PRIVACY POLICY

The site stayontreatment.com is owned and administered by Asociatia Pacientul Digital in partnership with Advanced Ideas Studio SRL, hereinafter referred to as the OWNER, which can be contacted via the contact form.

The OWNER acts with the utmost diligence when processing your personal data, in accordance with the principles set out in the data protection legislation applicable in Romania, including the provisions of the General Data Protection Regulation (EU) 2016/679 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

The protection of natural persons with regard to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (“the Charter”) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) set out the right of every person to the protection of personal data concerning them.

The principles and rules relating to the protection of natural persons with regard to the processing of their personal data should, regardless of the nationality or place of residence of natural persons, respect their fundamental rights and freedoms, in particular the right to the protection of personal data.

The principles of personal data processing are the foundation of the activity of every entity that uses personal data in its operations, regardless of the quantity and type thereof.

Every economic operator or public institution that processes personal data must ensure compliance with the rights and obligations laid down by the GDPR, and the OWNER has understood the importance of the principles of personal data processing and has implemented internal policies and procedures that ensure respect for the fundamental rights of the natural persons whose data are processed in its day-to-day activity. In this way, the Company has ensured, and will continue to ensure, that it processes only personal data that are truly necessary, for purposes established in line with its specific activity, and that it can demonstrate such compliance.

Principles of personal data processing

  • Principle of accountability
  • Principle of transparency
  • Principle of purpose limitation
  • Principle of data minimization
  • Principle of data accuracy
  • Principle of storage limitation
  • Principle of integrity and confidentiality

The principle of accountability is the guiding line according to which the data controller must implement compliance policies and processes in accordance with the provisions of the GDPR. The Company has taken steps and has adopted this principle in its activity, being able to demonstrate compliance through the policies and procedures it has implemented.

Processing transparency is the principle under which the controller has clear and specific information obligations toward the data subject, both when obtaining data directly from the data subject and when obtaining them from third parties. This principle is observed by providing complete, correct, and objective information to individuals before processing their personal data or in the event of any subsequent change regarding the personal data collected and the processing carried out.

The OWNER ensures that data subjects are informed completely, correctly, and objectively by providing them, upon request, when processing their personal data, with information concerning:

  • The purpose of the processing;
  • Limitations of the processing;
  • The accuracy of the data processed;
  • The period of use of the data processed;
  • The conditions for protecting the data;
  • Any disclosures of data to third parties / transfers of data abroad.

The request for consent to the processing of personal data contains all the information regarding that processing, the Company using clear and accessible language to provide full information. The Company ensures compliance with this principle, its provisions being implemented through consent forms.

According to the principle of purpose limitation, personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes.” The Company has identified the purposes for which it processes each category of data, undertaking, both through the Internal Regulation and through other adopted policies, to process personal data only for the purpose for which they are collected. In cases where processing will take place for a purpose other than the initial one, the Company will obtain the prior and express consent of the data subject. Obtaining consent for secondary purposes will be carried out through consent forms, in accordance with the provisions of the GDPR.

According to the principle of data minimization, the data processed “must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” To comply with this principle, the Company analyzed the personal data it processes, starting from the purpose of processing, and determined which of these data are necessary for the purposes established in the Company’s activity, proceeding to delete data for which there is no clear, legitimate, and well-founded purpose. Data for which there is no clear, legitimate, and well-founded purpose for processing have been deleted from the Company’s database.

According to the principle of data accuracy, it is necessary that the data processed be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” The Company has implemented mechanisms to ensure that the personal data it processes are correct and constantly updated.

According to the principle of storage limitation, the controller is responsible for ensuring that the data it processes are “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.”

Personal data will not be stored for longer than is necessary for the purpose for which they were collected. For their protection, personal data should not be kept by data controllers longer than necessary to fulfil the purpose for which they were processed, except where personal data are kept for:

  • Archiving in the public interest;
  • Scientific or historical research;
  • Statistical purposes.

Keeping personal data for periods incompatible with the purposes of the processing or with the controller’s legitimate interest exposes the controller to data loss and deterioration and to potential sanctions from the Supervisory Authority. Thus, the Company has ensured and continues to ensure that personal data are not kept longer than necessary for the purpose for which they are processed, except where they are kept for archiving in the public interest, for scientific or historical research, or for statistical purposes.

According to the principle of integrity and confidentiality, data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.” The company or institution that processes the data is obliged to process personal data diligently and in good faith, using appropriate technical means to prevent cyberattacks.

The controller has implemented the privacy policy through which it ensures the protection of personal data both against external risks (cyberattacks) and against possible internal incidents (unauthorized access, losses, accidental deletions). The Company also undertakes to process personal data diligently and in good faith, using appropriate technical means to prevent cyberattacks (malware, ransomware). In the event of a security incident involving the loss or theft of personal data, the Company undertakes to promptly inform (no later than 72 hours) both the supervisory authority and the data subjects, in accordance with the provisions of Regulation (EU) 2016/679 and the policy on breach management.

The General Data Protection Regulation seeks to contribute to the achievement of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural persons.

Personal data means any information relating to an identified or identifiable natural person, and an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to that natural person’s physical, physiological, mental, economic, cultural, or social identity.

This Policy concerns the confidentiality of the personal data of clients as well as other persons who contact or visit the site and their representatives, and applies to data collected through our web page, as well as to other personal data that we collect by email.

What data we process

Depending on how you use the Platform, we may process the following categories of data:

  • Identification and contact data: first and last name, address, profession, role, specialization, email, phone, password (hashed), user ID.
  • Usage data: account settings, access logs, IP addresses, in-app events, feedback.
  • Technical data: device type, operating system, unique identifiers, cookies and similar technologies.
  • Health data (special category): information about treatments/medication, adherence, appointments, symptoms, or health-related goals, only if you voluntarily enter them in the Platform. For these special data we apply additional safeguards (see section 2.6).

Purposes and legal bases of processing

Purpose — Legal basis (Art. 6 GDPR)

  • Account creation and administration — performance of the contract with the user (Art. 6(1)(b))
  • Provision of Platform features (reminders, journal, reports) — performance of the contract (Art. 6(1)(b))
  • Customer support, service communications — legitimate interest in responding to requests and maintaining the service (Art. 6(1)(f)) or performance of the contract (Art. 6(1)(b))
  • Usage analytics and product improvement — legitimate interest (Art. 6(1)(f)), with an opt-out option
  • Direct marketing — consent (Art. 6(1)(a))
  • Legal compliance (invoicing, accounting, security) — legal obligation (Art. 6(1)(c))

For health data (Art. 9 GDPR): processing takes place only on the basis of the user’s explicit consent (Art. 9(2)(a)) and solely for the indicated purposes (e.g., reminders, personal journal). Consent may be withdrawn at any time from the account settings, without affecting the lawfulness of processing based on consent before its withdrawal.

Recipients and transfers

We may use processors for hosting, sending emails, analytics, push notifications, or payments. They process data only according to our instructions and under GDPR-compliant agreements. If such transfer takes place outside the EEA, we carry it out on the basis of applicable legal mechanisms and with appropriate safeguards.

Storage periods

We retain data for as long as necessary for the stated purposes or as required by law. As guidance:

  • Account data: for the life of the account + up to 3 years for the defense of rights.
  • Technical logs: 12–24 months.
  • Health data from journal/reminders: until deletion by the user or account closure.

Security and safeguards for sensitive data

We apply appropriate technical and organizational measures: encryption in transit and at rest (where possible), access controls, logging, minimization policies, backups, and periodic testing. Health data are logically segregated, accessible only to authorized personnel on a need-to-know basis.

Your rights (Arts. 15–22 GDPR)

You have the following rights: access, rectification, erasure, restriction, portability, objection, and not to be subject to a decision based solely on automated processing, including profiling, producing legal or similarly significant effects.

To exercise these rights, contact us using the contact form on the website stayontreatment.com.

Cookies and similar technologies

We use strictly necessary cookies for the operation of the Platform and, where applicable, analytics and/or marketing cookies. On your first visit, a cookie consent banner is displayed with options to accept/refuse. You can change your preferences at any time.

Minors

The Platform is not intended for persons under 18 years of age. We do not knowingly collect data from persons under this age. If we learn that we have collected such data, we will promptly delete it.

Automated decisions and profiling

We do not make decisions producing legal effects concerning you based solely on automated processing. If we introduce such mechanisms in the future, we will inform you in advance and obtain consent if necessary.

Changes to the Policy

We may update this Policy periodically. We will publish the updated version and, if the changes are significant, we will notify you through reasonable means. Continuing to use the Platform after the effective date constitutes acceptance of the changes; therefore, we recommend reviewing the Terms and Conditions of access and use, as well as the Privacy Policy, on each visit.

Contact

For any questions regarding data protection, you can contact us using the contact form.