SmartArzt
Legal

Privacy Policy

Last updated: June 27, 2026

1. About Us

DataFit Solutions OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia
Email: info@datafit-solutions.com

2. Scope & Our Role

This Privacy Policy applies to all services offered by DataFit Solutions OÜ under the SmartArzt brand:

  • Web application at app.smartarzt.de
  • SmartArzt Audio Recorder Chrome Extension
  • Public API for third-party integrations

SmartArzt is intended for medical professionals (physicians and healthcare institutions). Users are the data controllers under GDPR for the patient data they process via SmartArzt. In this respect DataFit Solutions OÜ acts as a data processor under Art. 28 GDPR and processes that data solely on the controller's instructions.

We are the data controller only for the limited personal data we collect directly, such as the contact and account data of our users (see section 3.1).

3. What Data We Collect

3.1 User & Contact Data

When you register for and use the service, we process:

  • Name and email address
  • Authentication data (managed by Auth0)
  • Usage and billing data (number of recordings processed, quota usage)

3.2 Audio Recordings & Medical Documents

As part of using the service, we process:

  • Audio recordings
  • Transcriptions of recordings
  • AI-generated medical letters and documents
  • Uploaded context documents (e.g. lab results, PDFs)

This data may contain patient data (special categories of personal data under Art. 9 GDPR). DataFit Solutions OÜ processes such data solely on the instructions of the using healthcare institution, as a data processor.

3.3 Technical Data

  • IP addresses and access times (in server logs)
  • Device information and browser type
  • Settings stored locally in the Chrome Extension (API key, recording settings)

4. How We Use Your Data

  • Transcription of audio recordings and generation of structured medical documents
  • Authentication and authorisation of users
  • Usage accounting and quota management
  • Detection and prevention of abuse and security incidents
  • Responding to support requests

5. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b) GDPR): User data, authentication, and usage and billing data.
  • Legitimate interests (Art. 6(1)(f) GDPR): Server logs, security monitoring, and operation of the service.
  • Legal obligation (Art. 6(1)(c) GDPR): Where required by applicable law.
  • Processing of health data (Art. 9(2)(h) GDPR): Where audio or documents processed via SmartArzt contain health data, the controller (the medical institution using the service) determines the applicable Article 9 condition; where processing supports medical diagnosis or the provision of health care, Art. 9(2)(h) applies.

For any personal data contained in audio or documents processed via SmartArzt, the legal basis is determined solely by the data controller (the using healthcare institution). DataFit Solutions OÜ processes such data strictly as a processor and does not determine the purpose or means of processing.

6. Sub-processors

We do not sell your data or share it with third parties for commercial purposes. To deliver the service we use the following sub-processors, all located within the EU:

  • Amazon Web Services (AWS)
  • Google Cloud Platform
  • Speechmatics
  • Auth0 by Okta

All sub-processors are bound by data processing agreements under Art. 28 GDPR, and all processing takes place exclusively within the European Union. A current list is also available on request at info@datafit-solutions.com.

7. Data Retention

  • Web application: Account data and medical documents are retained for the duration of the contractual relationship and fully deleted within 30 days of contract termination.
  • Public API: Audio uploads, transcriptions, and generated documents are automatically deleted no later than 48 hours after processing.
  • Server logs: Technical access logs are retained for 365 days and then deleted.

8. Data Security

  • All data encrypted in transit via TLS 1.2+
  • Data at rest encrypted with AES-256 via AWS KMS
  • Infrastructure hosted in private AWS networks (C5-certified) within the EU, with no direct internet exposure
  • Access controls following least-privilege principles
  • Regular security reviews
  • ISO 27001-aligned information security management

For a full overview see our Trust Center.

9. International Data Transfers

All data is processed and stored exclusively within the European Economic Area (EEA). No transfers outside the EEA take place.

10. Your Rights under GDPR

As a data subject you have the following rights:

  • Access (Art. 15 GDPR): What data we process about you
  • Rectification (Art. 16 GDPR): Correction of inaccurate data
  • Erasure (Art. 17 GDPR): Deletion of your data
  • Restriction (Art. 18 GDPR): Restriction of processing
  • Portability (Art. 20 GDPR): Receipt of your data in a machine-readable format
  • Objection (Art. 21 GDPR): Objection to processing

If you are an end user whose personal data may be contained in audio or documents processed via SmartArzt, your data controller is the healthcare institution using SmartArzt. Please contact them directly to exercise your rights.

To exercise your rights over data we process directly, contact us at info@datafit-solutions.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The competent authority for DataFit Solutions OÜ is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), www.aki.ee.

11. Cookies

The SmartArzt marketing website does not use tracking cookies or third-party analytics. No cookie consent is required beyond standard server-side session handling.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the latest revision. For material changes, users will be notified by email.

13. Contact

DataFit Solutions OÜ
Email: info@datafit-solutions.com
More information: Trust Center