Data Protection & GDPR

Your health data.
Your rights. Your control.

Homy is built on the foundation of data protection by design and default. Every decision prioritizes your privacy, security, and fundamental rights under GDPR.

GDPR Core Principles

Seven foundational principles that govern how we handle your health data

Lawfulness, Fairness & Transparency

Data processed lawfully, fairly, and transparently. No hidden data practices.

Purpose Limitation

Data collected only for specified, explicit clinical care purposes - never repurposed.

Data Minimization

Only essential health data collected - adequate, relevant, and limited to necessity.

Accuracy

Health data kept accurate and up-to-date. Inaccurate data corrected or erased promptly.

Storage Limitation

Data retained only as long as necessary for clinical purposes or legal requirements.

Integrity & Confidentiality

Data secured with encryption, access controls, and comprehensive security measures.

Accountability

We are responsible for and can demonstrate compliance with all GDPR principles. Full documentation, audit trails, and regular assessments maintained.

Complete Data Lifecycle

From collection to deletion: transparent handling at every stage

1. Collection

Explicit Consent
Active consent obtained before any health data collection. Clear purpose explained.
Minimal Data Scope
Only data necessary for clinical triage and care coordination collected.
Transparent Methods
Clear documentation of what data is collected, why, and how it will be used.
2. Processing

Purpose-Limited Use
Data used only for explicit clinical care, triage, and coordination purposes.
Encryption in Transit & At Rest
AES-256 encryption for stored data, TLS 1.3+ for data transmission.
Access Controls
Role-based access with audit logging. Only authorized healthcare personnel access patient data.
Pseudonymization
Patient identifiers separated from clinical data where technically feasible.
3. Storage

EU Data Residency
All personal health data stored within the European Union (Frankfurt, Germany region).
Retention Policies
Clinical data retained for 7 years (medical records compliance), then securely deleted.
Backup & Recovery
Encrypted backups with same security standards. Recovery procedures tested regularly.
4. Deletion

Automated Expiration
Data automatically deleted after retention period expires unless legal hold applies.
User-Initiated Deletion
Right to erasure honored within 30 days. Data removed from all systems and backups.
Secure Erasure
Cryptographic erasure (key deletion) ensures data cannot be recovered.

Consent Management

Your explicit consent required at every step. Withdraw anytime.

Granular Consent

  • Separate consent for data collection, processing, and third-party sharing
  • Clear opt-in required - no pre-checked boxes or implied consent
  • Plain language explanations of each consent purpose

Consent Withdrawal

  • Withdraw consent as easily as it was given - no barriers
  • Immediate effect upon withdrawal - processing stops within 24 hours
  • Confirmation provided when consent withdrawal is complete

Consent Records

  • All consent decisions logged with timestamp and scope
  • Audit trail maintained for regulatory compliance
  • Access your consent history anytime via patient portal

Special Category Data

  • Health data requires explicit consent under GDPR Article 9
  • Additional safeguards for sensitive health information
  • Clear explanation of health data sensitivity and protection

Your GDPR Rights

Eight fundamental rights guaranteed under GDPR. We honor all requests within legal timeframes.

Right to Access

Request a complete copy of all personal data we hold about you, including processing purposes and recipients.

Response time: 30 days
Free of charge

Right to Rectification

Correct any inaccurate personal data or complete incomplete information in your health records.

Response time: 30 days
Immediate correction

Right to Erasure ("Right to be Forgotten")

Request deletion of all personal data when no longer necessary, consent withdrawn, or unlawfully processed.

Response time: 30 days
Secure deletion

Right to Restriction of Processing

Limit how we process your data during accuracy verification, legal claim defense, or pending consent withdrawal.

Response time: 30 days
Processing paused

Right to Data Portability

Receive your personal data in a machine-readable format (JSON, CSV) and transfer it to another service provider.

Response time: 30 days
Structured formats

Right to Object

Object to processing based on legitimate interests, direct marketing, or scientific/statistical research purposes.

Response time: 30 days
Stop processing

Right to Human Review (Automated Decision-Making)

Human oversight required for AI-driven clinical recommendations. Request manual review of any automated decision.

Response time: Immediate
Human-in-the-loop

Right to Lodge a Complaint

File a complaint with your national data protection authority (Dutch DPA - Autoriteit Persoonsgegevens).

Independent oversight
Regulatory protection

How to Exercise Your Rights

Email privacy@homy.health with your request. We respond within 30 days and provide clear confirmation of actions taken.

Security Architecture

Military-grade security protecting your health data at every layer

Encryption Standards

  • AES-256 encryption for data at rest
  • TLS 1.3+ encryption for data in transit
  • End-to-end encryption for sensitive communications
  • Key rotation every 90 days

Access Controls

  • Role-based access (RBAC) with least privilege
  • Multi-factor authentication (MFA) required
  • Session management with automatic timeout
  • IP whitelisting for admin access

Data Protection

  • Pseudonymization where technically feasible
  • Data masking in non-production environments
  • Tokenization for payment information
  • SHA-256 hashing for passwords

Audit & Monitoring

  • Complete audit logs of all data access
  • Real-time monitoring for security threats
  • Intrusion detection systems (IDS)
  • Annual penetration testing by third parties

Incident Response

  • 72-hour breach notification to authorities
  • Immediate user notification if data compromised
  • Incident response plan tested quarterly
  • Forensic investigation procedures

Infrastructure Security

  • EU-based infrastructure (Frankfurt, Germany)
  • ISO 27001 certified cloud providers
  • Network segmentation and firewalls
  • DDoS protection and rate limiting

EU AI Act Classification

Homy is classified as a high-risk AI system under the EU AI Act and meets all regulatory requirements.

High-Risk AI System

Homy is classified as high-risk under Annex III (AI systems for healthcare) because it processes patient health data and provides clinical decision support. This classification imposes the strictest regulatory requirements to ensure safety and fundamental rights protection.

Risk Management System

Continuous identification, analysis, estimation, and mitigation of risks throughout the AI lifecycle.

Data Governance

Training, validation, and testing datasets comply with quality, relevance, and bias mitigation requirements.

Technical Documentation

Comprehensive documentation of system design, development process, and validation methodology maintained.

Record-Keeping

Automatic logging of AI system operations to enable traceability and post-market monitoring.

Transparency Obligations

Clear disclosure to users that they are interacting with an AI system. Instructions for use provided.

Human Oversight

Human-in-the-loop design ensures qualified personnel can oversee, intervene, and override AI decisions.

Accuracy & Robustness

System validated against benchmarks. Continuous monitoring for performance degradation and drift.

Cybersecurity

Resilience against unauthorized access, data poisoning, and adversarial attacks through security-by-design.

Conformity Assessment

Third-party conformity assessment in progress to verify compliance with EU AI Act requirements before market deployment.

Status: In Progress

Post-Market Monitoring

Continuous post-market monitoring plan to identify and address risks, performance issues, and regulatory non-compliance.

Status: Active

Data Protection Officer (DPO)

Homy has appointed a Data Protection Officer as required by GDPR Article 37. Our DPO oversees data protection strategy, ensures regulatory compliance, and serves as the point of contact for data subjects and supervisory authorities.

Contact Our DPO
dpo@homy.health
Supervisory Authority
Autoriteit Persoonsgegevens (Dutch DPA)
autoriteitpersoonsgegevens.nl

Questions About Data Protection?

We're committed to transparency and your privacy rights. Contact our Data Protection Officer or privacy team for any questions about how we handle your health data.

Last Updated: December 6, 2025
Version 1.0 • Homy Healthtech Solutions B.V.