privacy policy

Last updated: April 3, 2026

off.clinic processes personal data, including health data, in accordance with Regulation (EU) 2016/679 (GDPR). The platform is designed for non-emergency written consultations between patient and clinician, with the clinician retaining direct access to the patient's raw submission.

1. who processes the data

off.clinic is operated by EXPAND TECHNOLOGIES SRL (VAT/CUI: RO 28673660, Trade Register: J35/2921/2015), headquartered at Str. Piatra Craiului 7, Ghiroda, Jud. Timiș, 307200, Romania. For privacy questions, contact support@off.clinic.

  • off.clinic acts as controller for account, security, audit, payment, invoicing, and the technical infrastructure used to collect and deliver the consultation file to the selected clinician.
  • The selected clinician acts as an independent controller for the medical service, medical opinion, and professional record-keeping obligations.

2. what data we process and why

a) account and contact data

  • Name, email, phone, language, sign-in method, session and security data.
  • Where requested in the intake flow, year-of-birth data may be processed to verify age eligibility and block requests that do not meet the minimum 18+ threshold.
  • Legal basis: contract performance (Art. 6(1)(b) GDPR) and legitimate interests in security and abuse prevention (Art. 6(1)(f)).

b) consultation and health data

  • Symptoms, history, medication, messages, images, uploaded documents, and the final medical report.
  • For the platform, the main special-category basis is the patient's explicit consent to collect, store, and transmit the consultation data to the selected clinician (Art. 9(2)(a) GDPR).
  • For the clinician, medical processing is carried out for the provision of health care under the responsibility of a professional bound by confidentiality (Art. 9(2)(h) GDPR).

c) payment and billing data

  • Billing address, names, company details, tax identifiers, and fiscal documents.
  • Legal basis: compliance with accounting and tax obligations (Art. 6(1)(c) GDPR).

d) professional verification data

  • Right-to-practice evidence, digital practice data, Stripe identity-verification status, and internal notes confirming the name match between identity checks and the digital practice.
  • Legal basis: legitimate interests in credential verification and fraud prevention (Art. 6(1)(f) GDPR).
  • We do not routinely host every professional document that may be required by law; the clinician remains responsible for their wider legal and professional obligations.

e) security and audit logs

  • IP addresses, user-agent strings, access logs, export/deletion events, and security metadata.
  • For application failures we may also keep limited debugging context such as the affected page or route, error digest, technical message, application surface, and, if the user was authenticated, the account email involved.
  • Legal basis: legitimate interests in securing the service, investigating incidents, and demonstrating compliance (Art. 6(1)(f) GDPR).

f) aggregated public-traffic measurement

  • We measure visits to public pages, including /for-doctors and public doctor profiles, through first-party server-log aggregates and a small number of internal conversion and operational-failure events.
  • Within authenticated clinician workspaces, we also measure limited operational timing signals, such as active time spent on a case view and durations between case workflow milestones, to understand workload, package performance, and operational bottlenecks.
  • We do not use analytics cookies, session replay, or third-party advertising pixels for this default measurement layer.
  • We do not use consultation medical content, messages, uploaded file names, full free-text form content, or full clinician session recordings in analytics datasets.
  • Error events used for debugging and reliability do not include consultation medical content and are not used for advertising or commercial profiling.
  • Legal basis: legitimate interests in understanding service performance, traffic sources, and operational issues while applying aggregation and data-minimisation safeguards (Art. 6(1)(f) GDPR).

3. special rules for health data

  • The doctor still sees the patient's raw submission; any structured view is only a convenience aid and not an automated medical decision.
  • off.clinic does not provide automated diagnosis, automated prescribing, or real-time monitoring.
  • Where clinician-support summarisation is enabled, relevant consultation content may be processed by Google Cloud Vertex AI to produce an internal draft summary for the treating clinician. This support output is reviewed by the clinician, does not replace the raw record, and is not used for solely automated decisions.
  • We do not make solely automated decisions with legal or similarly significant effects on patients.

4. who receives the data

  • The selected clinician, strictly for handling the request and delivering the medical opinion.
  • Hosting and storage providers, including Google Cloud, for secure application and file hosting.
  • Google Cloud Vertex AI, where enabled, acting as a processor for clinician-support summarisation of consultation materials.
  • Payment, invoicing, and accounting providers, including Stripe and e-invoicing providers, where needed to process payments and fiscal documents.
  • Email and authentication providers where they deliver transactional messages or authenticate your access.
  • Public authorities or courts where disclosure is legally required.

Where a provider involves transfers outside the EEA, we rely on appropriate contractual and organisational safeguards, such as standard contractual clauses and the provider's published safeguards. Where supported, we configure Google Cloud services in EEA regions.

5. how long we keep the data

  • Account data is kept while the account remains active and afterwards only as needed for security, claims, and legal obligations.
  • Consultation and medical materials are kept for the consultation lifecycle and afterwards as long as required for medical-record, complaint-handling, anti-fraud, and legal-defence purposes.
  • Fiscal documents are kept for 10 years or the period required by applicable law.
  • Technical logs and operational/analytics measurements are kept only as long as reasonably necessary for security, fraud prevention, debugging, service measurement, and compliance evidence, and are then deleted or retained only in aggregated form.
  • Temporary unfinished uploads are automatically deleted or removed during workflow cleanup.
  • Professional verification data is kept only as long as required for onboarding, verification, audit, and fraud-handling purposes, then deleted or anonymised under the applicable internal policy.

6. your rights

  • Access to your data and a copy of it.
  • Rectification of inaccurate data.
  • Erasure or anonymisation where there is no overriding legal or professional retention duty.
  • Restriction, objection, and portability where GDPR conditions are met.
  • Withdrawal of consent for consent-based processing; this does not affect past lawful processing and may prevent the consultation from continuing.
  • The right to lodge a complaint with the Romanian DPA (ANSPDCP) or your competent supervisory authority.

7. security measures

  • We limit data access based on role and the patient-clinician relationship.
  • We use signed URLs and access controls for private files.
  • We log relevant audit and GDPR-request events.
  • We apply deletion/anonymisation workflows with a grace period without deleting records that must be kept by law.