PRIVACY POLICY - VELORA CARE

1. INTRODUCTION

Velora Care ("we," "our," or "us") is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, and protect information when healthcare clinics and their patients use our patient communication platform.

2. DATA CONTROLLER AND PROCESSOR ROLES

• Healthcare clinics using our platform are the Data Controllers
• Velora Care acts as a Data Processor on behalf of clinics
• For website visitors and clinic accounts, Velora Care is the Data Controller

3. INFORMATION WE COLLECT

3.1 Patient Information (as Data Processor)

• Identity Data: Name, date of birth, gender
• Contact Data: Email, phone number, address
• Health Data: Treatment records, appointments, medications, allergies
• Communication Data: Messages, preferences, consent records

3.2 Clinic Staff Information (as Data Controller)

• Account Data: Name, email, role, login credentials
• Usage Data: Access logs, feature usage, IP addresses

3.3 Technical Information

• Device Data: Device type, operating system, app version
• Log Data: Access times, features used, error reports
• Location Data: None

4. LEGAL BASIS FOR PROCESSING

We process personal data based on:

• Consent: For patient personal data and marketing communications
• Contract: To provide services to clinics
• Legal Obligations: To comply with healthcare and data protection laws
• Legitimate Interests: For security, fraud prevention, and service improvement

5. HOW WE USE INFORMATION

5.1 Patient Data Uses

• Deliver appointment reminders and treatment instructions
• Enable communication between patients and clinics
• Send treatment-related notifications and alerts
• Provide personalized care journeys

5.2 We DO NOT

• Sell personal data to third parties
• Use patient data for advertising
• Share patient data between different clinics
• Process data beyond clinic instructions

6. DATA SHARING AND DISCLOSURE

We share data only with:

6.1 Service Providers

• Supabase Inc. - Database hosting (EU servers)
• Vercel Inc. - Web application hosting
• Google Firebase - Push notifications

6.2 Legal Requirements

We may disclose data if required by law, court order, or government request

6.3 Business Transfers

In case of merger or acquisition, with appropriate confidentiality measures

7. DATA SECURITY

We implement industry-standard security measures:

• Encryption: All data encrypted in transit (TLS) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication available
• Monitoring: Regular security audits and vulnerability assessments
• Incident Response: 24-hour breach notification to affected clinics

8. DATA RETENTION

• Patient Data: Retained according to clinic's retention policy and legal requirements
• Deleted Patient Data: Permanently removed within 30 days of deletion request
• Backup Data: Retained for 90 days for disaster recovery
• Clinic Account Data: Retained for duration of service plus the prescribed amount of time for tax purposes

9. YOUR RIGHTS (GDPR)

Data subjects have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion ("right to be forgotten")
• Portability: Receive data in machine-readable format
• Object: Object to certain processing activities
• Restrict: Request processing limitations
• Withdraw Consent: At any time for consent-based processing

To exercise these rights, contact your healthcare clinic or email us at info@velora.care

10. CHILDREN'S PRIVACY

Our service may process children's data when they are patients of clinics. We require clinics to obtain appropriate parental consent for minors under 16.

11. INTERNATIONAL TRANSFERS

We store and process data within the European Union. Any international transfer would only occur with appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

12. COOKIES AND TRACKING

12.1 Essential Cookies

• Session management
• Security tokens
• User preferences

12.2 Analytics (Optional)

• Usage statistics (anonymized)
• Performance monitoring

Users can control cookies through browser settings.

13. AUTOMATED DECISION-MAKING

We use AI/automated systems for:

• Answering routine patient questions via chatbot
• Scheduling optimization suggestions

No automated decisions are made regarding patient treatment or care without human oversight.

14. DATA BREACH PROCEDURES

In case of a breach:

• We notify affected clinics within 24 hours
• We assist with regulatory notifications
• We provide detailed incident reports
• We implement measures to prevent recurrence

15. COMPLAINTS

You have the right to lodge a complaint with your local supervisory authority:

• Ireland: Data Protection Commission (dataprotection.ie)
• Other EU countries: Find your authority at edpb.europa.eu

16. CHANGES TO THIS POLICY

We will notify users of material changes via email or platform notification at least 30 days before the change takes effect.

17. SPECIFIC PROVISIONS FOR HEALTH DATA

As we process special category (health) data:

• Explicit consent is required
• Enhanced security measures are implemented
• Access is strictly limited to authorized personnel
• Regular privacy impact assessments are conducted

18. YOUR RESPONSIBILITIES (FOR CLINICS)

Clinics using our platform must:

• Obtain valid patient consent
• Ensure data accuracy
• Inform patients of their rights
• Report any suspected breaches immediately