I. Introduction
VitaBoost Health Systems AG ("VitaBoost", "we", "us") provides a SaaS infrastructure for clinic management. In the context of the General Data Protection Regulation (GDPR) and HIPAA, we typically act as a Data Processor, while our Clients (Clinics/Enterprises) act as Data Controllers.
II. Data We Process
To provide our Service, we process the following categories of data on behalf of our Clients:
- Identity Data: Names, employee IDs (for corporate plans).
- Contact Data: Business email addresses, phone numbers for SMS alerts.
- Health Data (Encrypted): Appointment timestamps, treatment types (e.g., "Vitamin C Infusion"), and adherence logs.
- Technical Data: IP addresses, login logs, device types used to access the secure portal.
III. Data Residency & Security
Our primary infrastructure is hosted in Zürich, Switzerland, a jurisdiction recognized by the European Commission as providing an adequate level of data protection.
We utilize AES-256 encryption for data at rest and TLS 1.3 for data in transit. Access to production data is strictly limited to authorized engineering staff via MFA and VPN.
IV. Sub-processors & Third-Party Infrastructure
To provide our Service and ensure reliable delivery of critical alerts, we utilize trusted third-party sub-processors. By using VitaBoost, you acknowledge that data may be processed by:
- Cloud Infrastructure Providers: AWS / Google Cloud (for secure hosting and database management).
- Email Delivery Vendors: Enterprise-grade SMTP providers (e.g., Mailgun, Sinch, AWS SES) solely for the transmission of transactional alerts. These vendors are prohibited from using your data for their own marketing purposes.
We maintain signed Data Processing Agreements (DPAs) with all sub-processors to ensure compliance with GDPR and standard contractual clauses.
V. Email & Communication Privacy
We do not sell, rent, or share email addresses with third parties. Emails sent via our system are strictly for the purpose of fulfilling the service contract between the Clinic and the Patient (e.g., appointment reminders).
We retain transmission logs (metadata) for 90 days to assist with troubleshooting and compliance audits, after which they are permanently anonymized.
VI. Your Rights
Under GDPR, you have the right to access, correct, or delete your personal data. Since VitaBoost is a Processor, please contact your Clinic (the Controller) directly to exercise these rights. We will assist the Controller in fulfilling these requests.
Data Protection Officer (DPO)
Contact: legal@vitaboostivtherapy.com
Address: Bahnhofstrasse 10, 8001 Zürich, Switzerland