Privacy Policy
Last updated: 14/05/2026
PratiConnect is committed to protecting your privacy and personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our platform.
Data Controller
The data controller for your personal data is:
Company: PratiConnect SAS
Address: 123 Avenue de la Sante, 75014 Paris, France
DPO Contact: dpo@praticonnect.com
Data Collection
We collect different types of data depending on whether you are a practitioner or a patient:
For Practitioners
- Identity data: surname, first name, professional address, professional email
- Professional data: specialty, qualifications, certifications
- Connection data: IP address, browser type, access logs
- Financial data: bank details for payments
- Usage data: platform usage statistics
For Patients
- Identity data: surname, first name, date of birth, contact details
- Health data: information provided during consultations (managed by the practitioner)
- Connection data: IP address, browser type
- Appointment data: schedule, history
Purpose of Processing
- Providing and managing our services
- Managing appointments and consultations
- Secure storage of health data
- Payment and billing processing
- Improving our services
- Complying with our legal obligations
Legal Basis
- Contract performance: Processing necessary for service delivery
- Consent: For the processing of health data and marketing communications
- Legitimate interest: For improving our services and preventing fraud
- Legal obligation: For complying with our accounting and tax obligations
- Vital interests: Where processing is necessary to protect the vital interests of an individual, particularly when handling health data (Art. 6.1.d and Art. 9.2.c GDPR).
- Public health task: Health data processing by practitioners also relies on Art. 9.2.h GDPR (preventive medicine, diagnosis, provision of care) under the responsibility of the practitioner bound by professional secrecy.
Granular consent management
PratiConnect provides practitioners with a dedicated tab under Settings → My data & privacy (`/practitioner/settings/gdpr`) to manage 8 distinct consents. Each consent is traceable, time-stamped, revocable at any time, and proof of consent is retained for 5 years (Art. 7.1 GDPR).
| Consent key | Purpose | Legal basis | Default status |
|---|---|---|---|
| tos_privacy Terms of Service + Privacy Policy | Acceptance of the service contract | Contract performance (Art. 6.1.b) | Mandatory at signup |
| health_data_processing Patient health data processing | Patient record keeping (HDS) | Public health task + Art. 9.2.h | Mandatory for core functions |
| marketing_emails Marketing emails & newsletter | Newsletter, professional tips, product news | Consent (Art. 6.1.a) | Opt-in, off by default |
| analytics_product Product usage analytics | Analysis of feature usage | Consent (Art. 6.1.a) | Opt-in, off by default |
| anonymized_stats_sharing Anonymized aggregate statistics | Sharing of fully anonymized industry statistics | Consent (Art. 6.1.a) | Opt-in, off by default |
| ai_training_optin Pseudonymized reuse for AI training | Improvement of AI assistance models (transcription, suggestions) | Explicit consent (Art. 6.1.a) | Strict opt-in, off by default |
| third_party_integrations Third-party integrations (Scell, Viva, Google, LiveKit) | Activation of each optional integration | Contract performance (Art. 6.1.b) per integration | Granular opt-in per integration |
| public_directory_listing PratiConnect public directory | Public visibility on the directory (free_listing mode included) | Consent (Art. 6.1.a) | Explicit opt-in at signup |
All consent activations, deactivations, and modifications are time-stamped and retained for 5 years as proof. The complete log is accessible from the GDPR tab of the practitioner account.
Subscription lifecycle and data retention
PratiConnect distinguishes several phases in the lifecycle of a practitioner account, each with a specific data retention policy:
Trial period
Upon signup, the practitioner benefits from a free trial period. All data entered is retained throughout this period.
Post-trial grace window (7 days)
At the end of the trial, in the absence of subscription, the account enters a 7-day grace window during which full data access remains active and a GDPR export can be triggered at any time.
Free visibility mode (free_listing)
Beyond the grace window, the account automatically switches to free_listing mode: the practitioner profile remains visible on the PratiConnect public directory (subject to the public_directory_listing consent), all patient data is preserved intact, the complete GDPR export remains available, and resubscription is possible at any time without data loss. No active management feature is accessible until the subscription is reactivated.
Account deletion request (Art. 17 GDPR)
At any time, the practitioner can request account deletion from the GDPR tab. The request triggers a 30-day cooling-off workflow during which the user may withdraw the request. At the end of the period, data is irreversibly deleted or anonymized, except for data subject to a legal retention obligation (invoices, security logs, eIDAS signatures, health data subject to regulatory retention).
Data Retention Period
We retain your data for the duration necessary to fulfill the purposes for which it was collected:
- Account data: duration of the contractual relationship + 3 years
- Health data: 20 years from the last consultation (legal obligation)
- Billing data: 10 years (legal obligation)
- Connection logs: 1 year
Detail by data category
- Issued invoices: 10 years (France, Art. L123-22 Commercial Code) or 7 years (Israel, Income Tax Ordinance §130)
- Security logs (audit_logs): 1 year minimum (CNIL recommendation + LCEN)
- Qualified eIDAS electronic signatures: permanent retention until expiration of the claim or the legal value of the document
- Teleconsultation recordings: 90 days unless dispute is pending
- Patient data (active account): duration of the contractual relationship plus the legal medical retention obligations
- Patient data (deleted account): immediate anonymization except legal retention (Art. 17 GDPR)
- GDPR consents: 5 years for proof purposes (Art. 7.1 GDPR)
- GDPR requests (export, deletion, rectification): 3 years for compliance traceability
Data Sharing
We may share your data with:
- Service providers: hosting (Scaleway), subscription payment (Viva Wallet ISV), patient payment acceptance (Viva.com / Viva Payment Services S.A.), email delivery (under GDPR data processing agreement)
- Health authorities in case of legal obligation
- Legal advisors in case of litigation
- Certified HDS subcontractors for health data
We never sell your personal data to third parties.
Detailed list of subprocessors
In accordance with Art. 28 GDPR, all subprocessors have signed a Data Processing Agreement (DPA). The up-to-date list is available upon request at dpo@praticonnect.com.
- Scaleway (France) — main hosting and HDS-compliant S3 bucket. EU jurisdiction, no transfer.
- Amazon Web Services (Ireland) — additional object storage services. EU jurisdiction, no transfer; SCCs apply for any US-managed services.
- Viva Wallet & Viva Payment Services S.A. (Greece) — subscription payment and patient payment acceptance. EU jurisdiction.
- Scell.io (France) — compliant electronic invoicing and qualified eIDAS signatures. EU jurisdiction.
- LiveKit (self-hosted on EU infrastructure) — video teleconsultation. No transfer outside the EU.
- Google Ireland Ltd. — Google Calendar synchronization (only upon user OAuth consent). EU jurisdiction for the user account, transfers governed by SCCs + Data Privacy Framework.
- Mistral AI (France) — optional AI assistance services. EU jurisdiction, no transfer outside the EU.
- AssemblyAI (United States) — optional audio transcription. Transfer governed by European Commission SCCs; activation subject to third_party_integrations consent.
- BulkGate (Czech Republic) — transactional SMS sending. EU jurisdiction.
- Resend, Inc. (United States) — transactional email delivery and marketing audience management with granular consent enforcement. DPA compliant with Art. 28 GDPR signed and available on request. Transfer governed by SCCs + Data Privacy Framework.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (TLS) and at rest (AES-256)
- HDS certified hosting for health data
- Multi-factor authentication
- Regular security audits
- Ongoing staff training
Cookies
Our site uses cookies to improve your experience. Cookies are small text files stored on your device.
Essential Cookies
Necessary for the site to function properly (authentication, security). Cannot be disabled.
Analytics Cookies
Help us understand how visitors use the site. Can be disabled.
You can manage your cookie preferences at any time via our cookie banner or in your browser settings.
Your Rights
In accordance with GDPR, you have the following rights:
- Right of access: Obtain confirmation of the processing of your data and access it
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data under certain conditions
- Right to restriction: Limit the processing of your data
- Right to portability: Receive your data in a structured, machine-readable format
- Right to object: Object to the processing of your data for legitimate reasons
- Withdrawal of consent: Withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
To exercise these rights, contact us at dpo@praticonnect.com or through our contact form.
You can exercise all your GDPR rights directly from your practitioner space: visit Settings → My data & privacy (/practitioner/settings/gdpr) to access: full data export (Art. 20), granular consent management (Art. 7), account deletion request (Art. 17), data access journal (Art. 30), processing register (Art. 30), and history of all past GDPR requests.
International Transfers
Your data is hosted in the European Union. In case of transfer outside the EU, we ensure an adequate level of protection through standard contractual clauses approved by the European Commission.
Complaint to the CNIL
If you believe that the processing of your data violates the applicable regulations, you can lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.
Policy Updates
We may update this privacy policy at any time. The date of the last update is indicated at the top of this page. We encourage you to regularly consult this page.
Disclaimer
This privacy policy is informative in nature and summarizes our GDPR compliance approach. For any specific situation, particular contractual request, or contested exercise of a right, we invite you to consult your legal advisor or contact our Data Protection Officer directly at dpo@praticonnect.com.
Contact
For any questions regarding this privacy policy or to exercise your rights, you can contact us:
Email: dpo@praticonnect.com