This Privacy Policy explains how Fidelia collects, uses, stores, and protects your personal data when you use our websites (getfidelia.com and fidelia.ae) and our review management service. We have written it in plain language so you can understand exactly what happens with your data.
1. Data controller
Fidelia is operated by Nexus Tech L.L.C-FZ. If you have any questions about this policy or how we handle your data, you can contact us at:
- Email: [email protected]
- Websites: getfidelia.com, fidelia.ae
- Registered address: The Meydan Hotel, Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E
2. What data we collect
Account data
When you sign up, we collect your name and email address via Google OAuth. We do not access your Google contacts, files, or any other Google data beyond what is needed to create your account.
Clinic data
During onboarding, you provide your clinic name, address, and Google Place ID. This information is used to connect your account to your Google Business Profile.
Review data
We collect publicly available Google reviews for your connected clinics, including the review author's display name, star rating, review text, and date. This data is already publicly visible on Google Maps; we aggregate it to provide our service.
AI drafts
When our AI generates reply suggestions for your reviews, those drafts are stored temporarily in your account until you approve, edit, or dismiss them.
Usage data
We collect information about how you use the service, including pages visited, features used, and timestamps. This helps us improve the product and diagnose technical issues.
Payment data
Subscription payments are processed by Stripe. We never see or store your card number, CVV, or full payment details. Stripe handles all payment data in accordance with PCI DSS standards.
3. Legal basis for processing
Under GDPR Article 6, we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): We process your account data, clinic data, and review data because it is necessary to provide the review management service you signed up for.
- Legitimate interest (Article 6(1)(f)): We process usage data to improve the service, prevent fraud, and conduct analytics. We have assessed that these interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): If we send marketing communications, we do so only with your explicit consent. You can withdraw consent at any time.
4. How we use your data
We use the data we collect to:
- Generate AI draft responses to your clinic's Google reviews
- Send you email notifications about new reviews and draft suggestions
- Calculate your clinic's reputation score
- Process your subscription payments
- Improve the service and fix bugs
- Comply with legal obligations
5. Data processors (third parties)
We share your data with the following third-party processors, each of which has been selected for its data protection standards:
- Cloudflare — hosting, CDN, and database infrastructure. Data is processed on EU infrastructure.
- Stripe — payment processing. PCI DSS compliant. Stripe acts as an independent data controller for payment data.
- Resend / Amazon SES — transactional email delivery (e.g., new review notifications, draft alerts).
- Anthropic (Claude API) — AI draft generation. Review text is sent to Anthropic's API to generate reply suggestions. Under Anthropic's API terms, data sent via the API is not used for model training.
- Google — Places API, OAuth authentication, and Google Business Profile API. Used to fetch your clinic's reviews and authenticate your account.
- Google Analytics (GA4) — anonymised usage analytics to understand how visitors use our website. Can be blocked without affecting core service functionality.
We do not sell your data to any third party. We do not share your data with any party not listed above, except where required by law.
6. Cookies
We use a minimal number of cookies, none of which are used for advertising or cross-site tracking:
- fidelia_session — authentication cookie. HttpOnly, Secure, 7-day expiry. This is an essential cookie; the service cannot function without it.
- fidelia_lang — stores your language preference. 1-year expiry. This is a functional cookie that remembers your chosen language across visits.
- Google Analytics cookies — performance and analytics cookies used to understand website usage. These can be blocked by your browser or a cookie consent tool without affecting the core service.
We do not use any advertising or tracking cookies.
7. Data retention
We retain your data only for as long as necessary to provide the service and meet our legal obligations:
- Account data: retained while your account is active, plus 30 days after cancellation to allow for reactivation. After that, it is permanently deleted.
- Review data and AI drafts: retained while your account is active. Deleted 30 days after account cancellation.
- Payment records: retained as required by applicable tax law (typically 7 years). Payment records are managed and stored by Stripe.
- Server logs: retained for 30 days, then automatically purged.
8. Your rights
Under GDPR Articles 15 to 22, you have the following rights regarding your personal data:
- Right of access (Article 15): You can request a copy of all personal data we hold about you.
- Right to rectification (Article 16): You can ask us to correct any inaccurate or incomplete data.
- Right to erasure (Article 17): You can ask us to delete your personal data. This is sometimes called the "right to be forgotten."
- Right to restrict processing (Article 18): You can ask us to temporarily stop processing your data in certain circumstances.
- Right to data portability (Article 20): You can request your data in a structured, machine-readable format.
- Right to object (Article 21): You can object to our processing of your data where we rely on legitimate interest as the legal basis.
- Right to withdraw consent (Article 7): Where processing is based on consent, you can withdraw that consent at any time.
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
- Portugal: Comissão Nacional de Proteção de Dados (CNPD) — cnpd.pt
9. International data transfers
Your data is primarily processed on Cloudflare infrastructure located in the EU and UK. However, some of our third-party processors are based in the United States:
- Anthropic (US): Review text is sent to Anthropic's API for AI draft generation only. This transfer is covered by Standard Contractual Clauses (SCCs).
- Stripe (US): Payment data is processed by Stripe under their Data Processing Agreement, which includes Standard Contractual Clauses.
- Google (US): Data shared with Google APIs is covered by Google's Data Processing Terms, which include Standard Contractual Clauses.
In all cases, we ensure that appropriate safeguards are in place to protect your data in accordance with GDPR Chapter V requirements.
10. Children's privacy
Fidelia is a business-to-business service designed for healthcare practice owners and managers. Our service is not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a person under 18, please contact us at [email protected] and we will delete it promptly.
11. UAE-specific provisions (PDPL)
For users based in the United Arab Emirates: your personal data is processed in compliance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Data is processed for the purpose of delivering the review management service you have subscribed to. Under the PDPL, you have the right to access your personal data, request correction of inaccurate data, and request deletion of your data. To exercise these rights, email [email protected].
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email before the changes take effect. We encourage you to review this page periodically. The "last updated" date at the top of this page indicates when the policy was most recently revised.
13. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: [email protected]
- Websites: getfidelia.com, fidelia.ae