DataMed

Privacy Policy

Last revision: 15 May 2026

1. Introduction

DataMed® is a mobile and web application developed and operated by OpenHealth SRL that enables users to create, manage, organize and share their health information with doctors and other authorized persons chosen by the user.

This Privacy Policy describes how OpenHealth SRL, as data controller, processes personal data and health data of users of the DataMed® platform, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws.

This Policy is provided to inform users about the processing of their personal data. Where required by law, specific consent will be requested separately before the relevant processing takes place.

Data Controller. OpenHealth SRL, VAT IT04177550136, share capital EUR 10,000 fully paid in, registered office at Corso XXV Aprile, 167/B, 22036 Erba (CO), PEC open.health@legalmail.it, email info@datamed.app, operates DataMed® as data controller.

OpenHealth SRL has assessed the requirement to appoint a Data Protection Officer and will update this Policy if such appointment becomes applicable.

2. Categories of Data Collected

Identification and contact data: first name, last name, email address, account identifiers, authentication data, profile information and, for doctors, professional registration details.

Health data: data relating to the user’s physical or mental health, including medical history, diagnoses, therapies, treatments, allergies, medications, reports, prescriptions, laboratory results, imaging reports, clinical parameters, documents uploaded by the user and information entered or updated by doctors or delegates authorized by the user.

Technical and usage data: IP address, device identifiers, operating system, browser/app version, access logs, event logs, pages or functions used, date and time of access, security logs, crash logs and diagnostic data.

Professional data of doctors: professional registration number, professional contact details, declared medical specialization and other information required to verify or manage doctor accounts.

Delegate data: identification and contact details of users authorized by an account holder to access or manage a profile.

Payment and subscription data: where paid plans are available, payment status, subscription plan, billing identifiers and transaction metadata. Payment card data, if any, is processed by payment service providers and not stored by DataMed®, unless otherwise specified.

AI-related data: where AI-enabled features are used, prompts, user instructions, selected health data or documents submitted to the AI feature, generated outputs and related technical logs, only to the extent necessary to provide the requested feature.

3. Purposes of Processing

We process personal data and, where applicable, health data for the following purposes: account management; clinical record creation and organization; controlled sharing with doctors and delegates; security; support; legal compliance; service improvement; doctor verification; AI-enabled features where available.

To allow users to create, update, organize, consult and share their health profile with doctors or delegates selected by the user.

To prevent abuse, unauthorized access, fraud, security incidents and to maintain audit logs of relevant actions performed on the Platform.

To verify, where applicable, the professional status or registration information provided by doctors.

To provide AI-enabled features requested by Pro users, where available and subject to specific information and consent where required.

4. Legal Basis for Processing

The legal basis for processing is linked to each processing purpose under Article 6 GDPR and, for health data, Article 9 GDPR.

Processing purpose: legal basis / condition

Provision of the Platform: Article 6(1)(b) GDPR - processing necessary for the performance of the service requested by the user.

Processing of health data uploaded, entered or shared by the user: Article 9(2)(a) GDPR - explicit consent of the user, unless another legal basis applies in a specific context.

Sharing with doctors and delegates selected by the user: Article 6(1)(b) and/or Article 6(1)(a) GDPR; Article 9(2)(a) GDPR for health data, based on the user instruction and consent.

Security, abuse prevention and service integrity: Article 6(1)(f) GDPR - legitimate interest of the controller in protecting the Platform, users and data, subject to balancing of interests.

AI-enabled features: Article 6(1)(b) GDPR and/or Article 6(1)(a) GDPR; Article 9(2)(a) GDPR where health data is processed, subject to specific safeguards and user activation.

5. Data Sharing

Health data is shared only where the user enables, authorizes or requests the sharing function, including by selecting a doctor, appointing a delegate or generating a temporary sharing link or QR code.

DataMed® does not sell health data and does not disclose health data to unauthorized third parties. Health data may be disclosed only to recipients authorized by the user, service providers acting under contractual safeguards, or authorities where required by law.

Doctors selected by the user may access and, where authorized, add or edit information in the user health profile. The scope of access, duration and permissions are managed by the user through the Platform, subject to the technical settings available.

Delegates selected by the account holder may access and manage the health profile within the permissions granted by the account holder. Delegates act under the responsibility and authorization of the account holder. The account holder may revoke delegation at any time.

Health data is stored in the European Union. If any provider or support operation involves access from outside the EEA or an international transfer, DataMed® will rely on appropriate safeguards under Chapter V GDPR, including adequacy decisions, standard contractual clauses and supplementary measures where required.

Users may modify or delete data through the Platform, subject to technical backup cycles, audit logs, legal obligations and data already accessed, copied or independently retained by doctors or delegates.

The Data Controller authorizes the following data processors:

Filli Srl, Viale Gian Galeazzo, 7, 20136 MILANO, IT, REA MI2658601, P. IVA IT12383960965.

Google, LLC, Googleplex, Mountain View, California, U.S.A.

OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.

6. Data Security

We implement technical and organizational measures designed to protect personal data and health data against unauthorized access, loss, alteration, disclosure or destruction.

Data is encrypted in transit using TLS and encrypted at rest using industry-standard encryption mechanisms.

Administrative accounts are protected by multi-factor authentication.

Access to production systems and health data is limited to authorized personnel and providers on a need-to-know basis and subject to confidentiality obligations.

The Platform maintains logs of relevant access, sharing, modification and security events to support traceability, abuse prevention and incident investigation.

DataMed® maintains procedures to detect, assess and manage security incidents and personal data breaches. Where required by law, DataMed® will notify the competent supervisory authority and affected users.

7. User Rights

Users may exercise the rights provided by GDPR, including the right to access their data, obtain rectification, request erasure, request restriction of processing, object to processing, receive data portability, and withdraw consent where processing is based on consent.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Users have the right to lodge a complaint with the competent supervisory authority, including the Italian Data Protection Authority - Garante per la protezione dei dati personali.

Requests may be sent to info+privacy@datamed.app. DataMed® may request information necessary to verify the identity of the requester and will respond within GDPR time limits, normally within one month of receipt unless an extension is permitted by law.

8. Data Retention

Health data is retained for as long as the user account remains active or for the period necessary to provide the service requested by the user, unless earlier deletion is requested or a longer retention period is required by law.

When the user deletes the account, active health data and related documents are deleted from live systems. Residual copies may remain for a limited period in encrypted backups, logs or systems where retention is required for security, legal compliance or dispute management. Aggregated or anonymized data that no longer identifies users may be retained for statistical and service-improvement purposes.

Technical and usage logs are retained for 24 months, unless a longer period is necessary for security, fraud prevention, legal claims or compliance.

Aggregated or anonymized data that no longer identifies users may be retained for statistical, research and service-improvement purposes.

9. Changes and Contact

We may update this Privacy Policy to reflect changes in the Platform, law, providers or processing activities. Material changes will be notified through the Platform, email or other appropriate channels before they become effective, where required. Where a change requires consent, DataMed® will request consent before carrying out the relevant processing.

For privacy requests, users may contact OpenHealth SRL via the contact details specified above.

10. AI-enabled Features

DataMed® will provide AI-enabled features to Pro users or other eligible users. These features may assist users in organizing, summarizing, searching, interpreting or translating information entered into the Platform. AI-enabled features do not, under any circumstances, provide medical diagnosis, medical treatment, emergency advice or a substitute for professional medical judgment.

11. Cookies, Analytics and SDKs

The website, web-app and mobile app may use cookies, SDKs or similar technologies for authentication, security, technical functionality, analytics, crash reporting and, where applicable, marketing. Non-essential tools are used only where consent is required and obtained.

12. International Transfers

DataMed® stores health data in the European Union. Where personal data is transferred outside the EEA through providers, support operations or sub-processors, DataMed® relies on appropriate GDPR safeguards such as adequacy decisions, SCCs and supplementary measures.

13. Roles of Doctors and Delegates

Doctors may act as independent professionals and may be subject to their own legal and professional obligations. Delegates act on the basis of authorization granted by the account holder. DataMed® is not responsible for independent processing outside the Platform, except where required by applicable law.

OpenHealth SRL — P. IVA 04177550136 · info@datamed.app