Privacy Policy
Last updated: January 27, 2026
1. Who We Are
VitaFlow Care BV is a Belgian company operating a healthcare practitioner marketplace.
[Address pending - We are currently in the process of requesting official business registration from Belgian authorities]
[Pending - Application in progress with Belgian authorities]
[Pending - Will be registered upon business incorporation]
Email: [email protected]
Note: We are still building our platform. Contact information will be updated once our official registration is complete.
2. Information We Collect
2.1 Information You Provide Directly
For All Users:
- Account Information: Name, email address, phone number, password (stored only as a bcrypt hash, never in plaintext; see Section 9)
- Profile Information: Professional details, bio, photo, specializations
- Communications: Messages sent through our platform, support requests
- Preferences: Language, notification settings, timezone
For Practitioners:
- Professional Credentials: License numbers, certifications, qualifications
- Practice Information: Address, services offered, pricing, availability
- Verification Documents: Professional licenses, insurance certificates
- Payment Information: Bank account details for subscription billing (collected and processed by our payment processor; see Section 5)
For Clients:
- Booking Information: Appointment details, practitioner preferences
- Health Data: Appointment reasons, questionnaire responses (special category data under GDPR)
- Waiting List Information: Interest in specific practitioners, urgency indicators
2.2 Information We Collect Automatically
Usage Data: IP address, browser type, operating system, device information, pages visited, features used
Technical Data: Cookies and similar tracking technologies, session data, authentication tokens, error logs
Location Data: Approximate location based on IP address; precise location only with explicit permission
2.3 Information from Third Parties
Calendar Integration: Google Calendar or Outlook Calendar data (only with your explicit consent)
Payment Processors: Payment confirmation, subscription status (we do NOT store full credit card numbers)
2.4 Special Category Data (Health Data)
Under GDPR Article 9, health data is special category data and receives enhanced protection. We process health data only where you have explicitly provided it and given your explicit consent (Article 9(2)(a)), or where processing is necessary for the delivery of healthcare services (Article 9(2)(h)).
Health data we may collect: Reason for appointment, symptoms or conditions mentioned in messages, responses to health questionnaires, treatment preferences or restrictions.
3. Legal Basis for Processing
3.1 Contract Performance (GDPR Article 6(1)(b))
Creating and managing your account, facilitating appointment bookings, providing platform features and services, processing payments for subscriptions.
3.2 Consent (GDPR Article 6(1)(a) and Article 9(2)(a))
Explicit consent for health data processing, email marketing communications, SMS notifications, calendar synchronization, location services.
You can withdraw consent at any time through your account settings or by contacting us.
3.3 Legitimate Interests (GDPR Article 6(1)(f))
Platform security and fraud prevention, analytics and platform improvement, customer support, business operations and administration.
We balance our legitimate interests against your rights and freedoms.
3.4 Legal Obligations (GDPR Article 6(1)(c))
Compliance with tax and accounting laws, responding to law enforcement requests, breach notification requirements, record-keeping for regulatory compliance.
4. How We Use Your Information
For Practitioners: Display your profile in our practitioner marketplace, manage your calendar and appointments, facilitate communication with clients, process subscription payments, provide analytics and insights about your practice.
For Clients: Enable practitioner search and discovery, process appointment bookings, send appointment reminders and notifications, facilitate secure messaging with practitioners, manage waiting list memberships.
Communication: Transactional emails, service updates, support communications, marketing (with consent).
Platform Improvement: Analytics, bug fixes, feature development, performance optimization.
Security and Fraud Prevention: Detect and prevent unauthorized access, identify suspicious activity, verify practitioner credentials, protect against abuse.
5. How We Share Your Information
We do NOT sell your personal data.
With Your Consent: When you explicitly authorize us to share your information.
Between Practitioners and Clients: Appointment details, messages, and contact information are shared between the two parties to a booking, to the extent necessary to deliver the appointment.
Service Providers (Data Processors)
- Supabase: Database, authentication, and file storage (EU servers, Frankfurt, Germany)
- Hetzner: Backend hosting (EU infrastructure)
- Vercel: Frontend hosting (EU edge network)
- Cloudflare: CDN, storage, and DNS (Global with EU data residency)
- Resend: Email notifications (EU compliant)
- Polar: Payment and subscription processing (PCI-DSS compliant, EU)
Legal Requirements: Court orders, law enforcement requests, compliance with legal obligations.
Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such transfer.
6. International Data Transfers
Your personal data is stored on servers located in the European Union.
Primary infrastructure: Supabase (Frankfurt, Germany); frontend: Vercel (EU edge network).
Where a service provider processes data outside the EU/EEA (for example, a globally distributed CDN), we rely on one or more of the following safeguards: Standard Contractual Clauses (SCCs), the provider's EU-U.S. Data Privacy Framework certification, and a Data Processing Agreement requiring GDPR-level protection.
7. Data Retention
Account Data: Retained while your account is active
Appointment Data: Past appointments retained for 7 years (Belgian medical record retention requirement)
Messages: Retained for 5 years (for potential disputes and legal compliance)
Health Data (Questionnaires): Retained for 7 years after last appointment or as required by practitioner's professional obligations
Analytics Data: Aggregated data retained indefinitely; individual data anonymized after 2 years
When you delete your account: your personal data is deleted within 90 days; records subject to a legal retention period (see above) are kept only for that period; backups containing your data are purged within 90 days.
8. Your Rights Under GDPR
Right to Access (Article 15): Request a copy of all personal data we hold about you.
Right to Rectification (Article 16): Correct inaccurate or incomplete personal data.
Right to Erasure / 'Right to be Forgotten' (Article 17): Request deletion of your personal data when it's no longer necessary.
Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
Right to Restrict Processing (Article 18): Request temporary restriction of processing.
Right to Withdraw Consent: Withdraw consent at any time; this does not affect prior lawful processing.
Right to Lodge a Complaint
Belgian Data Protection Authority (APD/GBA)
Drukpersstraat 35, 1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: [email protected]
Website: www.dataprotectionauthority.be
To exercise your rights: Email [email protected]. Response time: within one month of receipt, as required by GDPR Article 12(3). For complex or numerous requests this may be extended by up to two further months, in which case we will inform you of the extension and the reason within the first month.
9. Data Security
Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Passwords are never stored in plaintext; we store only a bcrypt hash, which incorporates a unique per-password salt and a configurable work factor.
Access Controls: Role-based access control (RBAC), multi-factor authentication for admin accounts, regular access audits.
Infrastructure Security: Firewalls and intrusion detection systems, DDoS protection via Cloudflare, regular security patching.
Application Security: Input validation and sanitization, SQL injection prevention, XSS protection, CSRF token protection.
Data Breach Response: We investigate and contain the incident immediately; notify the Belgian DPA within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms (GDPR Article 33); and notify affected users without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34).
10. Children's Privacy
VitaFlow Care is not intended for use by children under 18 on their own. We do not knowingly collect personal data from children without parental consent.
For Clients Under 18: A parent or legal guardian must create and manage the account.
If we learn we have collected data from a child improperly, we will delete it immediately. Contact us at [email protected] if you believe this has occurred.
11. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. See our separate Cookie Policy for detailed information.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements.
How We Notify You: Email notification to registered users, prominent notice on the platform, 'Last Updated' date update.
For significant changes: 30 days' notice before changes take effect, re-consent required for consent-based processing.
13. Contact Us
Data Protection Officer
Email: [email protected]
Response Time: Within 5 business days for general inquiries; formal data subject requests are handled within the one-month period described in Section 8.
14. Acknowledgment
BY USING VITAFLOW CARE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND AGREE TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR PERSONAL DATA AS DESCRIBED HEREIN.