Privacy Policy
Last updated: April 2026
This policy is provided as a starting point. The final published version must be reviewed by qualified legal counsel familiar with GDPR, BiH/HR/SR/ME data-protection law, and applicable healthcare regulations.
1. Controller & contact
Ema Health is operated by Emaq d.o.o. Sarajevo (the "Controller"), registered at Dr. Fetaha Bećirbegovića 8E, 71000 Sarajevo, Bosnia & Herzegovina. For privacy enquiries, including subject access requests, contact our Data Protection Officer at dpo@emaq.ba or info@emaq.ba.
2. Roles — controller vs processor
For data about clinics and clinic users (account credentials, billing, support correspondence), Emaq d.o.o. is the controller. For patient data entered into Ema Health by a clinic, Emaq acts as the processor on behalf of the clinic, which is the controller. A Data Processing Agreement (DPA) under Article 28 GDPR is signed at onboarding.
3. Categories of data we process
- Account & identity: name, work email, phone, role, language preference.
- Clinic data: practice name, address, tax IDs, banking details for invoicing.
- Patient data (special-category, GDPR Art. 9): identifiers, demographic data, treatment plans, clinical notes, appointments, billing — entered by clinic staff. Processed on the lawful basis of Art. 9(2)(h).
- Service-operational data: audit logs, IP addresses, device/browser metadata, error reports.
- Marketing-site analytics: page views, referrers, country (IP-derived). Cookieless and aggregated.
4. Lawful basis & purposes
We process personal data to (a) deliver the contracted service, (b) meet legal and tax obligations, (c) ensure security and prevent abuse, and (d) — only with consent — improve the product through analytics. Patient data is processed solely on instructions from the clinic.
5. Sub-processors
We use a small set of vetted sub-processors. The current list, with location and purpose, is published at /sub-processors.html [TODO: publish] and updated 30 days before any change. Customers may object to new sub-processors per the DPA.
6. Where data is stored
Production data is hosted in EU data centres [TODO: name region — e.g., Microsoft Azure West Europe / AWS Frankfurt]. Encrypted in transit (TLS 1.2+) and at rest (AES-256). No transfers outside the EU/EEA without standard contractual clauses (SCCs) and a transfer impact assessment.
7. Retention
- Active patient records: for the duration of the clinic's subscription; deleted within 90 days of contract termination unless the clinic exports them first.
- Audit logs: 24 months.
- Marketing leads: 24 months from last interaction, then deleted.
- Backups: rolling 30-day window.
8. Your rights
Under GDPR and applicable BiH/HR/SR/ME law, you have the right to access, rectify, erase, and port your personal data, to restrict or object to its processing, and to lodge a complaint with your supervisory authority. Patient data requests are routed via the clinic that operates as controller. Email dpo@emaq.ba — we respond within 30 days.
9. Security & breach notification
We maintain technical and organisational measures appropriate to the risk: role-based access, audit logging, encryption, periodic vulnerability scans, employee training, and incident response procedures. In the event of a personal-data breach we notify the affected clinic without undue delay and within 72 hours where required (GDPR Art. 33–34).
10. Cookies & marketing analytics
Our marketing site uses essential cookies for theme and language preferences. We also load Cloudflare Web Analytics for cookieless aggregate page-view statistics — this runs without consent under the legitimate-interest lawful basis (no personal data is stored, IP is not retained). With your explicit consent we additionally load Contentsquare — session replay and heatmaps on the marketing site (no patient data is processed). You can decline Contentsquare at any time via the cookie banner.
11. Children
Patient data may include minors when the patient–clinic relationship requires it. Such processing follows the clinic's instructions and applicable national law on consent and parental authority.
12. Changes to this policy
If we update this policy materially, we publish the new version here and notify customers in-app or by email. The "Last updated" date above always reflects the most recent revision.