Privacy Policy

What we collect, why, for how long, and the rights you have over your personal data. Written for patients, healthcare professionals and visitors to any Doctena surface.

Last reviewed
Next review
Owner: Data Protection Officer
Version: 3.0.0

Introduction and scope

This Privacy Policy describes how Doctena collects, uses, shares, retains and protects personal data when you use one of our services or visit one of our websites. It applies to:

  • Patients who book appointments, receive reminders, attend video consultations, or interact with their healthcare professional through Doctena.
  • Healthcare professionals (and the practices that employ them) who use Doctena to manage their availability, patient communications and billing.
  • Visitors to doctena.com, trustcenter.doctena.com, and the country product domains.
  • Customers' employees who interact with us through commercial, legal or support channels.

The policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and the national implementing laws of every country in which a Doctena entity is established.

Who is responsible

The Doctena entity responsible for your data depends on the country in which your service is offered. The applicable controller is listed on the Imprint page.

Group-level Data Protection Officer:

Country-specific privacy inboxes:

Data we collect

Account and profile data

  • Name, email address, telephone number, password (hashed with bcrypt or argon2).
  • For practitioners: professional title, practice address, registration number with the national medical council, languages, services and fee schedule.
  • For patients: date of birth, address (when required for paediatric or home-visit appointments), insurance details (only when explicitly entered).

Appointment and clinical data

  • Reason for visit, free-text notes you choose to write, appointment date and time, status.
  • Documents you upload (lab results, referrals, prescriptions) when the practitioner has enabled this feature.
  • Teleconsultation streams — these are end-to-end encrypted by our video sub-processor and not recorded by Doctena.

Technical and usage data

  • IP address, user agent, device type, timestamps, pages viewed.
  • Crash and error logs (collected by Datadog under tight redaction rules).
  • Audit logs of authentication events, permission changes and data exports.

Communication data

  • Support tickets you submit (handled by Zendesk).
  • SMS and email metadata sent on your behalf (Postmark, Spryng, SMSAPI).
  • In-app messages from Doctena (Beamer).

Marketing and analytics data (with consent)

  • Cookies set by Matomo (analytics) and Beamer when you opt in via the CookieFirst banner.
  • Email engagement (open, click) on marketing campaigns sent by Brevo (practitioner audience only).
  • CRM signals captured in HubSpot when you contact our sales team.

Why we process it

  • To deliver the service — operate the booking platform, send appointment reminders, host video consultations, sync practitioner calendars, process payments.
  • To secure the service — protect against fraud, abuse, account takeover, and security incidents.
  • To support our users — answer questions, resolve incidents, perform requested operations.
  • To meet our legal obligations — invoicing, accounting, response to lawful access requests, retention of medical records as required by national law.
  • To improve the service — privacy-friendly analytics with opt-in, A/B testing of UI changes on aggregated data, customer surveys.
  • To communicate — service announcements, security advisories, optional marketing (with opt-in).

| Purpose | Article 6 basis | Article 9 basis (health data) |
| --- | --- | --- |
| Operate the booking platform | 6(1)(b) — performance of contract | 9(2)(h) — provision of healthcare, by/under responsibility of a health professional bound by secrecy |
| Security, fraud prevention, audit logging | 6(1)(f) — legitimate interest in keeping the service secure | 9(2)(h) and 9(2)(i) (public health) |
| Legal and accounting retention | 6(1)(c) — legal obligation | 9(2)(h) |
| Marketing emails to practitioners | 6(1)(f) — legitimate interest (B2B) or 6(1)(a) — consent | not applicable |
| Analytics cookies (Matomo) | 6(1)(a) — consent via CookieFirst | not applicable |
| Improvement, anonymous research | 6(1)(f) — legitimate interest in continual improvement | Data anonymised before research; falls outside Article 9 |

How long we keep it

Doctena retains personal data only for as long as necessary to fulfil our contractual obligations, meet legal and regulatory requirements, support ongoing business operations (invoicing, compliance audits), and protect our rights and interests in case of disputes or litigation. Where laws differ between jurisdictions, we apply the strictest applicable retention duration. When data is no longer required, we delete it securely or anonymise it when retention is still needed for statistical purposes.

The values below are taken from the canonical Doctena Public Data Retention Policy maintained in our ISMS. Healthcare professionals — as controllers of the appointment record — may instruct us to apply a shorter retention period in writing, except where law mandates a longer one.

| Data category | Retention period | Legal basis / justification |
| --- | --- | --- |
| Practitioner & patient data | 10 years from last interaction, or 1 month after termination | Medical and fiscal law (e.g., BGB § 630f, AO § 147) |
| Doctena account data | 3 years from last login, or anonymised earlier | Business continuity and fraud prevention (GDPR Art. 6(1)(b)) |
| HR data (employees) | 3 months to 30 years depending on data type | Employment and tax law (e.g., AO § 147, HGB § 257, AGG § 15) |
| Contractual data | 10 years from end of contract | Fiscal and audit obligations (AO § 147, HGB § 257) |
| Financial data | 10 years from fiscal year end | Required by tax law |
| CRM data | 6 years from last interaction | Customer relationship management and legal traceability |
| Support ticket data | 6 years from ticket closure | Audit trail and regulatory compliance |
| System logs | 3 months unless required longer for investigations | GDPR Art. 6(1)(f) — legitimate interest in security |
| Backup data | 1 month | Operational need and disaster-recovery planning |

When the retention window closes we apply one of: automated deletion configured in the system, anonymisation where the data retains statistical value, manual deletion for systems that don't support automation, or secure deletion for sensitive records (irrecoverable destruction). Cookies are governed separately on the Cookies page.

Who we share it with

Personal data is shared only with sub-processors acting on Doctena's documented instructions, and with the healthcare professional that you booked. We do not sell personal data and do not use it to train third-party AI models.

The full register of sub-processors — including their role, residency, and what data each one sees — is published at trustcenter.doctena.com/sub-processors and updated within 14 days of any change. Healthcare professionals can subscribe to that page's changelog.

We may also disclose personal data when required by law (a court order, a regulatory request, a lawful interception order from an EU/EEA authority). Every such request is reviewed by the DPO before disclosure and aggregated annually in our Transparency Report.

International transfers

Patient and practitioner records are hosted in the European Union (AWS Frankfurt, eu-central-1). Where a sub-processor provides functionality that requires transfers to a third country — e.g., Postmark (US), Cloudinary (US), Mapbox (US), Webflow (US) — the transfer is covered by the European Commission's Standard Contractual Clauses (2021/914) and a documented Transfer Impact Assessment. See the sub-processors page for the per-supplier residency.

How we protect it

Personal data is protected by encryption at rest with AES-256, encryption in transit with TLS 1.3, an ISO 27001:2022 certified information security management system, annual third-party penetration tests, four isolated environments, the principle of least privilege on every access path, and mandatory MFA on every Doctena employee account.

The full set of technical and organisational measures is documented on the Security page.

Cookies and tracking

We use a small set of cookies — categorised as necessary, preferences and analytics — managed by the CookieFirst consent banner. The per-cookie register, the retention period of each cookie, and the instructions to change your preferences at any time are published at trustcenter.doctena.com/cookies.

Your rights

Under Articles 15 to 22 of the GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have your data deleted, subject to overriding legal obligations like the 10-year medical record retention (Art. 17).
  • Restrict the processing of your data while a dispute is resolved (Art. 18).
  • Receive a portable copy of your data in a structured machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw your consent to processing that was based on consent (Art. 7(3)).
  • Lodge a complaint with the competent supervisory authority (Art. 77) — see our Complaints page.

To exercise these rights, see /data-subject-rights. We answer within one month per Article 12(3) and at no cost, unless your request is manifestly unfounded or excessive (Art. 12(5)).

Minors and paediatric care

Paediatric appointments are part of the Doctena service. Where a booking is made for a minor:

  • The booking account belongs to the legal guardian, who is the controller of the data subject's record together with the practitioner.
  • The minor's data is treated with the same Article 9 protections as adult clinical data.
  • We do not target marketing communications to anyone under 18.
  • Practitioners are responsible for managing the transition to an independent account when a minor reaches the age of majority in their country.

Changes to this policy

We update this policy when a material change to our processing warrants it — for example, when we add a sub-processor, change a retention period, or modify the legal basis for a processing activity. The version, last-reviewed date and next-review date are always shown at the top of the page.

We notify practitioners by email when a material change affects them, and we summarise every change in the site changelog.

Contact and complaints

For any privacy question, contact us at privacy@doctena.com or write to the Data Protection Officer at dpo@doctena.com.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority — typically the authority of your country of residence or place of work. Doctena's lead supervisory authority is the Commission nationale pour la protection des données (CNPD) in Luxembourg. A full list of national supervisory authorities is available on the GDPR page.

Version 3.0.0 · Approved by the DPO on 2026-05-15 · Replaces the previous version published at doctena.com/<locale>/privacy-policy/