Privacy Policy
1. Introduction
This Privacy Policy describes how eHealthGPT (“the Platform”, “we”, “us”) processes personal data solely in its capacity as a processor on behalf of its clients (“Controllers”), in accordance with the General Data Protection Regulation (GDPR) and other applicable laws.
The Platform does not determine the purpose or legal basis for processing patients’ personal data. All data is processed exclusively on the instructions of the Controller, in accordance with the concluded Data Processing Agreement.
2. Identity and Contact Details of the Processor
Name: eHealth Group SA
Address: Route de la Corniche 4, 1066 Epalinges, Switzerland
E-mail: contact@ehealthgroup.ch
Data Protection Officer: dpo@ehealthgroup.ch
3. Role in Processing
The Platform acts solely as a processor on behalf of the Controller. The Controller determines:
- what data is collected,
- the purposes of processing,
- the legal basis,
- the data retention period.
The Platform provides technical infrastructure, data storage, modification, and deletion exclusively on the Controller’s instructions.
4. Types of Data Processed
4.1. Data about Users (Platform Users)
- First and last name
- E-mail address
- Username and password
- Technical data (IP address, access logs)
4.2. Data about Third Persons (entered by physicians)
- General data (name, surname, date of birth, gender – if entered by the User)
- Special categories of data (diagnoses, test results, medical images, therapies, medical history) – Article 9 GDPR
5. Purposes of Processing
The Platform processes personal data exclusively for the following purposes, as instructed by the Controller:
- Registration and Management of User Accounts – to create, authenticate, and maintain accounts for authorized users, manage account settings, and ensure secure access to the Platform’s services.
- Enabling the Entry, Storage, Modification, and Deletion of Third-Person Data – to provide a secure environment in which authorized users can input, update, correct, or remove third-person information, including special categories of personal data, in compliance with applicable healthcare and data protection laws.
- Technical Support to the Controller – to troubleshoot issues, provide user assistance, maintain service availability, and ensure the proper functioning of the Platform in line with the agreed service level.
- Security Monitoring of the System – to collect and analyze system logs, IP addresses, and other relevant technical data to prevent, detect, and respond to unauthorized access, misuse, data breaches, and other security incidents.
6. Legal Basis for Processing
Processing is carried out solely based on the Data Processing Agreement with the Controller (Article 28 GDPR, Article 45 ZZPL). For special categories of data, the legal basis is provided by the Controller (e.g., Article 9(2)(h) GDPR – provision of healthcare services).
7. Data Transfers
Data is stored on servers within the European Economic Area (EEA) at Hetzner, Germany.
There are no data transfers outside the EEA, except on the Controller’s instructions and subject to appropriate safeguards under Article 46 GDPR.
8. Security Measures
We implement technical and organizational measures, including:
- Encryption of data at rest and in transit
- Password-protected access and multi-factor authentication
- Regular data backups
- Access control and activity logging
- Server protection against unauthorized access
9. Data Retention
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Data is retained for as long as determined by the Controller. Upon termination of the agreement, data is deleted or returned to the Controller within the timeframe set by the agreement.
10. Rights of Data Subjects
While the Platform acts solely as a processor, we cooperate with Controllers to ensure that data subjects can exercise their rights under the GDPR. Requests should be submitted directly to the Controller. Your rights are:
- Right to be informed – to receive transparent information about how personal data is processed.
- Right of access – to obtain confirmation whether data is processed and receive a copy.
- Right to rectification – to request correction of inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) – to request deletion of data in certain circumstances.
- Right to restriction of processing – to limit processing under certain conditions.
- Right to data portability – to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object – to object to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making – to not be subject to decisions based solely on automated processing with significant effects.
- Right to lodge a complaint – with a supervisory authority and seek judicial remedy.
11. Contact
For any questions regarding this Privacy Policy, you can contact us at:
E-mail: dpo@ehealthgroup.ch
Address: eHealth Group SA, Route de la Corniche 4, 1066 Epalinges, Switzerland
