Legal

Privacy Policy

How we collect, use, and protect your personal and medical data.

Last updated: March 2026

1. Data Controller

The data controller responsible for your personal data is Betta Health Cameroon, a company registered under the laws of the Republic of Cameroon, with registered address at Entrée Ministre, NKOZOA, Yaoundé, Cameroon. Contact: info@bettahealth.com.

2. Data We Collect

  • Account data: full name, email address, role (patient, referring doctor), preferred language, phone number.
  • Medical case data: diagnosis details, clinical history, uploaded documents, imaging files, pathology reports submitted via the platform.
  • Specialist report data: written recommendations and clinical assessments produced by our specialists.
  • Payment data: transaction records processed via Stripe. We do not store card numbers — Stripe is PCI-DSS certified.
  • Usage data: login timestamps, page navigation, device type, IP address (anonymised after 30 days).

3. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR): processing your account and case data to deliver the consultancy service you requested.
  • Explicit consent (Art. 9(2)(a) GDPR): processing health data (a special category) requires and is based on your explicit consent given at registration.
  • Legal obligation (Art. 6(1)(c) GDPR): retaining financial records as required by German and Cameroonian tax law.
  • Legitimate interest (Art. 6(1)(f) GDPR): platform security, fraud prevention, and system integrity.

4. How We Use Your Data

  • To create and manage your account on the platform.
  • To submit, review, and deliver specialist consultations and second opinions.
  • To process payments and issue receipts.
  • To send transactional emails: case status updates, report availability, and payment confirmations.
  • To comply with applicable medical record retention laws.

5. Data Sharing & Third Parties

  • Supabase (Ireland/EU): cloud database and file storage provider. Data is stored within the European Economic Area.
  • Stripe (USA): payment processing. Stripe is certified under the EU-US Data Privacy Framework.
  • Vercel (USA): web hosting and content delivery. Data in transit is encrypted via TLS.
  • Our specialist physicians: assigned consultants receive the case data necessary to deliver their opinion.
  • We do not sell, rent, or share your data with advertisers or third-party marketers.
  • For users in the European Union, data transfers are governed by Standard Contractual Clauses (SCCs) in compliance with GDPR Chapter V.

6. Data Retention

  • Medical case records and specialist reports: retained for 10 years from case closure in accordance with Cameroonian public health regulations and applicable medical documentation standards.
  • Account data: retained for the duration of your account and 2 years after a deletion request.
  • Payment records: retained for 10 years as required by Cameroonian tax and commercial law.
  • Anonymised usage analytics: retained for up to 24 months.

7. Your Rights

  • Right of access (Art. 15 GDPR): request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): request correction of inaccurate data.
  • Right to erasure (Art. 17): request deletion of your data, subject to legal retention obligations.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to restrict processing (Art. 18): request that we limit how we use your data.
  • Right to withdraw consent: withdraw consent for health data processing at any time without affecting prior lawful processing.
  • Right to lodge a complaint: with your national data protection authority (Germany: BfDI; Cameroon: CNDP).

8. Cookies

We use strictly necessary cookies for authentication (Supabase session tokens) and a consent cookie to remember your preferences. No advertising or tracking cookies are used. You can manage cookie preferences via the banner shown on your first visit.

9. Security

All data is transmitted over HTTPS/TLS. Access to medical data is role-restricted and controlled by Row-Level Security policies enforced at the database level. Specialist reports are accessible only to the assigned specialist, the case owner, and authorised administrative staff.

10. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email to registered users at least 14 days before taking effect. Continued use of the platform constitutes acceptance of the updated policy.

Questions?

For any questions regarding this policy, contact us at: info@bettahealth.com or write to: Betta Health Cameroon, Entrée Ministre, NKOZOA, Yaoundé, Cameroon.