Privacy Notice
Docsa Health
Effective Date: January 20, 2025
Last Updated: January 29, 2025
1. Introduction
Docsa Health (“we,” “us,” “our,” or “Docsa Health”) is committed to protecting your privacy. This Privacy Notice explains how we collect, use, disclose, and safeguard your personal information when you use our personal health records platform at https://docsa.health/ and related services (collectively, the “Service”).
Please read this Privacy Notice carefully. By accessing or using our Service, you acknowledge that you have read, understood, and agree to the practices described herein.
2. Data Controller
2.1 United States
For users in the United States, the data controller is:
SMARTAUTOMATICA LLC
A Delaware Limited Liability Company
Email: privacy@docsa.health
2.2 Mexico
For users in Mexico, the responsible party (Responsable) under the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) is:
Dmitrii Fedorov
Operating under RESICO PF regime
Email: privacy@docsa.health
2.3 Data Protection Officer
Name: Dmitrii Fedorov
Email: privacy@docsa.health
We respond to all privacy inquiries within 2 business days.
3. Information We Collect
3.1 Personal Identification Information
We collect the following personal data when you create an account and use our Service:
| Data Type | Examples |
|---|---|
| Identity Information | Full name, date of birth |
| Contact Information | Email address, phone number, physical address |
| Government Identifiers | CURP, INE (for Mexico users), other identity documents |
| Account Credentials | Username, password (encrypted), MFA settings |
3.2 Health and Medical Information
With your consent, we collect and store:
| Data Type | Examples |
|---|---|
| Medical History | Diagnoses, conditions, surgical history, allergies |
| Clinical Documents | Doctor’s notes, discharge summaries, referral letters |
| Laboratory Results | Blood tests, imaging reports, diagnostic results |
| Prescriptions | Medications, dosages, treatment plans |
| Provider Information | Healthcare provider names, contact details, visit records |
| Insurance Information | Policy numbers, coverage details, claims |
| Wearable Device Data | Activity data, vital signs, sleep patterns |
| Medication Tracking | Adherence records, refill history |
3.3 Information from Healthcare Providers
When you connect your account with healthcare providers, clinics, or medical institutions, they may transmit:
- Appointment records
- Medical history updates
- Laboratory and diagnostic results
- Prescription information
- Treatment notes
This data is automatically integrated into your health record timeline.
3.4 Technical and Usage Information
We automatically collect:
| Data Type | Description |
|---|---|
| IP Address | Your internet protocol address |
| Device Information | Device type, operating system, browser type |
| Cookies | Session and preference cookies |
| Usage Data | Pages visited, features used, interaction patterns |
| Geolocation | Approximate location based on IP address |
| MFA Interactions | Authentication method used (Google Authenticator, etc.) |
3.5 Communication Data
When you contact us or use communication features:
- Support request content
- Chat transcripts
- Feedback and survey responses
4. How We Use Your Information
4.1 Primary Purposes (Essential for Service Delivery)
| Purpose | Legal Basis |
|---|---|
| Provide and maintain the Service | Contract performance |
| Create and manage your account | Contract performance |
| Store and organize your health records | Contract performance |
| Process your subscription payments | Contract performance |
| Send appointment and medication reminders | Contract performance |
| Facilitate data sharing with parties you authorize | Your consent |
| Provide emergency access as configured by you | Your consent |
| Respond to your support requests | Contract performance |
| Send security alerts and service notifications | Legitimate interest |
4.2 Secondary Purposes (With Your Additional Consent)
| Purpose | Legal Basis |
|---|---|
| AI-assisted document processing (OCR, classification) | Explicit consent |
| AI-assisted translation of medical documents | Explicit consent |
| AI-assisted transcription of audio recordings | Explicit consent |
| AI-generated correspondence with healthcare providers | Explicit consent |
Note: AI processing does not store or accumulate your data beyond the immediate task. Results are available in your account archive.
4.3 Service Improvement
| Purpose | Legal Basis |
|---|---|
| Analyze usage patterns to improve the Service | Legitimate interest |
| Develop new features and functionality | Legitimate interest |
| Ensure Service security and prevent fraud | Legitimate interest |
| Comply with legal obligations | Legal obligation |
5. Communications
5.1 Communication Channels
We may communicate with you through:
- SMS text messages
- Telegram
- Push notifications
5.2 Types of Messages
| Message Type | Content | Can Opt-Out? |
|---|---|---|
| Security Alerts | MFA codes, suspicious activity warnings | No |
| Service Notifications | Account changes, policy updates | No |
| Reminders | Appointments, medications, procedures | Yes |
| Marketing | New features, promotions | Yes |
5.3 Healthcare Provider Communications
When you authorize us to communicate with healthcare providers on your behalf, we may share limited personal information (name, age, phone number) necessary to facilitate such communications.
Important: No Protected Health Information (PHI) is transmitted through messaging platforms. Only reminders and alerts without medical details are sent via SMS, WhatsApp, or Telegram.
6. Information Sharing and Disclosure
6.1 At Your Direction
We share your information with third parties only when you explicitly authorize such sharing, including:
- Healthcare providers you designate
- Family members or caregivers you authorize
- Emergency responders (if you configure emergency access)
6.2 Service Providers
We engage trusted service providers who process data on our behalf under strict contractual obligations:
| Provider | Purpose | Data Processed | Agreement |
|---|---|---|---|
| Amazon Web Services | Cloud hosting, AI functionality | All data | Business Associate Agreement |
| Cloudflare | Security, content delivery | Technical data | Business Associate Agreement |
| Stripe | Payment processing | Payment information | Data Processing Agreement |
| HelpScout | Customer support | Support communications | Data Processing Agreement |
6.3 Legal Requirements
We may disclose your information when required by law, including:
- Court orders or subpoenas
- Government agency requests
- Fraud prevention
- Protection of our legal rights
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
6.5 What We Never Do
We never:
- Sell your personal or health information
- Share your data for third-party marketing
- Use your health data for insurance underwriting
- Provide data to employers without your explicit consent
7. International Data Transfers
7.1 Data Location
| User Location | Primary Data Storage |
|---|---|
| Mexico | Secure datacenter in Mexico |
| All other locations | Secure datacenter outside Mexico |
7.2 Cross-Border Transfers
Your data may be processed in jurisdictions outside your country of residence. When we transfer data internationally, we ensure appropriate safeguards including:
- Standard contractual clauses
- Data processing agreements
- Compliance with applicable data protection laws
7.3 US-Mexico Transfers
SMARTAUTOMATICA LLC (US) may delegate certain processing activities to Dmitrii Fedorov (Mexico), and vice versa. Such transfers are governed by appropriate data protection agreements.
8. Data Security
8.1 Technical Safeguards
We implement comprehensive security measures:
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256 encryption for all stored data |
| Encryption in Transit | SSL/TLS certificates, VPN tunnels |
| Access Controls | Role-based access, principle of least privilege |
| Multi-Factor Authentication | Optional MFA for user accounts |
| Monitoring | 24/7 security monitoring and alerting |
| Backups | Regular encrypted backups with geographic redundancy |
8.2 Organizational Safeguards
- Employee confidentiality agreements
- Security awareness training
- Incident response procedures
- Regular security assessments
8.3 Your Security Responsibilities
You are responsible for:
- Maintaining the confidentiality of your login credentials
- Enabling MFA for enhanced security
- Logging out of shared devices
- Reporting suspected security incidents immediately
9. Data Retention
9.1 Active Accounts
Your data is retained for as long as your account remains active.
9.2 After Account Deletion
| Scenario | Retention Period |
|---|---|
| User-initiated deletion | 30 days (then permanently deleted) |
| Data from healthcare institutions | Up to 6 years (legal compliance) |
| Inactive accounts | Up to 6 years (then deleted) |
| Legal hold or dispute | Duration of legal proceedings |
9.3 Anonymized Data
We may retain anonymized, aggregated data that cannot identify you for analytical purposes indefinitely.
10. Your Privacy Rights
10.1 Universal Rights
All users have the right to:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Correction | Request correction of inaccurate data |
| Deletion | Request deletion of your data |
| Data Portability | Receive your data in a portable format |
| Withdraw Consent | Withdraw consent for optional processing |
| Object | Object to processing based on legitimate interests |
10.2 Mexico-Specific Rights (ARCO)
Users in Mexico have additional rights under LFPDPPP:
- Acceso: Access your personal data
- Rectificación: Correct inaccurate data
- Cancelación: Request deletion
- Oposición: Object to processing
See our separate Aviso de Privacidad for complete LFPDPPP compliance details.
10.3 Exercising Your Rights
To exercise any privacy right:
- Self-Service: Use the data export and account deletion features in your account settings
- Support Request: Contact support at info@docsa.health
- Privacy Request: Email privacy@docsa.health
We respond to all requests within 2 business days and complete actions within the timeframes required by applicable law.
11. Cookies and Tracking
11.1 Types of Cookies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session |
| Functional | Preferences, language settings | Persistent |
| Analytics | Usage patterns, service improvement | Persistent |
11.2 Third-Party Analytics Tools
We use the following third-party analytics services exclusively on our public-facing pages (landing pages, marketing pages, and informational content):
| Service | Provider | Purpose |
|---|---|---|
| Google Analytics 4 | Google LLC | Website traffic analysis, user behavior patterns, conversion tracking |
| Microsoft Clarity | Microsoft Corporation | Session recordings, heatmaps, user interaction analysis |
Important Privacy Protections:
- Public Pages Only: These analytics tools are active only on public, unauthenticated areas of our website (e.g., landing pages, about pages, pricing information, blog content).
- No PHI Tracking: Analytics tools are completely disabled within authenticated areas where Protected Health Information (PHI) is accessed, including your personal dashboard, documents, medical records, and any areas subject to HIPAA and other health data regulations.
- Data Minimization: We configure these tools to minimize data collection, including IP anonymization and exclusion of any personally identifiable information.
- No Cross-Tracking: Analytics data from public pages is never linked to your authenticated session or health records.
For more information about how these services handle data:
- Google Analytics: https://policies.google.com/privacy
- Microsoft Clarity: https://privacy.microsoft.com/privacystatement
11.3 Your Choices
You can manage cookies through:
- Browser settings
- Our cookie preference center
- Do Not Track browser signals (honored)
Note: Disabling essential cookies may affect Service functionality.
12. Children’s Privacy
12.1 Age Requirements
The Service is not intended for direct use by individuals under:
- 21 years of age in the United States
- 18 years of age in Mexico and other jurisdictions
12.2 Minor Records
Parents and legal guardians may manage health records of minors within their own accounts. We do not knowingly collect information directly from minors.
If we learn that we have collected personal information from a minor without parental consent, we will delete it promptly.
13. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any information.
14. Changes to This Privacy Notice
14.1 Notification
We may update this Privacy Notice periodically. Material changes will be communicated via:
- Email notification
- Prominent notice on the Service
- At least 30 days before changes take effect
14.2 Continued Use
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Notice.
15. Regulatory Compliance
15.1 Mexico
We comply with:
- Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
- LFPDPPP Regulations
- INAI guidelines
15.2 United States
For applicable users and data, we comply with:
- Health Insurance Portability and Accountability Act (HIPAA)
- State privacy laws as applicable
15.3 Filing Complaints
Mexico: You may file complaints with the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) at www.inai.org.mx
United States: You may file complaints with the U.S. Department of Health and Human Services Office for Civil Rights for HIPAA matters.
16. Contact Us
General Inquiries
Email: info@docsa.health
Website: https://docsa.health/
Privacy Inquiries
Email: privacy@docsa.health
Data Protection Officer: Dmitrii Fedorov
Response Times
We acknowledge all privacy inquiries within 2 business days and provide substantive responses within the timeframes required by applicable law.
By using Docsa Health, you acknowledge that you have read and understood this Privacy Notice.