Legal

Privacy Notice

This notice explains how Sistemi Umani collects, uses and protects your personal and health information. We handle your data in line with the General Data Protection Regulation (GDPR) and the Maltese Data Protection Act (Cap. 586). Health information is the most strictly protected category of data, and we treat it accordingly.

Effective 30 June 2026 · Last updated 3 July 2026

1. Who we are

Sistemi Umani Ltd, trading as Sistemi Umani (“we”, “us”, “our”), is the data controller for the personal data described here. We are a company registered in Malta, [company number — to confirm], with registered address at 59, Ramiro Cali Street, Mġarr, Malta.

For any question about this notice or your data, contact us at privacy@sistemiumani.com.

2. The data we collect

We collect only what a service genuinely needs (data minimisation):

Identity & contact details

  • Name, date of birth, gender, phone number, and address.
  • Account credentials — your email and a securely hashed password, managed by our authentication provider. We never see your password in plain text.

Health data (special-category data)

  • Clinical records created during your care: appointment history, practitioner session notes, measurements and assessments, treatment goals, and any documents you or your practitioner upload (e.g. scans or referral letters).
  • In a later phase, and only with your separate explicit consent: biometric signals from connected wearable devices (e.g. heart-rate variability).

Booking & technical data

  • Your appointments and the practitioner involved in your care.
  • Standard information needed to operate and secure the service (e.g. a session cookie that keeps you logged in).

Health and biometric data are “special category” data under Article 9 GDPR, the most strictly protected category. We only process them on the lawful grounds set out in section 4 and under a duty of professional secrecy.

3. How we collect it

  • Directly from you — when you register, book, or provide information.
  • From your practitioner — clinical notes and assessments recorded during the care we provide to you.
  • From a device you choose to connect — biometric readings, in a later phase, under separate explicit consent.

4. Why we use it, and our legal basis

We rely on the following lawful bases. Because health data is special-category data, we identify both a general basis (Article 6) and an additional condition that permits special-category processing (Article 9):

Purpose | Article 6 basis | Article 9 condition
Providing your care and managing your clinical record | Contract — Art. 6(1)(b) | Provision of health care / treatment — Art. 9(2)(h)
Creating your account and booking appointments | Contract — Art. 6(1)(b) |
Optional wellness / marketing emails | Consent — Art. 6(1)(a) |
Connected wearable / biometric data (later phase) | Consent — Art. 6(1)(a) | Explicit consent — Art. 9(2)(a)
Keeping the platform secure and meeting legal obligations | Legitimate interests / legal obligation — Art. 6(1)(f) / (c) |

Your clinical record is processed for the provision of health care under Article 9(2)(h) GDPR, by or under the responsibility of a practitioner subject to an obligation of professional secrecy (Article 9(3)). This reflects Maltese law — the Health Act (Cap. 528), the Professional Secrecy Act (Cap. 377) and the Medical and Kindred Professions Act (Cap. 31). We do not rely on your consent to hold your clinical record, so that record is not lost if you later withdraw an optional consent.

Where we do rely on consent (optional emails, and future wearable data), it is explicit, unbundled and recorded, and you can withdraw it at any time (see section 9). Withdrawal does not affect processing already carried out.

5. Who can see your data

  • Your care team — our practitioners and authorised clinical staff, who work as one team. Access is technically enforced (role-based access control and row-level security), and every access to and change of a clinical record is recorded in an audit log.
  • We do not sell your data and do not share it for third-party marketing.
  • We share data with the service providers that operate the platform on our behalf (section 7), only as needed to run the service and under a written data-processing agreement.
  • We may disclose data where the law requires it (e.g. a valid legal request).

6. Where your data is stored

Your data is hosted within the European Union (our database and file storage are EU-region hosted). It is encrypted in transit (HTTPS) and at rest. Where a provider processes data outside the EEA, that transfer is covered by appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

7. Service providers (processors)

We use a small number of carefully selected providers to deliver the platform, each under a data-processing agreement. We will update this list before introducing a new provider (for example, a payment processor):

Provider | Purpose | Where
Supabase | Database, authentication and file storage | European Union
Vercel | Application hosting and delivery | EU / global edge
Google Workspace | Transactional email (account and service messages) | EU / international (SCCs)

8. How long we keep it

We keep personal data only as long as necessary for the purposes above and to meet our legal and professional obligations.

  • Clinical records are kept for 10 years from your last clinical encounter (or 10 years after death, where known). This mirrors the standard applied across the Maltese public health service and the GDPR storage-limitation principle (Art. 5(1)(e)).
  • For minors, the retention period runs from the date the patient reaches the age of majority.
  • Account and booking data not forming part of the clinical record is kept for the life of your account and a reasonable period afterwards.

Because we are legally required to retain medical records, they cannot simply be deleted on request — but they can be closed and hidden from active use. After the retention period, data is securely deleted or anonymised.

9. Your rights

Under the GDPR you have the right to:

  • Access a copy of your data;
  • Rectify inaccurate data;
  • Erase your data (“right to be forgotten”), subject to the medical-record retention obligations above;
  • Restrict or object to certain processing;
  • Data portability — receive your data in a portable format;
  • Withdraw consent at any time, where processing is based on consent;
  • Complain to the supervisory authority.

To exercise any of these, contact us at privacy@sistemiumani.com. We will respond within the time required by law (generally one month).

You also have the right to lodge a complaint with Malta’s supervisory authority, the Information and Data Protection Commissioner (IDPC):

Level 2, Airways House, High Street, Sliema SLM 1549, Malta
idpc.info@gov.mt · +356 2328 7100 · idpc.org.mt

10. Cookies & similar technologies

We use a single strictly-necessary session cookie to keep you logged in. We do not use analytics, advertising or tracking cookies, so no cookie-consent banner is required. If we ever introduce non-essential cookies, we will add a consent banner and a cookie section first.

11. Children’s data

In Malta, the age of digital consent is 16. Where we provide care to someone under 16, a parent or guardian gives and manages consent on their behalf, and we use age-appropriate safeguards.

12. Changes to this notice

We may update this notice as the platform evolves. We will post the updated version here and update the effective date. Where a change materially affects how we use your data, we will tell you and, where required, ask for your consent again.

13. Contact

Sistemi Umani Ltd
59, Ramiro Cali Street, Mġarr, Malta
privacy@sistemiumani.com

See also our Terms of Service.