Privacy Policy

1. Data Controller

The data controller for your personal data is ToubibTrip SAS, a simplified joint-stock company registered with the Paris Trade and Companies Register, with its registered office located in Paris, France. For any questions regarding the processing of your data, you may contact our Data Protection Officer (DPO) at dpo@toubibtrip.com.

2. Scope of Application

This policy applies to all services offered by ToubibTrip, whether through our website (toubibtrip.com), our mobile applications (iOS and Android), or any other digital medium. It covers data from all users: patients, healthcare professionals, partners, and visitors.

3. Data Collected

As part of our services, we collect various categories of personal data:

• Identity data: last name, first name, date of birth, gender, nationality, profile photo (optional), identity document (for healthcare professional verification).
• Contact data: email address, phone number, postal address, country of residence.
• Health data: reason for consultation, medical history shared when booking appointments, uploaded medical documents, teleconsultation reports. This data is processed with enhanced protection in accordance with Article 9 of GDPR.
• Financial data: payment information (processed by our provider Stripe, PCI-DSS certified), transaction history, invoices.
• Technical and browsing data: IP address, browser type and version, operating system, device identifiers, pages visited, visit duration, geolocation data (with your consent).

4. Legal Basis for Processing

In accordance with GDPR, each data processing operation is based on a specific legal basis:

• Performance of contract (Article 6.1.b): creation and management of your account, processing of bookings, billing, connection with practitioners.
• Explicit consent (Article 6.1.a and 9.2.a): processing of health data, sending marketing communications, use of non-essential cookies, geolocation.
• Legal obligation (Article 6.1.c): retention of invoices and accounting data, response to court orders, fraud prevention.
• Legitimate interest (Article 6.1.f): improvement of our services, fraud prevention, platform security, anonymized aggregate statistics.
• Protection of vital interests (Article 6.1.d): medical emergency situations requiring transmission of information to healthcare professionals.

5. Purposes of Processing

Your personal data is processed for the following purposes:

• Management of your user account and secure authentication.
• Connection with healthcare professionals and appointment management.
• Provision of secure medical teleconsultations.
• Payment processing and billing management.
• Sending confirmations, appointment reminders, and service notifications.
• Continuous improvement of our services and user experience.
• Marketing communications and newsletters (with your prior consent).
• Compliance with our legal and regulatory obligations, particularly in healthcare matters.

6. Processing of Health Data

As a healthcare services platform, ToubibTrip processes health data within the meaning of Article 9 of GDPR. This data benefits from enhanced protection: it is collected only with your explicit consent, encrypted at rest and in transit, accessible only to the concerned healthcare professionals and authorized personnel, and hosted by HDS-certified (Health Data Hosting) providers in compliance with Article L.1111-8 of the French Public Health Code. You may withdraw your consent to the processing of your health data at any time, without affecting the lawfulness of processing carried out before such withdrawal.

7. Data Recipients

Your personal data may be shared with the following categories of recipients:

• Healthcare professionals: the doctors and practitioners with whom you book appointments, strictly limited to the information necessary for your care.
• Technical subcontractors: hosting providers (HDS-certified), payment service provider (Stripe, PCI-DSS certified), email and notification sending services.
• B2B partners: insurance companies and mutual insurers, only as part of your healthcare coverage and with your consent.
• Public authorities: tax administration, judicial or health authorities, only upon legally founded request.
• ToubibTrip never sells, rents, or transfers your personal data to third parties for commercial or advertising purposes.

8. International Data Transfers

Your data is primarily hosted and processed within the European Union. In cases where a transfer to a third country is necessary (for example, for the use of certain technical service providers), we ensure that this transfer is governed by appropriate safeguards: adequacy decision by the European Commission, standard contractual clauses (SCCs) of the European Commission, or approved certification mechanisms. You may obtain a copy of these safeguards by contacting our DPO.

9. Data Security

ToubibTrip implements state-of-the-art technical and organizational security measures to protect your data:

• TLS/SSL encryption for all communications and AES-256 encryption for data at rest.
• Multi-factor authentication (MFA) available for all accounts.
• Strict role-based access control (RBAC) and least privilege principle.
• Regular security audits and penetration testing conducted by independent third parties.
• Logging and monitoring of access to sensitive data.
• Incident response plan and notification to CNIL (French data protection authority) within 72 hours in case of data breach in accordance with Article 33 of GDPR.

10. Retention Period

We retain your personal data for the following periods:

• Active account data: for the duration of your registration, then 3 years after your last activity on the platform.
• Health data: 20 years from the last consultation, in accordance with Article R.1112-7 of the French Public Health Code.
• Billing data: 10 years from the closing of the fiscal year, in accordance with the French Commercial Code.
• Browsing data and cookies: 13 months maximum in accordance with CNIL recommendations.

11. Your Rights

In accordance with GDPR and the French Data Protection Act, you have the following rights regarding your personal data:

• Right of access (Article 15): obtain confirmation that your data is being processed and receive a copy.
• Right to rectification (Article 16): correct inaccurate data or complete incomplete data.
• Right to erasure (Article 17): request deletion of your data, subject to legal retention obligations.
• Right to restriction (Article 18): temporarily restrict the processing of your data.
• Right to data portability (Article 20): receive your data in a structured, machine-readable format.
• Right to object (Article 21): object to the processing of your data, particularly for direct marketing purposes.
• Right to withdraw your consent at any time, without affecting the lawfulness of prior processing.
• Right to define directives regarding the fate of your data after your death.

12. Cookies

Our use of cookies and similar technologies is detailed in our Cookie Policy accessible from the footer of our website. You can modify your cookie preferences at any time via the consent banner.

13. Protection of Minors

ToubibTrip services are intended for individuals aged 16 and over. For minors under 16, account creation and appointment booking must be performed by a parent or legal guardian via the "family member" feature. We do not knowingly collect personal data from minors under 16 without the consent of their legal representative.

14. Policy Modifications

ToubibTrip reserves the right to modify this Privacy Policy at any time. In case of substantial modification, we will inform you by email and/or by notification on the platform at least 30 days before the modifications take effect. The date of last update is indicated at the top of this page.

15. Data Protection Officer

Our Data Protection Officer (DPO) is your primary contact for any questions regarding the protection of your personal data.

16. Filing a Complaint

If you believe that the processing of your data does not comply with regulations, you may file a complaint with the competent supervisory authority.