Legal document
Privacy policy
Last updated:
This policy explains which personal data is collected and processed when you use the Oulitech platforms, for which purposes, on which legal bases, and which rights you may exercise. It applies to two categories of persons: the Clinic staff who use the service, and the patients whose data is entered into the platform by the Clinic.
1. Who is the data controller?
Roles vary depending on the category of data:
- Patient data: the Clinic is the data controller. Oulitech acts as a data processor.
- Clinic staff data: Oulitech is joint controller together with the employing Clinic.
- Browsing data: Oulitech is the sole controller.
2. Which data do we collect?
a. About patients (entered by the Clinic)
- Identity: surname, first name, date of birth, gender, national identification number.
- Contact details: phone, email, emergency contact.
- Appointments: date, time, department, physician, status, source, appointment notes.
- Health data: free-text clinical notes entered by staff, consultation history, medical history entered manually, waiting list.
b. About Clinic staff
- Professional identity: surname, first name, email address, phone number.
- Roles and permissions assigned within the Clinic.
- Sign-in data: timestamps, authentication token.
- Account status (active, deactivated) and history of sensitive actions.
c. About the Clinic as an organisation
- Establishment information: legal name, address, opening hours, departments, affiliated physicians, Google Maps link.
- Approval status (pending, approved, rejected).
- Technical connection and usage logs.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provide the clinic management service to the Clinic | Performance of the contract |
| Manage authentication and account security | Legitimate interest, legal obligation |
| Notify users (appointments, internal alerts) | Performance of the contract |
| Improve the platform and detect abuse | Legitimate interest |
| Respond to a request from a competent authority | Legal obligation |
4. Retention period
- Patient data: retained for as long as the Clinic remains a customer, then deleted within thirty (30) days following termination.
- Deactivated user accounts: anonymised within twelve (12) months following deactivation.
- Technical logs: retained for a maximum of twelve (12) months.
- Backups: purged according to a rotation cycle not exceeding thirty (30) days.
5. Data recipients
Data is accessible only to authorised persons:
- Clinic staff, according to the system of roles and permissions;
- the Oulitech technical team, strictly within the scope of maintenance, support and security;
- our technical subprocessors (hosting, transactional email, SMS);
- public authorities where the law so requires.
Oulitech does not sell, rent or transfer any patient data to third parties for commercial, advertising or profiling purposes.
6. Data location
Application data — patients, appointments, clinical notes, user accounts, histories and backups — is hosted in Algeria, on infrastructure located on the national territory. It is not subject to any cross-border transfer for processing or storage.
Two secondary technical components are hosted outside Algeria:
- The web interface: static files via CDN. No patient data.
- Transactional email delivery: specialised provider which may be located outside Algeria. Strictly necessary fields only (name, appointment date/time, Clinic name).
For these two exceptions, Oulitech ensures that appropriate contractual safeguards govern the processing, in accordance with Law No. 18-07 (Algerian Personal Data Protection Act).
7. Your rights
In accordance with Algerian Law No. 18-07 on the protection of personal data:
- right of access to data concerning you;
- right to rectification of inaccurate or incomplete data;
- right to erasure (subject to legal retention obligations);
- right to object to processing on legitimate grounds;
- right to restriction of processing;
- right to lodge a complaint with the Autorité Nationale de Protection des Données à Caractère Personnel (ANPDP — National Personal Data Protection Authority).
Patients exercise their rights directly with their Clinic. Clinic staff may contact Oulitech at hello@ouli.tech.
8. Security
Oulitech implements technical and organisational measures to protect data, detailed in our Security Statement. In the event of a personal data breach, Oulitech will notify the affected Clinic without undue delay.
9. Analytics and cookies
The platform uses minimal technical storage (session token, interface preferences). No advertising or profiling cookie is set.
To improve the service and diagnose incidents, Oulitech measures application usage using two internal, self-hosted tools located in Algeria:
- An analytics tool (Umami) that records pages viewed and certain actions. URLs are normalised on the client side. No cookie is set.
- An internal activity signal ("heartbeat") emitted every fifteen (15) seconds. This signal contains the account identifier, the Clinic identifier, the route template and a timestamp.
In addition, the public marketing website (Oulitech) uses Vercel Web Analytics, a cookieless audience measurement that produces only aggregate page and visit counts, with no personal data, no patient data and no cross-site tracking. This measurement applies only to the public marketing pages and never to the clinic application, whose audience measurement remains exclusively the internal Umami described above.
10. Changes to this policy
This policy may be updated to reflect legal or technical developments. Material changes will be notified within the application.
11. Contact
For any question: hello@ouli.tech.