Privacy Policy (Privacy Notice)
> DRAFT — pending review and approval by qualified Croatian legal counsel. Not intended for publication in this form. > > This English text is a courtesy translation. The Croatian version is the sole binding version.
This notice explains how the medkit.ltd platform ("Medkit", "we") collects and processes personal data of patients, healthcare professionals and other users, in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Croatian GDPR Implementation Act (Zakon o provedbi Opće uredbe o zaštiti podataka, NN 42/18). It is written in plain language because it is addressed primarily to patients.
In short — the essentials:
- Booking an appointment is free for patients and requires no user account. Your only access to your booking data is the confirmation email with your personal cancellation link.
- We never process patient payments. There are no charges, deposits or commissions of any kind on the platform; any payment matters are strictly between you and the clinic.
- We send patients no marketing messages — only messages about your appointment (confirmation with a calendar attachment and a cancellation link).
- To measure overall site usage we use privacy-preserving, cookieless analytics (Vercel Web Analytics): it sets no cookies, uses no persistent identifiers, and does not track individuals across other sites or collect data that directly identifies you (PII). We show no advertising, do not track you across other sites, and build no marketing profiles. Anonymous visitors (including patients) receive no login cookies.
- We do not keep your medical records. We process only booking data: name, contact details, appointment time, the chosen practitioner and an optional reason for the visit.
- Data is processed and stored in the European Union. The content delivery network (CDN) is global, and some of our service providers are US-headquartered companies — see Section 9.
1. Controller and contact details
The controller for the Medkit platform is:
[ legal entity name and form] Registered seat: [ registered address] Court register: [ court of registration and MBS number] OIB (personal identification number): [ OIB] Authorised representative: [ representative name]
(referred to in this notice as "Medkit"). For the role of individual healthcare providers as independent controllers, see Section 4.
2. Privacy contact
For all privacy questions and to exercise your rights, contact us at privacy@medkit.ltd or by post at our registered seat.
Data Protection Officer (if appointed): [ DPO name and contact, if appointed].
3. Who this notice covers
We process personal data of the following categories of data subjects:
- patients who book an appointment or join a waiting list,
- review authors,
- clinic staff with user accounts (administrators, reception, practitioners),
- healthcare professionals and providers listed in the public directory (including unclaimed listings imported from a public registry),
- persons submitting requests to claim or remove a directory listing,
- website visitors (technical data).
4. Roles: Medkit and healthcare providers
- For operating the booking marketplace (collecting data through the booking form, transmitting it to the chosen clinic, sending transactional emails, security and abuse prevention), Medkit is an independent controller.
- The clinic you book with is an independent controller for the provision of healthcare. It relies on its own legal bases (including Art. 9(2)(h) GDPR) and is bound by professional secrecy. For medical records and data about your treatment, contact the clinic directly.
- For the calendar and patient-management module used by clinics (including appointments entered manually by clinic staff, e.g. phone bookings), Medkit acts solely as the clinic's processor under a data processing agreement (Art. 28 GDPR) that is made available to clinics as part of the service terms. In those cases the clinic collects the data.
- For the public directory of unclaimed listings (Section 5.4), Medkit is the sole controller.
5. What we process, why, and on which legal basis
Recipients common to all categories are listed in Section 8; for bookings, the chosen clinic is also a recipient.
5.1 Booking an appointment
When you book through Medkit, we collect:
- first and last name (required),
- email address (required),
- phone number (required),
- reason for the visit (optional, free text); if you answer the optional question whether you are a new or returning patient, that answer is added to the reason for the visit,
- the chosen clinic, practitioner, appointment type and time, and the booking channel,
- interface language,
- a record of the consent you gave (type, version and time),
- a unique secret token that lets you cancel and view your appointment via the link in your email.
Why this data can reveal health information. The mere fact that you booked an appointment with a particular practitioner or specialist, as well as any reason for the visit you type in yourself, can indirectly reveal information about your health. Under the GDPR, such data is a special category of personal data ("data concerning health").
Legal basis: Art. 6(1)(b) GDPR (steps taken at your request to arrange the appointment) for ordinary data, plus your explicit consent (Art. 9(2)(a) GDPR) for the elements that can reveal health information (an appointment with a named practitioner or specialist; the reason for the visit). You give consent by ticking a dedicated, pre-unticked checkbox in the booking form. You may withdraw consent at any time (Section 7); withdrawal does not affect the lawfulness of processing before withdrawal. Without your consent we cannot arrange the booking, because this data is genuinely necessary for the very service you are requesting.
Purposes: arranging the appointment with the chosen clinic, sending the confirmation and cancellation link, abuse prevention.
Appointment emails: from noreply@medkit.ltd we send a confirmation with a calendar attachment (.ics) and your personal cancellation link. We send only transactional messages about your appointment; we send no marketing messages and collect no marketing consent.
If clinic staff enter an appointment on your behalf (e.g. a phone booking), the clinic collects the data as controller and Medkit processes it as the clinic's processor (Section 4).
5.2 Waiting list
If you join a waiting list for an earlier appointment, the form collects: first and last name, email address, and optionally a phone number. The entry is tied to the chosen practitioner and, where applicable, to an appointment type. Because it is tied to a named practitioner or specialist, a waiting-list entry can likewise indirectly reveal information about your health (special-category data under Art. 9 GDPR — see Section 5.1). The waiting-list form currently contains no separate consent checkbox. Purpose: to notify you when a slot becomes available. Legal basis: the same as for bookings (Section 5.1). You currently cannot remove your waiting-list entry yourself in the app — you can request removal at any time at privacy@medkit.ltd (Section 7).
5.3 Reviews
A review can be submitted only for an appointment that has taken place (i.e. after the appointment has ended, provided it was not cancelled or marked as a no-show), and only via the secure personal link tied to that appointment — reviews are therefore tied to appointments actually booked through the platform. We collect: a rating (1–5), an optional free-text comment, and an optional publicly displayed name. Reviews are publicly visible on the clinic's profile. As the review's author you can update it later via the same link; to have it deleted, contact us by email (Section 7). Legal basis: your consent (Art. 6(1)(a)) — we publish the review at your request. Please do not include health details in your comment that you do not wish to share publicly.
5.4 Public directory of healthcare providers (notice under Art. 14 GDPR)
Medkit publishes a directory of approximately 3,700 Croatian healthcare providers. Unclaimed listings were imported from the public registry of healthcare providers maintained by the Croatian Institute of Public Health (National Registry of Healthcare Providers) — [ exact registry citation and snapshot date]. These listings contain: the practice/institution name (which, for private practices, may contain the practitioner's personal name), address, town, postal code, category of activity, and the date the registry snapshot was taken. We add no contact details from other sources — we neither import nor invent phone numbers, email addresses or websites. Listings contain no health data.
Legal basis: legitimate interest (Art. 6(1)(f)) — public availability of official information about healthcare providers and easier findability of care. Retention: for as long as the listing is published. Your rights: objection to the processing (Art. 21) and removal of the listing via the form available on each unclaimed listing's profile page (removal requests are currently processed manually); rectification of inaccurate data; and "claiming" the listing if you are an authorised person of the provider and wish to manage it. A listing removed on request is placed on an internal suppression list so that future registry imports do not republish it.
Because individually notifying approximately 3,700 entities would involve disproportionate effort, we rely on Art. 14(5)(b) GDPR and this public notice serves in place of individual notification.
For listings that providers have claimed and manage themselves: practitioner data (name, title, biography, languages, specialties) is entered by the provider and is publicly visible on the platform; the provider is responsible for its accuracy and for the legal basis of publishing its staff members' data.
5.5 Claim and removal requests
- Claim request: name, email address, phone number, and a note/evidence of authorisation. Purpose: verifying that the request comes from an authorised person of the provider and provisioning the account. Legal basis: Art. 6(1)(b) (steps at your request) and (f) (integrity of the directory).
- Removal request: email address and reason. Purpose: processing the request and permanently preventing re-import of the removed listing. Legal basis: Art. 6(1)(f) and giving effect to an objection under Art. 21 GDPR.
5.6 Clinic staff accounts
When a provider registers, we collect: email address and password (stored in a protected, hashed form in the authentication system), practice name and city; and subsequently members' roles within the organisation. Purpose: providing the service to the provider (sign-in, calendar management). Legal basis: Art. 6(1)(b) — the contract with the provider.
5.7 Security records (audit log)
We record security-relevant actions: who performed them (a staff member, or an anonymous action such as an online booking), which action, on which record, and when. Purpose: security, abuse prevention, accountability. Legal basis: legitimate interest (Art. 6(1)(f)). The log is available to the members of the provider concerned.
5.8 Technical data: server logs, maps and geolocation
- Server logs. Each access to the platform generates technical logs (IP address, requested URL, time) with our hosting provider (Vercel). URLs may contain your secret appointment cancellation token. Legal basis: legitimate interest — operating and securing the service (Art. 6(1)(f)).
- Maps. Map background tiles on search pages are loaded by your browser directly from CARTO's servers (OpenStreetMap data); CARTO thereby receives your IP address and the visible map area, but sets no cookies on our pages.
- Geolocation. We use your browser's location only if you explicitly click the map-search button; the coordinates are converted in your browser into a search area and are never stored anywhere.
6. How long we keep data
An honest statement of the current state: the platform currently performs no automatic deletion of data. Until we adopt and technically implement the retention schedule below, data is kept until we receive your deletion request and process it manually (Section 7).
Planned retention periods (to apply once adopted):
| Data category | Retention period |
|---|---|
| Booking data (patients, appointments, reason for visit, consent records) | [ retention period — booking and patient records] |
| Waiting list | [ retention period — waitlist entries] |
| Reviews | [ retention period — reviews] |
| Claim/removal requests | [ retention period — claim and removal requests] (the fact that a listing was removed is kept permanently on a suppression list so it is not republished) |
| Audit log | [ retention period — audit log] |
| Staff accounts | [ retention period — staff accounts] after account closure |
| Directory listings | for as long as the listing is published |
7. Your rights and how to exercise them
Under the GDPR you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection to processing based on legitimate interest (Art. 21), and the right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
What you can do yourself, immediately:
- cancel your appointment via the link in the confirmation email,
- view the basic details of your appointment via the same link,
- edit your review via your personal link,
- request removal of an unclaimed directory listing via the form on the listing's page.
All other rights — access, rectification, erasure, portability, objection, withdrawal of consent — currently cannot be exercised self-service in the app. Send your request to privacy@medkit.ltd. We process requests manually and respond without undue delay, at the latest within one month of receipt; in complex cases the deadline may be extended in accordance with Art. 12(3) GDPR, in which case we will inform you. To protect your data we may ask for reasonable proof of identity (e.g. that you write from the email address used for the booking).
For medical records and data held by a clinic as an independent controller, contact the clinic directly.
Right to lodge a complaint with the supervisory authority: Agencija za zaštitu osobnih podataka (AZOP — the Croatian Personal Data Protection Agency), Zagreb, www.azop.hr. You may also complain to the supervisory authority of the EU Member State of your residence or workplace.
8. Recipients: processors and third parties
We do not sell personal data and do not share it for marketing purposes. We disclose data to: (a) the clinic you booked with (an independent controller), (b) service providers (processors) who process it on our instructions, and (c) competent authorities where the law requires it.
| Provider | Service | Place of processing |
|---|---|---|
| Supabase (on AWS infrastructure) | database and authentication | EU — AWS region eu-west-1 (Ireland); US-headquartered company |
| Vercel Inc. | web hosting, CDN, DNS and execution of application code | serverless functions in the EU — region fra1 (Frankfurt); global CDN/edge; US-headquartered company |
| Vercel Web Analytics (Vercel Inc.) | aggregate, cookieless usage analytics | as for Vercel Inc. (functions in the EU, region fra1; global edge; US-headquartered company) |
| Resend | sending transactional emails | sending from an EU region (eu-west-1); US-headquartered company |
| Microsoft 365 | receiving email addressed to our @medkit.ltd addresses | per Microsoft's terms for Microsoft 365 |
| CARTO | map background tiles loaded by your browser | see Section 5.8 |
| Google (Geocoding API) | one-off geocoding of clinic addresses via an administrative script (no patient data whatsoever) | outside the production system |
To measure overall site usage we use privacy-preserving, cookieless analytics (Vercel Web Analytics, provided by Vercel Inc.); it collects aggregate usage data — for example the page path, referrer, country, device/browser type and UTM parameters — but sets no cookies, uses no persistent identifiers, does not track individuals across other sites, and collects no data that directly identifies you (PII) [ counsel to confirm the lawful basis / ePrivacy treatment of cookieless analytics]. We use no advertising providers and no providers that track users across other sites.
9. Transfers to third countries
Processing and storage of data take place in the European Union: the database and authentication system are located in AWS region eu-west-1 (Ireland), the application's serverless functions execute in the EU (Vercel, region fra1, Frankfurt), and emails are sent from an EU region (Resend, eu-west-1). However, in the interest of full transparency:
- our hosting provider's content delivery network (CDN/edge) is global — the edge nodes that serve content and forward your requests may also be located outside the EU;
- Vercel's technical request logs (including URLs containing the cancellation token) are stored with Vercel;
- Supabase, Vercel, Resend and Microsoft are US-headquartered companies, so access from the USA is possible for technical support and operations.
Any transfers to the USA are based on [ transfer mechanism per vendor — DPF/SCCs, counsel to verify] (e.g. the European Commission's Standard Contractual Clauses and/or the EU–US Data Privacy Framework for certified recipients).
10. Data security
Among other measures (Art. 32 GDPR), we apply:
- data storage in the European Union (Supabase, AWS eu-west-1) and execution of serverless functions in the EU (Vercel, region fra1),
- encryption in transit (TLS) with HSTS,
- infrastructure-level encryption at rest (provider defaults),
- per-provider data isolation enforced at the database level (forced row-level security policies), covered by automated tests,
- database-level integrity rules (e.g. it is impossible to double-book the same slot; cross-provider writes are blocked),
- unguessable secret tokens for patient access to appointments, with a strict Referrer-Policy preventing their leakage to other sites,
- least-privilege service access keys,
- an audit log of staff actions,
- strict security HTTP headers and a Content-Security-Policy with no third-party scripts.
11. Automated decision-making and profiling
We carry out no automated individual decision-making or profiling within the meaning of Art. 22 GDPR. The ordering of search results involves no paid placement.
12. Children and minors
In the Republic of Croatia, a child may independently give consent in relation to information-society services from the age of 16 (Croatian GDPR Implementation Act, NN 42/18). Appointments for persons under 16 should be booked by a parent or guardian using their own contact details. The platform performs no technical age verification.
13. Cookies and local storage
The only cookies we set ourselves are login cookies for clinic staff (Supabase authentication) and a functional cookie remembering your chosen language (NEXT_LOCALE), which is set only if you change the language yourself. Patients and anonymous visitors receive no login cookies. One map display preference containing no personal data is kept in the browser's local storage. There are no analytics or advertising cookies: to measure overall site usage we use cookieless analytics (Vercel Web Analytics) that sets no cookies and stores no identifiers on your device; and we set no third-party cookies (loading map tiles from CARTO is a third-party network request, but CARTO sets no cookies on our pages). Details are in the separate Cookie Policy.
14. Changes to this notice
We publish changes on this page with the date indicated. We will reasonably highlight material changes on the platform.
15. Governing language
The Croatian version of this notice is the sole authentic version. Translations into other languages are provided for convenience only.
---
Last updated: [ date]
DRAFT — this document must be reviewed and approved by qualified Croatian legal counsel before publication.