GDPR information
Last updated: 2026-04-12
AltheraCare is built from the ground up to meet the EU GDPR as well as national frameworks (LOPD in Spain, Patientdatalagen in Sweden, equivalent laws in DE/NO/DK/FI). This page summarises our GDPR position.
1. Roles
- The clinic is the controller for all patient data in the system.
- AltheraCare is the processor, handling patient data on the clinic's instructions under Art. 28 GDPR.
- For AltheraCare's own account data (users, invoices), AltheraCare is controller.
2. Data Processing Agreement (DPA)
All clinics signing up to AltheraCare are automatically covered by a DPA included in the Terms of Use. The DPA covers:
- Purpose, duration and scope of processing
- Categories of data subjects (patients, therapists)
- Technical and organisational measures
- Sub-processor management
- Duty to assist with data subject requests
- Deletion and return of data at end of contract
A fully signed DPA can be requested from dpo@altheracare.com.
3. Sub-processors
AltheraCare uses the following sub-processors — all under DPA:
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, file storage, realtime | EU (Frankfurt) |
| Vercel | Hosting, CDN, serverless functions | EU edge |
| Resend | Transactional email | EU |
| Stripe | Payment processing | EU / US (SCCs) |
| Anthropic | AI note generation (Claude) | US (SCCs + Zero Data Retention) |
| Sentry | Error reporting (PII-filtered) | EU (Frankfurt) |
| Twilio | SMS notifications | EU / US (SCCs) |
4. Data transfers outside the EU
Most patient data is stored inside the EU (Supabase Frankfurt, Vercel EU edge). For the few sub-processors handling data in the US (Stripe, Anthropic, Twilio) we use the EU Commission's Standard Contractual Clauses (SCCs) under Art. 46 GDPR. Anthropic has also enabled "Zero Data Retention" — no patient data is stored after the AI call.
5. Security measures (Art. 32 GDPR)
- TLS 1.3 for all traffic
- AES-256 encryption at rest
- Field encryption of sensitive identifiers (personal ID, NIF/NIE)
- Row Level Security (RLS) in the database — each clinic is isolated from all others
- Multi-factor authentication (MFA) available for all accounts
- Immutable audit log for all read/write access to patient data
- Regular backups (7-day point-in-time recovery)
- Penetration tests and code reviews
6. Incident handling
In case of a personal data breach:
- AltheraCare notifies the affected clinic within 24 hours
- The clinic must then inform the supervisory authority within 72 hours under Art. 33 GDPR
- Data subjects are notified if the incident involves high risk (Art. 34 GDPR)
7. Data subject rights
Patients wishing to exercise their rights (access, rectification, erasure, portability) should first contact their clinic — the clinic is the controller. AltheraCare's tools for data export and deletion are under Settings → GDPR.
8. Data Protection Officer
AltheraCare has appointed a Data Protection Officer (DPO). Contact: dpo@altheracare.com.