Privacy Policy
Last updated: 5 April 2026
1. Data Controller
The data controller responsible for your personal data is Eureka Medical, LDA (NIPC 514005793), trading as AETHERA Health, part of the HonestGraciosity SGPS group. For any privacy-related enquiries, contact us at info@eurekamedical.eu.
2. Data We Collect
We collect the following categories of personal data:
- Account Information: Name, email address, password (hashed), country of residence, preferred language.
- Health Data (Special Category): Medical history, current medications, health goals, BMI, assessment responses, physician notes, prescriptions, and treatment progress.
- Payment Data: Processed securely by Stripe. We store your Stripe customer ID and subscription status but never your card details.
- Usage Data: Pages visited, features used, device type, browser, IP address (anonymised after 30 days).
- Communications: Messages exchanged with our AI health assistant and physician consultations.
3. Legal Basis for Processing
Under the GDPR (Regulation (EU) 2016/679), we process your data on the following legal bases:
- Consent (Art. 6(1)(a) & Art. 9(2)(a)): For processing health data and AI-assisted health recommendations. You may withdraw consent at any time.
- Performance of Contract (Art. 6(1)(b)): To provide our telehealth services, process subscriptions, and deliver medications.
- Legal Obligation (Art. 6(1)(c)): To comply with healthcare regulations, tax obligations, and record-keeping requirements.
- Legitimate Interest (Art. 6(1)(f)): To improve our services, prevent fraud, and ensure platform security.
4. How We Use Your Data
- To provide physician consultations and personalised treatment plans.
- To process prescriptions and coordinate medication delivery across the EU.
- To power our AI health assistant with relevant context about your health journey.
- To process payments and manage subscriptions via Stripe.
- To send transactional communications (appointment reminders, prescription updates).
- To improve our platform and develop new features (using anonymised, aggregated data).
5. Data Sharing
We share your data only with:
- Licensed EU Physicians: Your health data is shared with the physician reviewing your case, bound by medical confidentiality.
- EU-Licensed Pharmacies: Prescription details and delivery address shared for medication fulfilment.
- Stripe: Payment processing. Stripe is PCI DSS Level 1 certified. See Stripe's Privacy Policy.
- Supabase (Hosting): Database infrastructure hosted in the EU (AWS eu-west-1, Ireland). See Supabase Privacy Policy.
- Anthropic (AI): Anonymised conversation data processed by Claude AI for health assistant functionality. No personally identifiable health data is sent to Anthropic.
We do not sell your personal data. We do not share your data with advertisers.
6. Data Retention
- Account data: Retained for the duration of your account plus 30 days after deletion.
- Health and medical records: Retained for a minimum of 10 years as required by EU healthcare regulations.
- Payment records: Retained for 7 years for tax and accounting purposes.
- Usage analytics: Anonymised and aggregated after 90 days; raw logs deleted after 30 days.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Request deletion of your data, subject to legal retention requirements.
- Right to Restriction (Art. 18): Restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting prior processing.
To exercise any of these rights, email info@eurekamedical.eu. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including: encryption in transit (TLS 1.3) and at rest (AES-256), Row Level Security on all database tables, role-based access controls, regular security audits, and secure authentication with bcrypt password hashing.
9. International Transfers
Your data is stored and processed within the European Economic Area (EEA). Where data is processed outside the EEA (e.g., Anthropic AI processing in the US), we ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Cookies
We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. For details, see our Cookie Policy.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD): www.cnpd.pt, or with the supervisory authority in your EU member state of residence.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and an in-app notification at least 30 days before taking effect.
Eureka Medical, LDA (NIPC 514005793) · Part of HonestGraciosity SGPS Group · Portugal / European Union