Privacy Policy for Sicknote.com

1. Introduction

At Sick Note, we are committed to protecting your privacy and ensuring the security of your personal information. “Sick Note” (“we”, “us”, or “our”) refers to Sicknote OÜ, a company incorporated in Estonia, operating the website https://sicknote.com (the “Site”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit the Site or use our online telehealth services (collectively, the “Services”). This policy applies to all users of our platform.

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

2.1 Personal Information

We may collect the following categories of personal information:

  • Identification Information: Full name, date of birth, gender, email address, postal address, phone number, government-issued identification information, and digital signature.
  • Health and Medical Information: Medical history, current symptoms and conditions, diagnoses, treatment plans, prescriptions, lab results, uploaded images/documents (e.g., test results) and other health-related information you provide to us or that is generated through your use of our Services.
  • Payment Information: Credit card details, billing address, transaction history (note: no full card details are stored by us) and other financial information necessary to process payments.
  • Insurance Information: Health insurance policy details, coverage information, and insurance identification numbers.
  • Account Information: Username, password, security questions and answers, and preferences related to your account.
  • Communication Information: Records of your interactions with us, including consultation notes, messages, emails, phone calls, chat transcripts and feedback.

2.2 Automatically Collected Information

When you visit our Site or use our Services, we may automatically collect certain information about your device and usage, including:

  • Device Information: IP address, browser type and version, operating system, device type, and mobile device identifiers.
  • Usage Data: Pages visited, time spent on pages, links clicked, referring/exit pages, search terms, date/time stamps, and interaction with content.
  • Location Information: General location data derived from your IP address.
  • Cookies and Similar Technologies: Information collected through cookies, web beacons, and similar tracking technologies (see our Cookie Policy section for more details).

3. How We Collect Your Information

We collect your information through:

  • Direct Interactions: Information you provide when creating an account, completing forms, participating in consultations, communicating with us, or using our Services.
  • Automated Technologies: When you interact with our Site, we may use cookies, web beacons, and similar technologies.
  • Third-Party Sources: Payment processors and identity verification services, with your consent or as permitted by law.

4. How We Use Your Information

We use your information for the following purposes:

4.1 Providing Our Services

  • To deliver telehealth services, including medical consultations and prescriptions
  • To process payments and manage your account
  • To communicate with you about your care, prescriptions, and appointments
  • To maintain your medical records and treatment history

4.2 Improving Our Services

  • To analyze usage patterns and trends
  • To develop new features and services
  • To enhance the user experience
  • To conduct research and analysis (using de-identified or aggregated data)
  • To troubleshoot technical issues

4.3 Marketing and Communication

  • To inform you about new services, features, or health information that may be of interest to you (where you have opted in to receive such communications)
  • To conduct surveys and collect feedback
  • To respond to your inquiries and requests

4.4 Legal and Regulatory Compliance

  • To comply with legal obligations and regulatory requirements
  • To detect and prevent fraud, abuse, and security incidents
  • To enforce our Terms of Service and other policies
  • To establish, exercise, or defend legal claims

5. Legal Basis for Processing

We only process your data where we have a lawful basis to do so. If you are located in the European Economic Area (EEA), we process your personal information on the following legal bases:

  1. Consent: Processing based on your specific consent, which you may withdraw at any time.
  2. Contractual Necessity: Processing necessary to provide you with the Services you request.
  3. Legitimate Interests: Processing necessary for our legitimate interests, provided these interests do not override your fundamental rights and freedoms.
  4. Legal Obligation: Processing necessary to comply with our legal obligations.
  5. Vital Interests: In rare emergency situations, processing necessary to protect your vital interests or those of another person.

For special categories of personal data, including health information, we rely on:

  1. Explicit Consent: Your explicit consent for specific purposes.
  2. Healthcare Provision: Processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health care or treatment.
  3. Public Health: Processing necessary for reasons of public health.

6. How We Share Your Information

We may share your information with:

6.1 Healthcare Providers and Partners

Healthcare professionals providing services on our platform: Doctors, nurses, pharmacists, and other healthcare professionals involved in your care through our platform.

6.2 Service Providers

  • Technology Providers: Hosting services, analytics providers, customer support platforms, and other IT service providers.
  • Payment Processors: To process transactions and payments.
  • Communication Services: Email providers, messaging services, and telephony providers to facilitate communications.

6.3 Legal and Regulatory Recipients

  • Regulatory Authorities: Healthcare regulatory bodies, medicine enforcement agencies, and other government authorities as required by law.
  • Law Enforcement: When required by law, court order, or other legal process.

We may share your information with other third parties when you expressly consent to such sharing.

We do not sell your personal information to third parties.

7. Data Retention

We retain your personal information for as long as necessary to:

  • Provide the Services you request
  • Comply with legal and regulatory obligations, including healthcare record retention requirements
  • Resolve disputes and enforce our agreements

Healthcare records are typically retained for a minimum period as required by applicable healthcare laws:

  • Health data: up to 10 years (or as required by healthcare law)
  • Account data: up to 6 years after termination
  • Payment records: up to 7 years for tax/audit purposes

After the required retention period expires, we will securely delete or de-identify your information unless there is a legitimate reason to retain it longer.

8. Your Rights and Choices

You have the following rights under data protection law:

8.1 Access and Portability

  • The right to request access to your personal information
  • The right to receive a copy of your personal information in a structured, commonly used, machine-readable format

8.2 Correction and Deletion

  • The right to request correction of inaccurate personal information
  • The right to request deletion of your personal information, subject to certain exceptions including legal obligations to retain healthcare records

8.3 Restriction and Objection

  • The right to restrict processing of your personal information
  • The right to object to processing based on legitimate interests
  • The right to withdraw consent where processing is based on consent

8.4 Marketing Choices

You can opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in marketing emails
  • Adjusting your communication preferences in your account settings
  • Contacting us directly using the information in the “Contact Us” section

8.5 Cookie Preferences

  • You can manage cookie preferences through your browser settings
  • See our Cookie Policy section for more information

To exercise your rights, please contact our Data Protection Officer using the contact information provided in Section 14. We will respond to your request in accordance with applicable laws.

9. Cookie Policy

9.1 What Are Cookies

Cookies are small text files that are placed on your device when you visit our Site. They allow us to recognize your device and store certain information about your preferences or actions.

9.2 Types of Cookies We Use

  • Essential Cookies: Required for the operation of our Site and Services, including security features and account authentication.
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences.
  • Analytical/Performance Cookies: Help us analyze how users interact with our Site to improve its performance and design.
  • Marketing Cookies: Used to track visitors across websites to enable targeted advertising.

9.3 Third-Party Cookies

Some cookies may be placed by third parties, such as analytics providers and advertising networks. These third parties may use cookies, web beacons, and similar technologies to collect information about your use of our Site and other websites.

9.4 Cookie Management

You can control and manage cookies in various ways:

  • Browser Settings: Configure your browser to refuse all or some cookies, or to alert you when websites set or access cookies.
  • Cookie Consent Tool: Use our cookie consent management tool when visiting our Site.
  • Opt-Out Tools: Use industry opt-out tools like the Digital Advertising Alliance, Network Advertising Initiative, or European Interactive Digital Advertising Alliance.

For more, see our Cookie Policy. Please note that disabling cookies may impact your experience using our Site, as some features may not function properly.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, accidental loss, alteration, disclosure, or destruction.

These measures include:

  • Encryption of sensitive data both in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Staff training on data protection and security practices
  • Physical security measures for our facilities
  • Incident response procedures

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to implementing reasonable security practices.

11. International Data Transfers

As a global service, we may transfer, store, and process your information in countries other than your country of residence, including the United States and countries in the European Union.

For transfers from the EEA to countries not deemed to provide an adequate level of data protection, we implement appropriate safeguards such as:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules
  • Other legally approved mechanisms

You can request more information about these safeguards by contacting our Data Protection Officer.

12. Children’s Privacy

Our Services are not intended for children under the age of 16 without parental consent. We do not knowingly collect personal information from children under 16 without verifiable parental consent. If you are a parent or guardian and believe we have collected information from your child without your consent, please contact us immediately, and we will take steps to remove that information from our servers.

For telehealth services provided to minors, we require appropriate parental or guardian consent and involvement in accordance with applicable healthcare laws and regulations.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. We will post the revised policy on our Site with an updated “Last Updated” date. If we make material changes, we will notify you through the Services or by other means, such as email, prior to the changes becoming effective.

We encourage you to review our Privacy Policy periodically to stay informed about our data practices. Your continued use of our Services after any changes to this Privacy Policy constitutes your acceptance of the revised policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

Data Protection Officer

Viktor Simunović

Goranska 7, 51219 Cavle, Croatia

Email: [email protected]

14.1 For EU/EEA Residents

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal information does not comply with the GDPR.

15. Specific Jurisdictional Information

15.1 European Union / European Economic Area

As detailed in Section 5, we process personal data in accordance with the GDPR. We have appointed a Data Protection Officer and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

15.2 United Kingdom

We comply with the UK GDPR and the Data Protection Act 2018. References to the GDPR in this policy also apply to the UK GDPR where applicable.

16. Additional Information

16.1 Telemedicine Services

Our telemedicine services involve the electronic exchange of health information. By using these services, you acknowledge and consent to the electronic transmission of your health information, which may include sensitive medical data. We maintain appropriate safeguards for this information in accordance with applicable healthcare privacy laws.

16.2 Sick Note Processing and Handling

Our core service involves the issuance of sick notes (medical certificates). When processing sick notes through our platform:

  • We collect only the minimum necessary health information required to appropriately issue a valid sick note.
  • Your sick note information is securely stored and transmitted using encryption technologies.
  • Sick notes may be shared with third parties (such as employers or educational institutions) only with your explicit consent and direction.
  • We maintain records of issued sick notes for legal compliance and to provide you with access to your history of medical certifications.
  • You can access, download, and share your sick notes through your secure account.
  • We implement additional verification mechanisms to ensure the authenticity and validity of sick notes issued through our platform.
  • We may use anonymized sick note data for quality improvement, statistical analysis, and service optimization.

By using our sick note services, you consent to this processing while understanding that we apply strict security controls to protect this sensitive information.

16.3 Healthcare Communications

We may send you appointment reminders, sick note notifications, follow-up care instructions, and other healthcare-related communications via email, SMS, or push notifications. These essential service communications are distinct from marketing communications and may continue even if you opt out of marketing communications.

16.4 Analytics and De-identified Data

We may use de-identified or aggregated data for analytics, research, and service improvement purposes. De-identified data is information that cannot reasonably identify, relate to, describe, or be linked to a particular individual. We maintain appropriate safeguards to prevent re-identification of such data.

16.5 Medical Emergencies

In case of a medical emergency that may pose an immediate risk to your health or safety, we may disclose your personal information, including health information, to emergency services or healthcare providers as necessary to provide urgent care. This disclosure will be limited to the minimum necessary information required for emergency treatment.

17. Accessibility

We are committed to making our Privacy Policy accessible to all users, including those with disabilities. If you have difficulty accessing any part of this policy, please contact us using the information in Section 14, and we will provide the information in an alternative format.

By using Sick Note’s Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.