Privacy Policy

Last updated: January 2025

1. Introduction

Health Mediation ("we", "us", "our") is committed to protecting your personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform.

2. Data Controller

The data controller is Health Mediation, based in Plovdiv, Bulgaria. For any data protection inquiries, contact us at info@healthmediation.bg.

3. Data We Collect

• Contact Information: Name, email, phone number, preferred language
• Health Information: Brief health issue descriptions submitted via the contact form
• Medical Documents: Files uploaded to the Document Vault (PDF, JPEG, PNG, DOCX)
• Insurance Details: Provider name, policy number, coverage type
• Payment Data: Processed securely by Stripe; we do not store credit card numbers
• Usage Data: IP addresses, browser type, pages visited (for analytics and rate limiting)

4. Legal Basis for Processing

We process your data based on:

• Consent: When you submit the contact form or accept cookies
• Contract: To provide the mediation services you have purchased
• Legitimate Interest: For security, fraud prevention, and service improvement

5. How We Use Your Data

• To provide medical mediation services
• To communicate with you about your inquiries and services
• To process payments via Stripe
• To send transactional emails (onboarding, payment confirmations, document notifications)
• To improve our platform and user experience

6. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations. Contact inquiries are retained for 2 years. Client profiles and associated documents are retained for the duration of the service relationship plus 5 years for legal compliance.

7. Third-Party Data Sharing

We share data with the following third parties:

• Stripe: Payment processing (PCI-DSS compliant)
• Amazon Web Services (AWS): Cloud infrastructure, data storage, and email delivery

We do not sell your personal data to any third parties.

8. Data Security

All documents are encrypted at rest using AES-256 encryption. Data in transit is protected with TLS/HTTPS. Access to client data is restricted to authorized personnel only, with role-based access controls enforced at the application level.

9. Your Rights

Under GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Request limitation of processing
• Objection: Object to processing based on legitimate interest

To exercise any of these rights, contact us at info@healthmediation.bg.

10. Cookies

We use essential cookies for authentication and session management. Non-essential cookies for analytics are only used with your consent. You can manage your cookie preferences at any time through the cookie consent banner.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.