Privacy Policy
Last Updated: May 29, 2026
Introduction
Health Online (“we,” “us,” “our,” or “Company”) is committed to protecting your privacy and ensuring you have a positive experience on our mobile application and website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our telehealth platform, including our mobile application (available on iOS and Android) and website. Health Online is operated and provided through Healthcare Innovative Solutions B.V. (HISBV), a company registered in and operating under the laws of Curaçao. Our services are delivered from and governed by Curaçao.
Please read this Privacy Policy carefully. If you do not agree with our practices, please do not use our services. By accessing and using Health Online, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy.
Health Online is governed by the laws of Curaçao. We process special category health data in compliance with Curaçaoan data protection regulations, the Dutch Medical Treatment Contracts Act (WGBO – as our users may include EU residents), and the General Data Protection Regulation (GDPR – where applicable to EU users). Any disputes arising from this Privacy Policy will be subject to Curaçaoan law and the courts of Curaçao.
1. Information We Collect
1.1 Personal Information
We collect the following personal information:
- Account Information: Full name, date of birth, gender, email address, phone number, and account password.
- Medical and Health Information: Medical history, current medications, allergies, symptoms reported during consultations, diagnoses, treatment recommendations, consultation notes, and health conditions. This constitutes special category health data under GDPR Article 9 and requires enhanced protection.
- Contact Information: Postal address, emergency contact details, and insurance information (if applicable).
- Payment Information: Billing address, payment method, and transaction history. Payment processing is handled by Stripe; we do not store full credit card details.
1.2 Technical Information
We automatically collect:
- Device Information: Device type, operating system, unique device identifiers, and mobile network information.
- Usage Data: Pages or features accessed, time spent in the app, features used, clicks, and navigation patterns.
- Connection Data: IP address, browser type, Internet Service Provider (ISP), referring/exit pages, and the dates and times of your activity.
- Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to enhance functionality, analyze usage, and improve user experience.
2. Legal Basis for Processing
We process your data based on the following legal bases (as defined by GDPR Article 6 and Article 9):
- Performance of a Contract: Processing is necessary to deliver telehealth services, manage consultations, and process payments.
- Legal Obligation: We process health data to comply with healthcare regulations, medical record retention requirements (WGBO), and law enforcement requests.
- Explicit Consent: You explicitly consent to the processing of your special category health data (GDPR Article 9(2)(a)) when you register and accept our Patient Consent & Terms of Care agreement.
- Legitimate Interests: We process technical and usage data to improve platform security, prevent fraud, and enhance user experience.
3. Use of Information
We use the information we collect for the following purposes:
- Deliver Telehealth Services: Facilitate consultations with healthcare providers, process consultation requests, manage medical records, and coordinate patient care.
- Account Management: Create and manage user accounts, verify identity, authenticate users, and reset passwords.
- Payment Processing: Process transactions, manage billing, and communicate payment-related information. Payments are processed through Stripe (certified SOC 2).
- Improve Services: Analyze usage patterns, optimize app performance, identify technical issues, and develop new features.
- Communication: Send appointment confirmations, consultation reminders, billing notifications, policy updates, security alerts, and other important information.
- Compliance & Legal: Meet regulatory requirements, comply with medical record retention laws, investigate fraud or abuse, and respond to legal requests.
4. Data Retention
We retain your data for the following periods, depending on the data type and applicable regulations. This complies with the Dutch Medical Treatment Contracts Act (WGBO) and GDPR principles of data minimization.
4.1 Legal Requirement: 20-Year Medical Record Retention
Health Online provides medical treatment via licensed healthcare providers. Even though consultations occur online and advice is non-binding, all data related to medical consultations constitutes a medical record under Dutch law (WGBO). Therefore, ALL medical-related data must be retained for a minimum of 20 years from the date of the last modification, as mandated by the Dutch Medical Treatment Contracts Act (WGBO).
4.1a Medical Records Storage – Paid Accounts Only
Medical records (consultation histories, diagnoses, prescriptions, symptom data, and clinical notes) are stored only for users with active paid subscriptions:
- HO Club: Includes medical record storage with 20-year retention (monthly subscription).
- Silver: Includes medical record storage + urgent care access with 20-year retention (monthly, weekly, or daily subscription options available).
- Free Tier Users: Medical records are NOT stored. Free users can access reminders, prescriptions, marketplace, and limited features, but consultation data is not retained. Users must subscribe to HO Club or Silver to store medical records and access consultations.
4.1b Deletion Upon Account Cancellation or Inactivity
When a user cancels their subscription or their account becomes inactive, the 20-year retention requirement no longer applies. Medical records will be permanently deleted as follows:
- Account Cancellation: Upon cancellation of a paid subscription (HO Club or Silver), the user has 30 days to download or export their complete medical records. After 30 days, all medical data associated with the account is permanently and irreversibly deleted from all systems, backups, and archives.
- Account Inactivity: If an account remains inactive (no login or activity) for 12 consecutive months, Health Online will notify the user via email that their account is subject to deletion. The user has 30 days to reactivate. If the account remains inactive after 30 days, all medical records are permanently deleted.
- Data Export Before Deletion: Users have the right to request a complete export of their medical records in machine-readable format (GDPR Article 20 – Data Portability) before deletion. Health Online will provide this within 7 days of the request.
- Legal Holds & Disputes: If a user has an ongoing legal claim, dispute, or investigation involving their care, medical records will be retained indefinitely until the matter is resolved, regardless of account status.
This expedited deletion upon cancellation or inactivity reflects our commitment to data minimization principles (GDPR Article 5(1)(e)) and ensures that inactive users’ data is not retained longer than necessary.
4.2 Data Retention Schedule (Active Accounts Only)
The following retention periods apply to users with active, paid subscriptions. Upon account cancellation or inactivity exceeding 12 months, all medical records are deleted within 30 days (see Section 4.1b).
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Consultation Chat Histories & Records | 20 years | WGBO Article 7:454 BW; Medical liability; Telemedicine = medical treatment |
| Medical Diagnoses & Clinical Notes | 20 years | WGBO; Medical liability & malpractice defense |
| Prescriptions & Medication Records | 20 years | WGBO; Prescription regulation; Medical liability |
| Symptom Data & Medical History | 20 years | WGBO; Part of medical record |
| Consent Records (Medical) | 20 years | GDPR + WGBO evidence; Legal defense |
| Payment & Billing Records | 5 years | Tax & financial audit requirements (NL/CW); Stripe PCI compliance |
| Audit Logs & Access Records | 5 years | Compliance, fraud detection, dispute resolution & medical liability defense |
| Account & Usage Analytics Data | 12 months | Service optimization; Data minimization |
| Marketing & Communication Data | Until unsubscribe + 12 months | Legitimate interest; GDPR Article 21 opt-out |
4.3 Storage & Archiving
Active Storage (Years 0–5): All medical records, consultation notes, and audit logs are retained in active, searchable databases accessible to authorized healthcare providers and administrators for clinical, legal, and regulatory purposes.
Cold Storage/Archive (Years 5–20): After 5 years of inactivity, medical records are moved to encrypted cold storage (e.g., AWS Glacier) for cost-effectiveness while maintaining full legal compliance. These records remain accessible upon authorized request (patient access, legal proceedings, regulatory audits).
Deletion After 20 Years: Once the mandatory 20-year retention period expires, medical data is securely and irreversibly deleted from all systems and backups, or anonymized for research purposes in compliance with GDPR Article 5(1)(e). HISBV documents and logs all deletions for compliance audits.
Non-Medical Data: Payment records, billing data, and analytics are retained only for their required periods (5 years for financial compliance, 12 months for analytics) and securely deleted thereafter, in compliance with data minimization principles.
5. Sharing of Information
We share your information only in the following circumstances:
- Healthcare Providers: We share your medical history, symptoms, and consultation notes with licensed healthcare providers for the sole purpose of delivering telehealth services. Physicians are independent contractors bound by professional confidentiality obligations and our Physician Data & Confidentiality Agreement.
- Data Processors: We engage third-party processors for cloud hosting, payment processing (Stripe), analytics, and customer support. All processors sign Data Processing Agreements (DPAs) compliant with GDPR Article 28. Examples include: cloud infrastructure providers, Stripe (payment processing), and analytics platforms.
- Legal & Regulatory Authorities: We may disclose information to law enforcement, regulatory bodies, or healthcare authorities when legally required, such as responding to subpoenas, court orders, or investigations.
- Partners: With your consent, we may share non-identifiable or anonymized data with hotel chains, airlines, or corporate partners to improve services or for research purposes.
- Business Transfers: If Health Online is acquired, merged, or undergoes asset sale, your data may be transferred as part of that transaction. We will notify you of any such change and give you the opportunity to object.
We do NOT sell your personal information to third parties for marketing purposes.
6. Data Security
We implement comprehensive technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: All data in transit uses TLS 1.2+ encryption. Medical data at rest is encrypted using AES-256 encryption.
- Access Control: User authentication requires secure passwords. Healthcare providers access patient data only with appropriate role-based permissions. Administrative access is logged and audited.
- Infrastructure Security: We use secure, compliant cloud infrastructure with firewalls, intrusion detection, and regular security monitoring.
- Data Backups: Regular encrypted backups are maintained for disaster recovery and business continuity.
- Audit Logging: All access to medical records is logged, including who accessed what data, when, and for what purpose.
- Third-Party Compliance: Our payment processor (Stripe) is SOC 2 certified. Cloud infrastructure providers meet ISO 27001 and SOC 2 standards.
- Employee Training: Staff handling health data receive regular GDPR and data protection training.
Disclaimer: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute protection against all security breaches. You accept the inherent risks of transmitting information over the internet.
7. Your Rights
Under GDPR and applicable data protection laws, you have the following rights:
- Right of Access (GDPR Article 15): You have the right to request a copy of your personal and health data. We will provide this within 30 days of your request, in a structured, commonly used, and machine-readable format.
- Right to Rectification (GDPR Article 16): You can request corrections to inaccurate or incomplete personal information.
- Right to Erasure (GDPR Article 17): You can request deletion of your data, except where: (a) we have a legal obligation to retain it (e.g., 20-year medical record retention), (b) the data is necessary for the service, or (c) you have outstanding health or legal claims.
- Right to Restrict Processing (GDPR Article 18): You can request that we limit processing of your data under certain circumstances.
- Right to Data Portability (GDPR Article 20): You have the right to receive your data in a portable format and transfer it to another service provider.
- Right to Object (GDPR Article 21): You can object to processing based on legitimate interests or direct marketing.
- Right to Withdraw Consent: You can withdraw your consent to data processing at any time. This does not affect the legality of processing before withdrawal.
- Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the relevant data protection authority (in the Netherlands: the Dutch Data Protection Authority, or your local equivalent).
To exercise any of these rights, please contact us at: info@healthonline.app
8. Children’s Privacy
Health Online does not knowingly collect information from children under the age of 16 (or the age of digital consent in your jurisdiction). If we become aware that we have collected data from a child under 16 without parental consent, we will take immediate steps to delete such information.
For users between 16 and 18, parental or guardianship consent may be required depending on local laws. Users in this age group must declare their age during registration.
9. International Data Transfers
Health Online operates through entities in the Netherlands and Curaçao. The Netherlands is subject to GDPR, which governs how your data is handled. If data is transferred outside the EU/EEA, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to jurisdictions without an adequacy decision.
- Data Processing Agreements: All third-party processors sign DPAs that include transfer mechanisms compliant with GDPR.
10. Data Breach Notification
In the event of a confirmed data breach affecting your personal or health information, we will:
- Notify you without undue delay, typically within 72 hours of discovery, unless the data is encrypted and poses minimal risk.
- Notify the relevant data protection authority as required by GDPR Article 33.
- Provide details about the breach, affected data, measures taken, and steps you can take to protect yourself.
11. Cookies and Tracking Technologies
11.1 Use of Cookies
We use cookies and similar tracking technologies to:
- Maintain your session and remember login information (essential cookies).
- Enhance app functionality and user experience (functional cookies).
- Analyze usage patterns and improve performance (analytics cookies).
- Prevent fraud and enhance security (security cookies).
11.2 Cookie Types
- Essential Cookies: Required for app functionality. Cannot be disabled without impairing service.
- Functional & Analytics Cookies: Help us understand how you use the app and optimize performance. You can disable these through your device settings or browser controls.
- Third-Party Cookies: We use limited third-party analytics (e.g., Google Analytics) for performance monitoring. These are governed by third-party privacy policies.
11.3 Managing Cookies
You can control cookies through:
- Browser settings (allow/block cookies)
- Mobile device settings (clear app cache, disable app tracking)
- Opt-out links provided in our communications
12. Medical Limitations & Emergency Disclaimer
Important:
- Health Online is not for emergencies. If you experience a medical emergency, please call emergency services (112 in the EU, or your local emergency number) immediately.
- Your medical data may not be immediately accessible during system outages or technical difficulties. We are not liable for delays in providing access to your records in urgent situations.
- Telemedicine consultations have inherent limitations. Physicians may determine that in-person evaluation is necessary.
- Health Online is a technology facilitator. All medical liability rests with the healthcare provider. We are not responsible for medical decisions, diagnoses, or treatment outcomes.
13. Marketing & Communications
We may send you marketing communications about new features, special offers, or health tips. You can:
- Unsubscribe from marketing emails by clicking the unsubscribe link in any email.
- Manage push notification preferences in your app settings.
- Update your communication preferences in your account settings.
Note: We will continue to send you essential communications about your account, appointments, billing, and important policy changes, regardless of your marketing preferences.
14. Third-Party Links
Our app may contain links to third-party websites or services. We are not responsible for their privacy practices. Please review their privacy policies before providing any information.
15. California & Regional Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA). If you are a resident of another jurisdiction with specific privacy laws, those rights apply accordingly. To exercise these rights, contact: info@healthonline.app
16. Changes to Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Sending you a notification email to your registered email address.
- Posting a prominent notice in the app.
- Requiring your consent to the updated policy if required by law.
Your continued use of Health Online after changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.
17. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Health Online
Email: info@healthonline.app
Website: healthonline.app
Organization: Healthcare Innovative Solutions B.V. (HISBV)
Headquarters & Legal Jurisdiction: Curaçao
Governing Law: Curaçaoan law. Any disputes will be subject to the jurisdiction of Curaçaoan courts.
This Privacy Policy is effective as of May 29, 2026. Healthcare Innovative Solutions B.V. (HISBV) reserves the right to update this policy at any time in accordance with applicable law.
