Privacy Policy

SmartArzt – Web Application, Chrome Extension and Public API

Last updated: May 13, 2026

1. Data Controller

DataFit Solutions OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Ahtri tn 12, 15551, Estonia
Email: info@datafit-solutions.com

2. Scope

This privacy policy applies to all services provided by DataFit Solutions OÜ under the SmartArzt brand, including:

Web application at app.smartarzt.de
SmartArzt Audio Recorder Chrome Extension
Public API for third-party integrations

SmartArzt is designed for medical professionals (physicians and medical practices). Users are the data controllers under the GDPR for any patient data they process through SmartArzt. DataFit Solutions OÜ acts as a data processor in this regard pursuant to Art. 28 GDPR.

3. Data We Process

3.1 User Data

When registering and using the service, we process:

Name and email address
Authentication credentials (managed by Auth0)
Usage and billing data (number of recordings processed, quota usage)

3.2 Audio Data and Medical Documents

In the course of using the service, we process:

Audio recordings
Transcriptions of recordings
AI-generated medical letters and documents
Uploaded context documents (e.g. lab results, PDFs)

This data may contain patient data (special categories of personal data under Art. 9 GDPR). DataFit Solutions OÜ processes this data solely on the instructions of the medical practice as data processor.

3.3 Technical Data

IP addresses and access timestamps (in server logs)
Device information and browser type
Settings stored locally in the Chrome Extension (API key, recording preferences)

4. Legal Basis for Processing

Data type	Legal basis
User data, authentication	Art. 6(1)(b) GDPR (performance of contract)
Usage and billing data	Art. 6(1)(b) GDPR (performance of contract)
Audio data and medical documents	Art. 6(1)(b), Art. 9(2)(h) GDPR (performance of contract; processing on behalf of the controller)
Server logs, security monitoring	Art. 6(1)(f) GDPR (legitimate interest in security and operations)

5. Processors and Sub-processors

We do not share your data with third parties for commercial purposes. To provide the service, we engage processors under data processing agreements pursuant to Art. 28 GDPR. All processing takes place exclusively within the European Union. A current list of our sub-processors is available on request at info@datafit-solutions.com.

6. Data Retention and Deletion

Web application: Account data and medical documents are retained for the duration of the contractual relationship and deleted in full within 30 days of contract termination.

Public API: Audio uploads, transcriptions and generated documents are automatically deleted within 48 hours of processing.

Server logs: Technical access logs are retained for 365 days and then deleted.

7. Data Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS). Infrastructure runs in private AWS networks with no direct internet exposure.

8. Your Rights (GDPR)

As a data subject you have the following rights:

Access (Art. 15 GDPR): What data we hold about you
Rectification (Art. 16 GDPR): Correction of inaccurate data
Erasure (Art. 17 GDPR): Deletion of your data
Restriction (Art. 18 GDPR): Restriction of processing
Data portability (Art. 20 GDPR): Receipt of your data in machine-readable format
Objection (Art. 21 GDPR): Objection to processing
Complaint: With a supervisory authority, e.g. the Estonian Data Protection Inspectorate (www.aki.ee)

To exercise your rights, contact us at: info@datafit-solutions.com

9. Contact

DataFit Solutions OÜ
Email: info@datafit-solutions.com
Further information: Trust Center