1. General Provisions
1.2. This Privacy Policy (“Policy”) sets out the rules for the processing of personal data by Ferticare Point sp. z o.o., with its registered office at ul. Złota 75A lok. 7, 00-819 Warsaw, entered into KRS: 0001206967, NIP/VAT 1182318380 (“Controller”), in connection with the use of the website available at ferticarepoint.com (“Website”) and the provision of the information and coordination service consisting in supporting communication between patients and medical facilities (“Coordination Service”).
1.3. The Controller processes data in accordance with Regulation (EU) 2016/679 (GDPR) and relevant national provisions and, to the extent applicable, with the UK GDPR and the Data Protection Act 2018; in relations with entities from the USA, it takes into account the principles of the EU–US Data Privacy Framework.
1.3. This Policy implements the information obligations resulting from Art. 13 and 14 of the GDPR.
1.4. The Controller is not a healthcare provider, does not provide medical services, and does not participate in making diagnostic or therapeutic decisions.
1.5. The Controller does not assess the quality of medical services provided by medical facilities and does not guarantee treatment results.
2. Controller and Contact Details
2.1. The Data Controller is Ferticare Point sp. z o.o., ul. Złota 75A lok. 7, 00-819 Warsaw, e-mail: info@ferticarepoint.com, tel.: +48 793 621 533.
2.2. The Controller has appointed a data protection officer. Contact: sanek@mkzpartnerzy.pl.
3. Categories of Processed Data
3.1. The Controller processes data to the extent necessary to achieve the purposes set out in this Policy, including:
a) identification data,
b) contact data,
c) organisational and communication data,
d) health data – exclusively to the extent voluntarily provided and covered by explicit consent,
e) technical data (IP address, browser data, operating system),
f) data regarding activity on the Website,
g) financial data – if the service model provides for payment.
3.2. In connection with the provision of the Coordination Service, the Controller may process information contained in medical records or other information regarding health that has been voluntarily provided by the data subject to enable communication with the selected medical facility.
3.3. Communication between the Controller and the data subject may also take place via electronic communication means, including instant messengers (e.g., WhatsApp, Telegram), if the person voluntarily chooses such a communication channel.
4. Purposes and Legal Bases for Processing
4.1. Data are processed for the following purposes:
a) provision of the Coordination Service – Art. 6(1)(b) GDPR,
b) transfer of data to the Clinic/Partner – Art. 6(1)(a) GDPR,
c) processing of health data – Art. 9(2)(a) GDPR,
d) operational communication – Art. 6(1)(b) GDPR,
e) fulfilment of legal obligations – Art. 6(1)(c) GDPR,
f) marketing – Art. 6(1)(a) GDPR,
g) ensuring IT security, prevention of abuse – Art. 6(1)(f) GDPR.
4.2. In the case of processing based on a legitimate interest (Art. 6(1)(f) GDPR), the Controller has conducted a balancing test (LIA), confirming that the Controller’s interest does not violate the rights and freedoms of the data subjects.
4.3. The Coordination Service may function in a combined model, in which part of the coordination activities is financed by cooperating medical facilities, while additional services may be provided directly to the user in a paid model.
5. Data Recipients
5.1. Data may be transferred to:
a) Clinics/Medical Partners – as separate controllers,
b) providers of IT, hosting, and CRM services – as processors,
c) entities providing accounting, legal, and audit services,
d) public authorities – if it results from a legal obligation.
5.2. If it is necessary for the provision of the Coordination Service, medical records or information regarding health may be transferred to the selected Clinic or Medical Partner based on the explicit consent of the data subject.
5.3. The Controller is not responsible for further data processing by the Clinic/Partner in the scope of health services.
5.4. Medical facilities to which personal data are transferred act as separate data controllers in the scope of health services and bear sole responsibility for data processing related to diagnosis and treatment.
6. International Transfers and TIA
6.1. Data may be transferred outside the EEA in connection with:
a) the location of the Clinic/Partner,
b) the use of global IT providers,
c) operational service in an international model.
6.2. Transfers are carried out using mechanisms compliant with Art. 44–49 of the GDPR, in particular:
a) adequacy decisions,
b) Standard Contractual Clauses (SCC),
c) additional technical and organisational security measures.
6.3. In required cases, the Controller conducts a Transfer Impact Assessment (TIA), analysing, among others:
a) the legal system of the third country,
b) the scope of powers of public authorities,
c) technical measures (encryption, pseudonymisation),
d) the possibility of exercising rights by the data subject.
6.4. In relations with entities from the USA, the Controller verifies participation in the EU–US Data Privacy Framework or applies SCCs.
6.5. In the case of using instant messengers or other communication platforms provided by third parties, sending data may involve additional risks related to data transmission on the Internet. The Controller takes reasonable measures to limit these risks.
7. Retention Period
7.1. Data processed for the purpose of providing the Coordination Service – for the period of service provision and the limitation period for claims.
7.2. Data processed based on consent – until its withdrawal.
7.3. Data processed based on a legal obligation – for the period required by law.
8. Rights of Data Subjects
8.1. The data subject has the right to:
a) access (Art. 15 GDPR),
b) rectification (Art. 16 GDPR),
c) erasure (Art. 17 GDPR),
d) restriction of processing (Art. 18 GDPR),
e) data portability (Art. 20 GDPR),
f) objection (Art. 21 GDPR),
g) withdrawal of consent (Art. 7(3) GDPR),
h) lodging a complaint with the competent supervisory authority.
8.2. In the case of users from the United Kingdom, analogous rights resulting from the UK GDPR apply.
9. Automated Decision-Making
9.1. The Controller does not use automated decision-making that produces legal effects.
10. Security Measures and Standards
10.1. The Controller applies technical and organisational measures adequate to the risk, including:
a) encryption of transmission (TLS),
b) access control and segmentation of permissions,
c) multi-factor authentication (MFA),
d) regular security tests,
e) incident response procedures,
f) risk analysis.
10.2. The Controller may apply international standards, such as ISO/IEC 27001, ISO/IEC 27701, exclusively to the extent actually implemented.
11. Voluntariness of Data Provision
11.1. Providing data is voluntary but necessary for the provision of the Coordination Service.
12. Amendments to the Policy
12.1. The Controller may update the Policy in the event of changes in law, business model, or security requirements.
12.2. The current version is published on the Website.
13. Final Provisions
13.1. In matters not regulated herein, the provisions of the law indicated in the Terms and Conditions shall apply.
13.2. The Policy is effective as of April 7, 2026.