Privacy Policy
Last updated: 2026-02-08
1. Data Controller
2. Data We Collect
We collect and process the following personal data:
- Account data: Name, email address, password (hashed with bcrypt), profile photo, phone number, language preference
- Location data: ZIP code and coordinates for searching nearby therapists; saved addresses for home visits
- Booking data: Session dates, duration, status, notes, cancellations
- Payment data: Payment metadata (amount, status, timestamps). Card details are processed exclusively by Stripe and are never stored on our servers.
- Chat messages: Messages between patients and therapists
- Documents: Uploaded prescriptions
- Reviews: Review text and star ratings
- Device data: Push notification tokens, platform, app version
3. Purposes of Processing
- Providing and operating the Alfar platform
- Matching patients with physiotherapists
- Processing bookings and payments
- Enabling communication via the chat function
- Sending push notifications
- Location-based therapist search
- Improving our services
4. Legal Bases (Art. 6 GDPR)
- Contractual performance (Art. 6(1)(b)): Processing necessary for the user agreement (account management, bookings, payments, communication)
- Consent (Art. 6(1)(a)): Push notifications, location-based search
- Legitimate interests (Art. 6(1)(f)): Platform improvement, fraud prevention, security
- Legal obligation (Art. 6(1)(c)): Retention of billing data as required by tax law
5. Data Processors
We use the following third-party services for data processing:
- Stripe, Inc. – Payment processing (PCI DSS compliant)
- Replit / Neon – Hosting and database operations
- Expo (EAS) – Push notification service
6. Data Retention
- Account data: Until account deletion
- Booking data: 10 years (legal retention requirement)
- Payment data: 10 years (tax law requirement)
- Chat messages: Until account deletion or upon request
- Push tokens: Until deactivation or account deletion
7. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): Request a copy of your stored data (data export available in Settings)
- Right to rectification (Art. 16): Correction of inaccurate data
- Right to erasure (Art. 17): Deletion of your account and data (except where legal retention applies)
- Right to restriction (Art. 18): Restriction of processing
- Right to data portability (Art. 20): Export your data in a machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw any given consent at any time
To exercise your rights, contact us at: [email protected]
8. Security Measures
- Encryption of all data transmissions (HTTPS/TLS)
- Password hashing with bcrypt
- JWT-based authentication
- Role-based access control
- Stripe PCI DSS-compliant payment processing
9. No Advertising or Tracking
Alfar does not use advertising SDKs, ad tracking, or third-party analytics SDKs. We do not sell personal data to third parties.
10. Contact
For privacy-related inquiries:
Email: [email protected]
You have the right to file a complaint with a data protection supervisory authority.