Privacy Policy

Last updated: October 2025

Article 1 - Preamble

Primary takes the protection of patients’ personal data seriously. Primary is committed to managing the information it collects about you in a secure and responsible manner, in compliance with the General Data Protection Regulation (GDPR).

This privacy policy describes the methods of collection, use, storage, and protection of the personal data of users of the Primary mobile application, made available to patients of medical practices that are members of the Primary network.

The GDPR is a continuation of French law n°78-17 of January 6, 1978 (“Data Protection Act”) and has been applicable since May 25, 2018. The GDPR governs the use of Personal Data by public and private organizations, including Primary.

The personal data (including health data) of patients who use Primary’s services is hosted in France by a certified and authorized hosting provider for health data (Health Data Host - “Hébergeur de Données de Santé”).

Article 2 - General Framework

Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.
  • Health Data: any data relating to the physical or mental health of a natural person, including the provision of healthcare services, revealing information about their health status.
  • Processing of Personal Data: any operation or set of operations carried out with or without automated processes and applied to personal data or sets of personal data (collection, recording, organization, storage, adaptation, modification, retrieval, consultation, use, etc.).
  • Data Controller: the natural or legal person who determines the purposes and means of the processing of personal data.
  • Processor: the natural or legal person who processes personal data on behalf of the Data Controller.

1. Role of Primary

In accordance with the GDPR, there are two main roles, and Primary may act in either capacity:

  • The Data Controller is the person who determines the reasons and the manner in which your Personal Data is processed.
  • The Processor is the person processing Personal Data on behalf of the Data Controller. They act under the authority of the Data Controller and on their instructions.

Primary may act in either role. Primary is the Data Controller when it acts on its own behalf and decides for which reasons it uses your Personal Data, for example when you create a User Account. Conversely, the healthcare professional is the Data Controller when they decide for which reasons they use your Personal Data, for example when they use Primary to communicate with you via messaging or to send you a consultation report. In that case, Primary acts as Processor, on behalf of the healthcare professional.

Whether acting as Data Controller or Processor, Primary takes appropriate measures to ensure the protection and confidentiality of the Personal Data it holds or processes, in compliance with the provisions of the GDPR.

2. Data collected

The data collected may either be directly obtained from you, or shared by your healthcare professionals in the context of Primary’s role as Processor.

When you use the application, we collect the following categories of data:

  • Identification Data:
      • Last name
      • First name
      • Date of birth
      • Gender
      • Phone number
      • Email address
      • Consultation date
  • Health Data:
      • Reason for consultation
      • Consultation history
      • Symptoms
      • Consultation reports
      • Medical documents (prescriptions, medical reports, etc.)
      • Messaging exchanges with the patient
      • Preventive check-ups, including lifestyle habits and health goals
      • Health profile, including screenings, vaccines, and medical history

3. Purposes of processing

Personal data is collected for the following purposes:

  • Availability and proper functioning of the application
  • Access to medical information by patients and their healthcare professionals
  • Communication with your medical team
  • Medical follow-up and personalization of the care pathway
  • Compliance with legal and regulatory obligations applicable to health data

4. Legal basis for processing

The processing of your personal data is based on:

  • Performance of a contract: for the provision of services offered by the application;
  • Legal obligation: for compliance with legal obligations relating to the retention of health data;
  • Legitimate interest: for the improvement of our services and communication with users;
  • Consent: Primary collects the explicit consent of users upon registration in the application for the processing of personal data directly collected through the application. Concerning data transmitted by physicians as part of medical care, the GDPR provides exceptions to the collection of consent. Indeed, healthcare professionals are not required to obtain patients’ consent to process their health data when such processing is necessary for medical diagnoses and their health or social care.

5. Data recipients

Your data is only accessible to:

  • Yourself
  • The healthcare professionals of the medical practice you consult
  • Authorized Primary teams (strictly within the scope of their technical and support duties)

It is never transferred or sold to third parties.

6. Data hosting

The data is hosted in France by Clever Cloud, a certified Health Data Host (HDS), in accordance with the law and the standards established by the ANS (“Agence du Numérique en Santé”), in consultation with the CNIL (“Commission Nationale de l’Informatique et des Libertés”). This State-approved certification requires advanced security measures to protect health data hosting centers, ensuring the confidentiality of such data. For more information on the “HDS” label, see: https://esante.gouv.fr/produits-services/hds.

7. Data retention period

  • Identification Data: 3 years after the last activity
  • Health Data: according to applicable legal obligations (generally 20 years from the last consultation)

Article 3 - Primary as Data Controller

In this section, Primary presents the main processing activities for which it acts as Data Controller, i.e., when it decides the reasons and the manner in which your Personal Data is used.

Processing 1

  • Purpose: Availability and proper functioning of the application
  • Data: Last name, first name, date of birth, gender, phone number, email address, consultation date
  • Legal basis: Consent
  • Retention period: 3 years after the last activity

Article 4 - Primary as Processor for healthcare professionals

In this section, Primary presents the main processing activities for which the healthcare professional decides the reasons and the manner in which your Personal Data is used. In this case, Primary acts as Processor, on behalf of the healthcare professional.

Processing 1

  • Purpose: Access to medical information by patients and their healthcare professionals
  • Data: Reason for consultation, consultation history, symptoms, consultation reports, medical documents (prescriptions, medical reports, etc.), messaging exchanges with the patient

Processing 2

  • Purpose: Communication with your medical team
  • Data: Reason for consultation, consultation history, symptoms, consultation reports, medical documents (prescriptions, medical reports, etc.), messaging exchanges with the patient

Processing 3

  • Purpose: Medical follow-up and personalization of the care pathway
  • Data: Reason for consultation, consultation history, symptoms, consultation reports, medical documents (prescriptions, medical reports, etc.), messaging exchanges with the patient

Processing 4

  • Purpose: Compliance with legal and regulatory obligations applicable to health data
  • Data: Reason for consultation, consultation history, symptoms, consultation reports, medical documents (prescriptions, medical reports, etc.), messaging exchanges with the patient

Article 5 - Your rights

In accordance with the GDPR and the French Data Protection Act, you have the following rights regarding your personal data:

  • Right of access: to obtain confirmation that your data is being processed and to access this data;
  • Right to rectification: to request correction of inaccurate or incomplete data;
  • Right to erasure: to request deletion of your data under certain conditions;
  • Right to restriction of processing: to request suspension of the processing of your data in certain cases;
  • Right to object: to object to the processing of your data for reasons relating to your particular situation;
  • Right to data portability: to receive your data in a structured, commonly used format and to transmit it to another data controller.

To exercise these rights, you can contact our DPO at the following address: dpo@helloprimary.care or by postal mail at Primary’s headquarters address.

If you believe, after contacting us, that your rights are not being respected, you may file a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés): https://www.cnil.fr

Article 6 - Data security

Primary implements technical and organizational security measures in line with industry standards to protect your data, including encryption, authentication, and logging mechanisms.

Article 7 - Policy updates

We may update this policy from time to time. In case of substantial modifications, you will be notified directly through the application.