Skip to content
DHEP

Privacy Policy

Last updated: January 1, 2026 | Effective: January 1, 2026

1. Who we are

DHEP SA (hereafter "DHEP", "we", "us") is a company incorporated under Swiss law (CHE-XXX.XXX.XXX), headquartered in Geneva, Switzerland. We operate the digital healthcare platform accessible at dhep.care and its subdomains. DHEP is the data controller for data processed in connection with the platform.

Data Protection Officer contact: dpo@dhep.care

2. Data we collect

We collect only the data necessary to provide our services (principle of data minimization):

  • Identity data: Name, date of birth, nationality, government ID (where required by law for medical services)
  • Contact data: Email address, phone number, postal address
  • Health data (Special Category): Medical history, diagnoses, prescriptions, lab results, blood type — only as necessary for clinical services you have requested
  • Usage data: Log data, device information, IP address, session data
  • Payment data: Billing information processed via PCI-DSS certified payment processors; we do not store card numbers

3. Legal basis for processing

  • Contract performance: Processing necessary to provide the services you have requested (Art. 6(1)(b) GDPR)
  • Consent: For optional features (donor alerts, marketing communications) — Art. 6(1)(a) GDPR. You may withdraw consent at any time.
  • Vital interests: In genuine medical emergencies where processing is necessary to protect the vital interests of a patient (Art. 6(1)(d) GDPR)
  • Legal obligation: Where we are required to process data under applicable law

For health data (Special Category under GDPR Art. 9), we rely on Art. 9(2)(h) (medical purpose with professional secrecy obligation) or explicit consent under Art. 9(2)(a).

4. Your rights

Under GDPR, you have the right to: access your data, correct inaccurate data, delete your data (where applicable), restrict processing, data portability, and to object to processing. Exercise your rights through the DHEP patient app or by contacting dpo@dhep.care. We respond within 30 days.

5. Data retention

Medical records are retained for the duration required by applicable law (minimum 10 years in most jurisdictions). You may request deletion of non-clinical data at any time. Clinical data deletion is subject to legal retention requirements.

6. Data transfers

DHEP may transfer your data to countries outside the EU/EEA where necessary to provide services. All transfers are covered by adequate safeguards (Standard Contractual Clauses or adequacy decisions). On-premise clients retain full data sovereignty with no cross-border transfer.

7. Contact and complaints

For privacy questions: dpo@dhep.care. You also have the right to lodge a complaint with your national supervisory authority (in Switzerland: FDPIC; in the EU: your local DPA).