Privacy
HealthTalk's Commitment to Privacy
At HealthTalk, we prioritize the protection of personal data for our users and patients. We handle personal data with the utmost care, ensuring it is secured and processed in accordance with this Privacy Statement and all applicable laws and regulations.
Processor
HealthTalk BV, located at Bargelaan 200 in Leiden and registered with the Chamber of Commerce under number 92905501, is responsible for the HealthTalk platform and for the processing activities for which HealthTalk determines the purposes and means, including platform operation, security, account administration, and AI-enabled drafting functionality. For clinical processing carried out in the treating relationship, HealthTalk and the treating physician or healthcare organisation may act as joint controllers where they jointly determine the purposes and essential means of processing. Our goal is to provide innovative medical care through the HealthTalk platform, using AI to enable patients, caregivers, and other stakeholders to deliver individually tailored care.
Controller
Your doctor will usually determine the clinical purposes of the processing and will remain responsible for clinical decisions and the content of the medical record within the meaning of the law, which means that your doctor decides why and how your personal data is processed. Where HealthTalk acts only on documented instructions, HealthTalk acts as processor. Where HealthTalk materially determines platform or AI processing together with the healthcare provider, the parties should document the arrangement as joint controllers and make the essence of that arrangement available to patients.
Data Collection
We require certain personal data to provide you access to HealthTalk, create your personal environment, and deliver the requested products and services. This data is collected where there is a valid legal basis for the relevant processing activity. In a healthcare context, this may include provision of healthcare or treatment, performance of a contract, compliance with legal obligations, legitimate security interests (such as protecting the platform and its users from fraud, misuse, and unauthorised access), or explicit consent where consent is specifically appropriate, such as optional research participation.
Types of Data Collected:
- Contact Information: Name, email, address, phone number, billing, and delivery addresses.
- Account Details: Screen name, password.
- Personal Information: Gender, place of residence, date of birth, purchase history.
- Payment Information: Payment or credit card details.
- Health Data: Images, photos, videos, physical characteristics, health data (weight, heart rate, blood pressure, cholesterol), medical history, medication information, family illness history, fitness activities; these are special category data under GDPR and receive enhanced protection.
Purpose and Use of Data
HealthTalk uses your personal data for the following purposes:
- Platform Functions: To enable the features of the HealthTalk platform and your Personal HealthTalk Health Environment, including account creation and login.
- Support Services: To provide support via email, such as password resets.
- Transaction Processing: To handle purchases and services, requiring your name and address.
- Health Monitoring: To track fitness activities, health data, and progress, displaying results in your Health Environment.
- Health Reports: To generate basic health reports using your email, date of birth, zip code, house number, and gender.
- Research: To use data for scientific research and product improvement. Your consent is required for participation in active research, unless another research basis and appropriate safeguards are clearly documented and communicated before the research processing starts.
- AI-Generated Reports: HealthTalk uses a Large Language Model (LLM) to generate summaries or reports of conversations between doctors and patients. Under applicable AI regulation, this application may be classified as high risk, depending on the regulatory analysis that applies, and is then subject to strict requirements to ensure safety and compliance. The doctor always remains the party ultimately responsible for these reports and must review the AI-generated draft before relying on it clinically. The clinician may accept, modify, reject, or replace the draft. No clinical decision should be based solely on automated processing without meaningful human oversight.
Patients may request meaningful information about the use of AI in generating drafts, including the significance of the processing, the envisaged consequences, and how to request human review or correction of the resulting record.
Information Security
HealthTalk ensures the security of your personal data through appropriate technical and organisational measures, supported by the NEN 7510 and ISO/IEC 27001 certified infrastructure and services of MEDrecord BV, which acts as a service provider or sub-processor under written contractual arrangements. These certifications cover information security in healthcare and ensure:
- Availability: Information and services are accessible when needed.
- Confidentiality: Only authorized persons have access to information.
- Integrity: Information is accurate and complete.
We protect data exchange with secure SSL/TLS connections using SHA-256, and we store personal data on physically separate, secure servers within the European Economic Area. HealthTalk remains responsible for maintaining security measures appropriate to the sensitivity of the personal data and the healthcare context.
Data Retention and Transfer
Personal data is retained as long as necessary for the purposes for which it was collected, unless legally required otherwise, including any applicable statutory medical-record retention period. Clinical records may need to be retained for the legally required healthcare retention period, while account, billing, security log, and research data should be retained according to separate documented retention periods. Data is stored on secure servers within the European Economic Area, unless a specific provider or support arrangement involves an international transfer supported by an appropriate GDPR transfer mechanism.
Your Rights
You have the right to request access to, correction, or deletion of your personal data. You may also object to data processing on legitimate grounds and withdraw consent at any time. Where deletion is requested, HealthTalk will assess the request against applicable legal retention duties, healthcare obligations, and any research safeguards. Where data cannot be deleted immediately, HealthTalk will explain the reason and, where appropriate, restrict, pseudonymise, or otherwise protect the data. Where your data is processed on the basis of consent or a contract, you may also request data portability under Article 20 GDPR.
Cookies
We use cookies to enhance your experience on the HealthTalk website. Cookies help us recognize you, save preferences, and improve website functionality. Where cookies are not strictly necessary, we will request your prior consent through a cookie banner or preference tool, and you may withdraw or adjust that consent as easily as you gave it.
Updates to the Privacy Statement
We may update this Privacy Statement to reflect changes in our practices or applicable laws. Where a material change affects how we use your personal data, we will provide an appropriate notice through the platform, by email, or by another suitable communication channel before the change takes effect, where required.
Contact Information
For questions or requests regarding your personal data, please contact us at [email protected]. If you request data deletion, your anonymised or pseudonymised, as applicable, health data may remain available for scientific research only where a valid legal basis and appropriate safeguards apply.
You also have the right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl), if you believe your personal data has not been handled appropriately.
Children and Minors
HealthTalk may process health data relating to minors where this is necessary for the provision of healthcare. In the Netherlands, the digital consent age is sixteen years. For patients under sixteen, the consent of a parent or legal guardian is required before their personal data is processed through the platform. HealthTalk will take reasonable steps to verify parental authority where required.
Thank you for trusting HealthTalk with your personal data.