Below you can find an automatic translation from the Italian version. This is provided only to help our users, but you should always refer to the Italian version available at /legal/policy/.
PRIVACY POLICY
Last updated: 2025/02/17
1. INTRODUCTION
2. WHO IT APPLIES TO
3. PURPOSE OF THE NOTICE
4. GENERAL INFORMATION FOR ALL USERS
- Definitions
- Principles Applicable to Data Processing
- Lawfulness of Processing
- Source of the Data
- Identity of the Data Controller
- Data Protection Measures
- Sharing Data with Third Parties
- International Data Transfers
- The Rights You Can Exercise Over Your Personal Data
- Legal Basis for Processing
- Automated Processes and Profiling
- Contacts
- DPO and Relevant Contact Information
- 4.14. Links to Other Websites
5. SPECIFIC INFORMATION FOR FINAL USERS
- Purpose of Processing, Legal Bases, and Retention Periods
- Creating an Account, Including for Third Parties
- Including Third-Party Data in the Final User’s Account
- The Company’s Role as Data Processor for Healthcare Professionals or Health Structures
6. SPECIFIC INFORMATION FOR PROFESSIONALS
7. SPECIFIC INFORMATION FOR VISITORS
8. COOKIES AND OTHER SIMILAR TECHNOLOGIES
- What Are Cookies
- Other Technologies Similar to Cookies Used
- Types of Cookies Used
- How to Give Consent to Cookies, Withdraw It, or Modify Preferences
- Managing Cookies through the Browser
- Cookie Retention
1. INTRODUCTION
IPPOCRA S.R.L., VAT number 03010040420, innovative start-up under the provisions of D.L. 179/2012 converted into Law 221/2012, subsequently amended by D.L. 76/2013 effective from June 28, 2013, and by Article 3, paragraph 10-bis of D.L. January 24, 2015, no. 3, converted, with amendments, by Law 24 March 2015, no. 33, headquartered in Ancona, Via Podgora 47, (hereinafter referred to as “The Company”) is the data controller of your personal data, the protection and security of which is an absolute priority.
This privacy policy on the processing of personal data and cookies (“Policy”) applies to the processing of personal data that occurs for users of the website ippocra.com (“Site”), the related service provided through the “web responsive” platform (currently not an app, but this may happen, and its use is accepted from now on), and any digital environment used by Ippocra S.R.L. to deliver its services (“Services”).
The user is invited to carefully read this policy and the section “Terms and Conditions” before using any of our services and creating an account on our site ippocra.com (“Account”).
2. WHO IT APPLIES TO
This policy applies to anyone who uses the site or the app or who uses one of the services provided by the Company. For the purposes of this document, the following definitions apply:
- “Visitor” refers to anyone who accesses the site but does not register or possess an account and does not use the Services;
- “Private User” refers to any natural and/or legal person who registers or uses the Site or the App in order to manage and store their own and their plan members’ medical records or other health documentation;
- “Professional” refers to any independent doctor or other healthcare professional working in the private sector who uses the services;
- “Health Structure” refers to any medical, laboratory, and/or any healthcare facility, whether private or public, that uses the services;
- “User” or “Final User” refers, depending on the case, to a Private User, a Professional, a Health Structure, or a Visitor.
- “Beneficiary” refers to a third person within the family unit, on behalf of whom the Final User may create an account (typically a minor under guardianship or parental authority, or an elderly person under the Final User’s care, a relative, etc.) or use our paid storage plans to also include the data of these persons along with their own.
The nature of the personal data collected and used, as well as the purposes of processing and the related legal bases, depend on the type of User, as defined above.
3. PURPOSE OF THE NOTICE
The main purpose of this notice is to provide complete information on how the Company collects, uses, stores, processes, and discloses personal data of Users when acting as the Data Controller (“Data Controller”). The Data Controller is the entity that determines the purposes, means, and methods of personal data processing, deciding how, for what purpose, and for how long to use your personal data.
The categories of Users “Professionals” and “Health Structures” themselves process personal data as Data Controllers, particularly the data of their patients and individuals who undergo any type of healthcare or diagnostic service with them. In these cases, the Company acts as the Data Processor.
In this case, it is the Professionals and Health Structures that determine the purposes and methods of processing, while the processor carries out processing activities on behalf of the Professional, following the relevant instructions and guidelines in the appointment document.
The information provided in this notice, where it indicates general information on how personal data is processed and our role as Data Processor for data processed by Professionals and Health Structures as Data Controllers, does not replace the notice that must be provided by the professional or health structure as the Data Controller.
This document is prepared by the Company to comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of April 27, 2016, on the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data. It also constitutes a valid tool for adopting the appropriate measures required by the regulation in accordance with the “accountability” principle for data controllers and processors, meaning the adoption of proactive behaviors that demonstrate the concrete adoption of measures aimed at ensuring compliance with the regulation (see Articles 23-25, in particular, and the entire Chapter IV of the regulation). In essence, it represents the tool entrusted to controllers for defining the methods, guarantees, and limits of personal data processing in compliance with legal provisions and in light of some specific criteria indicated in the regulation.
4. GENERAL INFORMATION FOR ALL USERS
4.1. Definitions
For the purposes of this document, the following definitions are provided:
1) “Personal data”: any information relating to an identified or identifiable natural or legal person (“data subject”); such as name, company name, identification number, location data, online identifier (email) and phone contact details, health and biometric data. NOTE: In the case that data of family members or other individuals belonging to the final User’s household (“Beneficiaries”) are uploaded, the same data referred to these individuals will be processed and treated as “Data Subjects” and will have the same rights attributed to them. Please refer to point 5.2 for further details on this matter.
2) “Processing”: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3) “Restriction of processing”: marking stored personal data with the aim of limiting their future processing;
4) “Profiling”: any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects related to a natural person, particularly to analyze or predict aspects concerning the person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
5) “Pseudonymization”: processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
6) “Archive”: any structured set of personal data accessible according to determined criteria, whether centralized, decentralized, or functionally or geographically dispersed;
7) “Data controller”: the natural or legal person, public authority, service, or other body which, alone or jointly with others, determines the purposes and means of processing personal data; when the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria applicable to their designation may be established by Union or Member State law;
8) “Data processor”: the natural or legal person, public authority, service, or other body that processes personal data on behalf of the data controller;
9) “Recipient”: the natural or legal person, public authority, service, or another body to whom personal data are communicated, whether or not they are third parties. However, public authorities who may receive personal data in the context of a specific investigation pursuant to Union or Member State law are not considered recipients; the processing of such data by these public authorities is in accordance with the applicable data protection laws for the purposes of processing;
10) “Third party”: a natural or legal person, public authority, service, or other body that is not the data subject, the data controller, the data processor, or persons authorized to process the personal data under the direct authority of the data controller or processor;
11) “Data subject’s consent”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by statement or clear affirmative action, signify agreement to the processing of personal data relating to them;
12) “Personal data breach”: a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
4.2. Principles applicable to the processing of personal data
Personal data must be:
a) processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness, and transparency”);
b) collected for specified, legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible with the initial purposes in accordance with Article 89, paragraph 1 (“purpose limitation”);
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
d) accurate and, where necessary, kept up to date; all reasonable measures must be taken to erase or rectify inaccurate data without delay (“accuracy”);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods if processed solely for archiving purposes in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89, paragraph 1, subject to the implementation of appropriate technical and organizational measures required by this regulation to safeguard the rights and freedoms of the data subject (“storage limitation”);
f) processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”). The necessary information to define the processing activities is contained and detailed in the Register of Processing Activities.
4.3. Lawfulness of processing
The processing of personal data by the Company is lawful as at least one of the following conditions applies:
- the data subject has consented to the processing of their personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject’s request;
- the processing is necessary for compliance with a legal obligation to which the data controller is subject;
- the processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, provided that these interests are not overridden by the data subject’s rights and freedoms, especially when the data subject is a minor.
4.4. Source of data
All data is collected when the Account is created and/or through forms filled out by Users in the context of using the Services and, in general, in connection with the use of the Services provided by the Company. Specifically, all health and biometric data contained in images and/or scans of reports, medical records, and exams that you decide to upload will be automatically collected and stored. The Site and App also collect data automatically when Visitors browse or use the Services, through tracking technologies such as cookies (see point 8).
If data of family members or other individuals belonging to the final User’s household (“Beneficiaries”) is uploaded, the same data will be processed as described above. The processing of health and biometric data is based on your consent. In the case that data of family members or other individuals from the final User’s household are uploaded, the consent is deemed extended to include the processing of data relating to these individuals, whom the final User confirms to have informed about this privacy notice and who the final User confirms, under their responsibility, has provided all necessary consent for the processing of their respective data.
Please refer to point 5.2 for further details on this matter.
4.5. Identity of the Data Controller
The Data Controller is IPPOCRA S.R.L., VAT number 03010040420, an innovative start-up according to D.L. 179/2012 converted into Law 221/2012 and subsequently amended by D.L. 76/2013 in force from June 28, 2013 and by Article 3, paragraph 10-bis of D.L. 24 January 2015 n. 3 converted, with modifications, by Law 24 March 2015 n. 33, with registered office in Ancona, Via Podgora 47.
4.6. Data protection measures
The Company considers the protection of your personal data to be a top priority, especially given that it relates to health and other biometric data, and adopts adequate technical and organizational security measures in line with the highest standards required by the GDPR to protect them from any type of leakage, destruction, unauthorized access, etc.
These protection measures may include, by way of example, choosing server allocation and maximum-level security measures; additionally, data is encrypted during transit using the HTTPS protocol, and it is also encrypted on disk; backups are automatically performed on a scheduled basis. In the event of a Data Breach, the data would remain unreadable as it is encrypted. The platform is regularly tested for its security levels.
In any case, the User must use secure internet connections and keep their devices’ security measures up to date to prevent the theft or damage/destruction of data during transmission.
4.7. Sharing data with third parties
Your personal data may be shared between the Site users, particularly between Private Users, Professionals, and Healthcare Facilities regarding patient health data and their treatment plans, or with third parties to whom the user decides to send their data by creating an ippolink generated for the individual transfer (“IppoLink”).
Professionals and healthcare facilities, regarding the data they collect and later store on the Site and share with patients, act as Data Controllers.
Data may also be shared with service providers with Data Processors and Sub-processors (such as accountants/work consultants, hosting/service providers), as well as with the designated DPO, but only to the extent necessary to perform their respective roles and purposes.
Data may be shared, upon request, to comply with legal obligations, with law enforcement, the judiciary, and other public authorities.
4.8. International data transfer
Some of the third parties mentioned above may be located outside the European Union. In such cases, we ensure that the legal requirements established by applicable data protection laws are met for the safe transfer of such data, ensuring that the highest security standards are adopted for any international data transfer.
4.9. Rights you can exercise over your personal data
The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, if so, to obtain access to personal data and the following information (“Right to be informed”):
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d) where possible, the retention period for the personal data or, if not possible, the criteria used to determine that period;
e) the existence of the right of the data subject to request the rectification or erasure of personal data or restriction of processing of personal data concerning them or to object to the processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the data were not collected from the data subject, all available information as to their source;
h) the existence of automated decision-making, including profiling, and at least in such cases, meaningful information about the logic involved, as well as the significance and consequences of such processing for the data subject. Where personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the existence of appropriate safeguards relating to the transfer. The data controller provides a copy of the personal data being processed. If further copies are requested by the data subject, a reasonable fee based on administrative costs may be charged. If the data subject submits the request electronically, the information will be provided in a commonly used electronic format, unless otherwise requested.
4.10. Legal basis for processing
You are not required to provide your personal data to the company. However, if you want to create an account and use the services, you need to provide us with some personal data. If you do not provide us with the necessary data to provide the requested services, and/or if you object to such processing, we may not be able to provide the requested Services.
The Company bases the conditions of consent on the following points:
a. If the processing is based on consent, the data controller must be able to demonstrate that the data subject has consented to the processing of their personal data.
The registration of an account will always be considered as valid and free consent for the processing of personal data and the use of cookies.
NOTE: In the case where the end user uploads data of family members or other individuals belonging to the end user’s household, the same data mentioned above will be processed for those individuals. The processing of health and biometric data is based on your consent. If data from family members or other individuals in the end user’s household are uploaded, the consent is also considered extended and granted for the processing of the data of these individuals, whom the end user declares to have informed about the contents of this privacy notice and to have received all necessary consent for the processing of their data under their responsibility.
Continuing to browse the site will always be considered free consent to the use of cookies.
b. If the data subject’s consent is given in the context of a written declaration that also covers other matters, the request for consent must be presented in a way that is clearly distinguishable from the other issues, in a comprehensible and easily accessible form, using simple and clear language. No part of such a declaration that constitutes a violation of this regulation is binding.
c. The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject is informed of this before giving consent. Consent can be withdrawn as easily as it was given.
d. When evaluating whether consent has been freely given, consideration must be given to, among other things, the possibility that the performance of a contract, including the provision of a service, may be conditional on consent to the processing of personal data not necessary for the execution of that contract. Specific details on consent for various processing activities are provided in the Record of Processing Activities.
For more information on the purposes of processing and the related legal bases, see points 5) and 6).
4.11. Automated processes and profiling
We do not process personal data that involve decisions based solely on the automated processing of your data, nor do we use fully automated decision-making processes based on your personal data that produce legal effects or similarly significantly affect your rights.
4.12. Contacts
To send us questions or requests, you can use the email address: info@ippocra.com, or use the contact form available on the Site, or write to us at: IPPOCRA S.R.L. Via Podgora 47, CAP 60124, Ancona.
4.13. DPO and related contacts
The DPO (Data Protection Officer) is the professional responsible for assisting the data controller in fulfilling the obligations arising from the GDPR. The DPO provides advice and support to the data controller in matters of personal data protection and serves as a point of contact for supervisory authorities and data subjects. The DPO must:
- Possess adequate knowledge of the laws and practices regarding the management of personal data;
- Perform their duties independently and without any conflict of interest;
- Work on the basis of a contract;
The DPO must carry out the following tasks:
- Monitor compliance with the regulation;
- Assist the controller in all activities related to personal data processing, including maintaining a record of processing activities;
- Support impact assessments on data protection;
- Inform and raise awareness among the data controller or processor, as well as employees, about the obligations of the Regulation;
- Cooperate with supervisory authorities and act as a point of contact.
The Company has appointed DPO Avv. Tommaso Rossi, with an office in Ancona, Via Baccarani 4, tel. 3403947151, email t.rossi@rpcstudiolegale.it.
4.14. Links to other websites
The site and app may contain links to other websites, applications, or platforms, including through “social” buttons. While we strive to ensure that such links are to tools that share our high standards in terms of privacy, we are not responsible for the content, security, or privacy policies of other websites, for which you should verify and adhere to the third-party service provider’s terms of service, including their privacy policy, and continue browsing only if you freely choose to do so and if this aligns with your security expectations for the processing of your data.
5. SPECIFIC INFORMATION FOR INDIVIDUAL USERS
5.1 Purpose of processing, legal bases, and retention periods
The purposes of processing, its legal bases, and the retention periods of the data processed by the Company as Data Controller are indicated in the following table.
Your data is stored by the Company, as the Data Controller, for the time necessary to fulfill the purposes indicated in this privacy notice and/or to comply with the legal and contractual obligations we are subject to.
The retention period for your data varies depending on the type of data and the purpose for which it is processed. In the event of a change to the retention periods, this privacy notice will be updated.
The following indications do not apply to data processed by Professionals and Healthcare Facilities as independent Data Controllers, for which their respective rules, regulations, and data retention policies apply.
If your account remains inactive for 3 years, your account will be considered inactive, and the company may delete your personal data before the retention period indicated, unless otherwise specified by you.
PURPOSE OF THE PROCESSING | TYPE OF DATA PROCESSED | LEGAL BASIS | STORAGE PERIOD |
---|---|---|---|
Creation and management of the Account upon registration on the website or app. | First name, last name, email address, phone number, identity document (number and copy), tax code. Gender, IP address, access data, consents, etc. - To proceed with subscription plan payments, we use an external provider and can only view the last 4 digits of your credit card used. | Processing personal data is necessary to provide you with the Services offered by the Company. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, we will keep it for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. |
Storage of health data, biometric data, medical records, reports, exams, etc. (including images) and their extraction. Receiving reminders about the need to perform and/or repeat medical exams and tests. | -Identification data, all health and biometric data contained in the images and/or scans of reports, medical records, exams, etc… that you decide to upload or provide to us, such as pathologies, allergies, ongoing treatments, medications taken, exams performed, surgeries undergone. -In case data of family members or other individuals in the private User’s household (“Beneficiaries”) are uploaded, the same data mentioned above related to these individuals will also be processed. | The processing of health and biometric data is based on your consent. If data of family members or other individuals in the private User’s household are uploaded (“Beneficiaries”), consent is considered extended to the processing of the aforementioned data, related to persons whom the final User declares to have informed about the content of this notice and has obtained the necessary consent for the processing of their data. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, we will keep it for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. |
Sending health and biometric data from Professionals and Structures to the private User, medical records, exams performed, reports, etc. (including images) and the extraction of all data contained therein. Sending reminders to patients about the need to perform and/or repeat medical exams and tests. | -Identification data of the patient, all health and biometric data contained in the images and/or scans of reports, medical records, exams, etc… that the final User/patient decides to receive from Professionals/Structures, such as pathologies, allergies, ongoing treatments, medications taken, exams performed, surgeries undergone. -In case data of family members or other individuals in the private User’s household (“Beneficiaries”) are uploaded, the same data mentioned above related to these individuals will also be processed. -Data of the Professional and the Structure, as well as the Staff who performed the exams. | The processing of health and biometric data is based on the consent of the final User, whether a patient or a Professional. If data of family members or other individuals in the private User’s household are uploaded (“Beneficiaries”), consent is considered extended to the processing of the aforementioned data, related to persons whom the private User declares to have informed about the content of this notice and has obtained the necessary consent for the processing of their data. The private User is aware that the Professional and healthcare structure also process their data as the Data Controller and have been authorized to transmit them to the Company Ippocra SRL to perform the services provided by it. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, we will keep it for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. We are not responsible for the data retention policy of Professionals and Healthcare Structures. |
Sending communications (reminders, information about Structures and professionals, promotions, etc.). These communications may be sent by us. | -Identification data of the patient, all health and biometric data contained in the images and/or scans of reports, medical records, exams, etc… that the private User/patient decides to receive from Professionals/Structures, such as pathologies, allergies, ongoing treatments, medications taken, exams performed, surgeries undergone. -In case data of family members or other individuals in the private User’s household (“Beneficiaries”) are uploaded, the same data mentioned above related to these individuals will also be processed. -Exam history. -Content of the communication. | The legal basis varies depending on the type of communication. For all communications, processing is necessary to provide you with our services, and there is no option to object. For additional communications, not strictly related to the execution and use of the Services on our platform, specific consents may be requested, or they may be based on our legitimate interest. In any case, you always have the right to object to receiving them or not provide your consent. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, we will keep it for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. |
Processing aggregated data, metrics, analytics related to your activity on the website or app, to perform internal analysis, obtain metrics and data to improve our services or detect malfunctions; for managing business activities. Some of these processes may be carried out through cookies or similar technologies. | Information about your device, unique identifiers normally stored in cookies on your device. IP address, language, browser, time zone. Information related to the times, modes, and duration of service use, data related to activity on the site. | We process this data based on our legitimate interest in conducting internal analysis to measure the metrics of our activity in order to provide you with better service. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, or in case of a user who does not register their account, we will keep it for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Provide assistance to End Users in case of technical problems with the platform. | Identification data and the content of the request. | The processing is necessary to provide you with our services. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, or in case of a user who does not register their account, we will keep it for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Display third-party advertising content | Information about your device, unique identifiers, IP address, time zone and language, browser used | For non-personalized advertising content, we process the data based on our legitimate interest in promoting our websites and those of Professionals and Structures using the service. For personalized advertising content, we process the data based on your consent to the use of third-party advertising cookies. | For the entire period during which your Account is active. In case of deletion of your Account, or if you request the deletion of your data, or in case of a user who does not register their account, we will keep it for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Ensure security and protect your personal data from cyberattacks or other types of intrusions | - Technical data related to the connection and use of the site; - Information about the browser and hardware used. | The processing is necessary to fulfill our legal obligations under GDPR regulations. | Unless the data needs to be retained for another processing activity mentioned in this table, we will keep your data for a period not exceeding 3 years from the moment the processing occurred, to comply with legal obligations. |
Manage your requests to exercise data subject rights | -Identification data of the person submitting the request and any third parties involved; -Content of the request. | The processing is necessary to fulfill our legal obligations under GDPR regulations. | We will keep your data for a period not exceeding 10 years from the date of response to your request, to comply with legal obligations and to defend ourselves in case of legal actions or claims. |
Manage your complaints | -Identification data of the complainant and any third parties involved; Any data related to the content of the complaint and/or data we may need to exercise our right of defense. | The processing is necessary to provide you with the services and to defend ourselves from any complaints. | We will keep your data for a period not exceeding 10 years from the date of response to your complaint, to defend and protect ourselves in any legal venue. |
Manage consents (Cookie banner) | -Identification data in the form of a randomly generated unique ID associated with your browser; -Decisions regarding consents | The processing is necessary to fulfill our legal obligations under GDPR regulations. | We will keep your data for a period not exceeding 1 year from the moment the processing occurred and you interacted with our cookie banner. |
5.2. Creating an account also for or on behalf of third parties
The private User can create an account in the name and on behalf of a third party (usually a minor under guardianship or parental authority, an elderly person under the care of the final User, a relative, etc.) or use our paid storage plans where they can also enter the data of the same people (“Beneficiaries”) in addition to their own.
This can happen provided that the private User has been previously and expressly authorized by the Beneficiary, or is legally authorized to act on behalf of the Beneficiary.
In these cases, the private User may create an account or store data in the plan linked to their account only if they have a valid basis for transmitting the Beneficiary’s personal data to the Company, professionals, and healthcare facilities, and they undertake to provide accurate, correct, complete, and truthful information about the Beneficiary.
In case the healthcare data is provided and/or uploaded by uploading healthcare documentation of family members or other subjects of the final User, the same data mentioned above relating to these subjects will also be processed. The processing of health and biometric data is based on your consent. If the data of family members or other individuals belonging to the final User’s household are uploaded, the consent is deemed extended to the processing of such data, relating to persons that the final User declares to have informed about the content of this privacy notice and for whom the final User confirms they have received all necessary consent for processing the relevant data.
If the data of family members or other individuals belonging to the private User’s household are uploaded, the same data mentioned above will be processed regarding those individuals, who will be equally considered “Data Subjects,” and will have the same rights attributed to them.
By providing the Beneficiary’s personal data, the private User declares to be legally authorized or expressly authorized by the Beneficiary to manage, store, receive, or transmit on their behalf the data, including healthcare data, that concern them.
If the private User, for any reason, loses the basis upon which they are responsible for the Beneficiary’s data, they must immediately delete the Beneficiary’s account or remove the Beneficiary’s data from their account and plan. If the Beneficiary themselves decides to assert their rights to deletion, correction, withdrawal of consent, or if they wish to transfer their data to a new personal account, the company should be contacted.
5.3. Inclusion of third-party data in the Final User’s account
The private User may include personal data of their family members in their profile, including health data (for example, if such data are relevant to the private User’s medical history), and share such data with professionals and healthcare structures, only where the private User has previously informed those family members of this intention, the purpose of the processing, and our data protection policies, and has obtained their consent.
5.4. Role of the Company as Data Processor for Professionals or Healthcare Structures
When the Professional or Healthcare Structure acts as an independent data controller of the personal data of the final User or Beneficiary – also using the data for their own purposes – and the same data is exchanged/stored using the services of our website, Ippocra SRL will act as the Data Processor for the personal data of the private User or the Beneficiary, in line with the privacy policy of the Professional or Healthcare Structure.
6. SPECIFIC PROVISIONS APPLICABLE TO PROFESSIONALS
If the final User is a professional or a Healthcare Structure using the Services and has an account, this means that they have established a contractual relationship with Ippocra SRL and have accepted all our terms and conditions for using the Site and related services and/or have entered into a contract for this purpose, and that they have read and accepted the privacy notice.
Many of the purposes of processing, the legal bases, and the related retention periods for the data processed are the same as those detailed in section 5.
The following are specific:
PURPOSE OF PROCESSING | TYPE OF DATA PROCESSED | LEGAL BASIS | STORAGE PERIOD |
---|---|---|---|
Creation and management of the Account during registration on the website or app. | Name of the professional or the structure, first name, surname of the legal representative, Tax Code/VAT, address, email address, phone number, identity document (number and copy) of the professional or the legal representative. Gender, IP address, login data, consents, etc. - To process payments for subscription plans, we use an external provider, and we can only view the last 4 digits of the credit card used. | The processing of personal data is necessary to provide the services offered by the Company. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, we will retain them for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. |
Storage of health data, biometric data, medical records, reports, tests, etc. (including images) and the extraction of data from these. Sending reminders about the need to perform and/or repeat health checks and exams. | - Identification data, all health and biometric data contained in images and/or scans of reports, medical records, tests, etc… that you decide to upload or provide us, such as pathologies, allergies, ongoing treatments, medications taken, exams performed, surgeries undergone. - In case data of family members or other persons belonging to the private user’s household (“Beneficiaries”) are uploaded, the same data will be processed concerning those individuals. | The processing of health and biometric data is based on the consent of the data subject, previously obtained by the professional or the healthcare structure as the data controller. If data of family members or other individuals belonging to the private user’s household (“Beneficiaries”) are uploaded, consent is considered extended and granted for the processing of said data, regarding people whom the final user declares to have informed about the contents of this notice and whom they declare to have received all necessary consent for the processing of their data. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, we will retain them for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. |
Sending health and biometric data from professionals and structures to the private user, medical records, reports, exams performed, etc. (including images) and the extraction of all data contained therein. Sending patients reminders about the need to perform and/or repeat health exams and checks. | - Patient identification data, all health and biometric data contained in images and/or scans of reports, medical records, tests, etc… that the final user/patient decides to receive from professionals/structures, such as pathologies, allergies, ongoing treatments, medications taken, exams performed, surgeries undergone. - In case data of family members or other individuals belonging to the private user’s household (“Beneficiaries”) are uploaded, the same data will be processed concerning those individuals. - Data concerning the professional and the structure, as well as the personnel who performed the exams. | The processing of health and biometric data is based on the consent of the final user, whether they are a patient or a professional. In case data of family members or other individuals belonging to the private user’s household (“Beneficiaries”) are uploaded, consent is considered extended and granted for the processing of said data, regarding people whom the private user declares to have informed about the contents of this notice and whom they declare to have received all necessary consent for the processing of their data. The private user is aware that the professional and healthcare structure process their data also as data controllers and have been previously authorized to transmit it to the Company Ippocra SRL to provide the service it offers. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, we will retain them for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. We are not responsible for the data retention policy of professionals and healthcare structures. |
Sending communications (reminders, information related to structures and professionals, promotions, etc.). These communications may be sent by us. | - Patient identification data, all health and biometric data contained in images and/or scans of reports, medical records, tests, etc… that the private user/patient decides to receive from professionals/structures, such as pathologies, allergies, ongoing treatments, medications taken, exams performed, surgeries undergone. - In case data of family members or other individuals belonging to the private user’s household (“Beneficiaries”) are uploaded, the same data will be processed concerning those individuals. - History of performed exams. - Content of the communication. | The legal basis is different depending on the type of communication. For all communications, processing is necessary to provide you with our services, and no opposition is allowed. For additional communications not strictly functional to the execution and enjoyment of the active services on our platform, specific consents may be required, or they may be based on our legitimate interest, and in any case, you will always have the right to oppose receiving them or not providing your consent. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, we will retain them for a period not exceeding 10 years to comply with legal obligations and to defend ourselves in case of claims. |
Processing aggregated data, metrics, analytics related to your activity on the website or app, to perform internal analysis, obtain metrics and data to improve our services or detect malfunctions; to manage commercial activities. Some of these processes may be carried out through cookies or similar technologies. | Information about your device, unique identifiers usually stored in cookies on your device. IP address, language, browser, time zone. Information related to the time, mode, and duration of using services, data related to activity on the site. | We process this data based on our legitimate interest in conducting internal analysis to measure our business metrics in order to provide you with an increasingly better service. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, or in case of a user who does not register their account, we will retain them for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Providing assistance to end users in case of technical problems with the platform. | Identification data and content of the request. | The processing is functional to providing you with our services. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, or in case of a user who does not register their account, we will retain them for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Displaying third-party advertisements | Information about your device, unique identifiers, IP address, time zone and language, browser used | For non-personalized advertisements, we process the data based on our legitimate interest in promoting our websites and those of professionals and structures using the service. For personalized ads, we process data based on your consent to use third-party advertising cookies. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, or in case of a user who does not register their account, we will retain them for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Ensuring security and protecting your personal data from cyberattacks or other types of intrusions | - Technical data related to the connection and use of the site; - Information about the browser and hardware used. | The processing is necessary to fulfill our legal obligations arising from GDPR regulations. | Unless the data needs to be retained for another processing activity mentioned in this table, we will retain your data for a period not exceeding 3 years from the time the processing occurred, to comply with legal obligations. |
Managing your requests to exercise the rights of data subjects | - Identification data of the person submitting the request and any third parties involved; - Content of the request. | The processing is necessary to fulfill our legal obligations arising from GDPR regulations. | We will retain your data for a period not exceeding 10 years from the date of response to your request, to fulfill legal obligations and to defend ourselves in case of legal actions or claims. |
Handling your complaints | - Identification data of the complainant and any third parties involved; any data related to the content of the complaint and/or any data we may need to exercise our right to defense. | The processing is necessary to provide you with services and to defend ourselves from potential complaints. | We will retain your data for a period not exceeding 10 years from the date of response to your complaint, to defend and protect ourselves in any forum. |
Managing consents (Cookie banner) | - Identification data in the form of a random unique ID associated with your browser; - Decisions regarding consents | The processing is necessary to fulfill our legal obligations arising from GDPR regulations. | We will retain your data for a period not exceeding 1 year from the time the processing occurred and you interacted with our cookie banner. |
Offering our services to professionals or healthcare structures | Name, surname, company name, address, email (“Identification data of the professional or healthcare structure”) | Legitimate interest or Consent. | We will retain your data for a period not exceeding 3 years from the time you were contacted, expressed interest in our service, or interacted with our cookie banner. |
Managing and sending communications as a customer of the Company, you may be informed about services and new initiatives that may interest you | - Identification data of the professional and/or structure; - Content of the communication | Legitimate interest, unless you have the right to object to receiving such commercial communications. | For the entire period during which your account is active. In case of deletion of your account, or if you request the deletion of your data, or in case of a user who does not register their account, we will retain them for a period not exceeding 3 years to comply with legal obligations and to defend ourselves in case of claims. |
Communicating data to judicial bodies or other public authorities, if requested by them and due to the obligation to provide the requested data, including your personal data, after analyzing the legitimacy and validity of the request, and transmitting only the strictly necessary data to satisfy the request | - Identification data of the professional and structure, as well as any other medical staff of the same structure; - Names and data related to patients (private users) in our possession; - Documents and files exchanged with private users | Legal duty to comply with legal obligations | We will retain your data for a period not exceeding 10 years to comply with legal obligations. |
7. SPECIFIC PROVISIONS APPLICABLE TO VISITORS
If you are a Visitor, we may process the following personal data about you:
- information about the device used;
- IP address (and its geolocation);
- time zone and language;
- browser in use;
- date and time of access to our site;
- duration of connection on our site;
- information on interaction with our site.
The processing of this data is necessary to access our Site and services (those for which creating a User Account is not required) in a reliable and secure manner.
This data is sent directly from your browser to our servers during navigation on the site and is used to document access to our servers, where it is stored securely.
Although these data do not directly reveal your identity, some of this information may indirectly reveal it, and therefore may be processed as personal data.
Some of this data may be collected through cookies or similar technologies: we therefore invite you to consult the section related to our Cookie Policy for more information.
Your data will be stored for a period not exceeding 1 year from the moment the processing occurred and you interacted with our cookie banner.
To exercise your rights, see point 4.9.