Privacy Policy
Version 1 - January 2025
This Policy is established by Vesalius Health BV:
Ottergemsesteenweg-Zuid 808b bus 48, 9000 Gent
VAT: 1011.125.426
privacy@vesalius.health
Hereinafter "Vesalius" or "we", "us", "our".
We are particularly attentive to the protection of personal data (hereinafter referred to as data) and to respect for the privacy of all persons who come into contact with us. We act transparently, in accordance with national and international provisions in this area, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation" or "GDPR").
This policy describes the measures undertaken for the treatment and processing of your personal data, and your rights as a data subject.
As a processor of sensitive data such as health data, Vesalius processes this data on behalf of hospitals and health care providers. You should therefore contact them for information on the processing of your personal data.
You can react to any of the processing operations described below by contacting us. We inform you that your data will be used in compliance with this data protection declaration.
1. Definitions
In this statement, the following words and expressions shall be understood as follows:
- Statement: This privacy statement.
- General terms and conditions of use: The general terms and conditions and the conditions of use of Vesalius, which govern the use of Vesalius.
- Personal data: Any information relating to an identified or identifiable physical person that is processed in accordance with this declaration, as described in the article "The data processed".
- Data relating to health: Data of a personal nature relating to the physical or mental health of a physical person, which reveal information about the health condition of that person.
- Our professional healthcare partners: The healthcare professionals who are connected to the patient via Vesalius.
- Our services: All the services we provide on Vesalius in the context of our professional activity or in execution of our statutory purpose, as described in our general terms and conditions of use.
- Person responsible for processing: The legal entity that determines the effectiveness and means of processing personal data in accordance with this declaration, namely us.
- Processing: Any operation or set of operations, whether or not carried out with the aid of automated processes and applied to data of a personal nature, such as collection, recording, organization, storage, adaptation or alteration, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, association or linkage, as well as the locking, erasure or destruction of data of a personal nature.
- Anonymized data: Removing identifiable elements such as name and e-mail address and using masking data.
- DPO: The data privacy officer (DPO) is the person who monitors Vesalius's compliance with the General Data Protection Regulation (GDPR) in relation to the protection of personal data.
2. Why do we process your data?
We collect and process your personal data for different reasons based on a legal ground determined by the GDPR (for example, compliance with a legal obligation to which we are subject or the performance of a contract concluded with you).
Management of our medical care customers
We process your personal data in order to carry out operations relating to contracts, invoices, accounting and the provision of documents. We could process your personal data to contact you or a member of your team and answer your questions.
Legal basis: Article 6.1.b) and 6.1.c) of the GDPR
Management of the application and identification/authentication
We process your personal data to give you access to our application. We could also process your data to contact you and answer your questions, and to ensure the technical administration and security of Vesalius.
Legal basis: Article 6.1.b) and 6.2.f) of the GDPR
Management of our patients/customers
We process your personal data in order to carry out operations relating to contracts, invoices, accounting and the provision of documents. We could process your personal data to contact you and answer your questions.
Legal basis: Article 6.1.b) and 6.1.c) of the GDPR
Research, statistics, and improving our application software
We process personal data in order to provide and improve our services. We perform statistical analysis with anonymized data. You can withdraw your consent at any time by contacting us (privacy@vesalius.health).
Legal basis: Article 6.1.a) of the GDPR (consent)
Management of our communication
We process personal data in order to provide you with information relating to our activities and services. You can object to the processing by contacting us.
Legal basis: Article 6.2.f) of the GDPR (legitimate interest)
Management of our pre-contractual relationships
We process your personal data in order to respond to requests that you address to us (in particular via the contact form on our site), or if you have sent us your curriculum vitae.
Legal basis: Article 6.1.b) of the GDPR
Management of our suppliers
We process personal data to fulfill our contractual obligations to you or to your company, or our legal obligations, for instance legal accounting obligations.
Legal basis: Article 6.1.b) and 6.1.c) of the GDPR
Management of our litigation
We may use your personal data to manage litigation where this is necessary to pursue our legitimate interest or that of third parties, without affecting your interests or your fundamental rights and freedoms.
Legal basis: Article 6.1.f) and 9.2.f) of the GDPR
3. What data is collected and processed?
We only collect personal data that is adequate, relevant and limited to what is strictly necessary with regard to the purposes for which it is processed.
Management of medical care customers
- Personal identifying data: first and last name; personal address; phone number
- Electronic identification data: email address
- Professional data: job title; workplace; Riziv/INAMI number; VAT
Management of patients/customers
- Personal identifying data: first and last name; personal address; phone number; national register number
- Electronic identification data: email address, IP address; encrypted password and username, or PIN code
- Personal features: date of birth; place of birth; gender; nationality
- Family data: marital and familial status; family composition
- Conversation: Your medical interactions via the platform
- Appointments: Your medical appointments with different doctors
- Referral letters and other data related to your appointments
Management of the application (doctors)
- Personal identifying data: first and last name; personal address; phone number
- Electronic identification data: email address, encrypted password and username; IP address
- Professional data: job title; workplace; Riziv/INAMI number; national register number
Research, statistics, and improving application
- Personal identifying data: surname, first name, address, telephone number
- Electronic identification data: email address, encrypted password
- Personal features: nationality, gender, languages spoken, country and town/city of birth
- Health data, encrypted data, conversations
4. Is your data disclosed or shared with third parties?
The data listed above is accessible to members of our team, to people intervening as collaborators, to professional healthcare practitioners and, only to the extent strictly necessary, to our lawyers or any technical advisers and to banking or insurance organizations.
We are also likely to transmit your data:
- At the request of a legal, judicial or administrative authority or auxiliary of justice
- In good faith, considering that this action is required to comply with any current law or regulation
- In order to protect and defend our rights or those of other users of our services
We may also be required to give access to certain data to our co-contracting parties, qualified as "subcontractors" within the meaning of the legislation. In all circumstances, we ensure the protection of your data by agreements ensuring confidentiality.
Service Providers (all in Europe unless noted)
- Customer service tool for feedback and complaint handling
- Software development company
- Document management, productivity tools and emails
- Database infrastructure and service provider
- Cloud provider and database server
- CRM and communication tools
- Lawyers and legal services providers
- HR services and social security
- Accountants and financial services providers
- Providers of IT solutions (US)
More information about the subcontractors is available via privacy@vesalius.health
5. Do we transfer your data outside the European Union?
We do not make transfers outside the European Union. If applicable, data transfers to a country outside the Union will be authorized only if:
- The European Commission has issued a decision granting an adequate level of protection equivalent to that provided for by European legislation
- The transfer is covered by an adequate measure such as the Commission's Standard Clauses
- You have given your consent
6. How long is your data kept?
Your personal data that we process will be kept for the duration of our contractual relationship, the time strictly necessary for the fulfillment of our legal and contractual obligations, and the time strictly necessary to protect the vital interests of you or any other person.
| Processing | Duration |
|---|---|
| Medical care customer | 7 years from end of financial year |
| Patient/customer | 30 years from last action |
| Identification/authentication | Deleted at end of contractual relation |
| Research, statistics | 20 years after completion of study |
| Communication | 2 years from last contact |
| Pre-contractual relationships | 2 years after last contact |
| Suppliers | 7 years from end of financial year |
| Litigation | 7 years from decision notification |
7. How do we protect your privacy?
We strive to optimally protect your personal data against unauthorized use and leakages. To this end, we use appropriate physical, organizational, technological and administrative measures such as:
- We use recognized security and encryption processes to ensure the security of the transmission and storage of your data
- We have organizational measures in place, such as restricting access to our computer systems in accordance with the strict needs of each member of staff
- As soon as we can, your data will be pseudonymized or anonymized
- We host your information on our servers which are protected by ad hoc security and certificates
- We have an internal privacy policy and we conduct regular basic training to maintain data privacy awareness
8. What are your rights and how to exercise them?
We attach a great deal of importance to the rights we have as individuals. Contact us at: privacy@vesalius.health or help@vesalius.health. Our DPO is available at: dpo@vesalius.health
Right of access, information and rectification
You can request information at any time about our processing operations, the objectives pursued and the categories of personal data that we hold about you. You may also ask for your data to be corrected or supplemented if it proves to be incorrect or incomplete.
Right to restrict processing
You have the right to ask for the processing of your personal data to be restricted when you dispute its accuracy, when the processing is unlawful, or when we no longer need your data but you need it for legal action.
Right to object
You can object to the processing of your personal data if your data is processed on the basis of our legitimate interests or on the basis of consent. You can also click on "unsubscribe" in every commercial email you receive from us.
Right to data portability
If your information is processed as part of our contractual obligations or following your consent, you have the right to have your personal information transferred in the form in which we hold it.
Right to erasure / right to be forgotten
In the cases provided for by the GDPR or the law, we will proceed with the deletion of your personal data at your request. In principle, you can exercise your rights free of charge.
Right to individual decision making
You have the right not to be subject to a decision based solely on automated processing. We combine automated processes with human intervention.
Lodge a complaint
You have the right to lodge a complaint with the Data Protection Authority (DPA):
Rue de la Presse 35, 1000 Brussels
Phone: +32 (0) 2 274 48 00
Email: contact@apd-gba.be
Website: dataprotectionauthority.be
10. What is the applicable law and the competent jurisdictions?
This Policy is governed by Belgian law. Any dispute relating to the interpretation or execution of this Policy will be subject to Belgian law and will fall under the exclusive jurisdiction of the courts of the judicial district of Brussels.
11. Be mindful of updates to this policy!
This Policy can be updated at any time without notice of modification. We advise you and invite you to consult it regularly.