Privacy Policy & GDPR

Last updated: May 2026

GALIMED is a technology platform integrating artificial intelligence features designed to assist users in the preliminary analysis of medical or paramedical information.

1. Data Controller

The data controller for personal data collected within GALIMED is:

Groupe Business Thérapie
Compliance & Data Protection Contact:
📧 contact@groupe-businesstherapie.net

A Data Protection Officer (DPO) may be appointed depending on the evolution of processing volumes and applicable regulatory obligations.

2. Purpose of the GALIMED Service

GALIMED enables:

• User account creation and management;
• AI-assisted analysis of symptoms, descriptions, or submitted documents;
• Generation of informative, non-medical recommendations;
• Secure archiving of analyses and interactions;
• Centralization of health information in a secure space.

GALIMED does not in any way replace a medical consultation, professional diagnosis, medical prescription, or emergency service. Content generated by artificial intelligence is provided for informational purposes only.

3. Nature of Processed Data

Identification data: first and last name, email address, phone number, IP address, technical identifiers, connection logs.

Potentially sensitive health data: declared symptoms, voluntarily entered medical information, transmitted medical documents, analysis results and histories, biometric or physiological data if certain features are activated.

This data may constitute sensitive data within the meaning of the European GDPR, the French Public Health Code, and US HIPAA when applicable.

4. Purposes of Processing

• Authentication and account management;
• Technical operation of the platform;
• AI analysis and generation of informational content;
• History and secure tracking of interactions;
• Billing and subscription management;
• Legal and regulatory compliance (RGPD, HIPAA, HDS).

5. Legal Basis

Contract execution (Art. 6.1.b GDPR): User account management, access to services.

Legal obligation (Art. 6.1.c GDPR): Billing traceability, medical data retention.

Legitimate interest (Art. 6.1.f GDPR): Security, fraud prevention, service improvement.

Explicit consent (Art. 9.2.a GDPR): For sensitive health data, via explicit consent during account creation.

6. Data Retention

Active account data: Duration of the contractual relationship + 5 years (legal obligation).

Medical data: 20 years from the last medical event (Public Health Code).

Connection logs: 1 year (security and legal traceability).

Deleted account data: Anonymized or deleted within 30 days of account deletion request, except legal obligations.

7. Data Recipients

Personal data is strictly confidential and processed only by:

• Authorized GALIMED teams;
• Subprocessors (see DPA): Microsoft Azure, OpenAI, Stripe;
• Competent authorities in case of legal requisition.

8. Data Transfers

Data is primarily hosted in France and the European Union (Microsoft Azure regions).

Certain subprocessors may be located in the USA (OpenAI, Stripe). Appropriate safeguards are implemented: Standard Contractual Clauses (SCC), Data Processing Agreements, and encryption.

9. Your Rights (GDPR)

In accordance with the GDPR, you have the following rights:

• Right of access: Obtain confirmation that your data is being processed and access it.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure ("right to be forgotten"): Request deletion of your data, within legal limits.
• Right to restriction: Request limitation of processing in certain cases.
• Right to portability: Receive your data in a structured, commonly used format.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: At any time for consented processing.

To exercise your rights: 📧 contact@groupe-businesstherapie.net

You also have the right to lodge a complaint with the supervisory authority (CNIL in France).

10. Security Measures

GALIMED implements appropriate technical and organizational measures:

• End-to-end encryption (TLS 1.3, AES-256);
• Secure authentication (JWT, bcrypt);
• Role-based access control (RBAC);
• Structured logging and audit trails;
• Automated backups (Cosmos DB continuous backup);
• Azure security monitoring (Application Insights, Azure Security Center).

11. Cookies

GALIMED uses only functional cookies necessary for platform operation (authentication, security). No advertising or tracking cookies without consent.

12. Changes to Privacy Policy

This Privacy Policy may be updated. Users will be notified of significant changes via the platform or email.