AuraMed Medical Disclaimer & GDPR

• 2.1.AuraMed is a digital platform for information, request structuring, contact facilitation, administrative orientation and logistics between the user and clinics, doctors or other relevant partners.
• 2.2.AuraMed is not a clinic, hospital, medical office, laboratory, pharmacy or insurer, and does not provide medical services in its own name, unless such capacity is expressly, separately and legally indicated.
• 2.3.Any consultation, clinical evaluation, medical interpretation, diagnosis, therapeutic recommendation, prescription, investigation, treatment or medical intervention belongs exclusively to the authorized medical professionals and providers who actually perform those services.
• 2.4.No provision of this document affects patient rights or the confidentiality of patient information, as established by applicable legislation, including Romanian Law no. 46/2003 on patient rights, especially Articles 21-25, to the extent they become applicable in the relationship between the patient and the medical service provider.

• 3.1.The information displayed, generated, structured or communicated through the Platform is for orientation, information, administrative, logistics and facilitation purposes.
• 3.2.Content provided through the Platform does not constitute and must not be interpreted as:
• a)medical diagnosis;
• b)definitive medical interpretation;
• c)medical prescription;
• d)mandatory individual therapeutic recommendation;
• e)a substitute for direct consultation with an authorized doctor.
• 3.3.The user understands and accepts that any decision regarding their health must be made exclusively together with a doctor or authorized medical provider, based on an appropriate clinical evaluation.
• 3.4.The Platform is not intended for use in medical emergencies. In the event of a medical emergency or acute deterioration of health, the user must immediately contact the competent emergency services or go to the nearest medical facility.

• 4.1.The Platform may use software systems, algorithms, automations and/or artificial intelligence components for:
• a)collecting and structuring information submitted by the user;
• b)formulating clarification questions;
• c)generating summaries or classifications;
• d)facilitating the identification of relevant clinic, doctor or related-service options;
• e)conversational and operational support.
• 4.2.The user accepts that results generated or assisted by such systems may be incomplete, approximate, dependent on the data entered, may contain errors and must be verified before being used for any medical, legal, financial or logistics decision.
• 4.3.AuraMed aims for these functionalities to serve as assistance and support, not as a replacement for human clinical judgment.
• 4.4.To the extent that, in the future, certain functionalities could produce legal effects or similarly significant effects solely through automated processing, AuraMed will implement the applicable requirements provided by Article 22 GDPR and will separately inform users, in accordance with Article 13(2)(f) and/or Article 14(2)(g) GDPR.

Basis for Articles 1-4: the information obligations are set out in Articles 12-14 GDPR; the right concerning exclusively automated decisions is set out in Article 22 GDPR; for medical software, the intended purpose is the central criterion under MDR/MDCG.

• 5.1.Depending on how the Platform is used, AuraMed may process:
• a)identification and contact data;
• b)data regarding the request submitted;
• c)technical and usage data;
• d)data regarding communications;
• e)health data, including symptoms, medical history, investigations, medical documents and other medical information provided by the user.
• 5.2.Within the meaning of Article 4(15) GDPR, “health data” means personal data related to the physical or mental health of a person, including the provision of healthcare services, which reveal information about that person’s health status.
• 5.3.Health data forms part of the special categories of data provided by Article 9(1) GDPR and benefits from a high level of protection.

• 6.1.AuraMed may process the user’s data for the following purposes:
• a)providing and operating the Platform;
• b)receiving, organizing and clarifying the request;
• c)facilitating contact with clinics, doctors and other partners;
• d)transmitting the request to selected or compatible partners;
• e)administrative and logistics organization;
• f)technical support and user relations;
• g)security, fraud prevention and defense of rights;
• h)compliance with legal obligations;
• i)improvement of the service, within the limits of the law.
• 6.2.AuraMed applies the principles provided in Article 5 GDPR, including:
• a)lawfulness, fairness and transparency;
• b)purpose limitation;
• c)data minimization;
• d)accuracy;
• e)storage limitation;
• f)integrity and confidentiality.

• 7.1.For non-special-category data, AuraMed may process data on the basis of:
• a)Article 6(1)(a) GDPR – consent;
• b)Article 6(1)(b) GDPR – performance of a contract or pre-contractual steps at the request of the data subject;
• c)Article 6(1)(c) GDPR – legal obligation;
• d)Article 6(1)(f) GDPR – legitimate interest, especially for security, administration, support and defense of rights.
• 7.2.For health data, AuraMed processes such data, in the current Platform model, primarily on the basis of:
• a)Article 9(2)(a) GDPR – explicit consent of the data subject;

correlated, where applicable, with:

• b)Article 6(1)(a) GDPR;
• c)Article 6(1)(b) GDPR;
• d)Article 6(1)(f) GDPR, only to the extent permitted by law and without replacing the special condition under Article 9 GDPR.
• 7.3.AuraMed will not rely on a legal basis incompatible with the sensitive nature of health data.

• 8.1.By ticking the dedicated checkbox and/or by voluntarily continuing the flow for uploading and submitting medical documents, the user may express explicit consent, within the meaning of Article 7 and Article 9(2)(a) GDPR, for the processing of health data necessary to process their request.
• 8.2.Consent must be freely given, specific, informed and unambiguous, and for this category of data it must be explicit.
• 8.3.Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal.
• 8.4.Withdrawal of consent may make it impossible to continue the requested services if the relevant data is strictly necessary for processing the request.
• 8.5.The user declares that they will not submit data about another person through the Platform unless they have the legal right to do so.

Basis for Articles 5-8: the definition of health data is found in Article 4(15) GDPR; special categories are set out in Article 9(1); their processing requires one of the exceptions in Article 9(2), and for AuraMed the safest option is explicit consent. The principles of processing are set out in Article 5 GDPR.

• 9.1.To the extent necessary and proportionate, the user’s data may be disclosed to:
• a)selected clinics, doctors, hospitals, laboratories or other medical partners;
• b)providers of transport, transfer, accommodation, translation or concierge services, if the user requests such services;
• c)IT, cloud, hosting, technical support, communications, cybersecurity or AI service providers;
• d)consultants, lawyers, accountants, auditors;
• e)public authorities and institutions, where there is a legal obligation.
• 9.2.The clinics and doctors to whom the request is transmitted generally act as separate controllers for their own medical and administrative activities.
• 9.3.AuraMed will transmit only the data strictly necessary for the intended purpose.

• 10.1.If, for providing the Platform, AuraMed uses providers located outside the European Economic Area, data transfers will be carried out only under the conditions of Chapter V GDPR.
• 10.2.Where applicable, AuraMed will use one of the mechanisms permitted by law, including:
• a)an adequacy decision within the meaning of Article 45 GDPR; or
• b)appropriate safeguards within the meaning of Article 46 GDPR, including standard contractual clauses, where applicable.
• 10.3.Upon request, the user may ask for additional information regarding the legal mechanism relevant to the transfer applicable to their data.

• 11.1.AuraMed processes only data that is adequate, relevant and limited to what is necessary for the stated purposes.
• 11.2.In the current Platform model, medical documents uploaded by the user should, as far as possible, be:
• a)processed only to the extent required for the requested purpose;
• b)retained only for the operationally necessary period;
• c)subsequently deleted, anonymized or pseudonymized, to the extent technically and legally feasible.
• 11.3.Conversations and logs may be retained for reasonable periods for security, support, internal audit and defense of rights, according to internal policies and applicable legal requirements.
• 11.4.AuraMed recommends that the user does not submit more documents, images or medical information than is strictly necessary for evaluating their request.

• 12.1.AuraMed applies appropriate technical and organizational measures to protect data, in accordance with Articles 25 and 32 GDPR.
• 12.2.These measures may include, where applicable:
• a)access control;
• b)segregation of roles;
• c)logging;
• d)encryption in transit and/or at rest, where feasible;
• e)pseudonymization;
• f)retention and deletion policies;
• g)periodic risk and security assessments.
• 12.3.Although AuraMed takes reasonable security measures, no information system can guarantee absolute security.

Basis for Articles 9-12: international transfers are regulated by Articles 45-46 GDPR and the official mechanisms of the Commission; security and protection by design/default are set out in Articles 25 and 32 GDPR.

• 13.1.Under the conditions provided by Articles 12-22 GDPR, the user benefits, where applicable, from:
• a)the right to be informed;
• b)the right of access;
• c)the right to rectification;
• d)the right to erasure;
• e)the right to restriction of processing;
• f)the right to data portability;
• g)the right to object;
• h)the right not to be subject to a decision based solely on automated processing, under the conditions of Article 22 GDPR;
• i)the right to withdraw consent at any time, where processing is based on consent;
• j)the right to lodge a complaint with the competent authority.
• 13.2.In Romania, the competent authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP).
• 13.3.The user may exercise these rights by submitting a request to contact@auramed.ro.

• 14.1.By using the Platform, the user confirms that:
• a)they have read and understood this Medical Disclaimer & GDPR;
• b)they understand that AuraMed does not provide diagnosis and does not replace medical consultation;
• c)they will consult an authorized medical professional before making decisions regarding their health;
• d)the data and documents submitted are accurate, to the best of their knowledge;
• e)they have the legal right to submit the uploaded data, including where it concerns another person.
• 14.2.If the user does not agree with the necessary processing of their data, including, where applicable, health data, they must not use the Platform functionalities that involve such processing.

• 15.1.For any questions regarding personal data or this document, the user may contact AuraMed at:

E-mail: contact@auramed.ro

Telephone: +40 750 484 004

Address: Bdul. Mamaia Nord 14, CORP B2, Floor 2, Apt. 38, Navodari, Constanta County, postal code 905700, Romania

• 15.2.If a Data Protection Officer (DPO) has been appointed, their contact details are:

DPO: not currently appointed

E-mail for data protection requests: contact@auramed.ro