GDPR information sheet

Last updated: 15 April 2026

This sheet supplements the Privacy Policy with GDPR-focused information, especially for special category (health) data in Teams and clinical modules. It does not replace legal or DPO advice for your hospital or agency.

1. Roles: who is controller?

  • BetterCall as operator: For account data, product telemetry tied to your login, infrastructure logs, and platform security, BetterCall.ie typically acts as a controller (or joint controller where agreed in writing with a partner; see your contract if applicable).
  • Clinical teams: For patient names, identifiers, notes, threads, and tasks entered in team workspaces, the healthcare organisation and treating clinicians usually act as controllers for clinical care. They decide why and how patient data is entered, obtain consent or another Article 9 basis, handle subject access requests from patients, and determine retention in line with Irish health records rules. BetterCall provides the processing environment and should be treated as a processor (or sub-processor of your organisation) for that clinical content unless a separate agreement states otherwise.

2. Special category data (Article 9)

Health data, genetic data, biometric data used for ID purposes, and related categories receive extra protection under the GDPR. Teams features are appropriate only where a suitable Article 9 basis applies (for example explicit consent and/or provision of health care under national law). Banner and in-app notices remind clinicians of their obligations; those notices are educational and do not transfer legal liability to BetterCall.

3. Data minimisation and purpose limitation

Enter only the patient information necessary for the clinical task. Use pseudonyms or initials where your local policy allows and the product supports it. AI assistants must not be fed identifiable patient data unless you have a lawful pathway and organisational approval for that processing.

4. Team messaging (E2EE)

Where end-to-end encryption is enabled, message content is stored as ciphertext on our systems, which are not designed to read those message bodies. Metadata such as membership, message timestamps, sender identifiers, and optional patient-id references on messages may still be processed like other Firestore fields. Configure workflows consistent with your organisation's policy.

5. International transfers

Subprocessors such as Google may process data in the United States and other regions. We rely on vendor mechanisms (including Standard Contractual Clauses and supplementary measures where appropriate) as offered by those vendors at the time of processing.

6. Data subject rights

Individuals have GDPR rights including access, rectification, erasure, restriction, portability, and objection, subject to exemptions (for example statutory retention of medical records). Patients should normally contact their care provider first. You may also contact BetterCall at privacy@bettercall.ie for platform-held copies or technical assistance where we are not prevented by law.

7. Supervisory authority

If you are in Ireland, you may contact the Data Protection Commission: www.dataprotection.ie.

8. Contact

Privacy: privacy@bettercall.ie
General: bettercallireland@gmail.com