Home

Privacy Policy

Version 1.2 · in force since 2026-05-14 · pursuant to Art. 13-14 of Regulation (EU) 2016/679 (GDPR). For technical security measures see /en/security. For the sub-processor list see /legal/subprocessors.

Notice: this is an unofficial English translation provided for accessibility. The Italian original is the binding legal reference.

1. Data Controller

The Data Controller is Fabio Borgia (pending incorporation of neonatae. Srl), operating in Italy, contact: privacy@neonatae.it.

Note: the pediatrician using the platform is the autonomous Data Controller for the clinical data of their own patients. neonatae. acts as Data Processor (Art. 28 GDPR) for those patient data, governed by the DPA executed at registration (see Pediatrician DPA).

2. Data Processed

By role, the following data are processed:

  • Parent: name, email, password (hashed), child date of birth, child name, sex, message content sent to the pediatrician, attached photos.
  • Pediatrician: name, professional email, password (hashed), region, city, panel size, practice software in use, message content, scheduling rules, reply templates.
  • Child (Art. 8 GDPR, minor): name (display name chosen by parent), date of birth, sex, content of clinical conversations, photos/attachments. Consent for processing of the minor's data is given by the parent exercising parental responsibility.
  • Special-category data (Art. 9 GDPR): conversation content may include health data. Processed for healthcare purposes (Art. 9.2.h GDPR) under the pediatrician's responsibility.
  • Technical data: IP address, user agent, access logs, platform-action audit log.

3. Purposes and Lawful Bases

  • Service provision (Art. 6.1.b GDPR - contract performance)
  • Healthcare (Art. 9.2.h GDPR - for health data, under pediatrician responsibility)
  • Legal obligations (Art. 6.1.c GDPR - invoicing, medical-legal audit log)
  • Platform security (Art. 6.1.f GDPR - legitimate interest)

4. Recipients and Transfers

Data are hosted on Supabase (EU Frankfurt region) and on Vercel (global CDN, data at rest in EU). No extra-EU transfer for clinical data. Push notifications transit via the browser provider (Google FCM / Apple APNs / Mozilla) - payloads are end-to-end encrypted with VAPID keys. The only parties able to read conversation content are: (a) the parent account-holder, (b) the linked pediatrician.

5. Retention Periods

  • Active accounts: for the duration of the contractual relationship.
  • Medical-legal audit log: 10 years from the date of recording (Italian Civil Code Art. 2946 + medical-legal obligations).
  • Security backups: 30 days rotating.
  • Deleted-account data: 30-day safety net, then full deletion.

6. Data-Subject Rights

You have the right to: access (Art. 15), rectify (Art. 16), erase "right to be forgotten" (Art. 17), restrict processing (Art. 18), receive in structured format "portability" (Art. 20), object (Art. 21). To exercise these rights write to privacy@neonatae.it. You also have the right to lodge a complaint with the Italian Garante or your national supervisory authority.

7. Cookies and Similar Technologies

We use exclusively strictly-necessary technical cookies for authentication (Supabase session cookie) and language-preference storage. Under Art. 5.3 of the ePrivacy Directive and the Italian Garante guidelines (10 June 2021 and subsequent), technical cookies do not require prior consent. We do NOT use analytical, profiling, marketing or cross-site tracking cookies. If we ever introduce non-essential cookies, we will activate a compliant per-category consent banner and update this notice.

8. Security Measures

  • Transit: enforced TLS 1.3 (HTTPS).
  • Storage: at-rest encryption on Supabase Postgres + Storage.
  • Authentication: server-side bcrypt hashed passwords, signed JWTs.
  • Data isolation: Postgres Row Level Security (RLS) with per-table policies.
  • Audit log: append-only, retained 10 years.
  • Backups: automatic daily (Supabase) + Point-in-Time Recovery on roadmap.

9. Processing via Artificial Intelligence (Neo)

Pursuant to Regulation (EU) 2024/1689 (AI Act), Art. 50, we explicitly inform you that neonatae. integrates an AI system (Neo) with which you interact in chat. Neo is clearly identified in every message with visible labels ("Neo · gathering details", "Composed by Neo", "Neo · estimated reply"). neonatae. uses a language model (Mistral AI SAS - Paris, EU) for the functions detailed on /en/security:

  • Structured intake (Neo): collects information from the parent with targeted questions before passing the message to the pediatrician.
  • Reply suggestions for the pediatrician: 3 short variants that the pediatrician can edit and send. The final message is always the pediatrician's.

Lawful basis: Art. 6.1.b GDPR (contract performance - platform feature) + Art. 9.2.h GDPR (healthcare, under pediatrician responsibility).

Data transmitted to the AI provider: only at request time - child first name, age, sex, clinical conversation text of the current turn. No surname, fiscal code, email, address. Mistral AI does not train the model on our data (commercial clause) and does not retain prompts beyond the single request.

Opt-out: the pediatrician can disable automatic Neo intake from per-conversation settings. The parent's consent for the minor's data processing explicitly includes this processing.

Guardrails: Neo does not diagnose, prescribe drugs, or reassure on severe symptoms. Red flags (high fever in infant, dyspnea, bleeding, seizures, lethargy, fontanelle bulge) escalate automatically to the pediatrician with no further questions.

10. DPIA (Art. 35 GDPR)

Processing minor's and health data, we have conducted a Data Protection Impact Assessment (DPIA-003 v1.2) mapping 22 risks each with residual measure ≤ 4/5 (data breach, ATO, sub-processor, LLM clinical error, re-identification, identity-change abuse, etc.). External review by a healthcare-specialized DPO is scheduled by Q3 2026. LLM risk summaries are published on /en/security (see sections R-17 through R-22). The full DPIA is available on request to privacy@neonatae.it.

This Privacy Policy is version 1.2 in force since 2026-05-14. External DPO review specialized in healthcare is scheduled by Q3 2026. Any updates will be communicated to users with 30-day prior notice, as required by Art. 13.2.f GDPR.