- The Personal Data Controller is SynappseHealth Sp. z o.o., with its registered office at ul. Kopalniana 14A/11, 01-321 Warsaw, entered into the National Court Register by the District Court for Warsaw, XII Commercial Division of the National Court Register, KRS: 0000862698, NIP: 522-319-07-38, REGON: 38722896700000, share capital PLN 20,000 (fully paid), email: support@synappsehealth.com.
- Respecting your rights as data subjects and the applicable laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the Polish Personal Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000, 1669), and other relevant personal data protection regulations, we commit to safeguarding the security and confidentiality of personal data obtained from you. The Controller has implemented appropriate technical and organisational measures to ensure the highest level of protection. We have established GDPR-compliant procedures and policies to ensure lawful and reliable processing and enforce all rights of data subjects. When necessary, we cooperate with the supervisory authority in Poland, i.e. the President of the Personal Data Protection Office (PUODO).
- The Controller has appointed a Data Protection Officer: Karol Zaczek, tel. +48 791 083 441. All questions, requests or complaints regarding personal data processing by the Controller ("Notifications") should be sent to the Data Protection Officer at dpo@synappse.pl or in writing to the Controller’s address: ul. Kopalniana 14A/11, 01-321 Warsaw. A Notification should clearly indicate:
a) the data of the person(s) concerned,
b) the event forming the basis of the Notification,
c) the requests and their legal basis,
d) the expected resolution.
- In our Website/Mobile Application we collect the following personal data:
a) first and last name – required to use the services of our Website and the SynappseHealth "Electronic Health Records" Mobile Application so that we can provide services and contact you;
b) date of birth – required to verify whether the person using the Website and the SynappseHealth "Electronic Health Records" Mobile Application can independently consent to personal data processing;
c) email address – used to contact you. If you subscribe to our newsletter, we may send marketing information a few times a month; the email address is also the login for the Website and the SynappseHealth "Electronic Health Records" Mobile Application;
d) device IP address – general Internet connection data such as IP address (and other information in system logs) used by the Website administrator for technical purposes. IP addresses may also be used for statistical purposes, including gathering demographic information (e.g. region of connection) and in the Controller’s legitimate interests, including content personalisation/direct marketing of own services;
e) Cookies – our Website uses cookies to tailor its operation to your individual needs. You may consent to storing the data you enter so it can be reused during future visits without re-entry. Owners of other sites will not have access to this data. If you do not agree to personalisation, please disable cookies in your browser settings.
f) Other personal data are provided voluntarily by the data subject.
g) Using the "Talk to a Doctor" Mobile Application is fully anonymised and does not require registration or creating an Account; however, to use certain functionalities, especially the doctor e-consultation service, it is necessary to give consent to processing special categories of personal data, including data on health, racial and ethnic origin and genetic data, which are necessary to provide the e-consultation.
h) Using the SynappseHealth "Electronic Health Records" Mobile Application additionally requires Users to provide information on their nationality. The functionalities of this Mobile Application are also available via the Website.
i) A data subject may, at their discretion and with explicit consent, share in a conversation with "MedAI" their personal data, including special categories of data, in particular regarding health, medications, test results or other medical information from the Application/Website.
j) Such data are transmitted only as a result of a conscious and voluntary action by the User, e.g. by selecting the option "Attach my medical data to the conversation".
k) Data shared during a conversation with "MedAI" are processed:
- by the Controller to provide the chat service and maintain the conversation history,
- and by the artificial intelligence technology provider – Microsoft Azure. Data transfer to Microsoft Azure is based on a data processing agreement. Data are processed solely in Microsoft data centres in the European Union. Microsoft does not use user data to train AI models and acts only as a processor within the meaning of Article 28 GDPR. Special-category personal data transmitted to "MedAI" always result from the User’s active action and sole decision, while the Controller provides the ability to delete conversation history in "MedAI".
l) SynappseHealth does not share the User’s medical data without consent, and conversations held within "MedAI" are stored only to the extent necessary to ensure chat functionality and may be deleted after each AI chat session unless the User chooses to store data within "MedAI" functionalities.
- Providing the data indicated above is necessary in the following cases:
a) to use functionalities of our Website and Mobile Applications managed by the Controller;
b) to set up an Account on the Website, which is voluntary; in that case, we store your data to facilitate future use of services on our Website;
c) to perform the newsletter service (subscription) – if you wish to receive news and marketing offers, you may subscribe to our newsletter; subscription is voluntary and you may unsubscribe at any time;
d) special-category personal data (health, racial and ethnic origin, genetic data) are processed by the Controller only with the explicit consent of the data subject. Such data are processed when using the SynappseHealth "Electronic Health Records" Mobile Application, which allows storing health-related information of registered Users, and the "Talk to a Doctor" Mobile Application, which allows asking a doctor an anonymous question to obtain an online medical opinion. In the above situation, the doctor receiving the inquiry does not obtain information or personal data that would allow identification of the person asking the question via the Mobile Application.
- Each person using our Website/Mobile Application can choose whether and to what extent they wish to use our services and share information and data about themselves as specified in this Privacy Policy.
- Your personal data are processed by the Controller to provide services to you offered within the Website/Mobile Applications, on the basis of Article 6(1)(b) GDPR. For special-category personal data, the legal basis is Article 9(2)(a) GDPR – the explicit consent of the data subject. In line with the principle of data minimisation, we process only the categories of personal data necessary to achieve the stated purposes.
- Personal data are processed for the time necessary to achieve the purposes described above. Data may be processed for a longer period if such entitlement or obligation is imposed on the Controller by specific legal provisions or if the service we perform is continuous (e.g. newsletter subscription).
- The source of personal data processed by the Controller is the data subjects.
- Your personal data are transferred to a third country within the meaning of GDPR, namely the United States of America, which is necessary to perform the electronic services agreement, as the hosting provider acting as processor for the Controller is headquartered in the USA. The hosting provider is DigitalOcean, LLC, 101 Avenue of the Americas, New York, New York 10013. This entity is covered by the Privacy Shield mechanisms ensuring an adequate level of personal data protection and enforceability of data subject rights, therefore the Controller is entitled to use its services.
- We do not disclose personal data to third parties without the explicit consent of the data subject. Without consent, data may be disclosed only to public law entities, i.e. authorities and administration (e.g. tax authorities, law enforcement and other entities empowered by generally applicable law).
- Data subjects who are Users of the SynappseHealth "Electronic Health Records" Mobile Application may, at their request and with explicit consent, share their medical data stored in the Application with family members, caregivers or other third parties indicated by them ("Authorised Persons"). Sharing occurs only after an active User action by selecting the relevant option in the Application and defining the scope and duration of sharing. The Controller processes data on sharing (including identifiers of Authorised Persons, scope and time of access) solely to enable the sharing functionality and for security and audit purposes. Sharing medical data is carried out in accordance with Article 9(2)(a) GDPR – solely based on the explicit consent of the User whose data are shared. Users of the SynappseHealth "Electronic Health Records" Mobile Application have the right to withdraw consent and delete or restrict access of Authorised Persons at any time.
- The Controller does not transfer shared data to any external entities; it only makes them technically available to persons indicated by the data subject within the SynappseHealth "Electronic Health Records" Mobile Application. All actions related to sharing data with others are logged, and the sharing history is available to the data subject as the User. The Controller ensures appropriate technical and organisational measures to secure shared data, in particular encrypted transmission, access control, logging of sharing events and the ability for the data subject to review them.
- Personal data may be entrusted for processing to processors acting on behalf of the Controller. In such cases, the Controller enters into a data processing agreement with the processor. The processor processes the entrusted data solely for the needs, scope and purposes specified in that agreement. Without such entrustment we could not operate the Website/Mobile Applications. The Controller entrusts data for processing to:
a) the hosting provider for the Website and Mobile Applications: DigitalOcean, LLC, 101 Avenue of the Americas, New York, New York 10013;
b) if necessary, the legal service provider to the Controller, i.e. Data Protection Officer Karol Zaczek conducting business under REGIDO Karol Zaczek, ul. Czarnuszkowa 10/19, 51-180 Wrocław, NIP: 6631856943, REGON: 381485195, phone number: +48 791 083 441;
c) a company providing business analytics and user engagement/retention measurement services covered by Privacy Shield; subcontractor website https://mixpanel.com; address: One Front Street, 28th floor, San Francisco, CA 94111;
d) within the "MedAI" function, data voluntarily transmitted by the data subject during use of this functionality and chat with artificial intelligence may be processed by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, VAT Reg. No. PL5262967763 – as operator of Microsoft Azure used to generate "MedAI" responses – for the purpose of generating responses. The Controller has concluded a data processing agreement (DPA) with Microsoft Ireland Operations Limited under the Microsoft Products and Services Data Protection Addendum. Data are processed exclusively in Microsoft data centres in the European Union. Microsoft does not use user data to train AI models. Microsoft acts solely as a processor within the meaning of Article 28 GDPR. Special-category personal data sent to "MedAI" always result from the User’s active action and sole decision, while the Controller provides the ability to delete conversation history in "MedAI".
- Personal data are not subject to profiling by the Controller within the meaning of Article 22 GDPR. Information about the user collected via the "Talk to a Doctor" Mobile Application and the SynappseHealth "Electronic Health Records" Mobile Application will be used to study trends in user behaviour.
- In accordance with GDPR, each person whose personal data we process as Controller has the right to:
a) access their personal data, as per Article 15 GDPR – by providing us with personal data, you have the right to view and access it; this does not mean you are entitled to access all documents containing your data, as they may contain confidential information; you do have the right to know what data of yours we process and for what purpose, and to obtain a copy of your personal data; the first copy is free, and for each subsequent one we charge an administrative fee corresponding to the cost of preparing the copy,
b) rectify, supplement, update and correct personal data, as per Article 16 GDPR – if your personal data change, please inform us so that the data we hold are accurate and current; also, if your data have not changed but are incorrect or were recorded improperly (e.g. due to a clerical error), please let us know to correct them,
c) erase data (right to be forgotten), as per Article 17 GDPR – you have the right to request deletion of data held by us as Controller and to request that we inform other controllers to whom we have disclosed your data of the need to erase them. You may request erasure in particular when:
- the purposes for which personal data were collected have been achieved,
- the legal basis for processing was solely consent, which has been withdrawn and there is no other legal basis (e.g. you unsubscribe from the newsletter and do not otherwise use our services),
- you have objected under Article 21 GDPR and believe there are no overriding legal grounds for further processing,
- your personal data were processed unlawfully (for illegal purposes or without a basis) – you must substantiate such a request,
- erasure is required by law,
- you are under 13 years of age,
d) restrict processing, as per Article 18 GDPR – you may request that we restrict processing (meaning that until the matter is clarified we primarily store the data) if:
- you contest the accuracy of your personal data, or
- you believe we process your data without a legal basis but do not want us to erase it (i.e. you do not exercise the right above), or
- you have lodged an objection referred to in item f below, or
- your data are needed to establish, exercise or defend claims, e.g. before a court,
e) data portability, as per Article 20 GDPR – you have the right to obtain your data in a format that can be read on a computer and the right to transmit those data in such format to another controller; this right applies only when the processing is based on consent (e.g. newsletter subscription) or is carried out by automated means,
f) object to processing of personal data, as per Article 21 GDPR – you may object if you do not agree to our processing of personal data for legitimate interests pursued by us,
g) not be subject to profiling, as per Article 22 in conjunction with Article 4(4) GDPR,
h) lodge a complaint with the supervisory authority (President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw), as per Article 77 GDPR – if you believe we process your personal data unlawfully or in any way infringe rights arising from generally applicable personal data protection laws.
- With respect to the right to erasure (right to be forgotten), under GDPR you may not exercise this right if:
a) processing your personal data is necessary to exercise the right to freedom of expression and information,
b) processing is necessary for us to comply with legal obligations – we cannot erase your data for the period needed to fulfil legal duties imposed on us,
c) processing is carried out for the establishment, exercise or defence of legal claims.
- If you wish to exercise the rights referred to above, please use the appropriate tabs in the Website/Mobile Application to delete your account and data stored in our Website/Mobile Application, or send an email to the Data Protection Officer at dpo@synappse.pl or contact the Data Protection Officer by phone at +48 791 083 441.
- Each identified security breach is documented, and in situations specified in GDPR or the Act, data subjects and – where applicable – PUODO are notified of the personal data breach.
- Capitalised terms have the meanings given in the Terms and Conditions of our Website and Mobile Application, unless this Privacy Policy provides otherwise.
- Matters not regulated by this Privacy Policy are governed by applicable generally binding law. In case of inconsistency between this Privacy Policy and such law, the law prevails.