Privacy Policy
Last updated: March 2026 · Effective: March 2026
1. Introduction
ProfDiagnos ("we", "our", or "the Platform") is a medical-intelligence platform operated in Egypt. We provide AI-assisted clinical diagnosis support, digital patient records, appointment management, and health analytics to licensed physicians and their patients.
This Privacy Policy explains what personal data we collect, why we collect it, how we store and protect it, and your rights under the Egyptian Personal Data Protection Law No. 151 of 2020 (PDPL) and its executive regulations.
2. Data Controller
The data controller responsible for your personal data is ProfDiagnos, operating at profdiagnos.com. For privacy enquiries, contact us at privacy@profdiagnos.com.
3. Data We Collect
3.1 Account & Identity Data
- Full name (Arabic and/or English)
- Mobile phone number (used for authentication via Firebase Phone Auth)
- Email address
- Date of birth and gender
- Occupation and address (optional)
- Medical license number (doctors only)
3.2 Medical & Health Data (Special Category)
- Chief complaint, medical history, and clinical observations
- Chronic conditions, allergies, and current medications
- Mental health history and substance use history
- Vital signs and health metrics
- AI-generated diagnostic reports and treatment plans
- Uploaded medical investigation files (lab results, imaging)
All medical data fields are encrypted at rest using AES-128-CBC encryption (PDPL Article 12).
3.3 Technical Data
- IP address and approximate location at registration
- Device type and browser information
- Session timestamps and access logs (PHI access audit trail)
4. How We Use Your Data
- Authentication — verifying your identity via Firebase Phone Auth (Google LLC) and issuing secure session tokens.
- Clinical support — providing AI-assisted differential diagnosis, treatment plans, and evidence retrieval to your treating physician.
- Medical records — storing and displaying your health history to authorised doctors under your explicit consent.
- Appointments — scheduling, confirming, and reminding you of medical appointments.
- Security & compliance — detecting abuse, maintaining audit logs as required by PDPL Article 20, and responding to legal obligations.
- Service improvement — anonymised, aggregated analytics to improve diagnostic accuracy. Individual records are never sold.
5. Legal Basis for Processing
We process your data under the following legal bases (PDPL Article 4):
- Explicit consent — obtained at registration for data collection and AI processing of health data.
- Contractual necessity — processing required to deliver the platform services you subscribed to.
- Legal obligation — audit trails and data retention mandated by Egyptian health regulations.
- Vital interests — emergency health alerts and critical patient safety notifications.
6. Phone Number Authentication (Firebase)
We use Firebase Authentication (provided by Google LLC, USA) for phone number verification. When you register or log in, your phone number is transmitted to Firebase, which sends a one-time SMS code. Firebase may process your phone number outside Egypt (PDPL Article 44 — cross-border transfer).
By using phone authentication, you consent to this transfer. Firebase's privacy practices are governed by Google's Privacy Policy: policies.google.com/privacy
7. AI Processing
Diagnostic analysis is performed by large language models accessed through OpenRouter (routing to OpenAI and Anthropic models). Your clinical data is sent to these models only for the purpose of generating your diagnosis report. We do not permit these providers to train on your data. All AI output is reviewed within the physician workflow and is never used as a standalone clinical decision.
⚠ AI-generated content is a clinical decision-support tool only. It does not replace professional medical judgement.
8. Data Sharing
We share your data only in the following circumstances:
- Your treating physician — who has been granted access by you or registered you on the platform.
- Authorised doctors — via doctor-to-doctor record sharing with expiry dates, only with your consent.
- Infrastructure providers — Hetzner (hosting, EU), PostgreSQL (database), Redis (cache). These providers do not access your data for their own purposes.
- AI providers — clinical data only, under data processing agreements, no training use.
- Legal authorities — only when required by Egyptian law with a valid court order.
We never sell your personal or medical data.
9. Data Retention
Medical records are retained for a minimum of 10 years from the date of creation, as required by Egyptian Ministry of Health regulations. Account data is retained for the duration of your account plus 2 years. You may request early deletion where legally permissible (see Section 11).
10. Security
- All sensitive fields (medical history, diagnoses) are encrypted at rest with AES-128-CBC.
- All data in transit is encrypted via TLS 1.2+.
- Access to patient records is logged and auditable (PHI Access Log).
- Phone authentication uses Firebase's infrastructure with SMS OTP.
- Servers are hosted on Hetzner Cloud (Germany) with strict access controls.
11. Your Rights (PDPL Chapter 3)
- Right of access — request a copy of all data we hold about you.
- Right to rectification — correct inaccurate personal data.
- Right to erasure — request deletion of non-medical data (subject to legal retention requirements for health records).
- Right to restrict processing — limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a machine-readable format.
- Right to withdraw consent — withdraw consent for AI processing at any time without affecting previous processing.
- Right to lodge a complaint — with the Egyptian Data Protection Authority (EDPA).
To exercise any right, email privacy@profdiagnos.com. We will respond within 30 days.
12. Cookies & Local Storage
We use browser localStorage to store authentication tokens and user session data. We do not use advertising cookies or third-party tracking pixels. Essential functional storage cannot be disabled as it is required to keep you logged in.
13. Children
ProfDiagnos is not directed at children under 18. Patient accounts for minors may only be created and managed by a licensed physician or a parent/guardian. We do not knowingly collect data directly from minors.
14. Changes to This Policy
We may update this policy when we add new features or when required by law. We will notify registered users by email and display a notice on the platform at least 14 days before changes take effect. Continued use after the effective date constitutes acceptance.
15. Contact
For all privacy and data-protection enquiries: