Privacy Policy

2.1 Information You Provide Directly

For All Users:

• Account Information: Name, email address, phone number, password (encrypted)
• Profile Information: Professional details, bio, photo, specializations
• Communications: Messages sent through our platform, support requests
• Preferences: Language, notification settings, timezone

For Practitioners:

• Professional Credentials: License numbers, certifications, qualifications
• Practice Information: Address, services offered, pricing, availability
• Verification Documents: Professional licenses, insurance certificates
• Payment Information: Bank account details for subscription billing (processed securely)

For Clients:

• Booking Information: Appointment details, practitioner preferences
• Health Data: Appointment reasons, questionnaire responses (special category data under GDPR)
• Waiting List Information: Interest in specific practitioners, urgency indicators

2.2 Information We Collect Automatically

Usage Data:

• IP address, browser type, operating system
• Device information, screen resolution
• Pages visited, features used, time spent on platform
• Referral sources, search queries
• Appointment booking patterns, cancellation rates

Technical Data:

• Cookies and similar tracking technologies (see Cookies Policy)
• Session data, authentication tokens
• Error logs, performance metrics

Location Data:

• Approximate location based on IP address (for practitioner search)
• Precise location (only if you explicitly grant permission)

2.3 Information from Third Parties

Calendar Integration:

• Google Calendar or Outlook Calendar data (only with your explicit consent)
• Appointment titles, times, and durations for synchronization

Payment Processors:

• Payment confirmation, subscription status (we do NOT store full credit card numbers)

2.4 Special Category Data (Health Data)

Under GDPR Article 9, health data receives enhanced protection. We collect health data only when:

• You explicitly provide it (e.g., appointment reason, questionnaire responses)
• You give explicit consent for us to process it
• It's necessary for healthcare service delivery

Health data we may collect:

• Reason for appointment
• Symptoms or conditions mentioned in messages
• Responses to health questionnaires
• Treatment preferences or restrictions

3.1 Contract Performance (GDPR Article 6(1)(b))

• Creating and managing your account
• Facilitating appointment bookings
• Providing platform features and services
• Processing payments for subscriptions

3.2 Consent (GDPR Article 6(1)(a) and Article 9(2)(a))

• Explicit consent for health data processing
• Email marketing communications
• SMS notifications
• Calendar synchronization
• Location services

You can withdraw consent at any time through your account settings or by contacting us.

3.3 Legitimate Interests (GDPR Article 6(1)(f))

• Platform security and fraud prevention
• Analytics and platform improvement
• Customer support
• Business operations and administration

We balance our legitimate interests against your rights and freedoms.

3.4 Legal Obligations (GDPR Article 6(1)(c))

• Compliance with tax and accounting laws
• Responding to law enforcement requests
• Breach notification requirements
• Record-keeping for regulatory compliance

4.1 Core Platform Services

For Practitioners:

• Display your profile in our practitioner marketplace
• Manage your calendar and appointments
• Facilitate communication with clients
• Process subscription payments
• Provide analytics and insights about your practice

For Clients:

• Enable practitioner search and discovery
• Process appointment bookings
• Send appointment reminders and notifications
• Facilitate secure messaging with practitioners
• Manage waiting list memberships

4.2 Communication

• Transactional emails: Appointment confirmations, reminders, cancellations
• Service updates: Changes to Terms, Privacy Policy, platform features
• Support communications: Responding to your inquiries
• Marketing (with consent): Newsletter, product updates, tips

You can opt-out of marketing emails at any time via the unsubscribe link.

4.3 Platform Improvement

• Analytics: Understand how users interact with the platform
• Bug fixes: Identify and resolve technical issues
• Feature development: Build new features based on user needs
• Performance optimization: Improve speed and reliability

We use aggregated, anonymized data for analytics whenever possible.

4.4 Security and Fraud Prevention

• Detect and prevent unauthorized access
• Identify suspicious activity or policy violations
• Verify practitioner credentials
• Protect against spam, phishing, and abuse

4.5 Legal Compliance

• Comply with legal obligations (taxes, records retention)
• Respond to legal requests (court orders, subpoenas)
• Enforce our Terms of Service
• Protect our rights and property

5.1 With Your Consent

• When you explicitly authorize us to share your information
• When you book an appointment (sharing your contact info with the practitioner)

5.2 Between Practitioners and Clients

• Appointment details: Shared with both parties for bookings
• Messages: Delivered between you and your practitioner
• Contact information: Shared as necessary for appointments

5.3 Service Providers (Data Processors)

We work with trusted third-party service providers who process data on our behalf:

Platform Infrastructure:

• Supabase: Database, authentication, and file storage (EU servers, Frankfurt, Germany)
• Hetzner: Backend hosting (EU infrastructure)
• Vercel: Frontend hosting (EU edge network)
• Cloudflare: CDN, storage, and DNS (Global with EU data residency)

Communication:

• Resend: Email notifications (EU compliant)

Payment Processing:

• Polar: Payment and subscription processing (PCI-DSS compliant, EU)

Calendar Integrations:

• Google Calendar API: Calendar synchronization (only with your explicit consent)
• Microsoft Outlook API: Calendar synchronization (only with your explicit consent)

All service providers:

• Are located in the EU or comply with GDPR adequacy requirements
• Sign Data Processing Agreements (DPAs) with us
• Are contractually obligated to protect your data
• Process data only according to our instructions

5.4 Legal Requirements

We may disclose your information if required by:

• Court orders or legal processes
• Law enforcement requests with proper authorization
• Compliance with mandatory legal obligations
• Protection of our rights, safety, or property

5.5 Business Transfers

If VitaFlow Care is acquired, merged, or reorganized, your data may be transferred to the successor entity. We will notify you and ensure continued data protection.

5.6 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you for:

• Research and publications
• Industry reports and benchmarking
• Marketing and promotional purposes

6.1 EU Data Residency

Your personal data is stored exclusively on servers located in the European Union:

• Primary infrastructure (Database, Auth, Storage): Supabase (Frankfurt, Germany)
• Frontend Hosting: Vercel (EU edge network)

6.2 Third-Party Services

Some service providers (e.g., Resend) are U.S.-based but comply with GDPR through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• EU-U.S. Data Privacy Framework certification
• Data Processing Agreements ensuring GDPR compliance

6.3 No Data Transfers Outside EU

We do NOT transfer your data outside the EU/EEA except where:

• Necessary for service provision (with appropriate safeguards)
• You explicitly request or consent to the transfer
• Required by law

7.1 Active Accounts

Account Data: Retained while your account is active

Appointment Data:

• Active and upcoming appointments: Retained indefinitely while account active
• Past appointments: Retained for 7 years (Belgian medical record retention requirement)

Messages: Retained for 5 years (for potential disputes and legal compliance)

Health Data (Questionnaires): Retained for 7 years after last appointment or as required by practitioner's professional obligations

Analytics Data: Aggregated data retained indefinitely; individual data anonymized after 2 years

7.2 Deleted Accounts

When you delete your account:

• Personal data: Deleted within 90 days
• Legal retention: Some data retained for legal compliance (e.g., financial records for 7 years)
• Backups: Purged from backups within 90 days
• Anonymized data: May be retained indefinitely

7.3 Inactive Accounts

Accounts inactive for 3 years may be automatically deleted after notification.

8.1 Right to Access (Article 15)

You can request a copy of all personal data we hold about you.

How to exercise: Email [email protected] or use [Data Access Request Form]

Response time: Within 30 days (may be extended to 60 days for complex requests)

8.2 Right to Rectification (Article 16)

You can correct inaccurate or incomplete personal data.

How to exercise: Update your profile in account settings or contact us

8.3 Right to Erasure / 'Right to be Forgotten' (Article 17)

You can request deletion of your personal data when:

• Data is no longer necessary for the purpose collected
• You withdraw consent (where consent is the legal basis)
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Required by legal obligation

Exceptions: We may retain data where:

• Required by Belgian law (e.g., financial records for 7 years)
• Necessary for legal claims or defense
• Required for compliance with legal obligations

How to exercise: Email [email protected] or delete your account

8.4 Right to Data Portability (Article 20)

You can receive your personal data in a structured, machine-readable format (JSON, CSV) and transmit it to another service.

How to exercise: [Data Export Tool] in account settings

8.5 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

How to exercise: Email [email protected] or adjust notification preferences

8.6 Right to Restrict Processing (Article 18)

You can request temporary restriction of processing while we verify accuracy or assess your objection.

How to exercise: Email [email protected]

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

How to exercise: Account settings or email [email protected]

8.8 Right to Lodge a Complaint

You have the right to file a complaint with the Belgian Data Protection Authority:

Belgian Data Protection Authority (APD/GBA)
Drukpersstraat 35
1000 Brussels, Belgium
Phone: +32 (0)2 274 48 00
Email: [email protected]
Website: www.dataprotectionauthority.be

9.1 Technical Safeguards

Encryption:

• All data encrypted in transit using TLS 1.3
• All data encrypted at rest using AES-256
• Database connections encrypted
• Passwords hashed using bcrypt with salt

Access Controls:

• Role-based access control (RBAC)
• Multi-factor authentication (MFA) for admin accounts
• Principle of least privilege
• Regular access audits

Infrastructure Security:

• Firewalls and intrusion detection systems
• DDoS protection via Cloudflare
• Regular security patching
• Isolated database environments

Application Security:

• Input validation and sanitization
• SQL injection prevention
• Cross-site scripting (XSS) protection
• CSRF token protection

9.2 Organizational Safeguards

Personnel:

• Background checks for employees with data access
• Confidentiality agreements
• Regular security training
• Strict access policies

Processes:

• Regular security audits and penetration testing
• Incident response plan
• Data breach notification procedures
• Vendor security assessments

Monitoring:

• 24/7 security monitoring
• Automated intrusion detection
• Regular log reviews
• Anomaly detection

9.3 Data Breach Response

In the event of a data breach:

1. We will investigate and contain the breach immediately
2. Notify the Belgian Data Protection Authority within 72 hours (if required by GDPR)
3. Notify affected users without undue delay if there is a high risk to your rights
4. Provide information on the nature of the breach and mitigation steps