Privacy policy

Last updated: 2026-04-12

AltheraCare is a European SaaS platform for clinic management used by chiropractors, physiotherapists, osteopaths and other manual therapists. This policy explains how we collect, use and protect personal data under GDPR (EU) 2016/679, Spanish LOPD-GDD and the Swedish Patientdatalagen (2008:355).

1. Data controller

AltheraCare (registered in Spain) is the controller for platform account and billing data. For patient data that clinics store in AltheraCare, the clinic itself is the controller and AltheraCare acts as processor under Article 28 GDPR.

Contact: privacy@altheracare.com

2. What data we collect

  • Account data: name, email, password (hashed), clinic, role, language and currency preferences.
  • Clinic data: clinic name, address, organisation number, tax info, opening hours, services and prices.
  • Patient data (PHI): name, personal ID/NIF/NIE, contact details, booking history, clinical notes (SOAP), treatment plans, invoices. The clinic is the controller of this data; AltheraCare processes it only on the clinic's instructions.
  • Payment data: invoice amounts and status. Card numbers are never handled by AltheraCare — they go directly to Stripe (PCI DSS Level 1).
  • Technical data: IP address, session cookies, browser, error reports (Sentry).

3. Why we process data

  • Deliver the platform and its features (booking, notes, billing).
  • Meet legal obligations (note retention, bookkeeping law).
  • Billing and payment handling.
  • Security, abuse detection and technical support.
  • Product development (aggregated, anonymised statistics).

4. Legal basis

  • Contract — Art. 6(1)(b) GDPR: providing the service to clinic customers.
  • Legal obligation — Art. 6(1)(c) GDPR: bookkeeping and health record legislation per jurisdiction.
  • Legitimate interest — Art. 6(1)(f) GDPR: platform security and abuse detection.
  • Consent — Art. 6(1)(a) GDPR: for marketing and non-essential cookies.
  • Health data — Art. 9(2)(h) GDPR: patient data is processed for healthcare purposes.

5. Retention period

Retention periods for clinical notes vary by jurisdiction. AltheraCare applies the rules of the country in which the clinic is established:

  • Spain: 5 years after last treatment
  • Sweden, Norway, Denmark, Germany: 10 years
  • Finland: 12 years

Account data is deleted within 30 days of cancellation, except invoices kept per national bookkeeping law (7–10 years).

6. Your rights

Under GDPR you have the right to:

  • Access (Art. 15) — a copy of your personal data
  • Rectification (Art. 16) — correct inaccurate information
  • Erasure (Art. 17) — "right to be forgotten"
  • Restriction (Art. 18)
  • Data portability (Art. 20)
  • Objection (Art. 21)
  • Complain to a supervisory authority (IMY in Sweden, AEPD in Spain)

For patient data: contact your clinic first (controller). For account and platform data: privacy@altheracare.com.

7. Sub-processors and data transfers

AltheraCare uses the following sub-processors. Each is either established in the EU or covered by a Chapter V GDPR transfer safeguard (Standard Contractual Clauses or an adequacy decision):

  • Supabase (EU region Frankfurt) — database, auth, storage.
  • Vercel (EU edge) — hosting and CDN.
  • Resend (EU region) — transactional email (confirmations, reminders).
  • Stripe — payment processing (PCI DSS Level 1).
  • Anthropic (Claude) — AI note generation. Patient data is only sent with the clinic's explicit consent and is not stored by Anthropic for model training.
  • Sentry — error reporting. PII is filtered before upload.

8. Security

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row Level Security (RLS) enforced in the database, so each clinic's queries can only return its own rows
  • Field-level encryption of sensitive identifiers (personal ID, NIF/NIE), on top of disk-level encryption
  • Append-only audit log of every access to patient data
  • Personal data breaches are reported to affected clinics (as controllers) without undue delay, and to the supervisory authority within 72 hours where AltheraCare is the controller (Art. 33 GDPR)
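Two of the controls listed above, clinic-scoped Row Level Security and an append-only audit log, are ordinary Postgres features. The following is an added illustration in the Supabase/Postgres style, not AltheraCare's own schema or policies: the table, column and role names, the membership table and the sample UUIDs are all assumptions, and the only Supabase-specific pieces are the `authenticated` role and the `auth.uid()` helper, which reads the `sub` claim of the caller's JWT.

```sql
-- Added example, not AltheraCare's schema. Table, column and role names are assumed.
-- Shows (1) RLS that scopes every query to the caller's clinic and (2) an audit table
-- the application role can append to but never rewrite.

create table clinic_members (
  user_id   uuid not null,          -- auth.users.id in Supabase
  clinic_id uuid not null,
  primary key (user_id, clinic_id)
);

create table patients (
  id          uuid primary key default gen_random_uuid(),
  clinic_id   uuid not null,
  full_name   text not null,
  national_id bytea                 -- NIF/NIE: ciphertext written by the app, never plaintext
);

-- Policies apply to every role except the table owner and superusers;
-- add FORCE ROW LEVEL SECURITY if the owner should be bound as well.
alter table patients enable row level security;

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT/UPDATE
-- that would place a row in a clinic the caller is not a member of.
create policy clinic_isolation on patients
  for all to authenticated
  using (clinic_id in (select clinic_id from clinic_members
                       where user_id = auth.uid()))
  with check (clinic_id in (select clinic_id from clinic_members
                            where user_id = auth.uid()));

-- Append-only audit log: the application role may INSERT, never change history.
create table patient_access_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  user_id    uuid not null default auth.uid(),
  patient_id uuid not null,
  action     text not null check (action in ('read', 'create', 'update', 'delete'))
);
revoke update, delete, truncate on patient_access_log from authenticated, anon;

-- Belt and braces: refuse rewrites even if a role later regains the privilege.
create function audit_no_rewrite() returns trigger language plpgsql as $$
begin
  raise exception 'audit log is append-only';
end $$;
create trigger patient_access_log_immutable
  before update or delete on patient_access_log
  for each statement execute function audit_no_rewrite();

-- Constructed sample data (assumed UUIDs): one user who belongs to clinic A only,
-- one patient in clinic A and one in clinic B. Run as the table owner, so RLS
-- does not filter the seed.
insert into clinic_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa');
insert into patients (clinic_id, full_name) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Patient in clinic A'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Patient in clinic B');

-- Verification: impersonate the clinic-A user and confirm clinic B is invisible.
-- Expect count = 1 (only the clinic-A row), even without a WHERE clause.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111"}', true);
  select count(*) from patients;
  -- Expect an error: the policy's WITH CHECK blocks writing into clinic B.
  insert into patients (clinic_id, full_name)
    values ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'should be rejected');
rollback;
```

Two caveats a reviewer would raise. First, RLS is bypassed by superusers and, on Supabase, by the `service_role` key, so server-side code holding that key must never build queries from untrusted clinic identifiers. Second, a database trigger cannot observe SELECT statements, so "every access" logging of reads has to be written by the application layer (or by a SECURITY DEFINER function that both reads the row and inserts the audit entry in one call).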

9. Changes

For material changes we notify all customers by email at least 30 days in advance.