1. Data controller
JUNIOR S.R.L. — Biofertility
Registered office: Viale Eroi di Rodi 214, 00128 Rome (RM), Italy
Clinic: Via Velletri 7, 00198 Rome (RM), Italy
VAT and tax ID: 05470161000
Email: centrimanna2@gmail.com
Certified email (PEC): juniorsrlroma@pec.it
Phone: +39 06 841 5269
2. Personal data we process
- identity, personal and contact details relating to the patient and, in couple pathways, the partner;
- tax, payment and invoicing details;
- booking details, requested services and healthcare or medically assisted reproduction documentation;
- identity documents uploaded for applicable administrative purposes;
- notices, declarations and acknowledgements, including their version, date and technical collection evidence;
- technical and security data, such as IP address, user agent, audit logs and session identifiers;
- WhatsApp number, preferences and delivery status only when the optional service is enabled.
Health information and the requested healthcare service are special categories of personal data under Article 9 GDPR.
3. Purposes and legal bases
- Booking and delivery of healthcare services: Article 6(1)(b) GDPR and, for health data, Article 9(2)(h) GDPR and applicable healthcare law.
- Healthcare, administrative, accounting and tax obligations: Article 6(1)(c) GDPR.
- Security, abuse prevention and legal claims: security obligations and the Controller’s legitimate interests, where applicable.
- Transactional WhatsApp messages: optional consent under Article 6(1)(a) GDPR, withdrawable at any time without affecting the main service.
Acknowledgement of this notice and of the general healthcare information are collected separately. Any procedure-specific informed consent is obtained by the healthcare professional before that procedure. Processing of health data that is necessary to provide care is not presented as optional consent.
4. System operation and automation
- Google Calendar: to manage schedules, an event may contain the patient’s name, contact details, service, clinic or online format, time and booking notes. The patient’s email may be added as an attendee. Authorised staff may use these events only for operational and healthcare purposes.
- Bank reconciliation: the system may automatically match a bank transaction to a payment request; ambiguous or incomplete cases are referred to staff for review.
- AI-assisted document templates: automated processing is limited to templates. Clinical records and identity documents must not be submitted to generative models without specific authorisation and assessment.
- We do not make decisions based solely on automated processing that produce legal or similarly significant effects.
5. Recipients and service providers
Where necessary and under access controls, data may be processed by authorised staff and by:
- Railway for application hosting;
- Neon for the PostgreSQL database;
- Supabase for private document storage;
- Stripe for card payments or provider-managed bank transfers;
- Fatture in Cloud / TeamSystem for invoicing and connected compliance tasks;
- Enable Banking for authorised access to bank-transaction information;
- Google Workspace and Google Cloud for Calendar, Drive, Sheets, Gmail and technical template functions;
- Resend for transactional email;
- Meta Platforms / WhatsApp Business Platform only after a WhatsApp opt-in.
Personal data is not sold or used for behavioural advertising.
6. Transfers outside the EEA
Some providers are established or operate infrastructure outside the European Economic Area. Where relevant, transfers must rely on an adequacy decision, the Data Privacy Framework where applicable, Standard Contractual Clauses, or another safeguard under Articles 44 and following GDPR. The Controller reviews contracts, processing regions and subprocessors as part of supplier governance.
7. Retention
- Tax and accounting documents: for the statutory period, normally 10 years.
- Healthcare and medically assisted reproduction documentation: under the clinical and medico-legal retention schedule approved by the Controller.
- Temporary identity documents linked to a booking: removed from the operational flow after 7 days unless a documented need applies.
- Unreferenced temporary uploads: automatically deleted after 7 days.
- Privacy-form tokens: valid for 48 hours and removed after the technical security period following expiry.
- WhatsApp data and secure links: minimised or deleted under configured technical retention; opt-out immediately prevents new messages.
- Audit logs: retained as necessary for security, accountability and applicable obligations.
8. Security and access controls
- HTTPS/TLS and security headers;
- hashed passwords and mandatory two-step verification for staff and administrators;
- role-based access and staff access limited to assigned patients;
- private storage, short-lived signed URLs and paths that do not expose email addresses;
- application-level encryption for credentials and tokens where required;
- access auditing and minimisation or redaction of application logs;
- rate limiting, CSRF protection and uploaded-file checks.
9. Optional WhatsApp service
WhatsApp is used only after a separate, explicit opt-in. It may be used for confirmations, reminders and document-availability notices through temporary links. You may opt out using the instructions in the message or by contacting the Controller. Completing a privacy form does not, by itself, enable WhatsApp.
10. Your rights
Where Articles 15–22 GDPR apply, you may request access, rectification, erasure, restriction, portability or object to processing, and you may withdraw optional consent. Erasure requests are recorded and reviewed; clinical or tax data subject to statutory retention is not automatically deleted.
Email centrimanna2@gmail.com or the certified address juniorsrlroma@pec.it. The Controller normally responds within one month, subject to any reasoned extension permitted by the GDPR.
11. Cookies
The platform uses only technical cookies required for sessions, security and CSRF protection. It does not use profiling or advertising-tracking cookies; consent is not requested for these strictly necessary cookies.
12. DPO and complaints
For privacy matters, contact the Controller using the details above. If a Data Protection Officer is appointed, their contact details will be published in this section.
You may also lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187 Rome, using the channels published at garanteprivacy.it.
13. Changes
Material changes will be published with a new version and effective date. Technical evidence of later acknowledgements will refer to the version in force when it was collected.