Privacy Policy – Rhealth360

← Back

1. Who We Are

Rhealth360 is the data controller for your personal data. We are based in Ireland and subject to the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

Data Protection Officer
Email: support@riztech.ie

2. What Data We Collect

We process the following categories of personal data:

Category	Examples
Identity Data	First name, surname, title, date of birth, gender
Contact Data	Address, email, phone / mobile number
Health Data Special Category	Medical history, diagnoses, prescriptions, clinical notes, investigation results, procedures
Appointment Data	Dates, times, doctor assigned, visit type, status
Financial Data	Invoices, receipts, insurance details
Technical Data	IP address, browser type, login timestamps

3. Lawful Basis for Processing

We rely on the following lawful bases under GDPR Articles 6 and 9:

Processing Activity	Lawful Basis (Art. 6)	Special Category (Art. 9)
Processing patient health data for the provision of healthcare services.	6(1)(b) — contractual necessity / 6(1)(c) — legal obligation	9(2)(h) — health/social care
Sending appointment reminders and confirmations via SMS/WhatsApp.	6(1)(f) — legitimate interest	9(2)(h) — health/social care
Processing based on explicit patient consent (e.g. marketing).	6(1)(a) — consent	N/A

4. How We Use Your Data

Providing healthcare services and managing appointments
Sending appointment reminders via SMS
Managing prescriptions, investigations and clinical procedures
Generating invoices and processing insurance claims
Communicating with referral hospitals and specialists
Meeting our legal and regulatory obligations

5. Data Retention

We retain your personal data only as long as is necessary or as required by Irish law:

Data Type	Retention Period
Medical records	8 years (Irish regulatory requirement)
Appointment records	8 years
SMS / message logs	365 days
Activity / audit logs	2 years
Deleted accounts	30 days, then permanently removed

When retention periods expire, data is either securely deleted or anonymised in accordance with our data management policy.

6. Your Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15) — Request a copy of your personal data.
Right to Rectification (Article 16) — Correct inaccurate personal data.
Right to Erasure (Article 17) — Request deletion of your data (subject to legal retention requirements).
Right to Restrict Processing (Article 18) — Limit how we use your data.
Right to Data Portability (Article 20) — Receive your data in a machine-readable format.
Right to Object (Article 21) — Object to processing based on legitimate interests.
Right to Withdraw Consent — Where processing is based on consent, you may withdraw it at any time.

We will respond to your request within 30 days as required by GDPR Article 12(3).

7. Cookies

We use the following types of cookies:

Essential cookies — Required for the application to function (session, CSRF protection). These cannot be disabled.
Analytics cookies — Help us understand how the application is used (only with your consent).
Preference cookies — Remember your settings such as theme and language (only with your consent).

You can manage your cookie preferences at any time using the cookie banner shown on your first visit.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

Encryption of data in transit (TLS/HTTPS)
Role-based access controls and permission management
Regular audit logging of data access
Secure password hashing
Regular system updates and security patches

9. Data Sharing

We may share your data with:

Healthcare providers — Referral hospitals, specialists, laboratories
Insurance companies — For claim processing (with your consent)
SMS/communication providers — To send appointment reminders (Twilio)
Regulatory authorities — If required by law

We do not sell your personal data to any third party.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours in accordance with GDPR Article 33. Where the breach poses a high risk to you, we will also notify you directly under Article 34.

11. International Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). If any data is transferred outside the EEA (e.g. cloud infrastructure), we ensure appropriate safeguards are in place such as Standard Contractual Clauses (SCCs).

12. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available at this page. We encourage you to review it periodically.

Last updated: 2 March 2026

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Rhealth360
Email: support@riztech.ie

You also have the right to lodge a complaint with the Irish Data Protection Commission.