direct.doctor

Privacy Policy

Last updated: April 4, 2026

1. Introduction

DUCES CONSULTING S.R.L. (Tax ID 25748784, J40/7566/2009), headquartered in Bucharest, Sector 3, Basarabia Street no. 256, as the personal data controller, respects the privacy of users of the direct.doctor platform (www.direct.doctor) and is committed to protecting personal data in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable national legislation.

2. Personal Data Collected

We collect the following categories of personal data:

Patients:

  • Identification data: name, email address, phone number
  • Health data: medical information shared during consultations, uploaded medical documents
  • Financial data: digital wallet information, transaction history
  • Technical data: IP address, browser type, session data

Doctors:

  • Identification data: name, email, phone
  • Professional data: professional title, specializations, experience, education
  • Verification documents: diploma, CMR certificate, practice license, malpractice insurance, ID card
  • Availability data: weekly schedule, exceptions

3. Purpose of Processing

Personal data is processed for:

  • Providing telemedicine services and intermediating consultations
  • Creating and managing user accounts
  • Verifying doctor identity and qualifications
  • Processing payments and managing the digital wallet
  • Service communications and Platform updates
  • Legal compliance

4. Legal Basis

Data processing is based on:

  • Consent (Art. 6.1.a GDPR) — for account creation and service usage
  • Contract performance (Art. 6.1.b GDPR) — for providing requested services
  • Legal obligation (Art. 6.1.c GDPR) — for financial record keeping
  • Legitimate interest (Art. 6.1.f GDPR) — for platform security and fraud prevention

5. Data Storage

Data is stored on secure servers in the European Union (Oracle Cloud, Frankfurt). Storage duration:

  • Account data: for the duration of the account + 14 days after deletion request
  • Medical data: anonymized upon account deletion, kept anonymized per medical regulations
  • Financial data: 10 years per fiscal legislation
  • Attached files: for the duration of the consultation + retention period

6. Security

We implement technical and organizational measures to protect data:

  • Encryption in transit (TLS/HTTPS) and at rest (AES-256)
  • JWT authentication with time-limited tokens
  • Medical file access restricted to consultation participants
  • Secure document storage in Oracle Cloud Object Storage

7. Cookies

The Platform uses essential cookies for functionality (authentication, language preferences, sidebar state). We do not use marketing or third-party tracking cookies.

8. User Rights

Under GDPR, you have the following rights:

  • Right of access — you can request a copy of your data
  • Right to rectification — you can correct inaccurate data
  • Right to erasure — you can request account deletion and data anonymization
  • Right to portability — you can request data export
  • Right to restriction — you can request processing limitation
  • Right to object — you can refuse processing in certain situations

9. Complaints

You have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), Gheorghe Magheru Boulevard no. 28-30, Sector 1, Bucharest, www.dataprotection.ro.

10. Data Sharing with Third Parties

Data may be shared with:

  • Revolut — payment processor, for wallet transactions
  • Oracle Cloud — infrastructure provider, for data storage
  • Competent authorities — when required by law

11. Modifications

We reserve the right to update this policy. Users will be notified through the Platform.

12. Contact

To exercise your rights or for questions regarding data protection:

DUCES CONSULTING S.R.L.
Basarabia Street no. 256, Sector 3, Bucharest
Contact page