tufisio.online

Security & GDPR

Last updated: 01/14/2026

At tufisio.online (the “Service”), we take security and data protection very seriously. This page summarizes the security measures we apply and our practical approach to complying with the General Data Protection Regulation (GDPR).

This page is informational and does not constitute legal advice.

1) GDPR Roles: Controller vs Processor

Depending on the use of the Service, the following usually applies:

  • If a clinic uses tufisio.online to manage appointments, patients, or healthcare information, the clinic typically acts as the Data Controller (decides what data is processed and how).
  • tufisio.online typically acts as the Data Processor (processes data on behalf of the clinic and following its instructions).

If needed, we can provide a Data Processing Agreement (DPA) upon request.

2) Data the Service may process

Depending on configuration and usage, the Service may process:

  • Account/Company Data: clinic name, users, roles, access emails, and contact details.
  • Operational Data: schedule, appointments, availability, notes (as configured by the clinic).
  • Communication Metadata: reminder/notification settings (e.g., WhatsApp reminders), and delivery status where applicable.
  • Website Technical Data: analytics and technical logs (IP, device, browser) for performance and security.

Recommendation: apply data minimization. Avoid storing unnecessary sensitive data and define internal access rules.

3) Security Measures (Overview)

We apply reasonable technical and organizational measures to protect data:

Access Control

  • User and role-based access (where applicable)
  • Principle of least privilege
  • Administrative access protection

Encryption

  • Encryption in transit (HTTPS/TLS)
  • Additional measures based on infrastructure

Operational Security

  • Monitoring and logs
  • Protection against common attacks
  • Backups

Secure Development

  • Environment separation
  • Security updates
  • Secure secret management

No system is 100% infallible, but we work continuously to reduce risks.

4) Minimization and Data Retention

We strive to process only what is necessary and to retain data only for as long as necessary:

  • Demo/contact requests: for a reasonable period to manage the request and follow-up.
  • Usage data and logs: for limited periods for analysis and service protection.
  • Client data: for the duration of the relationship and as agreed, plus any legally required retention periods.

The clinic (as Controller) largely defines what data is entered into the system and how long it must be kept.

5) Sub-processors and Providers

To operate the Service, we may rely on providers (e.g., hosting, analytics, email). These providers may act as sub-processors and will be subject to appropriate confidentiality and security commitments.

We do not sell personal data.

6) International Transfers

If providers outside the European Economic Area are used, appropriate legal guarantees will be applied (e.g., standard contractual clauses or other mechanisms recognized by regulations).

7) Rights of Individuals

The rights of access, rectification, erasure, objection, restriction, and portability are normally exercised with the clinic acting as Data Controller (e.g., the clinic that collected the patient's data).

For issues regarding data processed by tufisio.online on the website (e.g., forms or communications), you can contact us via /en/contact, indicating “Privacy / GDPR”.

8) Incident and Breach Management

We have an incident response approach oriented towards:

  • detection and containment
  • scope analysis
  • corrective measures
  • communication to affected clients where applicable

When the Service acts as Processor, notification and coordination will be carried out with the client (Controller) in accordance with the agreement and applicable legal deadlines.

9) Recommended Best Practices for Clinics

For secure and GDPR-compliant use, we recommend:

  • Define roles and permissions per user.
  • Use strong passwords and do not share access.
  • Maintain an internal record of processing and legal bases.
  • Inform patients about how their data is processed (information clauses).
  • Avoid entering unnecessary or excessively sensitive data.

10) More Information