Privacy Policy
1. Introduction
At Ask Aletta we respect your privacy. This policy describes what data we collect when you use our services and how we handle it.
2. Information we collect
We collect and process the following data:
- Account data: your name (first and last), email address, medical role and specialism (if applicable), and employer
- Profile data: your field or discipline, career phase, organisation, region and language preference — we use these to personalise the service
- Usage data: information about how you use the service
- Cookies and tracking technology: see section 15
Special categories of personal data: We do not process special categories of personal data within the meaning of Article 9 GDPR (such as health data). Your medical role and specialism relate to your profession, not your health. Medical questions asked through the service concern clinical knowledge at a case level only, never an identifiable patient. Should processing of special categories become necessary in the future, we will only do so with an additional legal basis (Art. 9(2) GDPR), such as your explicit consent.
3. How we use information
We use your data for:
- delivering and improving our service
- creating and managing your account
- verifying your identity
- personalising your experience
- communicating about your account and our services
- product improvement
We also process anonymised usage data for statistical analyses and dashboards that we make available to organisations with which we have a contract. These data are never traceable to individual users.
Secondary use of anonymised chats: We may anonymise chat conversations that do not contain patient data and use them for scientific research, improvement of healthcare quality, innovation in healthcare, and communication purposes (such as knowledge sharing, publications and marketing). These anonymised data may also be made available to third parties in the healthcare sector for research and innovation purposes.
The anonymisation process ensures that the data cannot in any way be traced back to an individual and is carried out in accordance with the guidelines of the European Data Protection Board. Once fully anonymised, the data are no longer subject to the GDPR. The anonymisation process itself is based on our legitimate interest (Art. 6(1)(f) GDPR). You may object to this use of your chat data at any time, including before anonymisation, via the contact details in section 17.
4. Disclosure of your information
We may freely share aggregated, non-identifiable information. We only share personal data when this is necessary to deliver our services or when we are legally required to do so, for example:
- to comply with a court order or legal obligation
- to respond to a request from a government or supervisory authority
- to enforce our terms, including for billing purposes
- to protect the rights, property or safety of Ask Aletta, our users or others
When we share data with external processors acting on our behalf, we enter into data processing agreements that safeguard the security and confidentiality of your data.
5. Data security
We take appropriate technical and organisational measures to protect your data against unauthorised access, loss, alteration or destruction.
Staff access: A limited number of employees with elevated access rights can view chat conversations. This is permitted only for: quality and safety assurance of the service, technical support, investigation of misuse or incidents, and carrying out the anonymisation process (see section 3). These employees are bound by confidentiality obligations. Access is logged and periodically reviewed.
5a. Microphone and voice input
Ask Aletta offers the option to dictate your question instead of typing it, in both the web app and the mobile app. For this, the application requests one-time permission to access your device's or browser's microphone.
- The microphone is only activated the moment you press the microphone button. Ask Aletta does not listen in the background and does not record any audio outside of these moments.
- The audio is sent encrypted to our servers, converted to text (transcription), and then deleted. The audio recording itself is not permanently stored.
- The transcribed text is then treated as a regular chat question, in accordance with the rest of this privacy policy.
- You can revoke microphone permission at any time through your device or browser settings.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR) — transcription is part of the service delivery and takes place only on your active initiative.
6. Legal basis and consent
We process your data on the legal bases set out in section 9. Where we need your consent (Art. 6(1)(a) GDPR), we ask for it separately and explicitly, independent of the sign-up process. You can withdraw your consent at any time through your account settings or via the contact details in section 17. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
7. User rights and control
You can manage your personal data and exercise your rights as described in section 11 of this policy. If you choose to delete your account or have certain data removed, you may lose access to features of our service that depend on this information. You can submit a request to exercise your rights by contacting us via the details in section 17.
8. Changes to our privacy policy
We publish changes to this privacy policy on this page. The date of the last revision is shown at the top. We recommend that you review this policy regularly.
9. Legal basis for processing
We only process your data with a valid legal basis (Art. 6 GDPR). Per purpose, this is:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Creating and managing your account | Performance of the contract (para. 1(b)) |
| Delivering the service and presenting content | Performance of the contract (para. 1(b)) |
| Identity verification and streamlining the sign-up process | Performance of the contract (para. 1(b)) |
| Communication about your account and our services | Performance of the contract (para. 1(b)) |
| Collection of contextual profile data (discipline, career phase, organisation, region, language) for personalisation | Performance of the contract (para. 1(b)) |
| Personalisation of your experience | Legitimate interest (para. 1(f)) |
| Analysis of usage patterns and service improvement (product improvement) | Legitimate interest (para. 1(f)) |
| Anonymised statistical analyses and dashboarding for contract partners | Legitimate interest (para. 1(f)) |
| Anonymisation of chat data (without patient data) for research, healthcare improvement, innovation and communication purposes, including making available to third parties in the healthcare sector | Legitimate interest (para. 1(f)) |
| Placement of analytical cookies | Consent (para. 1(a)) |
| Compliance with legal obligations (e.g. tax, retention requirements) | Legal obligation (para. 1(c)) |
For legitimate interest purposes, we have carried out a balancing test. You can always object to these processing activities via the contact details in section 17.
10. Retention periods
We do not retain your personal data longer than necessary for the purposes for which they were collected. Specifically:
- Account data: retained for as long as your account is active, plus one year after termination
- Chat histories: retained for as long as necessary for service delivery and product improvement, with a maximum of 2 years
- Data for legal obligations: retained in accordance with the legally prescribed periods
11. Your rights
As a data subject you have the following rights regarding your personal data:
- Right of access to the personal data we process about you
- Right to rectification of inaccurate personal data
- Right to erasure ('right to be forgotten')
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right not to be subject to automated decision-making
You can exercise these rights by contacting us via the details at the end of this privacy policy.
12. International data transfers
Your data may be processed outside the European Economic Area (EEA). In that case we protect the transfer with:
- Standard Contractual Clauses (SCCs, 2021) approved by the European Commission
- An adequacy decision by the European Commission for the relevant country (including the EU-US Data Privacy Framework for transfers to certified organisations in the United States)
- Binding Corporate Rules (BCRs), where applicable
Prior to any transfer we carry out a Transfer Impact Assessment (TIA). Where necessary, we take additional measures to ensure an equivalent level of protection.
13. Supervisory authority
If you believe we are not handling your data properly, you can lodge a complaint with a supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).
14. Data breaches
A data breach (unintended access to, loss or alteration of personal data) can never be fully excluded. If a data breach occurs that poses a risk to your rights, we will report it to the Autoriteit Persoonsgegevens within 72 hours (Art. 33 GDPR). In case of a high risk we will also inform you, explaining what happened, the potential consequences and the measures we are taking (Art. 34 GDPR).
15. Cookies and tracking technologies
Our service uses the following types of cookies:
- Essential cookies: necessary for the website to function
- Functional cookies: to remember your preferences and settings
- Analytical cookies: to gain insight into user behaviour and improve our services
You can set your browser to refuse all or some cookies or to alert you when cookies are being sent. If you disable cookies, some parts of the service may not be accessible or may not function properly.
16. Final provisions
If any provision of this policy is found to be invalid, the remaining provisions shall remain in force.
17. Data controller and Data Protection Officer
Responsible for the processing of your data is:
Brainshelf B.V. (trading as Ask Aletta and Brainshelf) WG-plein 316, 1054 SG Amsterdam Chamber of Commerce number: 97743038
For questions about this privacy policy or the processing of your personal data you can contact us at support@askaletta.com.
We have determined under Article 37 GDPR that a Data Protection Officer (DPO) is not required, as we do not carry out large-scale processing of special categories of personal data nor large-scale systematic monitoring of data subjects. For privacy-related questions you can contact us directly via the email address above.