Confidentiality Policy
Privacy
Protecting your privacy and personal data is one of our core commitments at MEDLIST S.R.L., a Romanian legal entity headquartered in Bucharest, District 1, 22-26 Siriului Street, 3rd floor, registered with the Trade Registry under no. J40/12436/2024, having unique registration code 50273937, hereinafter referred to as MEDLIST.
Therefore, we strive to process your personal data in accordance with the principles outlined in the applicable data protection laws in Romania, including Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data ("GDPR"). Terms used in this privacy policy that are not defined shall have the meaning given to them in the GDPR.
Personal data refers to any information related to an identified or identifiable natural person. An identifiable person is someone who can be identified, directly or indirectly, particularly by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.
This privacy and data protection policy concerns the data of our clients, business partners, other individuals who contact or visit us, as well as their representatives, prospective employees, collaborators, etc. It applies to all personal data collected through our platform or app through which you can find the right doctor for your needs and make an appointment ("Services"), www.medlist.ro (hereinafter the "Website"), as well as all other personal data collected via email or other offline interactions.
The privacy and data protection policy describes:
- the purposes for which we collect and use your personal data;
- the legal grounds for processing data for these purposes;
- the categories of personal data we process;
- the duration of data processing;
- your rights as a data subject and how you can exercise them;
- who we may disclose your personal data to.
We aim to present this information clearly and transparently, so you can understand what we are communicating to you.
You will also learn how to contact us if you have questions about your personal data — we will be happy to answer them. Please also read our Cookie Policy https://medlist.ro/politicadecookies, which explains how MEDLIST uses cookies and similar technologies.
Purposes, Legal Grounds, and Categories of Personal Data Processed
In the context of interacting with MEDLIST, and considering that the Website is a platform through which you can identify the right doctor for your medical needs and make an appointment, we may process your personal data. Therefore, we use your personal data in the following situations:
If you are a USER or potential USER of MEDLIST:
Using the Website and Accessing the Services
We use your relevant personal data to provide the Services or to send you the requested Service offers. For this, we require the following personal data: full name, mobile number, email address, spoken languages, medical specializations, professional photo, date of birth, gender, and geolocation. In this case, we rely on the performance of the contract as the legal basis for processing your personal data — without this data, we would be unable to provide the Services or send you the requested offers.
You may consult the Website without disclosing your identity or providing any personal data. However, information may still be collected automatically when visiting www.stg.medlist.ro, such as your internet service provider's name and the referring website, but this cannot be linked to any individual. Other personal data will only be stored if voluntarily provided by you.
Communication with You
We use your contact data — name, email, phone number — to communicate with you regarding your requests and any relevant appointment-related matters. Again, the legal basis is the performance of the contract.
Data Processing as a Legal Obligation
We may process certain personal data in the context of providing the Services due to legal obligations applicable to us as a service provider.
Sending Offers and News about MEDLIST Services
We may also use your contact data to send you — in your chosen format (email, SMS, print) — our offers and other information about MEDLIST services, products, promotions, etc., but only if you have explicitly requested this service and given prior consent. You may withdraw your consent at any time by:
- Sending an email to [email protected]
- Sending a registered letter to: Bucharest, District 1, 22-26 Siriului Street, 3rd floor
If you are a representative/contact person, employee, or collaborator of a MEDLIST USER or partner:
Providing Services
We use your relevant personal data to make appointments with the selected individual medical office, clinic, polyclinic, or hospital. If you represent a MEDLIST partner, we may also contact you to provide the requested Services. The legal basis is our legitimate interest and contract performance.
Communication with You
We use the contact information you provide to communicate regarding your or our requests and any other relevant business matters. This is based on our legitimate interest in managing our relationships with partners or users.
Data Processing as a Legal Obligation
We may process your personal data to comply with legal obligations governing healthcare service intermediaries. In such cases, the processing is based on our legal obligation.
Sending Offers and Promotions
We may use your contact data to send you — in your chosen format — offers and/or updates about MEDLIST or our partners, but only if you have explicitly requested this and provided prior consent. You can withdraw your consent at any time by:
- Emailing [email protected]
- Sending a registered letter to: Bucharest, District 1, 22-26 Siriului Street, 3rd floor
Data may be provided either directly by you or by a user/partner. Categories of data processed include name, phone number, email address, and other data you may provide as needed for the above purposes.
If you are a job/internship applicant
We use the personal data contained in the CVs we receive to evaluate applicants' qualifications for a position at MEDLIST, including internship programs. We rely on your consent (given when you submit your CV) and, later, on the conclusion and performance of an employment contract as the legal basis for processing.
Categories of personal data processed include: name, surname, email address, phone number, home address, personal information included in CVs, education and training details, professional qualifications, and other personal data you may directly provide to us.
Information we collect automatically – Cookies
When you visit the Website, we automatically collect certain data using cookies. Please read our Cookie Policy at https://medlist.ro/politicadecookies.
Additionally, to profile, monitor, and send personalized offers and communications, we may use a marketing automation tool dedicated to our platform.
Profiling, monitoring, or sending personalized offers and communications has no legal or similarly significant effect on Website users. The only result is the reception of personalized discounts and marketing offers. You may opt out of profiling or marketing communications at any time.
For the purposes of processing and monitoring activity on the Website, the following personal data is automatically collected and stored: IP address, browser and version, device type and OS, date/time of access, location, timestamps related to page visits, page/category/doctor visits, photo clicks, scrolls, variations selected, items added to favorites, comments, Facebook likes, and help page visits.
We also run retargeting campaigns through platforms like Meta and Google, allowing users who visited the Website to be shown targeted ads on Facebook. We do not collect or process any data about individual Facebook users targeted by such ads and cannot identify them.
For more information about data processing by Facebook:
- Privacy Policy: https://www.facebook.com/about/privacy
- Cookies Policy: https://www.facebook.com/policies/cookies/
Categories of data subjects include visitors, registered users, or users of the Website, depending on the selected service.
To withdraw consent for retargeting and profiling, send an email to: [email protected]
Information we collect from third parties
We may receive your personal data from other sources, even if not directly provided by you, including business partners or public authorities who are legally entitled or obligated to share such data with us.
Processing for other purposes
We do not process your personal data for any secondary purposes beyond those for which it was originally collected without your prior consent, a legitimate interest, or a legal basis.
Do we share your personal data with third parties?
In certain circumstances, we may share personal data with third parties:
- Third-party service/product providers – We may use third-party providers to process your data on our behalf. We have signed data processing agreements and confidentiality clauses with all providers to ensure data protection, and we do not allow them to use your data for other purposes.
- Competent authorities – If required by law, we will provide data to competent authorities for purposes such as fraud detection or criminal investigations.
- When you explicitly request or authorize such disclosure.
- In urgent or force majeure situations.
- When disclosure is necessary for dispute resolution or legal claims.
We assure you that we do not sell or transfer your personal data to any other entities, whether individuals or companies.
HOW LONG DO WE KEEP PERSONAL DATA?
We limit the retention period of your personal data to what is necessary for the processing purposes previously communicated to you.
We regularly review the necessity of keeping your personal data. Every 3 years, we assess the data collected and processed to filter, sort, and retain only the data still relevant to current processing purposes. If, following this review, it turns out that you have not used the Website in the last 3 years, MEDLIST will send you an email to reactivate your commercial relationship. If you do not respond, we will delete both your processed personal data and your User Account.
Regardless of your activity on the Website, we will immediately delete your personal data upon request, except for data whose processing/retention is required by legal provisions — in which case, the retention period will comply with the applicable mandatory legislation.
We may also retain personal data for the establishment, exercise, or defense of legal claims.
If data retention is required by law for specific purposes, we may continue to retain that data.
HOW DO WE ENSURE THE SECURITY OF PERSONAL DATA? ARE THEY SAFE?
We aim to keep your personal data safe by implementing appropriate technical and organizational measures.
In accordance with applicable laws, we have defined and implemented internal procedures to prevent unauthorized access or misuse of personal data.
We use suitable systems and procedures to protect and secure personal data, especially to prevent unauthorized/illegal processing, accidental or unlawful loss, destruction, or damage.
We have implemented measures for detecting and responding to security breaches, documenting incidents, affected data, remediation efforts, and personal data recovery.
We also have measures and procedures in place to meet our legal obligations in the event of a security incident, including notifying the competent supervisory authority and informing you, if applicable.
Access to personal data is restricted for MEDLIST employees, contractors, suppliers, and collaborators, limited strictly to what is necessary. They are also bound by strict confidentiality obligations.
We conduct ongoing staff training on data protection and privacy procedures.
We perform an annual audit of our data management system to improve the protection and safety of the personal data we process.
DO WE TRANSFER PERSONAL DATA OUTSIDE THE EU OR EEA?
No, we do not transfer your personal data outside the European Union or the European Economic Area or to international organizations.
HOW CAN YOU CONTROL YOUR PERSONAL DATA? WHAT ARE YOUR RIGHTS?
As a data subject, the GDPR grants you several rights, including:
- Right of access: You can obtain information about the processing of your personal data and a copy of that data.
- Right to rectification: If you believe your personal data is inaccurate or incomplete, you may request corrections.
- Right to erasure: You may request the deletion of your personal data, as permitted by law.
- Right to restrict processing: You may request the restriction of processing your personal data.
- Right to object: You may object to the processing of your personal data, based on your specific situation.
- Right to data portability: You may request that the personal data you provided be returned to you or transferred to a third party, where possible.
We are committed to supporting you in exercising these rights.
You can exercise these rights or learn more about them by sending a written request to us at: MEDLIST S.R.L., 22-26 Siriului Street, 3rd floor, District 1, Bucharest, Romania, or by email to [email protected].
You also have the right to file a complaint with the National Authority for the Supervision of Personal Data Processing (ANSPDCP) – http://dataprotection.ro/.
All requests will be handled seriously and responded to by MEDLIST, even if unfounded. The response will reflect the action taken; if the request is denied, the reasoning will be provided.
MEDLIST does not charge any fee or request any material benefit for exercising your GDPR rights, except in the case of repetitive or excessive requests, where a reasonable fee may be charged — you will be informed beforehand.
We will respond to requests within a maximum of 30 days. If the request is complex or requires more information, we will notify you within 30 days and deliver the response within a maximum of 60 days.
If the request concerns personal data for which MEDLIST acts as a data processor (not controller), the request will be forwarded within 3 business days to the appropriate data controller. MEDLIST will not respond directly in such cases but will assist in formulating a response and ensure it reaches the data subject if requested by the controller.
Please do not provide personal data to MEDLIST through any channels other than those specified in this policy (i.e., through your User Account or by email to [email protected]). If you provide data through other channels or individuals claiming to represent us (including former employees), MEDLIST is not responsible for the security of those data and cannot ensure their protection. You are advised to always consult third parties’ privacy policies before sharing personal information.
WHO IS RESPONSIBLE FOR PERSONAL DATA PROCESSING? CONTACT
MEDLIST is the data controller responsible for personal data processing. For any questions or concerns about this policy or personal data processing, please contact us at [email protected].
This privacy policy is effective from [insert date]. It may be subject to future updates. Any updates will take effect upon publication on the Website.
We commit not to negatively impact your rights with any future updates to this policy. If any changes could significantly affect your personal data rights, we will notify you explicitly and obtain your consent where required by law.
All future versions of this policy will be available on this page and archived by MEDLIST for reference.