AURAMED PRIVACY POLICY

• (1)This Policy applies to all personal data processing carried out by AuraMed in connection with:
• a)accessing and using the Platform;
• b)completing online forms;
• c)sending requests, medical descriptions, or logistics information;
• d)uploading documents or files;
• e)communications with us;
• f)being referred to clinics, physicians, or other partners;
• g)appointments, bookings, logistical organization, and operational support;
• h)the security and proper functioning of the Platform.
• (2)To the extent that, subsequently, the User is connected with a clinic, physician, hospital, laboratory, accommodation provider, transport provider, or another partner, that partner may become a separate controller for its own data processing activities. Those processing activities will be governed by that partner's own policies and notices.
• (3)By merely operating the Platform, AuraMed does not act as a direct provider of medical services. The Platform facilitates, structures, and transmits information, but does not replace the direct relationship between the patient and the medical provider.

Depending on how you use the Platform, we may process the following categories of data:

• 3.1.Identification and contact data
• a)first and last name;
• b)telephone number;
• c)e-mail address;
• d)country, city, or other logistical contact details;
• e)legal representative details, if you act on behalf of another person.
• 3.2.Data relating to your request
• a)a description of the medical issue or declared need;
• b)preferences regarding clinic, specialty, language, budget, location, or availability;
• c)details about transport, transfer, accommodation, or other ancillary services.
• 3.3.Health data
• a)information about symptoms, medical history, results, investigations, or medical conditions communicated by you;
• b)medical documents uploaded by you (for example: analyses, imaging, recommendations, medical summaries), if the Platform provides this functionality;
• c)technical structuring or summarization conclusions generated from the uploaded documents.

Health data represent special categories of data within the meaning of Article 9(1) GDPR.

• 3.4.Technical and usage data
• a)IP address;
• b)device and browser technical identifiers;
• c)access logs, errors, and technical diagnostics;
• d)session, security, and service performance data;
• e)data collected through cookies or similar technologies, in accordance with the Cookies Policy.
• 3.5.Communication data
• a)the content of messages sent through chat, form, e-mail, WhatsApp, or other channels;
• b)the history of interactions with support;
• c)any feedback or responses to questionnaires.
• 3.6.Financial and transaction data

If in the future the Platform allows payments, bookings, or advances, we may process data necessary for invoicing and payment records, such as:

• a)name / business name;
• b)billing address;
• c)tax identification number / VAT number, where applicable;
• d)amount, currency, payment status;
• e)transaction identifiers provided by payment processors.

• (1)Data are collected:
• a)directly from you, within the meaning of Article 13 GDPR, when you complete forms, use chat, upload documents, or contact us;
• b)indirectly, within the meaning of Article 14 GDPR, from representatives, family members, clinics, partners, or other providers involved in your request, if there is a lawful basis for doing so;
• c)automatically, through use of the Platform, in the form of technical data, logs, and cookies.
• (2)If you provide data about another person (for example, a family member, represented patient, minor, or person in your care), you declare that you have the legal right to do so and that you have made the relevant information from this Policy available to them, to the extent required by law.

In accordance with Article 6 GDPR and, where applicable, Article 9 GDPR, AuraMed processes your data for the following purposes:

• 5.1.Provision and operation of the Platform

Purpose: access, use, display of features, technical stability, session management, and ensuring baseline security.

Legal basis:

Article 6(1)(b) GDPR – processing necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;

Article 6(1)(f) GDPR – legitimate interest concerning the security, administration, and proper functioning of the Platform.

• 5.2.Handling requests, contact, and support

Purpose: receiving your request, formulating responses, clarifying the request, contacting you, and providing operational or administrative support.

Legal basis:

Article 6(1)(b) GDPR;

Article 6(1)(f) GDPR, for internal organization, record-keeping, and the protection of AuraMed's legitimate interests.

• 5.3.Informational pre-triage, structuring, and facilitating connection with clinics / physicians / partners

Purpose: organizing the information provided by you, formulating additional questions, identifying relevant options, and forwarding the request to selected or compatible partners.

For ordinary data:

Article 6(1)(b) GDPR.

For health data:

Article 6(1)(a) GDPR, read together with Article 9(2)(a) GDPR – explicit consent;

to the extent that certain operations are strictly necessary for the data subject's express request and are compatible with the applicable legal framework, other legal bases permitted by law may also apply, but AuraMed treats explicit consent, in the current model, as the primary legal basis for this category of data.

• 5.4.Communicating and transferring data to selected clinics / physicians / partners

Purpose: sending the request, obtaining offers, availability, or responses, facilitating scheduling, and organizing related services.

Legal basis:

Article 6(1)(b) GDPR, for the steps requested by you;

Article 6(1)(a) GDPR + Article 9(2)(a) GDPR, to the extent health data are transferred.

• 5.5.Compliance with legal obligations

Purpose: fiscal and accounting compliance, legal archiving, responding to requests from authorities, fraud prevention, and defending rights in judicial or administrative proceedings.

Legal basis:

Article 6(1)(c) GDPR – legal obligation;

Article 6(1)(f) GDPR – legitimate interest in establishing, exercising, or defending a right.

• 5.6.Security, abuse prevention, and internal audit

Purpose: security monitoring, incident detection, prevention of unauthorized access, technical audit, and incident documentation.

Legal basis:

Article 6(1)(f) GDPR;

security measures must be implemented in line with Article 32 GDPR.

• 5.7.Commercial communications / newsletter

Purpose: sending news, offers, promotional information, or campaigns.

Legal basis:

Article 6(1)(a) GDPR – consent;

where specially regulated electronic means are used, Law no. 506/2004 is also observed.

• 5.8.Cookies and similar technologies

Purpose: technical functioning, security, remembering preferences, and, where applicable, analytics / marketing.

Legal basis:

for strictly necessary cookies: legitimate interest / technical necessity, within the limits of the law;

for non-essential cookies: consent, in accordance with Article 4(5) of Law no. 506/2004 and Article 6(1)(a) GDPR. In 2025 ANSPDCP also sanctioned operators who stored non-essential cookies without clear notice and without express consent.

• 5.9.Service improvement

Purpose: improving flows, identifying errors, optimizing the experience, and operational testing and calibration.

Legal basis:

Article 6(1)(f) GDPR, for technical data, logs, and proportionate operational information;

if the data are irreversibly transformed into anonymized data, they no longer constitute personal data.

The principles of lawfulness, transparency, purpose limitation, data minimization, and storage limitation are set out in Article 5 GDPR, while the information duty regarding purposes, legal bases, recipients, and storage periods is imposed by Articles 13-14 GDPR.

• (1)Health data are sensitive data / special categories of data within the meaning of Article 9(1) GDPR. As a rule, their processing is prohibited, except in the situations provided by Article 9(2) GDPR.
• (2)Under AuraMed's current model, when you provide us with:
• a)symptoms;
• b)medical history data;
• c)analyses, MRI, CT, X-rays, results, medical letters, or other medical documents;

processing is carried out mainly on the basis of your explicit consent, in accordance with Article 9(2)(a) GDPR, read together with Article 6(1)(a) and/or (b) GDPR, depending on the nature of the request.

• (3)Consent must be freely given, specific, informed, and unambiguous, and for health data it must be explicit. It may be withdrawn at any time, without affecting the lawfulness of processing carried out before withdrawal, in accordance with Article 7 GDPR. The EDPB explicitly treats consent as the benchmark standard in such sensitive contexts.
• (4)Withdrawal of consent may make it impossible to continue the requested service, to the extent that those data are strictly necessary to process your request.
• (5)Please do not provide more medical data than is necessary for the intended purpose.

• (1)Some data are mandatory in order to process your request or provide the requested service. These will be marked as such in forms or explicitly requested in the conversation.
• (2)Refusal to provide certain data may result in:
• a)the impossibility of analyzing the request;
• b)the impossibility of identifying a relevant partner;
• c)the impossibility of facilitating an appointment, booking, or offer.
• (3)Providing marketing data and non-essential data is generally optional.

• (1)AuraMed may use software tools, algorithms, and artificial intelligence components for:
• a)extracting and structuring information from documents;
• b)formulating clarification questions;
• c)generating summaries;
• d)ordering certain options;
• e)conversational assistance and operational support.
• (2)In the current Platform model, these operations serve an assistance and support role, and AuraMed seeks to avoid the adoption of a decision based solely on automated processing that produces legal effects concerning the data subject or similarly significantly affects them, within the meaning of Article 22(1) GDPR.
• (3)If, in a specific workflow, there is an automated assessment component relevant to the data subject, AuraMed will provide the information required by Article 13(2)(f) and/or Article 14(2)(g) GDPR, as applicable.
• (4)In the situations provided by law, the data subject has the right:
• a)to request human intervention;
• b)to express their point of view;
• c)to contest the decision, in accordance with Article 22(3) GDPR.

To the extent necessary and proportionate, we may disclose your data to:

• a)IT, cloud, hosting, security, maintenance, and technical support providers;
• b)AI service providers or document processing providers, to the extent they are used in the operational flow;
• c)clinics, physicians, hospitals, laboratories, or other indicated or selected medical partners;
• d)transport, transfer, accommodation, translation, concierge, or other ancillary partners;
• e)lawyers, consultants, auditors, accountants;
• f)public authorities, institutions, judicial bodies, or supervisory bodies, where there is a legal obligation or a strong legitimate interest;
• g)payment processors and financial institutions, if and when the Platform integrates payments.

In each case, the transfer of data is limited to what is necessary for the intended purpose and is carried out in accordance with Article 5(1)(c) GDPR and Article 28 GDPR, where applicable.

• (1)In principle, AuraMed seeks to process data within the European Economic Area (“EEA”).
• (2)If, for certain technical, cloud, AI, support, or communication services, data are transferred to recipients outside the EEA, AuraMed will use one of the mechanisms permitted under Chapter V GDPR, in particular:
• a)an adequacy decision within the meaning of Article 45 GDPR; or
• b)appropriate safeguards within the meaning of Article 46 GDPR, such as standard contractual clauses, where applicable.
• (3)The European Commission confirms that, under Article 45 GDPR, data may flow to jurisdictions for which an adequacy decision exists without additional safeguards, and the list of those jurisdictions is officially updated by the Commission.
• (4)If you would like information about the specific mechanism applicable to an international transfer relevant to your data, you may write to us at contact@auramed.ro.

AuraMed applies the storage limitation principle set out in Article 5(1)(e) GDPR. Data are kept only for as long as necessary for the purposes for which they were collected or for the period required by law.

• 11.1.Contact data and requests

They are kept for the time necessary to manage the request and, subsequently, for a reasonable period necessary for record-keeping, support, defense of rights, or compliance.

• 11.2.Uploaded medical documents

In AuraMed's current MVP model, uploaded medical documents are, as a rule, processed transiently for extracting / structuring information and are not intended for long-term storage, absent a contrary contractual or legal necessity.

If, at the specific time of collection, the technical flow requires temporary retention, it will be limited to the minimum necessary.

• 11.3.Conversations and interactions

Conversations may be kept temporarily in identifiable or pseudonymized form for as long as necessary for operating the service, support, and safety. They may subsequently be deleted or irreversibly anonymized.

• 11.4.Billing and transaction data

They are kept for the period required by the applicable fiscal, accounting, and archiving legislation.

• 11.5.Technical logs and security

They are kept for the time necessary to diagnose issues, prevent incidents, and protect the Platform.

• 11.6.Marketing

Data used for commercial communications are kept until consent is withdrawn or until there is no longer a legitimate purpose for the processing.

• (1)The Platform may use cookies and similar technologies for operation, security, analytics, and, where applicable, marketing.
• (2)In accordance with Article 4(5) of Law no. 506/2004:
• a)storing or accessing information on the user's terminal equipment is permitted only after the user receives clear and complete information;
• b)for cookies that are not technically necessary, the user's valid agreement / consent is required, subject to the exceptions strictly provided by law. ANSPDCP reiterated this standard through recent sanctions applied for non-essential cookies installed without consent and without adequate notice.
• (3)Full details regarding cookie types, duration, and management methods will be set out in a separate Cookies Policy or in a dedicated consent module.

Under the conditions laid down in Articles 12-22 GDPR, you have the following rights:

• a)the right to information – Articles 13 and 14 GDPR;
• b)the right of access – Article 15 GDPR;
• c)the right to rectification – Article 16 GDPR;
• d)the right to erasure (“right to be forgotten”) – Article 17 GDPR;
• e)the right to restriction of processing – Article 18 GDPR;
• f)the right to data portability – Article 20 GDPR;
• g)the right to object – Article 21 GDPR;
• h)the right not to be subject to a decision based solely on automated processing – Article 22 GDPR;
• i)the right to withdraw consent at any time where processing is based on consent;
• j)the right to lodge a complaint with the competent supervisory authority – Article 77 GDPR;
• k)the right to seek a judicial remedy – Article 79 GDPR.

These rights are also reflected in ANSPDCP's official materials regarding the rights of data subjects.

• (1)To exercise the rights above, you may contact us at:

E-mail: contact@auramed.ro

DPO (if any): not currently appointed

• (2)We will respond without undue delay and, as a rule, within no more than one month of receiving the request, in accordance with Article 12(3) GDPR, with the possibility of extending the period under the conditions laid down by law.
• (3)Where we have reasonable doubts about the identity of the requester, we may request additional information for verification, to the extent permitted by Article 12 GDPR.

If you believe that the processing of your data infringes the applicable legislation, you have the right to lodge a complaint with:

National Supervisory Authority for Personal Data Processing (ANSPDCP)

Bd. G-ral Gheorghe Magheru 28-30, District 1, Bucharest, Romania

Website: https://www.dataprotection.ro/

E-mail: anspdcp@dataprotection.ro

You also have the right to an effective judicial remedy, in accordance with Article 79 GDPR. ANSPDCP officially indicates the right of data subjects to lodge complaints and makes the relevant procedures available.

• (1)AuraMed implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR.
• (2)These measures may include, as applicable:
• a)access control;
• b)authentication and logging;
• c)encryption in transit and/or at rest, where feasible;
• d)segmentation and limitation of internal access;
• e)pseudonymization;
• f)backup, monitoring, and incident response policies;
• g)the principles of “privacy by design” and “privacy by default”, laid down in Article 25 GDPR.
• (3)However, no system can guarantee absolute security. In the event of a security incident, AuraMed will apply the relevant legal procedures.

• (1)The Platform is not intended for autonomous use by persons who do not have the legal capacity necessary to make the requests covered by the service on their own.
• (2)If the data concern a minor or a legally represented person, use of the Platform and submission of the data must be carried out by a parent, guardian, curator, or another authorized legal representative.
• (3)If an information society service is offered directly to a child on the basis of consent, the relevant rules under Article 8 GDPR and the applicable national legislation will apply.

• (1)AuraMed is the controller for the processing operations it decides within its own workflow: collection of the request, structuring, operational support, transfer to selected partners, and administration of the Platform.
• (2)Clinics, physicians, and other partners are generally separate controllers for their own activities, including for:
• a)medical assessment;
• b)medical scheduling;
• c)issuance of medical documents;
• d)the actual provision of the medical service;
• e)their own billing;
• f)medical archiving and professional obligations.
• (3)If, in a specific workflow, there is a joint controllers relationship within the meaning of Article 26 GDPR or a special processing mandate, you will be informed separately.

The Platform may contain links to websites, portals, scheduling systems, clinic pages, or other external services. AuraMed is not responsible for third parties' privacy policies or practices. We recommend that you consult their own policies before providing them with data.

• (1)AuraMed may amend this Policy for legal, technical, operational, or commercial reasons.
• (2)Any updated version will be published on the Platform, indicating the date of the latest update.
• (3)If the changes are significant, we may also inform you through other reasonable means.

For any questions regarding the processing of personal data, you may contact us at:

PTECHIT SRL

Address: Bdul. Mamaia Nord 14, CORP B2, Floor 2, Apt. 38, Navodari, Constanta County, postal code 905700, Romania

E-mail: contact@auramed.ro

Telephone: +40 750 484 004

DPO: not currently appointed

Regulation (EU) 2016/679 (“GDPR”), in particular Articles 5, 6, 7, 9, 12-22, 25, 32, and 44-49;

Law no. 190/2018 on measures for implementing the GDPR;

Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, including cookies and similar technologies.