App Privacy Policy
DocNow Hellas · Version v1.0 · May 2026
This Privacy Policy explains how DocNow E.E. collects, uses, stores and protects your personal data when you use the DocNow application (iOS and Android). It complies with the EU General Data Protection Regulation 2016/679 (“GDPR”), Law 4624/2019 and Law 3418/2005.
1. Data Controller
DOCNOW E.E. (trading as DOCNOW Hellas)
Evangelikis Scholis 3-5, 14231 Nea Ionia, Attica
VAT No. 803284374 · GEMI No. 193781603000 · Phone: 210 271 8302
Data protection email: privacy@docnow.gr
In relation to the medical data created during a Consultation, DocNow and your treating Doctor are Joint Controllers within the meaning of Article 26 GDPR. The allocation of responsibilities is described in the Joint Controller Agreement signed between DocNow and each Doctor.
2. Data We Collect
2.1 Registration and Account Data
Full name, email address, mobile number, date of birth and gender, home address, AMKA (optional, required only when an electronic prescription is issued), encrypted password.
2.2 Medical Data (Special Category, Article 9 GDPR)
Medical history you declare, current medication and allergies, symptoms and reason for the visit, photographs you upload for medical assessment, clinical notes/diagnoses/recommendations by the Doctor, prescriptions and referrals.
2.3 Payment Data
Transaction history, amounts, dates, payment method used. We do NOT store credit card numbers or bank account details on our own servers.
2.4 Technical and Usage Data
Device and OS type, app identifiers, IP address, error logs — for security and to improve operation.
2.5 Medical Record Access Logs
We log every access to your medical record (audit log) for security and transparency.
2.6 Contractual Consent Data
A record of your acceptance of the Terms and Policy (date, time, IP, document version).
2.7 Doctor Access to the EPS
The Doctor may consult your prescribing history in the EPS using their own TaxisNet credentials. DocNow as a platform does not have access to the EPS.
3. Purposes and Legal Bases
- Account creation, service provision, booking/conducting a Consultation, payment processing — Article 6(1)(b) GDPR (performance of a contract).
- Processing of medical data and keeping the medical record — Article 9(2)(h) GDPR (provision of healthcare), in conjunction with Law 3418/2005.
- Accounting, invoicing, settlement of Doctor fees, myDATA submission — Article 6(1)(c) GDPR (legal obligation).
- System security, action logging, fraud prevention — Article 6(1)(f) GDPR (legitimate interest).
- Operational notifications (confirmations, reminders, policy changes) — Article 6(1)(b) GDPR.
- Marketing and promotional messages — Article 6(1)(a) GDPR (consent/opt-in).
- Establishment or defence of legal claims — Article 6(1)(f) and Article 9(2)(f) GDPR.
4. Data Recipients — Processors
To operate the Platform we work with the following providers, who process data on our behalf under a Data Processing Agreement (DPA):
- Railway — server and database hosting (PostgreSQL); all account and medical data; EU.
- Cloudflare R2 — storage of medical photographs; EU.
- Daily.co — video call system (WebRTC), live audio/video that is not stored; EU/US (SCCs).
- Stripe — payment processing; transaction data, not card numbers; Ireland / global Stripe network.
- Resend — email delivery (confirmations, notifications); emails and names; Ireland.
- Sentry — technical error monitoring with PII scrubbing enabled; user IDs only; Frankfurt.
- Better Stack — application logs, technical logs without medical data; EU.
- Netlify — hosting of the admin and doctor portals, static content without patient data; global CDN.
- Apple — app distribution (App Store) and push notifications; push tokens; US (SCCs).
We do not sell, rent or share your data with third parties for marketing purposes, or with any third party other than the providers above.
5. International Transfers
Where data is transferred outside the EEA (specifically to Daily.co and Apple for certain functions), the transfer is covered by Standard Contractual Clauses under European Commission Implementing Decision 2021/914.
6. Data Retention
- Medical data (record, notes, prescriptions, diagnoses): 10 years from last contact — Article 14, Law 3418/2005.
- Minors' medical data: 10 years from reaching adulthood — Article 14, Law 3418/2005.
- Accounting data and receipts: 10 years — Article 5, Law 4308/2014.
- Account (administrative) data: for as long as you keep an active account — performance of a contract.
- Access logs (audit logs): 12 months — legitimate interest in security.
- Technical logs (Sentry, Better Stack): 30-90 days — legitimate interest in security.
- Authentication tokens (refresh): 30 days, renewable — performance of a contract.
After the retention period expires, data is permanently deleted or anonymised. The ten-year obligation to retain medical data applies regardless of deletion of your account.
7. Your Rights
Under Articles 15-22 GDPR you have the right to: access (Art. 15), rectification (16), erasure (17, except medical data retained for 10 years by law), restriction (18), portability (20), objection (21), and withdrawal of consent where processing is based on it (e.g. marketing).
To exercise your rights, send a request to privacy@docnow.gr from your registered address. We respond within one month (Article 12(3) GDPR), extendable by two months in complex cases. You also have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA), Kifisias 1-3, 11523 Athens, tel. 210 6475600, www.dpa.gr.
8. Data Security
We apply technical and organisational measures under Article 32 GDPR: encryption in transit (TLS 1.3) and at rest; two-factor authentication (2FA) for doctors and administrators; password hashing with bcrypt (non-recoverable); role-based access controls; audit logs of medical record access; PII scrubbing in Sentry; and an architecture that does not allow cascade deletion of medical data when a doctor leaves.
9. Data Breach
In the event of a breach likely to result in a risk to your rights, we notify the HDPA within 72 hours (Article 33 GDPR) and notify you directly where there is a high risk (Article 34 GDPR).
10. Minors
The Platform is not intended for registration by persons under 18. Consultations for minors take place through a parent or guardian account, and the parent/guardian must be present with the minor during the Consultation.
11. Cookies and Similar Technologies
The app uses only technically necessary storage (JWT tokens, session data) to function. We do not use analytics cookies, marketing cookies or third-party tracking.
12. Marketing Communications
For promotional emails or push notifications we ask for separate consent. Operational communications (confirmations, reminders, policy changes) are sent without consent as necessary for performance of the contract. You may opt out of marketing at any time, through the app or at privacy@docnow.gr.
13. Doctor Leaving the Platform
If a Doctor stops working with DocNow, your medical record is NOT deleted. It remains with DocNow under the ten-year retention obligation and available to you and to new treating Doctors you choose.
14. Changes to this Policy
DocNow may update this Policy. Material changes are notified by email and in-app. The current version is always available in the app and at docnow.gr.
15. Contact
DOCNOW E.E. (trading as DOCNOW Hellas)
Evangelikis Scholis 3-5, 14231 Nea Ionia, Attica
Phone: 210 271 8302
Email: privacy@docnow.gr
This English text is a convenience translation of the Greek Privacy Policy; in any discrepancy the Greek version prevails. Version v1.0 may be updated once the legal documents are finalised.