Privacy Policy

Last Updated: November 10, 2025

This Privacy Policy explains how Chalamet ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our medical advice platform ("Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and French data protection laws.

As a healthcare platform processing sensitive health data, we take extra precautions to ensure your information is secure and used only for legitimate purposes. Please read this Policy carefully to understand our practices.

1. Data Controller

The data controller responsible for your personal data is:

[COMPANY NAME]

[Registered Address, City, Postal Code, France]

Email: [privacy@chalamet.com]

If you have any questions about this Privacy Policy or how we handle your data, please contact us using the information above.

2. Personal Data We Collect

We collect different types of personal data depending on how you use our Service:

Identity and Contact Data

  • Full name, date of birth, nationality
  • Email address and phone number
  • Profile photo
  • Identity documents (for verification of general practitioners ("GPs") only)

Special Category Data - Health Information (Article 9 GDPR)

This is the most sensitive data we process and requires your explicit consent:

  • Appointment reasons and medical concerns you share
  • Chat messages with your GP containing medical discussions
  • Clinical notes recorded by your GP (visible only to the GP; not shared with patients in the current version of the Service)
  • Medical documents you upload

Technical and Usage Data

  • IP address, browser type, device information
  • Login timestamps and session data
  • Audit logs of actions performed on the platform

3. How We Collect Your Data

  • Directly from you when you register, book appointments, or communicate with GPs
  • Automatically through cookies and analytics (see our Cookie Policy)
  • From third-party identity verification services (for GP accounts)
  • During video consultations via our video provider (daily.co)

4. Legal Basis for Processing

Under GDPR, we must have a legal basis to process your data. We rely on the following:

Consent (Article 6(1)(a) and Article 9(2)(a))

For processing health data, profile photos, and marketing communications. You can withdraw consent at any time.

Performance of a Contract (Article 6(1)(b))

To provide our Service, including account management, appointment booking, and facilitating consultations.

Legal Obligation (Article 6(1)(c))

For identity verification (anti-money laundering), tax records, and responding to legal requests.

Legitimate Interests (Article 6(1)(f))

For fraud prevention, platform security, and improving our Service. We balance these interests against your rights.

5. How We Use Your Data

  • To provide medical consultations between you and licensed GPs
  • To process payments and manage subscriptions
  • To verify GP credentials and maintain professional standards
  • To communicate with you about appointments, account updates, and Service changes
  • To ensure platform security and prevent fraud
  • To comply with legal obligations (e.g., retaining medical records as required by French law)
  • To improve our Service through analytics (with your consent)

6. Data Sharing and Third-Party Processors

We do not sell your data. We share data only with trusted third-party processors who help us provide the Service:

Video Consultations (daily.co)

Facilitates secure video calls between patients and GPs. Data: User IDs, video/audio streams. Hosting: daily.co states that its servers are HIPAA-compliant (a US healthcare standard); any transfer outside the EU is subject to the safeguards described in Section 11.

File Storage (AWS S3)

Stores medical documents and identity documents. Data: Encrypted files. Location: EU (Paris region).

Email Notifications (Resend)

Sends appointment confirmations and account notifications. Data: Email addresses, names.

Payment Processing (Stripe)

Processes subscription and consultation payments. Data: Payment card details, which are handled by Stripe and never stored by us. Stripe processes this data under GDPR-compliant terms.

All third-party processors are bound by Data Processing Agreements (DPAs) that require GDPR compliance and ensure your data is protected.

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit (HTTPS/TLS) and at rest (AES-256)
  • Role-based access controls (only authorized personnel can access data)
  • Regular security audits and penetration testing
  • Audit logging of all sensitive data access

While we take every precaution, no system is 100% secure. If we experience a personal data breach, we will notify the CNIL (the French data protection authority) within 72 hours of becoming aware of it, and we will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, as required by Articles 33 and 34 GDPR.

8. Data Retention

We retain your data only as long as necessary:

  • Medical records (clinical notes, documents): 20 years from last consultation (required by French health law)
  • Chat messages: 2 years from last message
  • Account data: Until you delete your account; deleted accounts are kept in a recoverable (soft-deleted) state for 30 days and then permanently erased
  • Billing records: 10 years (required by French tax law)

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right to Access (Article 15)

Request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

Correct inaccurate or incomplete data.

Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your data (subject to legal obligations, e.g., 20-year retention for medical records).

Right to Restriction (Article 18)

Limit how we use your data in certain circumstances.

Right to Data Portability (Article 20)

Receive your data in a machine-readable format (JSON) to transfer to another service.

Right to Object (Article 21)

Object to processing based on legitimate interests or for marketing purposes.

Right to Withdraw Consent (Article 7(3))

Withdraw consent for health data processing at any time (may limit Service availability).

To exercise these rights, visit your Account Settings or contact us at [privacy@chalamet.com]. We will respond within one month. Where a request is complex or we receive many requests, GDPR permits us to extend this by up to two further months; if so, we will tell you within the first month and explain why.

10. Cookies and Tracking

We use essential cookies for authentication and session management. These are necessary for the Service to function.

For optional analytics and marketing cookies, please see our Cookie Policy. You can manage your cookie preferences at any time.

11. International Data Transfers

We store data primarily in the EU (France). Some third-party processors may transfer data outside the EU, but only under appropriate safeguards (e.g., Standard Contractual Clauses) or an adequacy decision by the European Commission (e.g., the EU-US Data Privacy Framework, which replaced the invalidated Privacy Shield).

We will never transfer health data outside the EU without explicit consent and adequate protection.

12. Children's Privacy

Our Service is not intended for children under 18. If you are under 18, your parent or legal guardian must create the account and accompany you during consultations. We do not knowingly collect data from children without parental consent.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. Continued use of the Service after changes constitutes acceptance.

14. Complaints and Regulatory Authority

If you believe we have not handled your data properly, you have the right to lodge a complaint with the French data protection authority:

CNIL (Commission Nationale de l'Informatique et des Libertés)

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Website: https://www.cnil.fr

15. Contact Us

For questions, requests, or concerns about this Privacy Policy or your data:

Email: [privacy@chalamet.com]

Address: [COMPANY NAME], [Full Address]