Legal documents

Privacy policy

Processing of personal data and special-category health data.

Status: draft. This document is currently under review by a healthcare-law attorney. The service is not yet commercialized — the Ukrainian Ministry of Health license for medical practice is pending. Fields shown in angle brackets <...> still need to be filled in or verified.

1. Who we are

Sole Proprietor Oleksandr Viktorovych Berezovskyi (ФОП Березовський Олександр Вікторович, Ukraine), Ukrainian taxpayer ID 3114619894, registered on 16 September 2025, state register entry no. 2010350000000877534, activity code 86.22 (Specialised medical practice), Ukrainian Ministry of Health licence no. <TBD> for medical practice in the specialty of Radiology.

2. Data we collect

Identifying data: full name, date of birth, contact details.
Technical data: IP address, user-agent, Telegram user_id.
Medical data (special category under GDPR art. 9): radiology reports, DICOM images, complaints, medical history.
Payment data: tokenised transaction identifiers only — we do not store card numbers, that data sits with the payment processor.

3. Purposes of processing

Delivering the advisory medical service.
Meeting tax and bookkeeping obligations.
Sending transactional notifications (order status).
Service improvement (aggregated, anonymised analytics).

4. Legal bases for processing

Your explicit consent (GDPR art. 9(2)(a) / art. 11 of Ukrainian Law no. 2297-VI).
Performance of a contract — see the public offer agreement.
Legal obligations (Ukrainian tax and medical-records legislation).
Protection of vital interests (GDPR art. 9(2)(c) — exceptional cases only).

5. Who we share data with

Payment processor (WayForPay / LiqPay / Stripe) — transaction identifiers only.
Hosting provider (Hetzner, Helsinki / Frankfurt) — encrypted at rest.
AI / speech-to-text — self-hosted only; protected health information is never transferred to a third party.

6. Cross-border transfers

Data is stored in the EU (Hetzner).
If a transfer to a third country is required, we rely on Standard Contractual Clauses plus supplementary measures.

7. Retention

Reports: 3 years.
Raw DICOM files: 30 days.
Accounting records: 5 years (Ukrainian Tax Code).
Access logs: 1 year.
Analytics cookies: cookieless or 13 months at most.

8. Your rights

Access to your data.
Rectification.
Erasure (subject to mandatory retention periods).
Restriction of processing.
Data portability.
Objection to processing.
Withdrawal of consent.
Lodging a complaint with the Ukrainian Parliament Commissioner for Human Rights or with your EU Data Protection Authority.

Requests: berezovskiy.a@gmail.com or /forgetme in the Telegram bot.

9. Security

Encryption at rest (S3 SSE-KMS, LUKS).
TLS 1.3 in transit.
Audit log of every access to protected health information.
Pseudonymisation where feasible.
Annual penetration testing.

10. Breach notification

Within 72 hours — notify the Ukrainian Commissioner / the relevant EU Data Protection Authority.
If the breach poses a high risk to the patient — notify the patient without undue delay.

11. Data Protection Officer

DPO: <to be appointed / if self-served, name here>.
DPO email: <...>.

12. Changes to this Policy

The current version is published on the website. For material changes, we notify users through the bot and/or by email.

13. Contact

Email: berezovskiy.a@gmail.com
Tel: <...>
Registered address: <...>

Version: v0.1-draft · updated 2026-04-30