GDPR Compliance

Last updated: April 1, 2025

1. Our Commitment to GDPR

DocLive.ai is fully committed to compliance with the European Union's General Data Protection Regulation (GDPR). As a health technology platform that processes sensitive personal data, we hold ourselves to the highest standards of data protection. This page explains how we comply with GDPR requirements and how you can exercise your rights.

2. Data Controller

DocLive.ai acts as the Data Controller for all personal data processed through our Service. This means we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with GDPR.

3. Lawful Basis for Processing

We process your personal data under the following lawful bases as defined by Article 6 of GDPR:

  • Consent (Art. 6(1)(a)): For processing health data (special category data under Art. 9), we obtain your explicit consent during account creation and onboarding. You may withdraw consent at any time.
  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you have subscribed to, including AI health consultations, document processing, and health tracking.
  • Legitimate Interest (Art. 6(1)(f)): For analytics, security monitoring, and service improvement, where our interests do not override your fundamental rights.
  • Legal Obligation (Art. 6(1)(c)): Where processing is required by law, such as tax or regulatory compliance.

4. Special Category Data

DocLive.ai processes health data, which is classified as special category data under Article 9 of GDPR. We process this data under the following conditions:

  • Explicit Consent (Art. 9(2)(a)): You provide explicit consent for health data processing during onboarding.
  • Health Management (Art. 9(2)(h)): Processing is necessary for health management purposes and the provision of health services.

5. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR. We have built tools directly into the app to help you exercise these rights easily:

5.1 Right of Access (Art. 15)

You have the right to obtain confirmation of whether we are processing your personal data and to access that data. You can export all your data at any time through Settings > Privacy > Export My Data in the app, or by contacting our DPO.

5.2 Right to Rectification (Art. 16)

You have the right to have inaccurate personal data corrected. You can update your profile information directly in the app, or contact us for data that cannot be self-corrected.

5.3 Right to Erasure (Art. 17)

You have the right to request deletion of your personal data (“right to be forgotten”). You can delete your account and all associated data through Settings > Privacy > Delete My Account in the app. Upon deletion:

  • All personal data, health records, chat history, and uploaded documents are permanently deleted.
  • Data is removed from all primary databases and backups within 30 days.
  • Anonymized, aggregated data that cannot identify you may be retained for research purposes.

5.4 Right to Restrict Processing (Art. 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.

5.5 Right to Data Portability (Art. 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON). Use the data export feature in the app to download your complete data package.

5.6 Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds.

5.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)

Our AI-generated health guidance, including triage severity assessments and Health Intelligence Scores, are advisory in nature and do not constitute automated decisions with legal or similarly significant effects. They are always presented as informational guidance, not medical decisions.

6. Data Processing and Sub-processors

We use the following categories of sub-processors, all bound by Data Processing Agreements (DPAs) that ensure GDPR compliance:

  • Cloud Infrastructure: EU-based hosting for data storage and processing.
  • AI Processing: Language model providers for generating health guidance (data is not retained by AI providers for training).
  • Authentication: Secure identity verification services.
  • OCR Processing: Document scanning and text extraction services.

7. International Data Transfers

Your data is primarily stored and processed within the European Union. Where data must be transferred outside the EU (e.g., for AI processing), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data Processing Agreements with all third-party processors.
  • Adequacy decisions where applicable.

8. Data Protection Impact Assessment

Given the sensitive nature of health data, we have conducted a Data Protection Impact Assessment (DPIA) as required by Article 35 of GDPR. This assessment evaluates the risks of our data processing activities and the measures we have implemented to mitigate those risks.

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33).
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
  • Document all breaches, including their effects and remedial actions taken.

10. Contact Our Data Protection Officer

For any GDPR-related inquiries or to exercise your rights, please contact:

You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.