Privacy Policy
Last updated: April 2026
This policy is provided as a starting point. The final published version must be reviewed by qualified legal counsel familiar with GDPR, BiH/HR/SR/ME data-protection law, and applicable healthcare regulations.
1. Controller & contact
Ema Health is operated by Emaq d.o.o. Sarajevo (the "Controller"), registered at Dr. Fetaha Bećirbegovića 8E, 71000 Sarajevo, Bosnia & Herzegovina. For privacy enquiries, including subject access requests, contact our Data Protection Officer at dpo@emaq.ba or info@emaq.ba.
2. Roles — controller vs processor
For data about clinics and clinic users (account credentials, billing, support correspondence) Emaq d.o.o. is the controller. For patient data entered into Ema Health by a clinic, Emaq acts as the processor on behalf of the clinic, which is the controller. A Data Processing Agreement (DPA) under Article 28 GDPR is signed at onboarding.
3. Categories of data we process
- Account & identity: name, work email, phone, role, language preference.
- Clinic data: practice name, address, tax IDs, banking details for invoicing. A subset (billing contact, address, country, VAT ID) is shared with Paddle as the Merchant of Record — see section 12.
- Patient data (special-category, GDPR Art. 9): identifiers, demographic data, treatment plans, clinical notes, appointments, billing — entered by clinic staff. Processed on the lawful basis of Art. 9(2)(h).
- Service-operational data: audit logs, IP addresses, device/browser metadata, error reports.
- Marketing-site analytics: page views, referrers, country (IP-derived). Cookieless and aggregated.
4. Lawful basis & purposes
We process personal data to (a) deliver the contracted service, (b) meet legal and tax obligations, (c) ensure security and prevent abuse, and (d) — only with consent — improve the product through analytics. Patient data is processed solely on instructions from the clinic.
5. Sub-processors
We use a small set of vetted sub-processors. The current list, with location and purpose, is published at /sub-processors.html and updated 30 days before any change. Customers may object to new sub-processors per the DPA. Our Merchant of Record (Paddle) is a separate third-party controller for the payment transaction, not a sub-processor — see section 12.
6. Where data is stored
Production data is hosted in EU data centres [TODO: name region — e.g., Microsoft Azure West Europe / AWS Frankfurt]. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). No data is transferred outside the EU/EEA without standard contractual clauses (SCCs) and a transfer impact assessment.
7. Retention
- Active patient records: for the duration of the clinic's subscription; deleted within 90 days of contract termination unless the clinic exports them first.
- Audit logs: 24 months.
- Marketing leads: 24 months from last interaction, then deleted.
- Backups: rolling 30-day window.
- Billing & tax records held by Paddle: retained for the statutory period required by EU and Irish tax law (typically 7–10 years), independent of your subscription status.
8. Your rights
Under GDPR and applicable BiH/HR/SR/ME law, you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your supervisory authority. Patient data requests are routed via the clinic that operates as controller. Email dpo@emaq.ba — we respond within 30 days.
9. Security & breach notification
We maintain technical and organisational measures appropriate to the risk: role-based access, audit logging, encryption, periodic vulnerability scans, employee training, and incident response procedures. In the event of a personal-data breach we notify the affected clinic without undue delay and within 72 hours where required (GDPR Art. 33–34).
10. Cookies & marketing analytics
Our marketing site uses essential cookies for theme and language preferences. We also load Cloudflare Web Analytics for cookieless aggregate page-view statistics — this runs without consent under the legitimate-interest lawful basis (no personal data is stored, IP is not retained). With your explicit consent we additionally load Contentsquare — session replay and heatmaps on the marketing site (no patient data is processed). You can decline Contentsquare at any time via the cookie banner.
11. Children
Patient data may include minors when the patient–clinic relationship requires it. Such processing follows the clinic's instructions and applicable national law on consent and parental authority.
12. Payment processing (Paddle)
Online subscription purchases are processed by Paddle.com Market Limited, an Irish company that acts as our Merchant of Record (MoR). Paddle is a separate third-party data controller for the payment transaction itself — not a sub-processor under our control — and has its own legal bases (contract performance, legal obligation under tax and AML law, fraud prevention) for processing your data.
Data shared with Paddle includes: name, email address, billing address, country, IP address at checkout, partial card data (Paddle does not pass full card data back to us), VAT/Tax ID, transaction history. Paddle may engage its own sub-processors globally (payment networks, fraud-prevention services, tax-calculation services); cross-border transfers are governed by Paddle's standard contractual clauses (SCCs).
Patient data never reaches Paddle. The Paddle checkout sets its own cookies during the purchase flow — see Paddle's privacy notice and cookie notice for details. To exercise data-protection rights against Paddle directly, contact privacy@paddle.com; for rights against Emaq, contact dpo@emaq.ba.
13. Changes to this policy
If we update this policy materially, we publish the new version here and notify customers in-app or by email. The "Last updated" date above always reflects the most recent revision.