1. Who we are
Secondoctor ("we", "us", "the platform") provides an online service that connects patients seeking a second medical opinion with verified specialists. This Privacy Policy explains what data we collect, why, and what rights you have over that data.
If you have questions about this policy, you can reach us at hello@secondoctor.com.
2. What data we collect
Information you provide
- Account information: name, email address, password (stored as a one-way hash, never readable), language preference, timezone
- Profile information (doctors): professional credentials, license details, biography, photo, consultation pricing
- Medical records you upload: scans, lab reports, prescriptions, diagnostic documents, and any other files you choose to share for a consultation
- Case descriptions: the case description you provide when booking, including current diagnosis and questions for the specialist
- Communication: messages exchanged with doctors through the platform, support requests
- Payment information: we use Stripe for payment processing. Card details are sent directly to Stripe and never stored on our servers. We retain only transaction IDs and amounts.
Information we collect automatically
- Technical data: IP address, browser type, device type, operating system, pages visited, referring URL
- Cookies: session cookies (required for login), language preference cookie. See our Cookie Policy.
- Audit logs: security-relevant events (login attempts, password changes, etc.) — used for fraud prevention and account security
3. How we use your data
- To provide the second-opinion consultation service you booked
- To create and maintain your account
- To verify doctor credentials before approving them on the platform
- To process payments and pay doctors their consultation fees
- To send transactional emails (booking confirmations, consultation reminders, password resets, security alerts)
- To prevent fraud and protect platform security
- To comply with legal obligations (e.g., tax records, medical retention requirements where applicable)
- To improve the platform — aggregated, anonymous usage statistics only
We do not use your data for advertising. We do not sell, rent, or trade your personal information to third parties.
4. Who can access your data
- You. You can view and export all your data from your account settings.
- The doctor you book. The specific specialist you book a consultation with can access the records and case description you choose to share with that consultation, for the duration of the consultation plus 7 days of follow-up.
- Our support team. When you contact support or when a dispute is raised, authorized members of our support team may access account information necessary to resolve the issue. All access is logged.
- Service providers we use: Stripe (payments), Hostinger (hosting), Daily.co or equivalent (video infrastructure). Each provider is contractually bound to use your data only to provide their service to us.
- Legal requirements: we may disclose data when required by valid legal process (e.g., a court order). We will notify you when legally allowed to do so.
5. How we protect your data
- All connections to the platform use HTTPS / TLS encryption
- Passwords are hashed using bcrypt (industry standard, one-way)
- Medical records are encrypted at rest on our servers
- Access to production data is restricted to authorized engineers, all access is logged
- Regular security reviews and dependency updates
No system is 100% secure. If we ever experience a data breach affecting your data, we will notify you promptly and explain what happened.
6. How long we keep your data
We retain your data as long as your account is active, plus the periods below for specific data types:
- Consultation records and reports: as long as you keep the account, or longer if required by medical retention laws in your jurisdiction
- Payment records: 7 years (financial recordkeeping requirements)
- Audit logs: 1 year
- Deleted accounts: personal information is anonymized within 30 days of deletion; financial and legal records are retained for the periods above with personal identifiers removed
7. Your rights
Under GDPR and similar regulations, you have the right to:
- Access: request a copy of all data we hold about you
- Rectify: correct inaccurate data
- Delete: request deletion of your account (with exceptions for legally-required records)
- Restrict: ask us to limit how we process your data
- Object: object to specific uses of your data
- Portability: receive your data in a machine-readable format
- Withdraw consent: for processing based on consent
- Lodge a complaint with your local data protection authority
To exercise these rights, email us at hello@secondoctor.com. We respond within 30 days.
8. International data transfers
Because doctors and patients are located in different countries, your data may be transferred internationally during a consultation. We use standard contractual clauses and other legally-approved mechanisms to protect data during these transfers.
9. Children's privacy
Secondoctor is not intended for users under 18. If you are under 18, please have a parent or guardian create the account on your behalf. We do not knowingly collect data from children directly.
10. Changes to this policy
We may update this policy from time to time. Material changes will be announced via email and a notice on the platform at least 30 days before they take effect.
11. Contact
Questions, concerns, or requests about this policy: hello@secondoctor.com.