Privacy Policy
Last updated: 13 July 2026 · Applies to ponavita.com and the Ponavita platform.
1. Who we are (Data Controller)
Ponavita is operated by HandwerkSolutions OÜ, Sepapaja tn 6, Lasnamäe linnaosa, 15551 Tallinn, Harju maakond, Estonia ("Ponavita", "we", "us"). We are the controller of the personal data described here.
Data Protection contact / DPO: e-contact@ponavita.com.
2. What we collect
- Account & contact data: name, email, phone, country, preferred language.
- Case data: your enquiry, specialty of interest, non-clinical intake summary, case status.
- Special-category (health) data — GDPR Art. 9: medical documents, reports, and information you upload or that is created to coordinate your care.
- Documents: passport/visa/invoices and other files you provide for travel and treatment coordination.
- Communications: messages and email correspondence with our team.
- Technical data: authentication/session data and basic security logs.
3. Why we process it & legal bases
- To provide the service (coordinate a review, quote, travel and treatment) — performance of a contract (Art. 6(1)(b)).
- Health data — processed only with your explicit consent (Art. 9(2)(a)); the specific consent text and version are recorded. You can withdraw consent at any time.
- Legal obligations (e.g. accounting) — Art. 6(1)(c).
- Security and service integrity — legitimate interests (Art. 6(1)(f)).
4. Who we share it with
- German partner clinics — to obtain a medical opinion, quote or treatment. Clinics are proxied through Ponavita; your data is shared with a clinic only as needed to coordinate your care.
- Referral agents — where you came through an agent, the agent sees case status only and never your medical documents, quotes or consents.
- Processors — hosting and infrastructure providers acting on our instructions: Supabase (database/auth, EU region), Amazon Web Services (email delivery via SES, EU region), Cloudflare (content delivery).
- We do not sell your personal data.
5. Where your data is stored (international transfers)
Personal and health data is hosted in the European Union (Frankfurt / eu-central-1). Where any transfer outside the EEA is necessary (e.g. a treating clinic located outside the EEA, or your own choices), we rely on an appropriate safeguard such as your explicit consent or Standard Contractual Clauses. [CONFIRM/EXPAND per your actual providers and clinic locations.]
6. How long we keep it
We keep personal and health data for as long as needed to provide the service and to meet legal retention obligations, then delete or anonymise it. [SPECIFY retention periods.]
7. Your rights
Subject to the GDPR you may request access, rectification, erasure, restriction, portability, and object to processing; withdraw consent for health-data processing at any time; and lodge a complaint with your supervisory authority (in Germany, the competent data protection authority). To exercise these rights, contact e-contact@ponavita.com.
8. Security
Access to medical data is restricted by role (row-level security): agents never receive medical documents; only authorised medical reviewers and administrators can access clinical files. Data is encrypted in transit; access is authenticated.
9. Cookies
We use only the cookies/local storage necessary to keep you signed in and to secure the service. We do not use advertising cookies. [ADD a cookie/consent notice if you introduce analytics.]
10. Changes
We may update this policy; material changes will be posted here with a new "Last updated" date.
11. Contact
HandwerkSolutions OÜ, Sepapaja tn 6, Lasnamäe linnaosa, 15551 Tallinn, Harju maakond, Estonia · e-contact@ponavita.com.