Privacy policy

1. Who we are

Treat Oy (business id 3618620-6) is the data controller for personal data processed through the Treat service. Address: Kampinkuja 2, 00100 Helsinki, Finland.

2. What data we process

Identification data from your DVV-issued professional or citizen ID card. Contact details you supply. Clinical case data you create or receive. Audit logs of who accessed what, when, and why.

3. Legal bases

GDPR Article 6(1)(b) — necessary for the contract to provide medical advice. GDPR Article 9(2)(h) — health data processed by health professionals bound by professional secrecy. Finnish Act on the Status and Rights of Patients.

4. Sub-processors

Google Cloud (EU data residency — europe-north1 region in Finland). AWS SES (transactional email, eu-north-1). Cloudflare (DNS only, no traffic routing). All sub-processors sign GDPR Article 28 DPAs.

5. Your rights

Access, rectification, erasure, restriction, portability, objection. Email dpo@treat.health. We respond within one month. You may complain to the Finnish Data Protection Ombudsman.

6. Retention

Clinical case records retained per Finnish patient-data legislation. Account data deleted within 90 days of account closure unless legal retention applies.

Contact

Data Protection Officer: dpo@treat.health. Security incidents: security@treat.health.