Data Protection and Compliance values data confidentiality and transparency.

For example, we are taking proactive measures to ensure that our service meets Swiss standards (in anticipation of the new Data Protection Act, DPA) as well as the new European Data Protection Regulation (GDPR), applicable since 25 May 2018. We would therefore like to inform you of some changes to our General Terms and Conditions for clients, as well as the addition of Conditions for booking appointments online, which must now be validated by your clients / patients for all appointments booked online since May 15, 2018.

Before presenting the concrete actions, it is important to detail the specific case of Indeed, is a SaaS platform for "B to B" agenda management. Our corporate and freelance clients therefore use it to collect and store appointment scheduling and customer/patient data.

It is thus necessary to identify and clearly distinguish two responsibilities:

1. The data controller (Data Controller) - the company or person who decides which data to collect and who defines the purpose of this data collection; in our case, the customer (doctor, osteopath, beautician, etc.).

2. The subcontractor (Data Processor) - here, the company that "processes" the personal data on behalf of the data controller.

As a subcontractor, we only process personal data managed by our service on the documented instructions of the data controller (our client). This means that we do not handle, disseminate, use or share the data collected through our platform, as this data does not belong to us.

In addition, all data from is stored at our provider Exoscale in Switzerland.

Here is a brief summary of the ongoing actions:

  • Since May 15, 2018, we have integrated into the appointment booking form the obligation for a client/patient to check specific terms of use for data protection when making appointments online, with the implementation of legal notices relating to the collection of personal data, which detail the data collection and processing flows specific to them.
  • We regularly update this Privacy Principles page with explanations concerning personal information and data, a detailed description of our security practices, a description of our security policies and procedures, and data processing conditions explaining how customers can obtain more information about our security.
  • The same applies to details on how we work with trusted partners and online sources to improve the quality of the personal information that we hold about users, to understand how users interact with our site and to discover the types of services they are interested in.

The main objective of the future Swiss Data Protection Act and the GDPR (General Data Protection Regulation) is to strengthen the legal framework for the protection of personal data, and to standardise it throughout Europe. In our context, the rules promulgated by the GDPR (and the future DPA) mainly call for common-sense measures: a modern and secure architecture, good organization and a little documentation. These measures make it possible to comply with the majority of the rules. More information on this will follow soon.

Current application architecture:

All the data of are hosted in Switzerland (at Exoscale). A client has access to its space, which is protected by a password stored in encrypted form and accessed via SSL.
  • An account is blocked after a number of unsuccessful login attempts.
  • does not use or process data from its clients, in particular their patient or client file.
  • All our backups are encrypted.
  • We have implemented an application logging policy to detect and trace any intrusion attempt into our application architecture.

Planned evolution of our services towards "Privacy by Design":

  • We will be able to perform physical destruction of all data of a user, or of a customer of a customer, upon request.
  • We will create pages to allow users, once logged in, to view and modify their personal information.
  • We are studying the creation of a form to collect requests for access to users' personal information, in particular to trigger the right to be forgotten and to have the data physically, and therefore permanently, deleted. We will determine in the coming months whether this request will be handled by customers or by directly.
  • We will be adding information in our Help Center on how to enforce users' rights to their data and how to control the use of personal information through our services. We also explain how we can handle requests for information concerning the data that you may receive from clients/patients of European nationality.

With the implementation of these measures, we want to ensure that our customers are in compliance with the future DPA law and the GDPR on aspects related to their data processor.

This page will be regularly updated. Last update: November 12, 2019.