General information on the processing of personal data
Contents
1. Data controller
Med Connect Systems S.R.L. is the data controller for personal information collected through the website med-connect.ro and the MedConnect platform. Contact details for any data-related request are listed at the end of this document.
2. Purpose of processing and data categories
We process personal data for the following purposes:
- Providing MedConnect services — account management, authentication, technical support.
- Commercial and operational communication — replying to contact-form requests, scheduling demos.
- Service improvement — usage analysis, technical issue detection, new feature development.
- Legal compliance — fiscal, accounting and authority-reporting obligations.
Data categories processed include: first and last name, email address, phone number, name of the medical institution, contact-form message content, technical data (IP address, browser type, operating system).
3. Legal basis for processing
We process your data based on:
- Your consent — for optional commercial and analytical communications (art. 6 (1) (a) GDPR).
- Contract performance or pre-contractual measures — to provide requested services (art. 6 (1) (b) GDPR).
- Legitimate interest — service improvement and infrastructure security (art. 6 (1) (f) GDPR).
- Legal obligation — compliance with fiscal and accounting rules (art. 6 (1) (c) GDPR).
4. Recipients of data
Your data is accessed exclusively by authorized personnel of Med Connect Systems S.R.L. and, where applicable, by:
- Technical service providers under GDPR-compliant processing contracts (e.g. EU cloud hosting, transactional email).
- Legal or accounting advisors, under professional confidentiality.
- Public authorities, only when expressly required by law.
We do not transfer data outside the European Economic Area. All data is stored on EU-based servers.
5. Retention periods
- Contact form data: maximum 24 months from last communication.
- Platform account data: contract duration + 36 months for handling any later requests.
- Fiscal and accounting data: as required by law (generally 10 years).
- Technical security logs: maximum 12 months.
6. Your rights
Under GDPR, you have the following rights:
- Right of access — to know what data we process about you.
- Right to rectification — to request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — under GDPR conditions.
- Right to restriction of processing — in specific situations.
- Right to data portability — to receive your data in a structured, commonly used and machine-readable format.
- Right to object — to processing based on legitimate interest.
- Right to withdraw consent — at any time, without affecting the lawfulness of prior processing.
- Right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (dataprotection.ro).
7. Security measures
We implement appropriate technical and organizational measures:
- End-to-end encryption for all communication channels (TLS 1.3, AES-256).
- Mandatory multi-factor authentication for all users with access to medical data.
- Alignment with ISO 27001 standards for information security management.
- Immutable audit logs for every data access.
- Storage exclusively within the European Economic Area.
- Strict internal access-control policies, on a "need-to-know" basis.
- Periodic security audits and penetration testing.
8. Cookies and similar technologies
Our website uses a minimum number of cookies, exclusively for:
- Strictly necessary cookies — site functioning (session, language preference). No separate consent required.
- Anonymous analytics cookies — aggregated statistics, no individual identification. We use privacy-respecting measurement tools.
We do not use profiling cookies, advertising tracking or third-party advertising.
9. Contact details
For any request regarding the processing of personal data, you can reach us at:
- Controller: Med Connect Systems S.R.L.
- GDPR email: office@med-connect.ro
- Address: Bucharest, Romania
We respond to requests within a maximum of 30 calendar days, in accordance with GDPR.