Privacy Policy - off.clinic
Last updated: February 28, 2026
off.clinic respects your privacy and is committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (GDPR).
1. Data Controllers
- off.clinic (Platform): Controller for account data, billing data (as invoicing agent), and technical usage data.
- The Doctor (Partner): Independent controller for health data and medical activity.
The off.clinic platform is operated by EXPAND TECHNOLOGIES SRL (VAT/CUI: RO 28673660, Trade Reg: J35/2921/2015), headquartered at Str. Piatra Craiului 7, Ghiroda, Jud. Timiș, 307200, Romania. DPO contact: support@off.clinic.
2. Categories of Data Processed
a) Identification and Contact Data
- First name, last name, email, phone.
- Legal basis: Contract performance (Art. 6.1.b GDPR).
b) Billing and Financial Data
- Billing address, VAT/company data (for legal entities), card details (securely processed by Stripe).
- Legal basis: Compliance with legal obligations (Fiscal Code) (Art. 6.1.c GDPR).
- Retention period: 10 years (as required by accounting law).
c) Health Data (Special Category Data)
- Symptoms, medical history, uploaded medical files, conversation with the doctor.
- Legal basis:
  - Explicit patient consent (Art. 9.2.a GDPR).
  - Provision of health or social care (Art. 9.2.h GDPR), under a licensed professional bound by confidentiality obligations (the doctor).
d) Account and Authentication Data
- Chosen sign-in method, profile details returned by your selected login provider, and session/security data used to protect account access.
- Legal basis: Contract performance (Art. 6.1.b GDPR) and legitimate interests in securing the platform and preventing abuse (Art. 6.1.f GDPR).
3. Data Recipients
- Partner Doctors: Access identification and medical data strictly as needed to deliver the consultation.
- Tax Authorities (ANAF): Billing data is reported through the e-Factura system where legally required.
- Payment Processors (Stripe): For secure payment processing and fraud prevention. Stripe.js is loaded only on payment pages.
- IT Providers (Google Cloud): Secure data hosting infrastructure.
- Authentication Providers (Google, Apple, Facebook): Receive the minimum data needed to authenticate your account when you choose those sign-in methods.
4. Cookies and Similar Technologies
- Essential authentication cookies: Used to keep you signed in, route sign-in requests, and protect account access.
- Language preference storage: If you actively choose a language, we store that preference in browser localStorage and a session cookie so pages can render in your selected language.
- Payment security technologies: Stripe may use cookies or similar technologies on payment pages when you initiate checkout.
- No analytics or advertising cookies: off.clinic does not currently use analytics, advertising, or retargeting cookies on the public site.
Where cookies or similar technologies are strictly necessary to provide a service you request, they may be used without prior opt-in where permitted by applicable EU law. If we add non-essential analytics or advertising technologies in the future, we will request consent before enabling them.
5. Your Rights
You have the right to access, rectify, erase ("right to be forgotten"), and restrict the processing of your personal data, as well as the right to data portability. To exercise these rights, contact us at support@off.clinic.
Note: Billing records cannot be erased before the legal retention term expires (10 years).