
Privacy Policy

Last updated: 13 May 2026

1. Introduction

This Privacy Policy explains how Prescrivia ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable EU data protection laws.

2. Data Controller

Prescrivia is the data controller for platform data. Independent doctors and pharmacies act as joint or independent controllers for the medical data they process in the course of providing healthcare services.

3. Data We Collect

3.1 Account Data

When you create an account, we collect name, email address, date of birth, delivery address, and account security information.

3.2 Health Assessment Data

When you submit a health assessment, we collect medical information including symptoms, medical history, current medications, allergies, and lifestyle factors. This is special category data under Article 9 GDPR and receives additional protections.

3.3 Payment Data

We collect payment information necessary to process your transaction. Full payment card details are processed by our PSD2-compliant payment provider and are not stored on our servers.

3.4 Technical Data

We collect IP address, browser type, device information, security logs, consent choices, and usage analytics where consent is required and given.

4. Legal Basis for Processing

  • Consent — For health assessment processing, optional analytics, and marketing communications where required
  • Contractual necessity — For providing platform access and routing your request to independent professionals
  • Legitimate interest — For security, fraud prevention, platform reliability, and service improvement
  • Legal obligation — For regulated healthcare, payment, tax, audit, data-protection, and safety records

5. How We Use Your Data

  • Facilitating the connection between you and independent healthcare professionals
  • Processing your health assessments and transmitting them to reviewing doctors
  • Processing payments and managing orders
  • Communicating with you about assessments, orders, safety, and account security
  • Improving platform reliability and security
  • Complying with legal and regulatory requirements

6. Data Sharing, Recipients, and Sub-processors

We share your data only as necessary. We do not sell your personal data to third parties and do not share it for marketing without your explicit consent.

Current recipients and sub-processors are listed below with purpose, processing location, and DPA or safeguard reference.

  • Independent doctors — health assessment for medical review — EU/EEA — independent or joint controller duties under healthcare law
  • Licensed pharmacies — prescription and delivery details — EU/EEA — independent controller duties under pharmacy law
  • Supabase — database, authentication, storage, and edge-function hosting — EEA-hosted project resources where configured — Supabase DPA and EU transfer safeguards
  • Wise — payment initiation, status, and reconciliation support — EEA/UK payment infrastructure — Wise data processing and financial-services terms
  • Didit — identity and KYC verification — EEA/approved subprocessors — Didit DPA and verification-data retention controls
  • Anthropic — de-identified AI-assisted assessment pre-screening — United States / approved transfer mechanism — DPA, no-training terms, and transfer impact assessment required before production use
  • Resend — transactional email delivery — United States / approved transfer mechanism — Resend DPA and transfer safeguards
  • Apify — regulated-data collection and enrichment workflows — EEA/approved subprocessors — Apify DPA and processor controls
  • Sentry — error monitoring, security diagnostics, and reliability telemetry — EU ingest endpoint where configured — Sentry DPA and EU ingest configuration

7. Data Security

We protect your data using technical and organisational controls.

  • Encryption for sensitive data at rest and in transit
  • EU/EEA-first hosting choices where configured
  • Role-based access controls with multi-factor authentication for sensitive roles
  • Security logging, audit trails, and access review
  • Automatic session timeouts for clinical data access

8. Your Rights

Under GDPR, you have the following rights. Some rights may be limited where legal retention, healthcare, safety, fraud, tax, or audit duties require us to keep certain data for a defined period.

  • Right of access — Request a copy of your personal data
  • Right to rectification — Correct inaccurate or incomplete personal data
  • Right to erasure — Request deletion where retention is not legally required
  • Right to restriction of processing — Ask us to restrict processing in specific cases
  • Right to object — Object to certain processing activities
  • Right to data portability — Receive data you provided in a structured, machine-readable format
  • Right to withdraw consent — Withdraw consent at any time without affecting earlier lawful processing
  • Right to lodge a complaint — Contact your local data protection authority

9. Data Retention

We retain personal data only as long as necessary for platform operation, legal obligations, healthcare documentation, payment reconciliation, fraud prevention, audit, and safety. KYC provider responses are minimised; raw document fields are not kept in routine webhook history.

10. International Transfers

We prefer EEA processing. Where a provider processes outside the EEA, we use appropriate safeguards such as a data processing agreement, standard contractual clauses where needed, and transfer risk review.

11. Children and Minors

Prescrivia is intended for adults aged 18 and over. We do not knowingly collect health assessment data from children or minors, and prescription-treatment assessment flows must not be used by anyone under 18. If we learn that a minor has submitted personal data, we restrict the account and handle deletion or retention according to applicable legal duties.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will publish the updated date and notify users of material changes where required.

To exercise any of the rights described in section 8, please contact us.

AI-assisted assessment pre-screening

Prescrivia may use Anthropic Claude, with OpenAI available only as a documented fallback, to support initial platform pre-screening of submitted assessment answers before a request is routed to an independent doctor. The AI output is used as a routing support signal and does not prescribe, diagnose, treat, or replace independent doctor decision-making.

Before any assessment data is sent for this pre-screening, Prescrivia removes direct identifiers such as name, date of birth, age, address, email, phone number, user IDs, order IDs, and similar platform identifiers. Anthropic and fallback OpenAI processing for production require a data processing agreement, no-training or Zero Data Retention equivalent terms, and a documented Transfer Impact Assessment.
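The paragraph above describes a de-identification step but not how such a gate is built. The following is an added illustration written for this page, not Prescrivia's own code: it allowlists the clinical fields a pre-screen needs, drops everything else (so a newly added form field is excluded by default rather than leaking until someone remembers to denylist it), then scans the surviving free text for identifier patterns and refuses to produce a payload if any are found. The field names, identifier prefixes (`usr_`, `ord_`, `asm_`), sample assessment and regular expressions are all assumptions made for the example.

```python
"""Hypothetical de-identification gate for assessment answers.

Added example, not Prescrivia's code. Field names, ID prefixes and the
sample assessment below are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Any, Iterator

# Allowlist: only these fields may reach the third-party pre-screen.
# Anything not listed (name, DOB, email, user_id, order_id, ...) is dropped.
CLINICAL_FIELDS = frozenset(
    {"symptoms", "medical_history", "current_medications", "allergies", "lifestyle"}
)

# Patterns that catch direct identifiers typed into free-text answers.
# Deliberately over-inclusive: a false positive blocks one request for
# manual review, a false negative sends identifiers to an external API.
_LEAK_PATTERNS: dict[str, re.Pattern[str]] = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "date": re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b"),
    "platform_id": re.compile(r"\b(?:usr|ord|asm)_[A-Za-z0-9]{6,}\b"),
}


class IdentifierLeak(ValueError):
    """Raised when an allowlisted field still contains a direct identifier."""


def scan_text(text: str) -> list[str]:
    """Return the names of every identifier pattern that matches `text`."""
    return [name for name, pattern in _LEAK_PATTERNS.items() if pattern.search(text)]


def _iter_strings(value: Any) -> Iterator[str]:
    """Walk nested str/list/dict answer values and yield every string."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _iter_strings(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _iter_strings(item)


def deidentify(assessment: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Build the payload allowed to leave the platform.

    Returns (payload, dropped_field_names). Raises IdentifierLeak (fail
    closed) if free text in an allowlisted field still looks like an
    identifier; the caller should route the request to manual review.
    """
    payload = {k: v for k, v in assessment.items() if k in CLINICAL_FIELDS}
    dropped = sorted(set(assessment) - CLINICAL_FIELDS)

    leaks: list[str] = []
    for field, value in payload.items():
        for text in _iter_strings(value):
            leaks.extend(f"{field}:{hit}" for hit in scan_text(text))
    if leaks:
        raise IdentifierLeak(f"identifier-like text in allowlisted fields: {leaks}")
    return payload, dropped


# Constructed sample input: what an assessment record might look like
# before the gate. None of these values are real.
SAMPLE_ASSESSMENT: dict[str, Any] = {
    "user_id": "usr_8f3k2m9q",
    "order_id": "ord_77a1b2c3",
    "name": "Ana Example",
    "date_of_birth": "1987-04-12",
    "email": "ana@example.com",
    "symptoms": "Recurrent migraine, 3 episodes per week, worse with screen time",
    "medical_history": ["hypertension diagnosed 2019"],
    "current_medications": "propranolol 40 mg daily",
    "allergies": "none known",
    "lifestyle": {"smoker": False, "alcohol": "occasional"},
}

# Same record, but the patient typed a phone number into a free-text answer.
LEAKED_ASSESSMENT: dict[str, Any] = dict(
    SAMPLE_ASSESSMENT, symptoms="Migraines, call me on +34 612 345 678 if urgent"
)

if __name__ == "__main__":
    payload, dropped = deidentify(SAMPLE_ASSESSMENT)
    print("sent to pre-screen:", sorted(payload))
    print("dropped before sending:", dropped)
    try:
        deidentify(LEAKED_ASSESSMENT)
    except IdentifierLeak as exc:
        print("blocked:", exc)
```

Two design choices matter here. The allowlist means the safe default is exclusion: a new account or order field added to the form never reaches the API unless someone deliberately adds it to `CLINICAL_FIELDS`. And the free-text scan fails closed, because patients routinely write names, phone numbers and dates into symptom descriptions; the cost of a false positive is one request held for a human, whereas a false negative is a special-category data transfer the DPA and transfer impact assessment did not cover.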

If platform pre-screening prevents a request from proceeding, you may contact support or the Data Protection Officer to request review of the decision-support record.

13. Contact

For privacy-related enquiries, email us at dpo@prescrivia.com or visit our contact page.