Privacy policy
We dedicate all the necessary resources and efforts to process your data in full compliance with Regulation (EU) 2016/679 ("General Data Protection Regulation" or "GDPR"), as well as with any other legislation applicable on the territory of Romania. This document tells you how we collect, use, transfer and protect your personal data when you interact with us in relation to our products and/or services, including through our website.
We reserve the right to periodically update and amend this Privacy Policy to reflect any changes in the way we process your personal data or any changes in legal requirements. In the event of any such change, we will display the modified version of the Privacy Policy on our website, so please check the content of this Privacy Policy periodically.
About us
Name: COREPRIME CLINIC S.R.L.
Headquarters: Bucharest Sector 1, Strada LAINICIC, No. 11
Registration number: J40/13924/2023
Unique tax registration code: 48550238
Telephone: +40 31 005 1313
E-mail: office@coreprime.ro
Personal data processed by CorePrime Clinic
- General information: name, surname;
- Contact details: phone number, email address.
- Appointment data: when you book an appointment or an online consultation, we also process the chosen specialty, doctor, service, appointment date and time, and any details you choose to provide in the booking form;
- Payment data for online consultations: the amount paid, the payment order reference and the payment status received from our payment provider (ING Bank). Your card details are entered exclusively on ING Bank's secure payment page and never reach our servers;
- Technical data: IP address and browser information, processed in server logs and for security purposes (such as limiting the number of booking requests).
The purposes for which personal data are processed
- To take the necessary steps to carry out the services requested by you (for example to inform you about the scheduling of your appointments, etc.)
- To process payments for paid online consultations, to confirm your booking, and, where a payment fails or expires, to release the booked slot and inform you;
- To respond to your questions and requests;
- For marketing, advertising and publicity activities, but only if you have given your prior consent; In the areas where personal data is collected you will be able to state whether or not you agree to us processing it for this purpose;
- To provide and improve the services;
- To fulfill our legal and contractual obligations to you, to public authorities, or required or permitted by law.
Data transfer
CorePrime Clinic does not directly transfer personal data to third countries or international organizations. However, certain third-party service providers we engage (such as Google Analytics) may process anonymised usage data outside the European Union; in all such cases, appropriate safeguards — including Standard Contractual Clauses — are in place to ensure an equivalent level of data protection.
Refusal to provide us with your data
CorePrime Clinic will process personal data only under legal conditions, strictly respecting the principles related to the processing of personal data established by national and European legislation. You are not obliged to provide us with your personal data, but refusing it will lead to the impossibility of accessing our medical services.
Legal basis for processing personal data
We process your personal data only where a valid legal basis exists under applicable data protection law. The legal bases we rely on are:
- Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary to deliver the services you have requested, including scheduling and managing your appointments.
- Consent (Art. 6(1)(a) GDPR): For marketing, advertising, and promotional activities, but only where you have given your prior explicit consent. You may withdraw your consent at any time by contacting us at office@coreprime.ro.
- Legal obligation (Art. 6(1)(c) GDPR): Processing necessary to comply with our legal and regulatory obligations under Romanian and European Union law.
- Provision of healthcare (Art. 9(2)(h) GDPR): Where we process special category health data as part of our Programs or in connection with booking and delivering consultations, we do so for purposes of preventive medicine, medical diagnosis, and the provision of healthcare, carried out by licensed medical professionals bound by professional secrecy obligations.
Medical data processed in connection with Programs and consultations
When you apply for or participate in one of our medical Programs, we additionally collect and process special category personal data (health data) within the meaning of Art. 9 GDPR. This includes medical history, physical measurements (such as weight, blood pressure, and heart rate), and age. This data is used exclusively to assess your eligibility to participate in the Program and as part of the Program itself. It is processed solely by licensed medical professionals bound by professional secrecy and is never shared with any third party. Data may be collected both through the online application form and during in-person consultations.
Likewise, when you book an appointment or an online consultation, the medical specialty and service you choose, and any symptoms or other details you enter in the booking form, may reveal information about your health. This information is used exclusively to prepare and deliver your consultation, is accessible only to authorised personnel bound by confidentiality obligations, and is shared only with our medical activity management provider (Med-Soft), as described below.
How long we keep your data
We retain your personal data only for as long as necessary for the purposes for which it was collected, in accordance with applicable law.
- General contact data (name, phone number, email address): retained for 3 years from your last interaction with us, after which it is permanently deleted, unless you request earlier deletion by contacting office@coreprime.ro.
- Health data collected through Programs: retained in accordance with applicable Romanian medical legislation. You may request deletion of your health data at any time by contacting office@coreprime.ro, subject to any overriding legal retention obligations.
- Booking and payment records for online consultations (appointment details, amount paid, payment reference and payment status): retained for 3 years from the date of the appointment, after which they are permanently deleted, subject to any overriding legal retention obligations (such as financial and accounting legislation).
Third-party service providers
To operate our website and deliver our services, we work with the following third-party service providers who may process personal data on our behalf. All providers are contractually bound to process your data only as instructed by us and in compliance with applicable data protection law.
- Google LLC (Google Analytics): We use Google Analytics to analyse website traffic for marketing and improvement purposes. This service may process anonymised usage data on Google infrastructure. You can opt out at any time using the Google Analytics opt-out browser add-on.
- Microsoft Corporation (Microsoft 365): We use Microsoft 365 for email communications. Emails sent to or from office@coreprime.ro are processed through Microsoft infrastructure under EU data processing guarantees.
- ING Bank Romania S.A.: We use ING Bank Romania to process payments for online consultations. When you pay, we share with ING Bank the amount to be paid and your email address (used by the bank for the payment session and payment notifications), and we receive back the status of your payment. Your card details are entered exclusively on ING Bank's secure payment page — they never reach our servers and are processed directly by ING Bank in accordance with its own privacy policy and applicable financial regulations.
- Med-Soft (med-soft.ro): We use Med-Soft to manage our medical activity, including patient records, scheduling, and clinical documentation. This service processes personal data and special category health data on our behalf and is bound by strict confidentiality and data processing obligations.
- Doxy.me: We use Doxy.me for online video consultations. This service processes your connection data and, where applicable, information exchanged during the consultation. Doxy.me is a US-based service operating under HIPAA compliance standards; appropriate safeguards are in place for any data processed outside the European Union.
Data security
We apply appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Your personal data is stored on servers located in the European Union, operated in compliance with EU data protection standards.
Your rights as a data subject
Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at office@coreprime.ro.
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of any inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You may request deletion of your personal data, subject to any overriding legal retention obligations.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Art. 20): Where processing is based on consent or a contract, you may receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): You may object to the processing of your personal data, including for direct marketing purposes.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: If you believe your personal data has been processed unlawfully, you have the right to lodge a complaint with the Romanian national data protection supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — www.dataprotection.ro.