Privacy policy

Introduction

SAT Health is a joint-stock company, established on 30 August 2017 in Sofia with registration number UIC 204705650. The company is specialized in gathering, processing, and analyzing data, delivering Patient Support Programs, delivering in-home medico-social services (Home Care), consulting services, and solutions for the healthcare sector. Our registered office address is: 251Е Okolovrasten put Str., Business Center Ring Tower, Floor 12, Sofia 1766, Bulgaria, and e-mail: office@sathealth.com and office@sathealth.care. 

As a controller of personal data, we at SAT Health take due care to protect the confidentiality of all categories of personal data that we receive, collect, process and store. We do it in accordance with the applicable legal requirements. 

With this privacy policy (the Policy) we inform you about the internal rules established in SAT Health for processing the personal information we receive or collect, and about your rights regarding the protection of your personal data.

We urge you to carefully read this document. When you provide us with your personal data by logging onto our website or through other channels, you agree to and accept the here defined internal rules for processing and protecting your personal information.

Personal Data Processing

Personal data covers any information relating to an identified or identifiable individual, such as (but not limited to) a name, address, e-mail, or phone number. Information that is not directly related to your identity is outside the scope of this Policy.

At SAT Health we process personal data in compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), referred to below as “Regulation (EU) 2016/679”.

We strictly follow Article 5 principles relating to processing of personal data for lawfulness, fairness, transparency, protection of integrity and confidentiality, accuracy, and data minimization. The personal data is collected by us for legitimate purposes only. Data will be processed and used solely for the purposes initially declared and/or as required by the applicable law. 

SAT Health has implemented a Privacy and Information Security Management System (IMS), certified to ISO/IEC 27001 and in the process of ISO/IEC 27701 certification. We strive to ensure that all personal data is processed in a manner that provides appropriate security against unauthorized or unlawful processing. Appropriate organizational and technical security measures, selected on the basis of risk assessment, are implemented and maintained to safeguard against unauthorized or unlawful processing and against accidental loss, destruction, or damage of data. We have processes in place to make sure that only those people in our organization who need to access your data can do so. 

Our IMS is subject to regular information security audits by an internationally recognized certification body and is maintained in compliance. You can see our certificates on our website.

In-home medico-social services (Home Care) are provided through an online application, "Home Care", accessible through our website. It allows you to request a medical service/manipulation/procedure, to track the history of the activities performed for you and your patient dossier, and to communicate with our medical and non-medical professionals, who provide you with services and consultations, including remotely. For this purpose, the "Home Care" platform processes your data.

SAT Health group companies are controllers of the data they process in connection with the “Home Care” platform, the data of registered patients, medical and non-medical persons and all other third parties who do not fall into the above two categories, but whose data is processed in The Application.

In some cases, we act as a personal data processor when we provide Home Care medico-social care to patients on behalf of medical institutions. In these cases, we are fully guided by the requirements and guidelines of the medical institutions - administrators of personal data. 

The medical and non-medical persons working for us process your data in the Application in accordance with their knowledge and professional qualification. They are data processors on behalf of SAT Health on the basis of a contract concluded with them.

We process the following personal data received from you through our website, the "Home Care" platform, when filling out documents together with our representatives, through other channels of your choice, or from third parties, depending on the services you use and your relationship with SAT Health group companies:

• Names,

• Personal ID and ID card number,

• Address,

• E-mail,

• Phone number and other contact information,

• Health status data (disease, diagnosis, data from medical documentation, prescribed treatment, and others),

• Data for children – patients who are part of patient programs and Home Care services, including information on health status provided by a parent/guardian,

• Qualification and education data of medical and non-medical persons working under contract with the companies of the SAT Health group.

This personal data is needed to provide you with the desired services and products. 

The volume and reliability of the data you provide determine our ability to provide you with the information you need to access all the products and services offered by SAT Health.

Use of Cookies

Our website uses so-called Cookies - small text files which are stored on your device’s hard drive when you use a browser. We use these Cookies to analyze traffic, to personalize the services and products we offer, and to optimize the functions of our website. Cookies do not collect personal data that can identify the user; additional personal information is required for identification. Users can refuse the use of cookies, which may affect the quality of use of the website but will not stop it from working.

As with most other commercial websites, we also automatically collect certain information, which is stored in log files. This information includes internet protocol addresses (IP addresses), type of browser used, internet service provider (ISP), referring and exit pages, operating system, date and time, data volume transferred, and click-stream data. Additionally, we use pixel tags (small picture files) that provide information about which areas of the website customers have visited and/or measure the effectiveness of customer search requests on our website.

The use of cookies makes the use of our website more pleasant for you. For example, we use temporary cookies to optimize usability, which are stored on your device for a specific period. If you visit our site again to use our services, it will automatically recognize that you have already visited us and the data you have entered, as well as the settings you have set, will be automatically recognized so that you do not have to repeat them.

The cookies used by our site are category "Necessary". "Necessary" cookies are required for the operation and basic functions of our website. They guarantee the security features of the website.

The data processed by the necessary cookies are used for the stated purposes of guaranteeing our legitimate interests according to Art. 6, para. 1, ex. 1, letter "e" of the GDPR, such as the correct functioning of the site. 

Some cookies are stored on your device until you delete them. They enable us to automatically recognize your browser the next time you visit our website.

Most browsers automatically accept cookies. However, you can configure your browser not to save any cookies on your computer or to always show you a notification before placing a new cookie. The management of cookie settings is different for different browsers. It is described in the "Help" menu of each browser, where the way to change cookie settings is explained. 

Disabling or rejecting cookies may limit the quality of use of our website, but this will not stop it from functioning. 

We use the following types of cookies on our website:

Cookie           Category    Provider        Retention period
laravel_session  Necessary   sathealth.com   day
XSRF-TOKEN       Necessary   sathealth.com   1 day
CONSENT          Necessary   google.com      30 days


Data Processing

We collect personal data from you for the following purposes:

• to fulfill our contractual obligations to you or to organizations,

• to identify you as a user and to provide you with information that you have requested,

• to provide you with information that we believe may be relevant to a subject in which you have demonstrated an interest,

• to identify new products and services, like those you have used or shown interest in,

• to meet the applicable legal and fiscal compliance requirements related to the services we provide for you (e.g., statistics, taxation, insurance, income management, etc.),

• to organize and manage commercial and scientific activities conducted by us, such as participation in marketing research, in clinical trials or other information programs, projects and/or events,

• to maintain the quality of services and to protect our legitimate interests, property, and the security of those working at SAT Health group,

• to ensure the protection and safe operation of our website.

In case we collect personal data from you on the basis of our legitimate interest, we follow a process of preliminary assessment of whether the processing of that data is appropriate. The process has three steps: a) a purpose test, to verify whether there is a solid legitimate interest behind the planned processing; b) a necessity test, to see whether the processing is necessary for that purpose; c) a balancing test, to assess whether the legitimate interest is overridden, or not, by the individual’s interests, rights, or freedoms.

Legality of data processing

We process your personal data for the above purposes on the following grounds: 

• a contract concluded with you,

• your express consent to the processing of your data for the purposes of providing patient programs and/or medico-social services (Home Care),

• a contract with our partners for assistance on patient programs and/or provision of Home Care medical and social services,

• compliance with our legal obligations,

• the performance of a contract to which a data subject is a party, or taking steps, at the request of a data subject, before the conclusion of a contract (contracts with employees and counterparties, customers, suppliers, and others),

• protection of the vital interests of a data subject,

• legitimate purposes such as analysis, development of new services, improvement of systems, ensuring the quality of services, protection of property and the security of employees in the group, and others.

Communication

We may communicate with you via electronic means (SMS or e-mail) to provide you with relevant information about products and services in which you have expressed interest or which are like the ones we have provided to you in the past. This will only be done if we have your consent.

If you wish us to discontinue the use of your personal data, please send an e-mail to dpo@sathealth.com.

Information Disclosure

We undertake not to sell, exchange, or rent out your personal data for use by third parties in any form. The personal data collected is used only for the purposes stated above. We may provide access to your personal information, and allow its processing for strictly defined purposes, to strictly defined third parties, which in these cases are Processors of personal data on behalf of the Administrator (controller) of your personal data - SAT Health group.

These third parties may be:

• providers and subcontractors for the performance of a contract concluded with you or for the provision of services requested by you, such as providers of IT, communication, or logistics services, including providing assistance to patients before competent government organizations, 

• medical or non-medical persons, providing medico-social services (Home Care),

• providers of logistics in connection with specialized trainings offered by SAT Health, including transport, accommodation, and similar,

• providers of technical solutions, such as collective e-mail or text messages, that allow us to send you information, including product information, or about the level of customer satisfaction, if you have consented to receive such information.

Following the principles of legality, transparency, and security, SAT Health signs the relevant contracts, or annexes to existing contracts, with the Processors of personal data. We reserve the right to conduct on-site audits of the methods used by the Personal Data Processors to protect the personal data we provide to them for processing. The processors of personal data are obliged not to obstruct the performance of such audits and to assist in their conduct without undue delay.

To perform our duties efficiently, we sometimes have to use the services of third parties that are beyond our control. Such are, for example:

• Microsoft

• Google

• LinkedIn

• SoundCloud

• WhatsApp

• Viber

• Facebook

These providers may change their terms of service at any time, and we cannot be held responsible for this. 

Your personal information may be shared with competent legal authorities if we are required to comply with a legal obligation, protect our rights or property, or ensure the safety of our users or others.

Data storage and retention period

All personal information that you provide to us and that we collect is stored on servers protected by appropriate technical means in a specialized cloud-based "data center" of an internationally established provider. Your personal data will be accessed and processed only by our trained employees and representatives, who work under the conditions of the Privacy and Information Security Management System (IMS) implemented in SAT Health and certified by an independent body as meeting the requirements of the international standards ISO 27001 and ISO/IEC 27701. The organization managing the specialized "data center" holds security certificates. 

We do not store any credit or debit card information. This information is maintained, and payments are processed by a third-party payment service provider in accordance with payment card and payment industry security standards. 

Your data is stored for the statutory period, or for a period of 5 years after the termination of the contractual relationship, or until withdrawal of your consent when the processing is based on your previously expressed consent.

Records of your telephone calls are kept for a period of 5 years, after which they are automatically deleted, unless we are required to keep them for a longer period to comply with a legal requirement or our legitimate interest.

We will take all steps that are reasonably necessary to ensure that the personal data provided by you is stored and processed safely, in accordance with the conditions set out in this Privacy Policy and in accordance with the applicable regulations.

By providing your personal data, you agree to the conditions described in this Policy for its storage, processing, or transfer to third parties.

Due Care

You need a password to access the user account created to use the services and products provided through our site. It is your responsibility to keep this password confidential, and you agree not to share it with others. If your password is used by others, you are responsible for any action taken through your account. If your password is compromised for any reason, we urge you to inform us immediately and change it.

Unfortunately, as we all know, the transmission of information over the Internet is not completely secure. While we do our best to protect your personal information, we cannot guarantee its security while it is being transferred over the Internet to our site. Once received on our site, your personal information will be protected through strict policies, procedures, and security features intended to prevent unauthorized access, modification, or deletion.

In case you are part of a patient program and wish to use our services, we undertake to store in a secure environment your personal data (names, contact details, health information and other personal information provided by you) for a period of 36 months after we terminate services to you under the Patient Program. However, if you stop using our products and services for more than 48 months, we will permanently delete your personal data. In the event that after this period you decide to use our products and services again, you will need to make a new registration with your current personal data.

Protection of your rights

You have the right to access the information that applies to you. You may request to be informed if and how your personal data is being processed. We will perform an in-depth inspection and will inform you in writing on your preferred contact channel.

You may also request that your processed personal data be corrected to keep it up to date. When updating your personal data, you should send us verified information. We undertake to enter it in the relevant registers without changes. It will be your responsibility if the data processed after the change turns out to be inaccurate.

You have the right at any time to ask us to suspend, for a period of time or permanently, the processing of your personal data for one or more of the purposes stated in this Policy. You also have the right to request that your personal data processed in SAT Health be deleted.

Your requests to exercise your rights listed above should be communicated to us by e-mail at dpo@sathealth.com. 

Upon receipt of a request for deletion of your processed personal data, we undertake, within the statutory deadlines, to make a thorough inspection and delete all available personal data, except those - if any - which we are obliged to keep by virtue of a regulatory requirement. In some cases, we may need to temporarily retain as much of your personal information as is necessary to protect our interest in resolving disputes and issues, as well as to take other actions permitted by law. Should such a situation arise, as in all other cases related to the management of your personal data processed by us, you will be promptly notified in writing via your preferred contact channel.

In case you are a patient to whom we provide Home Care medico-social services on assignment from a medical facility, please contact the medical facility - the administrator (controller) of your data - directly to exercise your rights as a data subject. 

Objections and complaints

We readily accept any questions, comments, objections, complaints, and requests for clarification on the management of personal data of data subjects in SAT Health group. The same applies to this Privacy Policy. You may contact us on these issues by e-mail at office@sathealth.com or dpo@sathealth.com.

The Commission for Personal Data Protection (CPDP) is the authorized body for monitoring the application of the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council (of Europe) of 27 April 2016. Contact with it can be established at: Blvd. "Prof. Tsvetan Lazarov” 2, 1592 Sofia, by fax on 029153525 and electronically at the e-mail of the CPDP (kzld@cpdp.bg) with an electronic document signed with a qualified electronic signature.

This Policy is subject to update in the event of changes in the applicable legislation or changes in the processes managed in SAT Health. Updated versions of the Policy will be made available on the Company's website.

Note:

For the purposes of this Policy, the terms "personal data" and "personal information" are used interchangeably to avoid the tautology that would otherwise arise in several passages.

Definitions

The terms "personal data" and "processing" should be understood as those specified in Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council (of Europe) of April 27, 2016, namely:

(1) “Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

(2) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Additional Definitions:

(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

(5) ‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

(7) ‘controller’ means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

(8) ‘processor’ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

(9) ‘recipient’ means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

(10) ‘third party’ means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

(11) ‘consent’ of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. 

Date of last update: 06/2023