Siffi - Privacy policy

Revised on 20.10.2025

Minudoc OÜ (henceforth also “we” and „Siffi“) highly values the privacy of each client (henceforth “you”). In this privacy notice, we will explain to you what kind of data we collect about you, why we do it and what we do with your data.

Who are we?

Minudoc OÜ (hereafter „Siffi“) is a company that manages and administrates Siffi platform and mediates clients registered via Siffi platform to registered Siffi mental health service providers and vice versa.

Siffi applies the necessary technical, physical and organisational security measures to Siffi platform to protect the client’s personal data from loss or unlawful processing.

What kind of data do we collect about you and from whom?

We collect the following data about you:

• personal data: first and last name;
• contact information: e-mail address, phone number;
• transaction data: information about the time, duration and cost of your transactions on the Siffi platform, language preferences;
• special categories of data (information on health): descriptions of health issues directed to the health service provider through the Siffi platform, and the feedback given to these problems from the service provider;
• optional data: such as profile photos that can be uploaded by our customers, and/or pictures or videos shared with health service providers via chat for better clinical decisions;
• mental wellbeing profile information based on our proprietary questionnaires across 5 dimensions of your mental wellbeing. These questionnaires have clinical surveys incorporated, but also use feedback on other aspects of your life;
• support and quality related information: feedback on the quality of service you used on Siffi platform, mobile device logs like phone OS, make and model, user given permissions, our app versioon;

In general, we get the information directly from you, when you create your account in Siffi and use the health services that it mediates.

Also, your information is entered into the Siffi platform by the persons providing the health service for you, with the objective of that information being forwarded to you.

Why do we need your data? What happens if you don’t submit data to us?

We need and we use your data through Siffi platform to mediate health and wellbeing services to you. For example, for creating a user account, for managing it, and for connecting it through the Siffi platform to the services offered, including for creating references between you and the service provider.

Some examples:

• personal data – we need this data to verify your identity;
• contact information – we need this to get in touch with you, send you notifications about your service (for example, about a booked time with a health service provider);
• transaction data – we use this information for billing with the health service provider, and for providing you information about transactions you have carried out in Siffi;
• special categories of data (information on health) – this is data we use only when forwarding it to the person providing the health service for you, and vice-versa, when forwarding their feedback back to you;
• optional data such as photos and videos – this is needed for better clinical decisions by service provider. But you can choose not to supply these and can still use our services;
• support and quality related information – this is needed for troubleshooting any technical or service usage issues. Some of the feedback can not be shared with us, i.e. service ratings. Most of this is collected automatically on your login;

If you do not submit information to us and if you do not provide the consent outlined in section 4 of this notice, it will not be possible for us to provide health services for you through the Siffi platform as our service providers need that data.

What are the legal bases for us when processing your data?

When processing your data, we rely on various following legal bases:

the need to enter into a contractual relation with you or execute a contract we have signed with you;

your consent – this is our basis when processing special categories of data (health information).
Without your consent, we cannot provide health services for you through the Siffi platform. At any moment, you have the right to revoke your consent. To give and withdraw consent, please see the My consents subsection of your account;

our need to fulfil legal obligations – for example, the obligation to store accounting documents for 7 years, which stems from the Accounting Act;

We process your health data solely for the purpose of providing health or wellbeing services via the Siffi platform, based on Article 9(2)(h) of the GDPR. Other processing, such as platform maintenance, security logs or analytics, may rely on our legitimate interest under Article 6(1)(f), but this never involves health data;

Siffi acts as an independent controller for platform operations and a data processor when transmitting data between you and the health service provider, who remains the controller for health service provision;

In limited cases, we may process data to comply with legal obligations (e.g., accounting, security, or audit requirements) or to protect vital interests (e.g., emergencies).

With whom do we share your data?

We do not share the data you have entrusted with us, except in a limited number of cases described below, and in case if it is necessary to fulfil the objectives described in this privacy notice:

• Service providers: like many other companies, we may outsource data processing services to trusted third party providers, such as IT and consultation services;
• Public authorities and government institutions: we may share data with the authorities if we are legally obligated to share said data. We may process limited non-health personal data as necessary to defend or establish legal claims or prevent fraud, in accordance with our legitimate interests (Art. 6(1)(f) GDPR).

If we share your data with the persons listed above, we will guarantee the protection of your data through a data processing contract that we will enter into with this person.

We do not store or send your personal data outside the EEA.

How long do we store your data?

In general, we store your data until it is needed to fulfil the various objectives of data processing.

We store your special categories of data (information on health) for 7 days starting from their entry into the platform by you or by your chosen service provider.

For determining the storage period of other data, we use the following criteria:

How long do we need to store data to offer you our services?

If you have created an account with us, we store your data for the entire time that your account is active or until the data are needed for providing services for you.

If we have a legal, contractual or any other type of obligation of the kind to store your data, we will do so until that obligation applies to us. Examples of such obligations are laws that set requirements for data storage, the regulations and decisions of the government, according to which data necessary for proceedings have to be maintained, or data that are needed for settling court disputes.

Deleting account

You can delete your account anytime. For that you will need to navigate to Profile view via web or mobile app and hit “Delete my account”. When you delete your account, your personal identifiers (e.g., name, email, phone) are permanently erased. Certain non-identifiable usage statistics (e.g., booking made by you, but not any more associated with you) are retained in anonymised form for preserving transaction data and reporting. These records can no longer be linked to you personally.

What are your rights in relation to your data?

As a data subject, you have the following rights:

• Right of access to the data – you have the right to know what kinds of data about you are being stored. You can access your data through the account you created on the Siffi platform through the subsection My profile.
• Right to rectification – you have the right to demand the correction of your personal data if they are incorrect. If needed, you can change the data you have submitted to us (except your identification code) yourself in the Siffi platform through the subsection My data.
• Right to erasure (‘right to be forgotten’) – you have the right to demand us to erase your personal data (for example, if we do not need the data anymore, if you withdraw the consent you have given us for processing your personal data, etc.).
• Right to restriction of processing – in certain cases, you have the right to prohibit or limit the processing of your personal data for a certain period (for example, if you have submitted an objection in relation to data processing).
• The right to object – depending on a concrete situation, you have the right to submit objections to the processing of your personal data if the processing of your data is based on our legitimate rights or on public interest. Data processing for the purpose of direct marketing can be objected at any time.
• Right to data portability – you have the right to demand that information you have given us be given to you in a machine-readable format. You can also demand for your data to be transferred to another data controller, but only if it is technically feasible. The right to data portability only applies to data that we process based on your consent or to fulfil the obligations of a contract we have entered into with you.
• Automatic individual decision-making (including profiling) – if we have notified you that we are carrying out automated individual decision-making (including profiling), which will entail legal consequences for you or will impact you in a significant way, you have the right to demand that decisions are not made based on automated processing alone.

If you have any questions about information in this privacy notice or if you want to submit a claim for the execution of your rights as a data subject, please contact us via e-mail at info@siffi.com.

We will do our utmost to address your claims and wishes in a timely manner and free of charge, except in cases, where it would entail a disproportionate cost. If you are not satisfied with our reply, you have the right to take your claim to the Data Protection Inspectorate.

In effect as of 11.02.2018

The Health Service Provider (HSP, henceforth also “we”) that has joined Siffi platform, whose Medical Worker you have chosen to provide a service for you, highly values the privacy of each client (henceforth “you”). In this privacy notice, we will explain to you what kinds of data we collect about you, why we do it and what we do with your data.

Who are we?

The HSP is a provider of health services to clients, who has opened an account with Siffi via Siffi platform.

What kind of data do we collect about you and from whom?

We collect the following data about you:

• personal data: first and last name, personal identification code;

• transaction data: information about the time, duration and cost of your transactions on Siffi platform;

• special categories of data (information on health): at your consent, your health information, descriptions of health problems, video and audio recordings taken when providing health services through Siffi platform, health information entered into your user account on Siffi platform

In general, we get data directly from you in the course of providing health services, and when you forward us descriptions of your health problems. We also get your data from the Health information system.

Why do we need your data? What happens if you don’t submit data to us?

We need and we use your data through Siffi platform to provide health services.

Some examples:

• personal data – we need this data to verify your identity;

• transaction data – we use this data in relation to health services that have been provided for you for accounting purposes with Minudoc OÜ;

• special categories of data (information on health) – this is data we use only when providing health services for you

If you do not submit information to us and if you do not provide the consent outlined in section 4 of this notice, it will not be possible for us to provide health services for you through Siffi platform.

What are the legal bases for us when processing your data?

When processing your data, we rely on various following legal bases:

the need to enter into a contractual relation with you or execute a contract we have signed with you;

your consent – this is our basis when processing special categories of data (health information)
Without your consent, we cannot provide health services for you through the Siffi platform. At any moment, you have the right to revoke your consent. To give and withdraw consent, please see the My consents subsection of your account;

our need to fulfil legal obligations – for example, the obligation to store accounting documents for 7 years, which stems from the Accounting Act;

the need to protect your vital interests or those of any other person (for example, when disclosing your information in case of an accident to an emergency medical service worker);

other legal bases.

With whom do we share your data?

We do not share the data you have entrusted with us, except in a limited number of cases described below, and in case if it is necessary to fulfil the objectives described in this privacy notice:

• Our subsidiaries and related companies: we can share your personal data with our subsidiaries and related companies, which are all located in the European Union

• Service providers: like many other companies, we may outsource data processing services to trusted third party providers, such as IT and consultation services

• Public authorities and government institutions: we may share data with the authorities if we are legally obligated to share said data or if the sharing of data is necessary to protect our rights;

• Professional consultants and others: we may share your data with professional consultants such as auditors, lawyers, accountants and other providers of consultation services;

• Third persons in relation to the company’s transactions: From time to time, we may share your data with third persons during a corporate transaction, for example, the sale of the company or part of the company to another company. This may also occur during company restructuring, the establishment of a joint enterprise, a merger, or any other type of reorganisation of the company’s assets or shares.

If we share your data with the persons listed above, we will guarantee the protection of your data through a data processing contract that we will enter into with this person.

We do not store or send your personal data outside the EEA or to countries that are have not taken a decision on the adequate level of data protection in relation to Article 25 section 6 of Directive 95/46/EC or its extension regulation (EU) 2016/679 Article 45 section 1

How long do we store your data?

In general, we store your data until it is needed to fulfil the various objectives of data processing.

We store data collected in relation to the provision of health services according to the Health Services Organisation Act and the 18.09.2008 regulation nr 56 of the Minister of Social Affairs “Documentation of Provision of Health Services and Conditions and Arrangements for Retention of these Documents”. For example, according to § 35 of the regulation, your anamnesis is stored at least 30 years after its closure.

For determining the storage period of other data, we use the following criteria:

How long do we need to store data to offer you our services?

If we have a legal, contractual or any other type of obligation of the kind to store your data, we will do so until that obligation applies to us.

What are your rights in relation to your data?

As a data subject, you have the following rights:

• Right of access to the data – you have the right to know what kinds of data about you are being stored. As a general rule, you have the right to access documented evidence of any health services that have been provided to you.

• Right to rectification – you have the right to demand the correction of your personal data if they are incorrect.

• Right to erasure (‘right to be forgotten’) – in certain cases, you have the right to demand us to erase your personal data (for example, if we do not need the data anymore, if you withdraw the consent you have given us for processing your personal data, etc.).

• Right to restriction of processing – in certain cases, you have the right to prohibit or limit the processing of your personal data for a certain period (for example, if you have submitted an objection in relation to data processing).

• The right to object – depending on a concrete situation, you have the right to submit objections to the processing of your personal data if the processing of your data is based on our legitimate rights or on public interest.

• Right to data portability – you have the right to demand that information you have given us be given to you in a machine-readable format. You can also demand for your data to be transferred to another data controller, but only if it is technically feasible. The right to data portability only applies to data that we process based on your consent or to fulfil the obligations of a contract we have entered into with you.

If you have any questions about information in this privacy notice or if you want to submit a claim for the execution of your rights as a data subject, please contact us via e-mail at info@www-test.siffi.com.

We will do our utmost to address your claims and wishes in a timely manner and free of charge, except in cases, where it would entail a disproportionate cost. If you are not satisfied with our reply, you have the right to take your claim to the Data Protection Inspectorate.