Privacy Policy
EMSy S.r.l. - Version of May 20, 2026
1. Scope
This privacy notice describes the processing of personal data related to the use of the "EMSy" digital services, including the native mobile app for Android and iOS.
2. Principles
We process data according to lawfulness, fairness, transparency, minimization, integrity and confidentiality (art. 5 GDPR).
3. Data Categories Processed
- Account data: name, email, profession, organization/company, preferences.
- Usage data and technical logs: IP address, device identifiers, timestamps, application events, errors.
- User-generated content: texts and information entered in forms/input areas, excluding any data that directly or indirectly identifies patients.
- Billing/payment data: company name, VAT ID/Tax ID, address, transaction amounts and metadata (card data is managed by payment service providers).
- Audio data (voice input): voice recordings initiated by the user for the AI Assistant voice input, transmitted to OpenAI Whisper for real-time transcription only; not retained after processing.
- Device token: FCM (Firebase Cloud Messaging) token generated by the mobile app for sending push notifications on Android; retained until consent is withdrawn or the app is uninstalled.
4. Purposes and Legal Bases
- Service Delivery (art. 6.1.b GDPR – contract).
- Support and operational communications (art. 6.1.b).
- Security, fraud prevention, legal defense (art. 6.1.f – legitimate interest).
- Analytics, product improvement and scientific research on aggregated or anonymized data (art. 6.1.a – consent via CMP, when requiring non-technical cookies/identifiers).
- Direct marketing (newsletter/updates) only with consent (art. 6.1.a) and revocable at any time.
- Billing and accounting/tax obligations (art. 6.1.c – legal obligation).
5. Minors
The Services are prohibited for minors under 18 years of age. We may implement reasonable age and professional qualification verification measures.
6. Provision
Failure to provide the data necessary for contractual performance prevents use of the Services. Consent for analytics/marketing is optional.
7. Cookies and Similar Technologies
We use technical cookies/SDKs to deliver the Services. Analytics/marketing tools are activated only with prior consent through a cookie banner/CMP with "Accept all", "Reject all" and granular choice options. Consent can be withdrawn at any time from the "Cookie Preferences" link. The native mobile app does not use browser cookies; it uses an FCM (Firebase) token for push notifications on Android — consent is explicitly requested before activation and can be revoked from profile settings.
8. Recipients and Categories of Suppliers
We process data with vendors who act as Data Processors (art. 28 GDPR) or independent Controllers for specific purposes.
Complete list of sub-processors: for detailed information on all vendors, data categories processed, legal bases and links to Data Processing Agreements, please consult our dedicated Sub-Processors List.
The main providers include:
- Vercel, Inc. - hosting/app delivery (USA/EU, EU–US DPF)
- Stripe, Inc. - PSP payments (USA/EU, EU–US DPF)
- Google LLC - analytics (USA/EU, EU–US DPF, consent only); Firebase Cloud Messaging for Android push notifications (device token, EU–US DPF)
- OpenAI - language models and Whisper for voice input transcription (USA/EU, SCC + TIA, no training; audio not retained)
- Anthropic - language models (USA, SCC + TIA, no training)
- Pinecone - vector database (USA/EU, SCC + TIA)
- Mistral AI - document PDF OCR (France/EU, GDPR-native, no training)
- Brevo (Sendinblue SA) - transactional and marketing email (France/EU, GDPR-native)
Important note: Where available, we prioritize EU regions and pseudonymization/minimization measures. We do not use your content to train third-party models. Patient data is never shared with external providers.
9. Transfers outside the EEA
For certified EU-US Data Privacy Framework (DPF) providers (e.g., Vercel, Stripe, Google), transfers occur on the basis of an adequacy decision. For other providers (e.g., OpenAI, Anthropic, Pinecone), we use Standard Contractual Clauses (SCC) accompanied by Transfer Impact Assessment (TIA) and supplementary technical measures (encryption, minimization, pseudonymization).
10. Retention Periods
- Account data: for the duration of the relationship and up to 24 months from last access, unless required by law.
- Submitted content (no patient data): up to 90 days, then pseudonymization/anonymization where possible.
- Technical/security logs: 6 months (unless further retention is necessary for security or defense purposes).
- Billing: according to legal requirements (up to 10 years).
- Marketing: until consent is withdrawn and, in any case, no longer than 24 months of inactivity.
- Audio/voice input: not retained; processed in real time by OpenAI Whisper and immediately discarded after transcription.
11. Security
We implement appropriate technical and organizational measures: encryption in transit and at rest where applicable, access controls, logging, hardening, backups, data minimization, environment segregation, periodic vendor review.
12. Your Rights
You can exercise the rights referred to in articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection; withdrawal of consent) by writing to info@emsy.io. We respond within 30 days. You can always file a complaint with the Data Protection Authority (www.gpdp.it).
13. Data Breach
In case of personal data breach:
- Notification to the Data Protection Authority (art. 33 GDPR) within 72 hours if the breach is likely to result in a risk to the rights and freedoms of natural persons.
- Communication to data subjects (Article 34 GDPR) without undue delay if the breach is likely to result in a high risk.
14. Profiling and Automated Decision-Making
We may employ light profiling logic for gamification/leaderboards and non-invasive personalization of the experience. This profiling produces no legal effects and does not similarly significantly affect the User. You can object at any time by contacting us.
15. Updates
We may update this privacy notice; in case of substantial modifications, we will provide adequate notice.
Current Version: May 20, 2026
Last substantial update: May 20, 2026 — Updated for mobile app: voice input (Whisper), FCM push notifications, device token, Brevo for email