Swedish Care DoctorTora Greece AE

User Privacy Notice

20 May 2024 v.0.1

1. Introduction

About our privacy policy

When you use DoctorTora’s services, we understand the importance of your privacy and are
committed to safeguarding your personal data. As a telehealth provider, we recognize the
sensitive nature of the information we handle and are dedicated to protecting the privacy of our
users. Our Privacy Policy applies to the services provided by us to our users/patients,
encompassing our mobile and web applications.

As a company operating in the European Union, we operate under Regulation (EU) 2016/679 of
the European Parliament and of the Council, the General Data Protection Regulation (GDPR), as
implemented in Greece by Hellenic Law 4624/2019 (the Data Protection Law). Together these form
a comprehensive data protection framework that sets rules for the collection and processing of
personal data in general and health data in particular. We also comply with Hellenic Law
3471/2006 regarding the protection of personal data and privacy in the field of electronic
communications.

Our policy is designed to comply with GDPR, the Data Protection Law, and other relevant
regulations, and to explain how we handle your data.


2. Definitions

  • Personal Data: Any information related to an identified or identifiable individual,
    including but not limited to name, contact details, and medical information.
  • Data Processing: Any operation performed on personal data, whether automated or not,
    including collection, use, storage, and dissemination.
  • Data Controller: Swedish Care DoctorTora Greece AE (DoctorTora), as we are the legal
    entity determining the purposes and means of processing your personal data.
  • Data Processor: An entity that processes personal data on our behalf, under our
    instructions as the data controller.
  • Data Subject: Any individual whose personal data is being processed by DoctorTora.


3. Our Principles of Data Processing

We adhere to the following principles in our operations:

  • Lawfulness, Fairness, and Transparency: We process personal data legally, fairly, and
    in a transparent manner.
  • Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes
    and not further processed in a manner incompatible with those purposes.
  • Data Minimization: We only collect data that is necessary and relevant to our provided
    services.
  • Storage Limitation: Data is retained only for as long as necessary for the purposes for
    which it is processed.
  • Integrity and Confidentiality: We ensure appropriate security of personal data,
    including protection against unauthorized or unlawful processing and accidental loss.

4. What data do we collect?

  • Personal Details: This includes your name, phone number, email address, and
    identification documents such as your passport and AMKA (Greek social security
    number), along with photos and other information taken from IDs or passports. We
    collect these details when you register for and use our services.
  • Technical Information: We gather information like your IP address, device type, and
    settings. This is automatically collected when you use our app or visit our website.
  • Usage Information: This covers how you use our app, such as the pages you visit, the
    features you use, and the time you spend in the application. This is automatically
    collected when you use our app or visit our website.
  • Medical Information: We collect information about your symptoms, diagnoses, and
    other medical information that you or your doctor provide through the app.

5. Why do we collect data?

  • Performing Medical Services: We use your personal and medical information to
    provide you with medical services.
  • Providing Support: To offer customer service and address any issues you might face
    while using our services.
  • Improving Our Services: We analyze technical and usage information to enhance the
    functionality and user experience of our app.
  • Marketing Communication: With your explicit consent, we may use your personal
    details for sending promotional messages and updates.
  • Fulfilling Legal Obligations: We process certain data to comply with Greek healthcare
    laws and regulations.
  • Preventing Misuse and Crime: To detect and prevent fraudulent activities or misuse of our services.


6. Your rights

As a user of our services, GDPR and the Data Protection Law grant you certain rights regarding
your personal data. Here is an overview of these rights and how you can exercise them:

  1. The Right to be Informed: You have the right to be informed about how your personal
    data is being used. This Privacy Policy serves that purpose, but you can always ask us for
    more details.
  2. The Right of Access: You can request access to your personal data to see what
    information we hold about you.
  3. The Right to Rectification: If you believe that any personal data we hold about you is
    incorrect or incomplete, you have the right to request its correction.
  4. The Right to Object to Processing: You have the right to object to the processing of
    your personal data, in particular where it is processed for direct marketing purposes. Any
    consent you have given can be withdrawn on the same platform where it was given, such as
    our app or website.
  5. The Right to Restrict Processing: In certain circumstances, you can request that we
    restrict the processing of your personal data.
  6. The Right to Data Portability: You have the right to receive your personal data in a
    structured, commonly used, and machine-readable format, and to request the transfer of
    this data to another controller.
  7. The Right to be Forgotten: Also known as the right to erasure, you can request the
    deletion of your personal data when it’s no longer necessary for the purposes for which it
    was collected.
  8. Rights in Relation to Automated Decision Making and Profiling: You have the right
    to not be subject to decisions based solely on automated processing, including profiling,
    which has legal or similarly significant effects on you.

Exercising Your Rights

To exercise any of these rights, please contact our Data Protection Officer at dpo@doctortora.gr.
We will respond to your request within the time limits set by GDPR.

7. Legal Basis for Processing Your Personal Data

We ensure that the processing of your personal data is always backed by a solid legal basis. Here
are the key grounds on which we rely:

  1. Consent: For certain types of data processing, particularly those not directly related to
    the provision of our medical services (like marketing communications), we seek your
    explicit consent. Remember, you have the freedom to withdraw this consent at any time.
  2. Legitimate Interest of the Company: In some instances, we process your data based on
    our legitimate interests. This includes activities like analyzing how you use our app to
    improve our services. We balance our interests with your rights to ensure there's no
    undue impact on your privacy.
  3. Performance of a Contract: Much of the data we process is necessary for us to fulfill
    our contractual obligations to you. This includes using your personal and medical details
    to provide you with the healthcare services you've signed up for.
  4. Legal Obligation: There are times when we need to process your data to comply with
    legal requirements, particularly in relation to healthcare laws and regulations.
  5. Vital Interests: On rare occasions, we might process personal data when it's necessary to
    protect someone's life, such as in medical emergencies.
  6. Public Interest: If necessary, we may process data for tasks that are in the public
    interest, especially those relating to public health.

For Children

Consent and Authorization: Article 21 of the Data Protection Law (4624/2019) sets the age of
consent at 15 years. For users under the age of 15 (or a different age as stipulated by relevant
laws), we collect and process personal data only with parental or guardian consent, except where
permitted by law.

8. Sharing Your Data

We understand the importance of keeping your personal data confidential. There are certain
scenarios where we need to share your information:

  1. With Data Processors: To provide our services effectively, we share data with trusted
    third-party service providers. These partners help us with various aspects of our service,
    including data storage, app functionality, and customer support. They are contractually
    bound, through Data Processing Agreements (DPAs), to protect your data and to use it only
    for the purposes we specify. They are not allowed to use the data for any purpose other
    than as a processor for us, within the scope of processing outlined in this document.
  2. Employers, Insurance Companies & Other Sales Partners: In our collaborations with
    employers, insurance companies and other sales partners, we may share usage data for
    patients who have received free or discounted services in connection with our contracts
    with them. This does not include your medical information; it is shared mainly for
    administrative, contractual and invoicing purposes. Using our services in connection with
    one of these partners is always optional and will be evident to you. However, if you
    specifically request it from us (and consent to it), we can share your medical data with
    one of these partners, for example in connection with an insurance claim you are making.
  3. Aggregated and Anonymized Health Data: We may share health data in an aggregated and
    anonymized form for research, statistical analysis, or public health purposes. This is
    done only if we are confident that it does not compromise the interests or privacy of our
    patients. We ensure that such data cannot be used to identify any individual patient.

9. Transfers to Third Countries

In certain situations, we may transfer personal data to countries outside of the European Union
(EU) and the European Economic Area (EEA). These transfers occur only when necessary for
the provision of our services or for other legitimate business purposes.

  • Safeguards: We ensure that appropriate safeguards, as required by GDPR and other
    relevant laws, are in place. This includes using standard contractual clauses approved by
    the European Commission or relying on a country's adequacy decision.

10. Duration of Data Storage

We retain your personal data only as long as necessary for the purposes it was collected or as
required by law.

  • Criteria for Determination: The duration of data storage is based on legal requirements,
    the nature of our relationship with you, and the necessity of the data for providing our
    services.
  • Deletion: Upon the expiration of the retention period, personal data is securely deleted or
    anonymized.
  • Right to be forgotten: If you exercise your right to be forgotten, your data will be
    deleted or anonymised at the latest within three months of your request.

Certain personal data might be kept for longer if we are legally obligated to retain it, but it
will no longer be processed for any other purpose.

11. Security

We implement a range of technical and organizational measures designed to ensure the ongoing
confidentiality, integrity, availability, and resilience of our processing systems and services.
These measures are designed to safeguard your data against unauthorized access, alteration,
disclosure, or destruction.

  • Encryption: We employ strong encryption technologies to protect data during
    transmission and while it is stored.
  • Access Control: Access to personal data is strictly controlled and limited to only those
    employees and partners who require access to perform their duties.
  • Regular Auditing: Our security measures are regularly reviewed and audited to ensure
    they are up to date and effective.
  • Incident Response Plan: We have a robust incident response plan in place to quickly
    address any potential data breaches or security incidents.
  • Staff Training: All staff are trained in data protection and security, ensuring they
    understand the importance of safeguarding personal data and are aware of our security
    policies and procedures.
  • Data Minimization: We ensure that only the necessary amount of personal data is
    processed, accessed, and stored.

12. Contact Information

Your Questions, Our Answers: For any questions, concerns, or requests regarding your
personal data, please contact our Data Protection Officer at dpo@doctortora.gr.

Feedback is Welcome: We value your input and feedback on our data protection practices and
encourage you to reach out to us.