← Back to CardioHelper

Privacy Policy

Last updated: March 25, 2026

1. Who We Are

CardioHelper is operated by Dr. Zbigniew Bociąga ("we", "us", "our"). We provide an informational clinical decision support tool that synthesizes published cardiology guidelines. For privacy inquiries, contact us at privacy@cardiohelper.com.

2. Data We Collect

2.1 Account Data

When you create an account: email address, name (optional), and payment information (processed by our payment provider — we do not store card details).

2.2 Query Data

Clinical questions you submit to CardioHelper. All queries are automatically scrubbed of personally identifiable information (PII) — including patient names, dates of birth, medical record numbers, and other identifiers — before processing. We store only redacted queries in anonymized audit logs for clinical governance purposes.

2.3 Usage Data

We collect anonymized usage analytics (page views, feature usage) via Vercel Analytics. No cookies are used for tracking. No third-party advertising trackers are present on our site.

3. How We Process Your Data

Queries are processed via a dedicated API endpoint with our LLM provider under a zero-retention agreement. This means:

  • Your query data is not used to train any AI models
  • Query content is not retained by the LLM provider after processing
  • No query data is shared with third parties

4. Where Your Data Is Stored

All data is hosted on servers located in Frankfurt, Germany (EU), ensuring compliance with GDPR data residency requirements. Data never leaves EU infrastructure.

5. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — limit processing of your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, email privacy@cardiohelper.com. We will respond within 30 days.

6. Data Retention

  • Account data — retained while your account is active, deleted within 30 days of account closure
  • Anonymized audit logs — retained for 12 months for clinical governance, then permanently deleted
  • Payment records — retained as required by applicable tax law (typically 7 years)

7. Data Processing Agreements

For institutional deployments, we provide a custom Data Processing Agreement (DPA) that meets GDPR Article 28 requirements. Contact governance@cardiohelper.com.

8. Third-Party Processors

  • Hosting — Vercel (EU region) / AWS eu-central-1
  • Payment processing — Stripe (PCI DSS Level 1 certified)
  • Analytics — Vercel Analytics (privacy-friendly, no cookies)
  • LLM provider — under zero-retention agreement, EU processing

9. Changes to This Policy

We will notify registered users by email of any material changes to this privacy policy at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

10. Contact

For any privacy-related questions or requests:
privacy@cardiohelper.com

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.