Privacy Policy

Last updated: January 2025

1. Introduction

This Privacy Policy explains how SofMedica Ventures SRL ("we", "us", or "our") collects, uses, shares, and protects your personal data when you use DORA AI, our medical procedure management platform.

DORA AI is designed for healthcare professionals to manage surgical procedures, including video conferencing, AI-assisted documentation, and patient record management. Given the sensitive nature of medical data, we are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller

  • Company: SofMedica Ventures SRL
  • Address: Calea Bucurestilor 87-91, Cod 075100, Loc. Otopeni, Romania
  • Registration Number: J40/24635/1994
  • Privacy Contact: sofmedica.ventures@sofmedica.com

2. What Data We Collect

User Account Data

When you create an account, we collect:

  • Email address (required for authentication)
  • First and last name
  • Country and city
  • Hospital or organization name
  • Medical specialty
  • Phone number (optional)

Patient Data

Healthcare professionals using DORA AI may enter patient information, including:

  • Patient name, date of birth, and gender
  • National identification number (optional)
  • Address and contact information
  • Medical diagnosis and conditions (using SNOMED-CT coding)
  • Clinical notes and observations
  • Medical imaging files (DICOM)

Procedure Data

During medical procedures, we may collect:

  • Procedure type and scheduling information
  • Video and audio recordings of procedures (with consent)
  • AI-generated summaries and presentations
  • Transcripts from speech-to-text processing
  • Attendee information (names, roles, email addresses)
  • Checklists and procedure notes

Technical Data

We automatically collect certain technical information:

  • IP address and approximate location
  • Browser type and device information
  • Session tokens and authentication data
  • Usage analytics (with your consent)

3. How We Use Your Data

Purpose | Legal Basis
Provide and maintain the DORA AI service | Contract performance
Process medical data for procedure management | Explicit consent (Article 9(2)(a))
Provide AI-powered medical assistance | Explicit consent
Record and store procedure videos | Explicit consent
Send authentication emails and service notifications | Contract performance
Analyze usage to improve our service | Consent (opt-in analytics)
Ensure security and prevent fraud | Legitimate interest
Comply with legal obligations | Legal obligation

4. Data Sharing and Third Parties

We share your data with trusted third-party service providers who help us deliver DORA AI. All processors are bound by Data Processing Agreements (DPAs) and appropriate safeguards.

Processors Based in the United States

The following services involve international data transfers to the US. We rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework to ensure adequate protection.

Service | Purpose | Data Shared
OpenAI | AI medical assistant (DORA) | Medical notes, transcripts, documents for AI analysis
Amazon Web Services (AWS) | Cloud infrastructure, storage, and video processing | All application data, recordings, documents
Livekit | Video conferencing and recording | Live video and audio streams during procedures

Processors Based in the European Union

Service | Purpose | Data Shared
Deepgram (EU) | Speech-to-text transcription | Audio recordings for transcription
Nylas (EU) | Calendar integration | Calendar events and scheduling data
Mailgun (EU) | Email delivery | Email addresses and message content
PostHog (EU) | Product analytics | Usage data (only with your consent)

Transfer Safeguards

For international data transfers, we implement:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Data Processing Agreements with all service providers
  • Transfer Impact Assessments for US-based processors
  • Technical measures including encryption in transit and at rest

5. Data Retention

We retain your data for the following periods:

Data Type | Retention Period | Reason
User account data | Until account deletion + 1 year | Service provision and legal compliance
Patient medical records | 8 years minimum | UK medical records retention requirements
Procedure recordings | As configured by user | User-controlled retention
Session data | 30 days | Authentication security
Analytics data | 2 years | Service improvement

Note on Medical Records: Under UK healthcare regulations, medical records must be retained for a minimum of 8 years after the last treatment. This legal requirement takes precedence over deletion requests during the retention period.

6. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right to Access (Article 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Article 17): Request deletion of your data, subject to legal retention requirements.
  • Right to Restriction (Article 18): Request that we limit how we process your data.
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw your consent at any time, without affecting the lawfulness of prior processing.

How to exercise your rights: Contact us at sofmedica.ventures@sofmedica.com. We will respond within 30 days. When available, you can also manage your data through Settings > Privacy in the application.

7. Cookies and Analytics

Essential Cookies

We use strictly necessary cookies for authentication and session management. These cookies are required for the service to function and do not require consent.

  • Session cookie: Maintains your login session (expires after 30 days of inactivity)

Analytics Cookies (Opt-in)

With your consent, we use PostHog for product analytics to understand how users interact with DORA AI and improve the service. Analytics cookies are only set after you explicitly accept them.

  • PostHog: Usage analytics and session recordings (with privacy masking enabled)

Managing Cookie Preferences

When you first visit DORA AI, you will see a cookie banner allowing you to accept or reject analytics cookies. You can change your preferences at any time using the button below.

8. Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Encryption: All data is encrypted in transit (TLS) and at rest
  • Authentication: Secure magic link authentication (no passwords stored)
  • Access Controls: Role-based access control for all data
  • Session Security: Automatic session expiration and secure token handling
  • Infrastructure: Hosted on secure cloud infrastructure with regular security updates
  • Monitoring: Continuous security monitoring and incident response procedures

9. Special Category Data

DORA AI processes special category data, including health data, which requires additional protections under GDPR Article 9. We process this data based on:

  • Explicit consent from users for processing medical data
  • Processing necessary for healthcare provision by or under the supervision of healthcare professionals

Video recordings of procedures may capture images of patients and medical staff. Such recordings are only made with appropriate consent and are subject to strict access controls.

10. AI and Automated Processing

DORA AI uses artificial intelligence to assist healthcare professionals:

  • DORA Assistant: AI-powered responses to medical queries using OpenAI
  • Automatic Transcription: Speech-to-text conversion of procedure audio
  • Summary Generation: AI-generated procedure summaries and presentations

Important: AI-generated content is provided as a tool to assist healthcare professionals and should always be reviewed by qualified medical personnel. We do not make automated decisions that produce legal or similarly significant effects without human oversight.

11. Children's Data

DORA AI is a professional medical platform intended for use by healthcare professionals only. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

We encourage you to review this policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

  • Email: sofmedica.ventures@sofmedica.com
  • Address: Calea Bucurestilor 87-91, Cod 075100, Loc. Otopeni, Romania

Supervisory Authority

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with a supervisory authority:

  • UK: Information Commissioner's Office (ICO) at ico.org.uk
  • EU: Your local Data Protection Authority