared with the healthcare professional facilitating your consultation.
  • Legal authorities: when required by a court order, applicable law, or regulatory authority.
  • Corporate transactions: in the event of a merger, acquisition, or sale of assets, data may be transferred to the acquirer under equivalent protections.

International transfers

We endeavour to store and process data within the European Economic Area (EEA). Where any processor is located outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR or an adequacy decision under Art. 45 GDPR.

6. Your Rights Under the GDPR

You have the following rights, exercisable free of charge by contacting us at [email protected]:

  • Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy of it.
  • Right to rectification (Art. 16): correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): request deletion of your data where there is no overriding legal basis to retain it.
  • Right to restriction (Art. 18): request that we limit our processing in certain circumstances (e.g., while contesting accuracy).
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing at any time.
  • Right to withdraw consent (Art. 7(3)): withdraw any consent given at any time; withdrawal does not affect the lawfulness of prior processing.
  • Right not to be subject to solely automated decisions (Art. 22): you have the right not to be subject to a decision based solely on automated processing that produces significant legal or similarly significant effects on you.

We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania

Website: www.dataprotection.ro

You may also lodge a complaint with the supervisory authority of the EU member state where you habitually reside or work.

7. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. Measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
  • Access controls and role-based permissions;
  • Regular security assessments and penetration testing;
  • Pseudonymisation of health data where technically feasible.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by Art. 34 GDPR.

8. Cookies and Tracking Technologies

We use strictly necessary cookies required for the operation of the Service (e.g., session management, security tokens). These do not require consent.

Where we use optional cookies (e.g., analytics or preference cookies), we will request your consent via a cookie banner before placing them. You may withdraw consent at any time by adjusting your browser settings or via the cookie preference centre on the Platform.

We do not use tracking cookies for cross-site behavioural advertising.

9. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately at [email protected] and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via a prominent notice on the Platform at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when this Policy was last revised.

We encourage you to review this Policy periodically.

11. Contact

For any questions, requests, or concerns relating to this Privacy Policy or our data practices:

GEMSYA SRL - Data Protection

Șos. Mihai Bravu, nr. 122, bl. D27, sc. 1, et. 2, ap. 6

București Sector 2, Romania

Email: [email protected]