GDPR Statement
1. Overview
Carehub is committed to complying with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and its national implementing legislation across EU and EEA member states. This statement explains how GDPR applies to Carehub's operations both as a data controller (for its own business activities) and as a data processor (on behalf of the clinics that use our platform).
This document is intended primarily for clinic operators evaluating Carehub for compliance purposes. For a full description of personal data practices, please refer to our Privacy Policy.
2. Controller vs Processor Roles
Where Carehub is the Data Controller
Carehub acts as an independent data controller when processing:
- Personal data of clinic staff and administrators who have accounts directly with Carehub (name, email, role, billing details).
- Personal data of individuals who submit demo requests or contact us via the website.
- Technical and platform-level usage data collected for security, debugging, and service improvement.
For this processing, Carehub determines the purposes and means of processing and is fully responsible for GDPR compliance.
Where Carehub is the Data Processor
Carehub acts as a data processor under GDPR Art. 28 when clinics use our platform to manage their patient data. In this role:
- The clinic is the data controller and determines the purposes and means of processing patient data.
- Carehub processes patient data only on the documented instructions of the clinic.
- Carehub does not process patient data for its own purposes beyond what is necessary to deliver the contracted service.
- Special-category health data (GDPR Art. 9) is processed by Carehub as a processor acting under the clinic's Art. 9(2) lawful basis (typically Art. 9(2)(h) — provision of healthcare, or Art. 9(2)(a) — explicit patient consent).
If you are a patient of a clinic using Carehub and wish to exercise your GDPR rights, your primary contact is the clinic. The clinic may engage Carehub to fulfil your request under its processor obligations.
3. Data Processing Agreement (DPA)
Carehub makes a Data Processing Agreement (DPA) available to all clinics using the platform, as required by GDPR Art. 28(3). The DPA governs:
- The subject matter, duration, nature, and purpose of processing.
- The type of personal data and categories of data subjects.
- The obligations and rights of the controller.
- Sub-processor engagement and notification procedures.
- Security measures and audit rights.
- Assistance with data subject rights requests and breach notifications.
- Deletion or return of data upon termination.
To request a copy of the DPA or to enter into a signed DPA for your clinic, email [email protected] with the subject "DPA Request".
4. Sub-Processor List
Carehub engages the following sub-processors to deliver the service. All sub-processors are bound by contractual obligations at least as protective as those in our DPA:
| Sub-processor | Role | Categories of data | Headquarters |
|---|---|---|---|
| Supabase Inc. (hosted on AWS eu-central-1) | Database, authentication, file storage (PostgreSQL + S3-compatible) | All clinic data including patient records, authentication credentials, uploaded files | United States |
| Vercel Inc. | Serverless compute and static asset hosting | Request payloads, API responses, server-side logs | United States |
| Resend Inc. | Transactional email delivery | Recipient email addresses, email body content | United States |
| Cloudflare Inc. | DNS management, CDN, DDoS protection | IP addresses, HTTP request metadata | United States |
| Meta Platforms Inc. (WhatsApp Business API) | WhatsApp message delivery | Recipient phone numbers, message content (when WhatsApp feature enabled) | United States |
| Google LLC (Gemini AI) | AI-generated clinical text summaries | Clinical note text (only when AI summary feature is explicitly enabled by clinic) | United States |
Carehub will provide at least 30 days' prior written notice before engaging a new sub-processor or replacing an existing one. Controllers who object to a new sub-processor may terminate the service during the notice period.
5. International Data Transfers
Several of Carehub's sub-processors are based in the United States, which is a third country under GDPR. To ensure an adequate level of protection for such transfers, Carehub relies on:
- Standard Contractual Clauses (SCCs) adopted under EU Commission Decision 2021/914 (Module 2: Controller to Processor; Module 3: Processor to Sub-processor), incorporated into each sub-processor DPA.
- Transfer Impact Assessments (TIAs) conducted for each sub-processor to evaluate the legal and practical risk of surveillance laws in the receiving country.
For the sub-processors whose processing takes place within the EU or UK (Supabase's primary database region is AWS eu-central-1 Frankfurt; Vercel's API runtime is lhr1 London), data does not leave the EEA/UK during normal operations. Copies of applicable SCCs are available on request.
6. Data Subject Request Procedures
Requests Directed to Carehub as Controller
For data that Carehub controls directly (account data, demo inquiries), submit requests to [email protected]. We will respond within 30 calendar days. We may require identity verification before actioning a request.
Requests Directed to Carehub as Processor
For patient data held on behalf of clinics, the patient should contact the clinic (the controller) directly. The clinic will direct Carehub to fulfil the request as required. Carehub commits to:
- Providing all information necessary for the clinic to respond to the request within 5 business days.
- Assisting with technical export, anonymisation, or deletion as instructed by the controller.
- Not actioning direct data subject requests for processor-role data without the clinic's authorisation, except where legally compelled.
7. Breach Notification
Carehub maintains a documented incident response procedure aligned with GDPR Art. 33–34 obligations:
- All security incidents are logged and triaged by our security team within 24 hours of detection.
- Carehub is deemed to have "become aware" of a breach upon the first credible internal confirmation of a personal data compromise (not the initial alert or unverified report).
- Incidents that constitute a personal data breach triggering GDPR notification obligations will be reported to affected data controllers within 72 hours of Carehub becoming aware, enabling controllers to fulfil their own notification obligations to supervisory authorities and data subjects.
- Breach notifications will include: nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records concerned, likely consequences, and measures taken or proposed.
- Where Carehub is the data controller, we will notify the relevant supervisory authority within 72 hours and, where required, affected individuals without undue delay.
- Copies of our incident response policy are available to customers under NDA by request to [email protected].
7a. Data Protection Impact Assessment (DPIA)
Because Carehub processes special-category data (health information under GDPR Art. 9) at scale, we have conducted a Data Protection Impact Assessment pursuant to GDPR Art. 35. The DPIA covers:
- A systematic description of the processing operations and their purposes.
- An assessment of the necessity and proportionality of the processing.
- An assessment of the risks to the rights and freedoms of data subjects.
- The measures envisaged to address those risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.
The DPIA is reviewed at least annually and updated when processing operations change materially. A redacted executive summary is available to customers under NDA by request to [email protected].
8. Data Residency
| Component | Provider | Primary Region | Notes |
|---|---|---|---|
| Database (PostgreSQL) | Supabase / AWS | eu-central-1 (Frankfurt, Germany) | All tables including patient records |
| File storage | Supabase / AWS S3 | eu-central-1 (Frankfurt, Germany) | Uploaded documents, images, receipts |
| API compute | Vercel | lhr1 (London, UK) | Serverless function execution |
| Static assets | Vercel CDN | Global edge (nearest PoP) | HTML, CSS, JS only — no personal data |
| Email delivery | Resend | US-based sending | SCCs in place; message content in transit only |
Customers who have specific data residency requirements (e.g., data must remain within Egypt, Saudi Arabia, or a specific EU member state) should contact us to discuss options.
9. Records of Processing Activities (RoPA)
Carehub maintains an internal Record of Processing Activities as required by GDPR Art. 30. Our RoPA documents:
- Contact details of Carehub as controller and processor.
- Purposes of processing for each activity.
- Categories of data subjects and personal data.
- Categories of recipients.
- Third-country transfers and safeguards.
- Planned retention periods.
- Technical and organisational security measures.
The RoPA is available for inspection by supervisory authorities on request. Clinics using Carehub as a processor should maintain their own RoPA entries for patient data processing activities, with Carehub listed as a sub-processor.
10. Data Protection Officer
Because Carehub processes special-category health data on behalf of healthcare providers, we have voluntarily designated a Data Protection Officer (DPO) responsible for:
- Advising on and monitoring compliance with GDPR and applicable data-protection law.
- Handling data subject requests, DPA/SCC execution, and security-questionnaire responses.
- Acting as the contact point for supervisory authorities and data subjects.
The DPO can be reached at [email protected]. For security-specific disclosures, use [email protected].
11. Supervisory Authority
As Carehub does not currently operate an EU establishment, no single "lead supervisory authority" under GDPR's one-stop-shop mechanism has been formally designated. In practice:
- EU / EEA residents: Lodge complaints with the supervisory authority of your member state of residence, place of work, or place of the alleged infringement (GDPR Art. 77).
- UK residents: Contact the Information Commissioner's Office (ICO) at ico.org.uk.
- California residents: Contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
We will update this section if and when we establish an EU presence and a lead supervisory authority is formally designated. We commit to cooperating in good faith with supervisory authorities and resolving complaints through dialogue before formal proceedings are initiated.
12. Version History
| Version | Date | Summary of Changes |
|---|---|---|
| 1.1 | 2026-04-19 | Added DPIA section, DPO designation, CPPA reference, and triage timeline for breach notification |
| 1.0 | 2026-04-19 | Initial publication |