Healion Privacy Policy

1. Introduction

HealionMed OÜ (“Healion”, “we”, “our”, or “us”), an Estonian company registered under number 17284775, with registered offices at Tornimäe tn 5, Kesklinna linnaosa, Harju maakond, 10145 Tallinn, Estonia, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our telemedicine platform (the “Platform”), which includes the website, mobile application, and any services offered through them (the “Services”).

We process your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”) and other applicable privacy and data protection laws.

By using the Platform, registering an account, scheduling or receiving a consultation, or otherwise interacting with our Services, you agree to the terms of this Privacy Policy. If you do not agree, please refrain from using the Platform.

2. Data Controller and Contact Information

The data controller responsible for processing your personal data is:

HealionMed OÜ
Registry code: 17284775
Address: Tornimäe tn 5, Kesklinna linnaosa, Harju maakond, 10145 Tallinn, Estonia
Email: support@healionmed.com

Healion has not formally appointed a Data Protection Officer (DPO) under GDPR Art. 37; however, we have designated a privacy contact responsible for inquiries regarding this Privacy Policy or our data protection practices. You may reach our privacy contact at the email address above.

3. Categories of Personal Data We Collect

We may collect and process the following categories of personal data:

3.1. Data You Provide Directly

  • Identification Data: Full name, gender, date of birth, nationality.

  • Contact Data: Email address, phone number, physical address.

  • Medical Data: Symptoms, medical history, medications, examination results, medical documents, images (e.g., lesions, scans), and other health-related information you submit during booking or consultation.

  • Insurance Data (if applicable): Insurance provider name, policy number, and relevant authorizations.

  • Billing Information: Payment method, billing address, and transaction records. Payment data is collected and processed through third-party processors (e.g., Stripe).

3.2. Data We Collect Automatically

  • Device Information: IP address, browser type, operating system, language settings, and device identifiers.

  • Usage Data: Pages visited, consultation activity, session duration, referral URLs, and app interactions.

  • Geolocation Data: If enabled, we may collect your real-time geolocation to connect you with local providers.

3.3. Data from Third Parties

  • From physicians: Notes, prescriptions, diagnostic information shared with your consent.

  • From insurance companies or assistance companies (if involved in your care).

4. Purposes of Processing and Legal Bases

We process your personal data for the following purposes:

4.1. Contractual Necessity

To provide our Services and fulfill our obligations, including:

  • Registering and managing your account.

  • Connecting you with healthcare providers.

  • Scheduling consultations.

  • Transmitting medical data to physicians for your care.

  • Processing payments.

  • Sending appointment notifications and support messages.

4.2. Legal Obligation

  • Compliance with tax and financial regulations.

  • Responding to legal requests or lawful court orders.

4.3. Legitimate Interests

  • Monitoring usage trends and improving Platform functionality.

  • Preventing fraud or abuse.

  • Enforcing our Terms of Use.

4.4. Consent

  • Geolocation tracking (when enabled).

  • Marketing communications (when subscribed).

  • Processing of sensitive medical data (when required).

You can withdraw your consent at any time by contacting us.

Processing of your health-related data (sensitive personal data under GDPR Art. 9) is conducted based on your explicit consent (GDPR Art. 9(2)(a)) or because it is necessary for the provision of medical diagnosis and healthcare services (GDPR Art. 9(2)(h)).

5. How We Use and Share Your Data

5.1. With Healthcare Professionals

When you book a consultation, your personal data, including medical history, symptoms, and uploaded files, will be shared with the selected healthcare provider. Providers may access, review, and annotate this data for the purpose of delivering medical advice or treatment.

5.2. With Payment Processors

Payment information is securely collected and processed by third-party providers (e.g., Stripe). Healion does not store full credit card numbers.

5.3. With Insurance or Assistance Companies

If you provide insurance information, we may share relevant personal data with your insurance provider or an assistance company to process claims or cover services.

5.4. With Technology Providers

We may use external hosting, video conferencing, analytics, and customer support services. These service providers process data on our behalf under strict confidentiality agreements.

5.5. With Authorities

Where legally required or necessary for legal protection, we may disclose your data to regulatory bodies, law enforcement, or courts.

5.6. With Your Consent

We may share data with third parties not listed above only with your explicit and informed consent.

6. Data Storage and Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of sensitive data.

  • Secure hosting in data centers located in the EU.

  • Access controls and authentication protocols.

  • Regular system monitoring.

However, no system can guarantee absolute security. By using the Platform, you acknowledge this inherent risk.

In case of a personal data breach that poses a risk to your rights and freedoms, we will notify the Estonian supervisory authority within 72 hours. We will also promptly inform affected individuals if the breach represents a high risk.

7. International Transfers

Healion stores and processes your personal data in the European Economic Area (EEA). If data is transferred to a country outside the EEA that lacks adequate protection, we will implement safeguards such as Standard Contractual Clauses (SCCs).

8. Data Retention

We retain your personal data only for as long as necessary for the purposes outlined in this Policy, unless a longer period is required by law. For example:

  • Medical consultation records are retained to comply with legal obligations.

  • Billing records are kept for accounting and tax purposes.

  • If you delete your account or withdraw consent, we will remove non-essential data, retaining only what is needed to meet legal or contractual obligations.

9. Your Rights

You have the following rights regarding your personal data under the GDPR:

  • Access: Request a copy of your data.

  • Rectification: Request correction of inaccurate or incomplete data.

  • Erasure: Request deletion of your data, under certain conditions.

  • Restriction: Ask us to limit processing.

  • Data Portability: Receive your data in a structured format.

  • Objection: Object to data processing based on legitimate interest.

  • Withdrawal of Consent: At any time, where processing is based on consent.

To exercise any of these rights, contact us at support@healionmed.com. We will respond within one month.

You have the right to lodge a complaint regarding our handling of your personal data with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) via www.aki.ee.

10. Children’s Privacy

The Platform is not intended for individuals under the age of 18. If we learn we have collected personal data from a minor without appropriate consent, we will delete it promptly. Legal guardians may submit data for children where required for treatment.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to improve user experience and analyze traffic. These include:

  • Essential cookies: Needed for login and secure navigation.

  • Analytics cookies: Help us understand usage patterns.

You may manage or disable cookies through your browser settings.

We only use analytics and other non-essential cookies with your explicit consent via our cookie consent banner. You can manage or withdraw this consent through the banner settings at any time.

12. Updates to this Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on our website with the updated effective date. Where appropriate, you will be notified via email or app alert. Continued use of the Platform indicates acceptance of the changes.

13. Contact Us

If you have any questions about this Privacy Policy or your data, please contact:

HealionMed OÜ

Email: support@healionmed.com

Postal Address: Tornimäe tn 5, Kesklinna linnaosa, Harju maakond, 10145 Tallinn, Estonia

Effective Date: July 19, 2025.