Privacy Policy

1. Who is responsible for your data

Doctavie is operated by its founding entity in Algiers, Algeria. References to "Doctavie", "we", "us", and "our" in this Policy mean that operating entity, acting as the data controller for the personal data described below.

You may contact us at any time at support@doctavie.com for any question about this Policy or about the data we hold about you.

2. The categories of data we collect

Identity and contact data — first name, last name, email, phone number, profile photo, preferred language, wilaya, and (when you choose to share it) approximate geolocation. For doctors, pharmacists, and pharmacies, this also includes professional identifiers such as the CNOM number (Algerian medical licence), the pharmacist registration number, and the pharmacy licence and registration number.

Health data — date of birth, gender, blood type, chronic conditions, current medications, allergies, emergency contacts, vitals (blood pressure, blood sugar, heart rate, temperature, weight), patient conditions and diagnoses (including ICD-10 codes), uploaded medical documents (lab results, scans, X-rays, prior prescriptions), consultation messages, and prescriptions issued through the Service.

Insurance and reimbursement data — CHIFA card number, national identity number (NIN), CNAS centre code, and coverage provider (CNAS, CASNOS, private mutuelle, or none). The CHIFA card number and the NIN are encrypted at rest at the column level.

Financial data — payment method indicator (Chargily, BaridiMob, cash-on-delivery), Chargily payment identifier, invoice references, and (for diaspora doctors) the payout currency selected and the payout account information you provide. Payout account information is stored opaquely and is not readable through the regular client APIs.

Family member data — when you add a dependent (a child, a spouse, a parent, a sibling) to your account, we collect their name, relationship to you, date of birth, gender, blood type, chronic conditions, current medications, allergies, and CHIFA card / NIN where you provide them. Adult dependents must give explicit consent, recorded with a timestamp.

Device, session, and usage data — push notification tokens (FCM on Android, APNs on iOS), session JWTs (stored in encrypted device storage on mobile, in browser storage on web), interface preference cookies on web (theme, font, layout, sidebar state), error and performance reports collected through Sentry, and audit logs of state changes for prescriptions, appointments, and payments.

Real-time consultation data — text messages exchanged during a consultation, optional voice notes recorded by the doctor, and the channel identifier of the audio / video call (we do not store the audio or video stream itself).

3. Why we use your data

To provide the Service: to authenticate you, to let you book and hold consultations, to render prescriptions, to route prescriptions to the pharmacy you choose, to deliver medication where you select courier delivery, and to maintain the medical record associated with your account.

To meet our regulatory obligations: to keep the audit trails of prescriptions, dispensing, payments, and reimbursement that Algerian healthcare and tax law require us to keep; to enforce single-fill rules on Tableau A, B, and C substances; and to verify the identity of patients receiving controlled substances.

To process payments and pay clinicians: to collect consultation fees through Chargily and BaridiMob, to remit the doctor's share, and (for diaspora doctors) to pay out in the currency you have selected.

To keep the Service safe and reliable: to detect abuse, to investigate security incidents, to monitor errors and performance through Sentry, and to enforce the Terms of Service.

To communicate with you: to confirm appointments, to deliver prescription notifications, to send reminders, to inform you of changes to this Policy or to the Terms.

4. The legal basis for processing

We process your data on the basis of (i) the performance of the contract we have with you (the Terms of Service), (ii) your consent, where consent is required for a specific category — notably for health data, geolocation, push notifications, and adult-dependent data, (iii) our legal obligation under Algerian healthcare, pharmaceutical, and tax law, and (iv) our legitimate interest in operating, securing, and improving the Service in a way that is reasonable and proportionate to your privacy.

You may withdraw any consent at any time. Withdrawing a consent does not affect the lawfulness of any processing carried out before the withdrawal. Some categories — for example, the audit trail of a prescription that has been dispensed — must be retained even after withdrawal, because Algerian law requires us to keep them.

5. Who has access to your data

The clinician you choose — the doctor with whom you book a consultation has access to the medical information you share with them and to the data they generate (consultation notes, prescriptions). They are bound by their own professional duty of confidentiality.

The pharmacy you choose — the pharmacy that receives a prescription you have routed to it has access to that prescription and to the strict minimum of patient identity needed to dispense it lawfully (including ID verification for controlled substances).

Family members — when you act as the legal guardian of a dependent or when an adult dependent has consented, you have access to their medical record within the Service.

Doctavie staff — a small operations team has access to the parts of the Service required to verify professional credentials, investigate incidents, support patients, and run the platform. Access is logged.

Service providers acting on our behalf (data processors): Supabase (database, authentication, storage, edge functions, real-time messaging — our primary infrastructure), Chargily (payment processing in Algeria), BaridiMob (mobile money payment), Yalidine and equivalent partner couriers (medication delivery and tracking), Agora (audio / video conferencing), Expo / Firebase Cloud Messaging / Apple Push Notification service (push notifications), and Sentry (error and performance monitoring).

Diaspora cross-border processing — when you request an asynchronous specialist review from a diaspora doctor, the medical documents and questions you submit are made available to that diaspora doctor in their country of practice. By making this request, you consent to the cross-border transfer of the data necessary for the specialist to review it.

Authorities — we may disclose data to a competent Algerian authority where the law requires us to, such as a judicial requisition or a regulatory inspection. We will not disclose more than is strictly required.

6. Special categories: health data

Health data is treated as a sensitive category in this Policy. We collect and process it only for the purpose of providing healthcare to you (or to the dependent you legally represent) through the Service, and only with the consent that you give when you sign up and when you book a consultation.

You can review the medical record we hold about you, request corrections, and ask for a copy. You can also delete a medical document you uploaded, subject to the audit-trail retention rules above.

7. Children's data

You must be 18 or older to register your own personal account on Doctavie. Children under 18 may receive care through the Service only as dependents added by a parent or legal guardian, using the Family Members feature.

We do not knowingly process the data of a child outside of this guardianship model. If you believe we are holding data about a child without proper guardianship, please contact us at support@doctavie.com so that we can investigate and, where appropriate, delete the data.

8. How long we keep your data

Account profile data is kept for as long as your account is active. When you close your account, we delete the data we are not required to keep.

Prescriptions, dispensing records, payments, and the related audit trails are kept for the period required by Algerian healthcare and tax law (typically ten years for medical records and financial records; longer for narcotic-related dispensings). We keep these even after you close your account, in accordance with the law.

Real-time consultation messages are kept for the duration of your medical record. Voice notes recorded by the doctor as part of a prescription are kept for the duration of the prescription and the related audit trail.

Sentry crash and performance reports are kept for the period defined by our Sentry plan (currently up to 90 days).

9. International data transfers

Doctavie infrastructure (Supabase) is hosted on cloud infrastructure outside Algeria. By using the Service, you acknowledge that your data is stored and processed on that infrastructure, with the same level of protection that is described in this Policy.

When you request an asynchronous specialist review from a diaspora doctor (for example, a cardiologist in Lille or in Montréal), the data you submit is transferred to the country in which that doctor practises, for the purpose of the review. We rely on your explicit consent for this transfer, and we transfer only the medical documents and questions necessary for the specialist to provide their opinion.

10. How we protect your data

Sensitive identifiers — the CHIFA card number and the national identity number — are encrypted at rest at the column level.

Database access is governed by row-level security policies that enforce, for every row, that the user requesting it has the right to see it. Sessions are issued and validated through Supabase Auth. Mobile sessions are stored in the encrypted secure storage of the operating system (Keychain on iOS, encrypted SharedPreferences on Android).

Doctor payout details are stored opaquely and are not readable through the regular client APIs; only privileged platform processes can access them, for the purpose of executing payouts.

No system is perfectly secure. We take reasonable technical and organisational measures, but we cannot guarantee absolute security. If you discover a vulnerability or suspect a security incident, please contact us at support@doctavie.com.

11. Your rights

You may request access to the personal data we hold about you, the correction of inaccurate data, the deletion of data we are not legally required to retain, the restriction or objection of certain processing, and the portability of your data in a structured, commonly-used format.

You may exercise these rights from within the Service where the relevant control is available, or by writing to support@doctavie.com. We will respond within a reasonable period, usually within thirty (30) days.

If your concern cannot be resolved with us, you may also bring it before the relevant Algerian authority for the protection of personal data, in accordance with applicable law.

12. Cookies and similar technologies

On the web Console, we use a small number of cookies for interface preferences only — your selected theme (light / dark / system), your selected font, your selected layout variant, and the open / closed state of the navigation sidebar. These cookies do not contain authentication data and are not used for advertising. They are stored for up to one year and can be deleted at any time from your browser.

On the web Console, your authentication session is held in browser storage (not in a cookie). On mobile, sessions are held in the encrypted secure storage of the operating system.

13. Changes to this Policy

We may update this Policy from time to time, especially as we add features and as we onboard new partner organisations. The current version is the version published at the URL where you are reading this document. We will give reasonable notice in advance of any change that materially affects you.

14. Contact

For any question about this Policy, to exercise a right, or to raise a concern, please write to support@doctavie.com.