Privacy Policy

"HAPPY EARS" Ltd. processes your personal data with maximum security in accordance with the contractual relationships between you and the company, and in accordance with the regulatory obligations arising from its activities.

Data Protection Officer

Name: Nikola Zlatev

Email: contact@telemediker.com

We collect and process the following categories of personal data:

Data Related to Physical Identity

• Full name
• Personal Identification Number / Date of Birth
• Social insurance information
• Contact details: email and phone number
• Address: permanent or current
• Health information data
• Banking information
• IP address

Data Related to Economic Identity

Payments are processed through the Stripe platform. We do not directly process banking data but receive information from Stripe regarding successful or unsuccessful payments.

Your personal data will be used for the following purposes:

• Creating a profile on the Controller's Platform
• Payments for Telemedical consulting service – video calls with doctors
• Establishing and maintaining registers for accountability
• Financial and accounting reporting
• Providing a secure connection between the patient and the doctor
• Issuing invoices
• Responding to data subject requests regarding their rights under GDPR
• Marketing purposes (only with your consent)
• Performing other functions as required by law or contractual obligations

The processing of your personal data is carried out based on:

• Article 6(1)(c) GDPR – Legal obligations applicable to the controller
• Article 6(1)(b) GDPR – Performance of a contract to which you are a party
• Article 6(1)(a) GDPR – Your consent for processing medical data through secure connections
• Article 6(1)(f) GDPR – Protection of legitimate interests

Note: The Controller does not apply automated individual decision-making, including profiling.

Entities Requiring Information on a Legal Basis

• State and municipal authorities, agencies, and regulatory bodies
• Judicial authorities (courts, prosecution offices)
• Regulatory bodies (Commission for Personal Data Protection, Health Commissions)
• Auditors and accreditation bodies

Entities Requiring Information on a Contractual Basis

• Service providers (consultants, accountants, lawyers)
• Data Protection Officer
• Companies providing cloud services – AWS
• External videoconferencing service – Daily.co
• Marketing agencies (only with your explicit consent)
• Payment processors – Stripe

We implement appropriate technical and organizational measures to ensure data protection:

• Licensed software and electronic security certificates
• Encrypted email services with paid, private domains
• Access controls – only authorized employees and doctors can access personal data
• Cloud service access secured through HTTPS connection
• Password policy and user rights management system
• Regular employee training on GDPR compliance
• 24/7 system maintenance to minimize security breaches
• Full internal audit and system check every 12 months

File Transfer Security

• Transport encryption: WebRTC SRTP/DTLS; TLS 1.2+ for all API and storage traffic
• Fallback encryption: client-side AES-GCM with ephemeral ECDH keys
• Access control: presigned URLs with ≤ 10 min expiry
• Audit logging: metadata only, no file content, retention max 90 days
• Automated deletion via webhooks and storage lifecycle rules
• No persistence: no thumbnails, no previews, no patient files stored on the platform

Your personal data will be retained for the following periods:

Data Category	Retention Period
Account information	Up to 5 years
Data processed based on consent	Until consent is withdrawn
Accounting data	10 years (under the Accounting Act)
System logs	Up to 5 years
Metadata (audit/security)	Up to 90 days

Your personal data will not be deleted if required for ongoing legal, administrative proceedings, or the resolution of a complaint.

Under GDPR, you have the following rights:

• Right to Information and Access: Request information about whether your data is being processed and obtain a copy
• Right to Rectification: Request correction of incomplete or incorrect data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data when no longer necessary
• Right to Object: Object to the processing of your personal data
• Right to Restrict Processing: Request restriction of data processing in certain cases
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Withdraw Consent: Withdraw your consent at any time
• Right to Lodge a Complaint: File a complaint with the Commission for Personal Data Protection
• Right to Compensation: Claim compensation for damages resulting from GDPR violations

To exercise your rights, submit requests to:

Email: contact@telemediker.com

Requests should be signed with a Qualified Electronic Signature (QES) or by another method verifying the identity of the person submitting the request.

We respond to your request within one month of its submission. When additional time is required, this period may be extended by up to 30 days.