PRIVACY POLICY

Last updated: Monday, December 15, 2025, amended on Monday, February 9, 2026

Below you will find the automatically translated English version of the privacy policy.
Only the French version of the privacy policy is legally binding.

Scope

Through the services we provide, we collect various personal and sensitive data. We also act as a data processor for our clients, who themselves collect data, in order to process it using our software. In accordance with the provisions of the General Data Protection Regulation (GDPR), this policy explains what data or categories of data we collect, on what legal basis, for what purposes, how long we retain it, with whom we share it, and what the rights of data subjects are. This policy also mentions the data processors we use to process personal data, distinguishing between those who are recipients of your personal data and those who act solely as technical service providers and are not recipients of your personal data.

Data controller

The data controller for the personal and sensitive data covered by this policy is HIPPOCRATE SÀRL. This is a limited liability company under Luxembourg law, registered under number B282221 in the trade and companies register.

Its registered office is located at 10B rue des Mérovingiens L-8070 Bertrange (LUXEMBOURG), and you can contact us by email at privacy@hippocrate.lu.

Processing of personal data for which Hippocrate is the data controller

As part of our business activities, the services we offer, and the software you use, we collect and process personal data. Some personal data is processed for multiple purposes, so the following sections may repeat them. Regarding the retention period for personal data, the longest applicable period applies.

Customers

We collect and process the personal data of our customers when we enter into a business relationship.

Based on the legal grounds of contract performance, and in order to manage our relationship with you, we process your identification and contact information. This information is required to create an account for you on our software, to identify you, and to contact you. We retain this information in our active database for the duration of the contract, plus an additional month to allow you to retrieve it. We may continue to store this information in our encrypted backups for six months after the contract ends. You have the right to access, rectify, and erase all or part of this data. You can exercise these rights through the user interface of the software for which you have a user agreement. As this information is necessary to identify you for contract performance, you cannot exercise your right to erasure before the legally mandated period.

Based on the legal grounds of contract performance and legal obligations related to invoicing, we process your identification and contact data to generate invoices for the use of our software. This data is required to create accounting documents related to your use of our software, to track payments, and, if necessary, to send you payment reminders.

We retain this data in our active database for the duration of the contract or for ten years after the invoice date. You have the right to access, rectify, and erase all or part of this data. You can exercise these rights through the user interface of the software for which you have a user agreement. As this information is necessary to identify you for the purposes of contract execution and invoicing, you cannot exercise your right to erasure before the legally mandated period.

Based on the legal grounds of contract performance, and to ensure that the invoices you generate with our software allow your patients to submit them for reimbursement to the Caisse Nationale de Santé, we process additional personal data (such as the practitioner code in the Grand Duchy of Luxembourg). This data is optional for the proper functioning of our software.

We retain this data in our active database for the duration of the contract, plus an additional month to allow you to retrieve the data. We may continue to store this data in our archive database for two years after the contract ends.

You have the right to access, rectify, and erase all or part of this data. These rights can be exercised via the user interface of the software for which you have a user agreement.

Prospects

Before entering into a contractual relationship with our clients, we discuss our software and services with them. For this purpose, we collect and process personal data.

Based on our legitimate interest, and in order to contact you to inform you about our company and software, we process your personal identification and contact data. This data is necessary for us to contact you after assessing which of our software programs are best suited to your profession. We retain this data for three years from the date of collection, three years after our last interaction, or until you withdraw your consent. You have the right to access, modify, and delete this data. These rights can be exercised by contacting us using the methods mentioned at the beginning and end of this policy. We inform you of your rights in our communications and offer you the option to register your choice to no longer be contacted, should you wish to do so. In this case, we limit your data to your initials and the contact information (telephone, postal address, email address) that we have on file, so that we no longer use it to contact you.

Based on our legitimate interest, and in order to respond to your questions and requests regarding our company and software, we process your personal identification and contact data collected through the form you complete on one of our websites. Your name and email address are required so that we can contact you. Your telephone number is optional. We retain this data for three years from the date you provide it to us, three years after our last interaction, or until you withdraw your consent. You have the right to access, rectify, and erase all or part of this data. These rights can be exercised by contacting us using the methods mentioned at the beginning and end of this policy.

Processing of personal data for which Hippocrate acts as a subcontractor

The services and software we provide to our clients allow them to process your personal data, where applicable. In this case, they are the data controllers, and we act as data processors. In accordance with our duty to assist, we support our clients in managing requests to exercise their rights. Whenever possible, we inform you about the data we collect and where to find this policy. We do this through automated messages when we contact you for a legitimate reason related to our clients' use of our services and software. Some personal data is processed for multiple purposes, so the following sections may repeat them. Regarding the retention period for personal data, the longest applicable period applies.

Patients

Our services and software allow our clients to collect and process your personal data as soon as you join their patient base.

Based on the legal grounds of fulfilling the contract we have with our clients and our own legitimate interest in identifying, contacting, and monitoring your medical treatments, we process your personal identification and contact data, as recorded by our clients when they use our services and software. This information is required so that our clients can contact you regarding your treatments and sessions.

We retain this data in our active database for the duration of the contract with our clients, plus an additional month to allow them to return the data. We may continue to store this information in our encrypted backups for six months after the contract ends. Furthermore, if our clients delete this data from our services or software, we retain it in our active database for a maximum of one week after this action.

You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us through the methods mentioned at the beginning and end of this policy. If this data was used to generate invoices, you may not be able to exercise your right to erasure until our clients have confirmed payment of the invoice and saved it in their accounting software. As this information is also necessary for our clients' legitimate interest in identifying you, contacting you, and monitoring your treatment as part of the performance of the contract they have entered into with us, its erasure may not be possible before the completion of your ongoing medical treatments.

Based on the legal grounds of fulfilling the contract we have with our clients and our own legitimate interest, in order to identify you to a health or social security organization, we process your personal identification data with that organization, as recorded by our clients when they use our services and software. This information is optional for the operation of our services and software. We retain this data in our active database for the duration of the contract with our clients, plus one month to allow them to return the data. We may continue to store this information in our encrypted backups for six months after the end of the contract. Furthermore, if our clients delete this data from our services or software, we retain it in our active database for a maximum of one week after this action. If this information has been used to generate invoices, we retain it for ten years from the date of the last invoice.

You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us using the methods mentioned at the beginning and end of this policy. As this information is necessary to generate valid invoices for the health or social security organizations you depend on, its erasure may prevent you from receiving reimbursement or complicate your claims process. If this data was used to generate invoices, you may not be able to exercise your right to erasure until our clients have confirmed payment of the invoice and saved it in their accounting software.

Based on the legal grounds of fulfilling the contract we have with our clients and our own legitimate interest, in order to accurately reflect the treatments performed on your invoices and prevent exceeding the prescribed number of sessions, we process your personal data, namely the prescribing physician's prescription and related treatments, as uploaded and recorded by our clients when they use our services and software. This information is mandatory so that our clients can record the prescribed treatment, track the number of sessions remaining, and generate the corresponding invoices. We retain this data in our active database for the duration of the contract with our clients, plus an additional month to allow them to retrieve the data. We may continue to store this information in our encrypted backups for six months after the contract ends. Furthermore, if our clients delete this data from our services or software, we retain it in our active database for a maximum of one week after this action. You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us through the methods mentioned at the beginning and end of this policy. As this information is necessary to generate valid invoices for the health or social security organizations you depend on, deleting it may prevent you from receiving reimbursement or make your claims more difficult. If this data was used to generate invoices, you may not be able to exercise your right to erasure until our clients have confirmed payment of the invoice and saved it in their accounting software. Furthermore, as this information is necessary for our clients' legitimate interest in identifying you, contacting you, and monitoring your treatment as part of the contract they have with us, its deletion may not be possible before the completion of your ongoing medical treatments.

Based on the legal grounds of fulfilling the contract we have with our clients and our own legitimate interest, in order to prescribe medical treatments (including procedures or medications), we process your personal data related to these treatments, as recorded by our clients when they use our services and software. This information is mandatory so that our clients can record the prescribed treatments and generate the corresponding prescriptions. We retain this data in our active database for the duration of the contract with our clients, plus one month to allow them to retrieve the data. We may continue to store this information in our encrypted backups for six months after the end of the contract. Furthermore, if our clients delete this data from our services or software, we retain it in our active database for a maximum of one week after this action.

You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us using the methods mentioned at the beginning and end of this policy. Because this information is necessary to issue valid prescriptions with regard to the health or social security organizations you depend on, its erasure may prevent you from having a prescription recorded in our client's patient file. Furthermore, because this information is necessary for our clients' legitimate interest in being able to identify you, contact you, and monitor the treatments they prescribe as part of the contract they have entered into with us, its erasure may not be possible before the completion of your current medical treatments.

Based on the legal grounds of fulfilling the contract we have with our clients and our own legitimate interest, we process your personal data relating to your sessions, as recorded by our clients when they use our services and software, in order to inform you of the dates, times, and duration of your sessions, and to allow our clients to track the number of sessions completed for each of your treatments. This information is mandatory so that our clients can prepare your sessions, track the number of sessions in relation to the prescription if applicable, and generate the corresponding invoices. This information is also mandatory for our services and software to confirm the date, time, and location of your future sessions, to remind you of them in a timely manner, and to inform you of any changes. We retain this data in our active database for the duration of the contract with our clients, plus one month to allow them to retrieve the data. We may continue to store this information in our encrypted backups for six months after the end of the contract. Furthermore, if our clients delete this data from our services or software, we only retain it for a maximum of one week in our active database after this operation. You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us through the methods mentioned at the beginning and end of this policy. If this data was used to generate invoices, you may not be able to exercise your right to erasure until our clients have confirmed payment of the invoice and saved it in their accounting software. Moreover, as this information is necessary for our clients' legitimate interest in monitoring your treatment as part of the performance of the contract they have entered into with us, its deletion may not be possible before the completion of your ongoing medical treatments.

Contact persons for patients

Our services and software allow our clients to collect and process your personal data as soon as they have knowledge of your identification and contact information on the one hand, and of your link with one of their patients on the other.

Based on the legal grounds of contract performance, our clients' legitimate interests, and potentially the protection of the vital interests of individuals, we process your personal identification and contact data, as recorded by our clients when they use our services and software, in order to contact a designated contact person for one of their patients. This information is mandatory so that our clients can contact you regarding a patient for whom you are responsible (as a parent or guardian, for example) or about whom you hold information related to their situation or health (as a manager within a care, accommodation, or support organization, for example). We retain this data in our active database for the duration of the contract with our clients, plus one month to allow them to return the data. We may continue to store this information in our encrypted backups for six months after the contract ends. On the other hand, if our customers delete this data from our services or software, we only keep it for a maximum of one week in our active database after this operation.

You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us through the methods mentioned at the beginning and end of this policy. Because this information may be necessary to protect the vital interests of individuals, you may not be able to exercise your right to erase all or part of this data.

Doctors

Our services and software allow our clients to collect and process your personal data as soon as one of your patients presents a prescription for a treatment that you have prescribed.

Based on the legal grounds of contract performance and our legitimate interest in linking prescriptions to prescribing physicians, we process your personal identification and contact data, as recorded by our clients when they use our services and software. This information is mandatory so that our clients can contact you regarding your shared patients and so that your physician code appears on the fee statements generated by our services and software for our clients' patients and the Caisse Nationale de Santé.

We retain this data in our active database for the duration of the contract with our clients, plus an additional month to allow them to return the data. We may continue to store this information in our encrypted backups for six months after the contract ends. Furthermore, if our clients delete this data from our services or software, we retain it in our active database for a maximum of one week after this action.

You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients or by contacting us through the methods mentioned at the beginning and end of this policy. Because this information may be necessary to protect the vital interests of individuals, you may not be able to exercise your right to erase all or part of this data. If this data has been used to generate invoices, you may not be able to exercise your right to erase your doctor code.

Contacts

Our services and software allow our clients to collect and process your personal data as soon as you express the wish to join their patient base.

Based on the legal grounds of contract performance and our legitimate interest in contacting you to offer you a place on our patient list, we process your personal identification and contact information, as recorded by our clients when they use our services and software. This information is mandatory for our clients to contact you and offer you the opportunity to become their patient. We retain this data for three years from the date our clients record it in our services and software, three years after the last interaction our client reports having had, or until you withdraw your consent. We keep this data in our active database for a maximum of one month, plus the duration of the contract with our clients, to allow them to return the data. We may continue to store this information in our encrypted backups for six months after the contract ends. Furthermore, if our clients delete this data from our services or software, we retain it in our active database for a maximum of one week after this action. You have the right to access, rectify, and erase all or part of this data. These rights can be exercised with our clients, or by contacting us through the means mentioned at the beginning and end of this policy.

Cookies

When you visit one of our websites or use one of our software programs, we may place cookies on your web browser.

Our websites use session and preference cookies, which are essential for their proper functioning. Session cookies allow us to count visits to our websites without identifying you personally. Preference cookies allow you to view pages in your selected language when multiple languages are available.

Our services and software use session cookies to identify you and allow you to access features reserved for you.

These cookies comply with the criteria for exemption from consent as defined by the CNPD (https://cnpd.public.lu/content/dam/cnpd/fr/actualites/national/2022/fiche-pratique-CNPD-cookies-2022-01-27.pdf).

Service providers and subcontractors

To provide services and software to our clients, but also for the operational needs of our company, we rely on a limited list of service providers.

Odoo

To operate our websites, create our accounting documents, and manage our customer and prospect database, we use the services of the Belgian company Odoo SA.

You can contact this company by email at privacy@odoo.com or by post sent to:

Odoo S.A. - Data protection
Chaussée de Namur, 40
1367 Grand-Rosière
BELGIQUE

Gandi

To operate the services and software that our clients use, we rely on the IT hosting services of the French company Gandi SAS. All personal data processing is carried out in a data center located in Bissen, in the Grand Duchy of Luxembourg.

You can contact this company by email at dpo@gandi.net or by post sent to:

Gandi SAS
63-65 Boulevard Masséna
75013 Paris
FRANCE

Microsoft

To manage our customer database and certain aspects of our relationship with them (such as email communication and satisfaction surveys), we use the services of the American company Microsoft. To store all of our data, Microsoft uses data centers located entirely within European Union countries.

You can contact this company by telephone at +353 (1) 706-3117 or by mail sent to:

Microsoft's Data Protection Officer in the European Union
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521
IRLANDE

Cyclop

To store encrypted backups of our active database, we use the services of the Luxembourg company Cyclop Sàrl.

You can contact this company by email at dpo@cyclop.lu, or by mail sent to:

CYCLOP
103, route d’Esch
L-3230 Bettembourg
LUXEMBOURG

Brevo

To send emails from our services and software to our clients and their patients, we use the services of the French company Brevo SAS.

You can contact this company by email at dpo@brevo.com, or by mail sent to:

Brevo SAS — Équipe DPO
106 boulevard Haussmann
75008 Paris
FRANCE

Data transfer outside the European Union or European Economic Area

Generally, the data we process with our own services and software is processed exclusively within the territory of the Grand Duchy of Luxembourg. The personal data of our customers that we process through subcontractors is not necessarily stored within the European Union. Odoo, for example, uses the services of the Irish company Google Cloud EMEA Ltd, a subsidiary of the US company Google LLC, to store data in France and Belgium, but cannot guarantee that backups are also stored there. Microsoft has data centers in Europe; however, it remains subject to US law.

The United States is a country whose level of data protection is only partially aligned with the European GDPR. Only transfers of personal data to entities certified under the DPF are therefore authorized, whether the transfer is at our initiative or a consequence of the internal organization of our subcontractors.

Sharing your personal data

Unless explicitly stated otherwise, such as the clauses below, we do not disclose your personal data. This includes selling, exchanging, or transferring your data, whether for free or for payment. However, we reserve the right to share or disclose anonymized or aggregated data, rendering it indistinguishable from personal data, for marketing communications or statistical purposes. We may also be required to share your personal data if compelled to do so by a court order. In such cases, and if the court order authorizes us to do so, we will endeavor to contact you to inform you and allow you to file an appeal if you wish.

Claim

If you believe that the processing of your personal data by Hippocrate Sàrl constitutes a violation of the General Data Protection Regulation (GDPR), you may file a complaint with the CNPD.

Updates to our policy

We may update this policy to clarify certain terms. We may also modify its clauses to reflect changes in the operation of our websites or software. Each time a new version is published, the "last updated" date at the top of the policy will be updated, and we will communicate a summary of the changes, to the extent possible, to our software customers and to individuals whose personal data we process as a data processor on behalf of our customers.

Contact us

Despite the care we have taken in drafting this policy, you may still have questions. You can contact us by writing your message in French or English and sending it by email to privacy@hippocrate.lu, or by post sent to:

HIPPOCRATE SÀRL
10B rue des Mérovingiens
L-8070 Bertrange
LUXEMBOURG