1. Identity of the Data Controller
x.doctor is operated by x.doctor OÜ, located in Harju County, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia. We are the data controller responsible for processing your personal data. For questions, contact the Data Protection Officer (DPO) at: support@x.doctor.
2. Collection and Use of Data
2.1 Types of Data Collected
When you use the x.doctor platform, we collect personal data only to the extent necessary for providing the services. These include:
- Identification data: First and last name, phone number, email address;
- Sensitive health data: Medical history, symptoms, diagnoses, prescriptions, and other information relevant to medical consultations (collected only with explicit consent);
- Financial data: Details of payments made through the platform (processed through authorized payment providers);
- Technical data: Login data;
- Other data: Information voluntarily provided in communications or forms.
We do not collect sensitive data without your explicit consent. Data of children under 16 is collected only with parental or legal guardian consent.
2.2 Purposes and Legal Basis for Processing
The collected data is processed based on the following legal grounds (Art. 6 and 9 GDPR):
- Performance of a contract: To facilitate communication between patients and doctors, provide remote medical services, and process payments;
- Explicit consent: For processing sensitive health data and sending non-essential notifications (e.g., marketing, only if opted in);
- Legal obligations: To fulfill legal requirements, such as medical or tax reporting;
- Legitimate interests: For improving services, preventing fraud, and platform security (balanced with your rights).
We do not use data for automated profiling or decisions that significantly affect you without consent.
3. Data Security
We implement strict technical and organizational measures to protect data against unauthorized access, loss, alteration, or destruction. These include:
- End-to-end encryption (SSL/TLS) for all data transmissions;
- Regular security audits and penetration testing;
- Restricted access to data only for authorized personnel, with confidentiality obligations;
- Secure backups and disaster recovery plans.
In the event of a security breach that poses a high risk to you, we will notify you within 72 hours, in accordance with GDPR.
4. Sharing and Transfer of Data
We do not sell or rent your data. Data may be shared only in the following cases:
- With authorized processors: Service providers (e.g., payment processors, cloud hosting) acting under our instructions and with data processing agreements (DPA);
- With medical professionals: Doctors or specialists involved in your consultations, only with your consent;
- Legal requests: Competent authorities (e.g., police, courts) based on a valid request, including medical reporting obligations;
- In case of merger/sale: With successors, under similar protection conditions.
If data is transferred outside the European Economic Area (EEA), we use standard contractual clauses (SCC) or other GDPR mechanisms to ensure an adequate level of protection.
5. Data Storage and Retention
Data is stored on secure servers in the EU. Retention periods are:
- Medical data: Retained for 10 years from the last interaction, in accordance with legal medical requirements;
- Financial data: 7 years for tax purposes;
- Account data: As long as the account is active, plus 1 year after deletion;
- Technical data: 6 months for security and analysis.
After expiration, data is deleted or irreversibly anonymized.
6. Your Rights
In accordance with GDPR, you have the following rights:
- Right of access: To obtain a copy of the data held;
- Right to rectification: To correct inaccurate data;
- Right to erasure (to be forgotten): To delete data, subject to legal exceptions;
- Right to restriction: To limit processing;
- Right to object: To object to processing based on legitimate interests;
- Right to data portability: To receive data in a structured format;
- Right to withdraw consent: At any time, without affecting prior processing.
To exercise your rights, contact us at support@x.doctor. We respond within a maximum of 1 month. If you are dissatisfied, you can lodge a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP) in Romania or the equivalent authority in your country.
7. Changes to the Privacy Policy
We reserve the right to update this policy. Significant changes will be notified by email or on the platform 30 days in advance. Previous versions are available upon request.
8. Contact
For questions, contact us at:
- Email: support@x.doctor;
- Address: Harju County, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia.