Privacy policy — Healthcall

How Healthcall collects, uses and protects your personal data. GDPR compliance.

Last updated: 21 April 2026
Effective date: [effective publication date to be set]
Version: 1.0

1. Introduction and commitments

The healthcall.be website is published by Groovit SRL, a company incorporated under Belgian law whose registered office is in Frasnes-lez-Anvaing, Belgium (hereinafter “Healthcall”, “we”, “us”). Groovit SRL (Belgian private limited company) acts as data controller within the meaning of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR), supplemented under Belgian law by the Belgian law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (implementing the GDPR).

This policy sets out, in accordance with Articles 13 and 14 of the GDPR, the data we collect when you visit our showcase website or contact our teams, the purposes pursued, the legal bases relied upon, the recipients, the retention periods and the rights available to you.

We undertake to collect only the data strictly necessary, to process them fairly and transparently, to secure them with appropriate technical and organisational measures, and never to resell them to third parties for commercial purposes.

The publisher’s legal identification details (company name, business registration number, VAT, registered office, host) are set out in our legal notice. Cookie and tracker management is detailed in our cookie policy.

2. Data we collect

2.1. Data collected via our forms

When you complete one of our forms (contact or demo request), we collect the following information, depending on the form used:

  • First name and surname
  • Business email address
  • Telephone number (optional for contact, requested for demo)
  • Organisation or affiliated entity (care home, care home group, engineering firm, installer, etc.)
  • Position or role (optional)
  • Free-text content of your message
  • Date and time of submission

You provide these data voluntarily; our ability to respond to your request depends on your providing them.

2.2. Data collected automatically

When you browse healthcall.be, our audience measurement tools collect anonymous or anonymised technical information:

  • Via self-hosted Matomo (hosted on our servers in Belgium):
    • Anonymised IP address (the last 2 octets are masked before storage)
    • Pages viewed, timestamp, navigation order, session duration
    • Device type, browser, operating system, screen resolution
    • Source website or search engine (referrer)
    • No cookies are set by Matomo in this configuration
  • Via Microsoft Clarity (anonymised heatmaps and session recordings):
    • Anonymised interactions (mouse movements, aggregated clicks, scrolling)
    • Aggressive PII masking enabled server-side (all form fields, emails and names are automatically masked in recordings)
    • Deferred loading (after at least 10 seconds of scroll) in order to limit collection to genuinely engaged visitors

2.3. Turnstile anti-spam (Cloudflare)

To prevent automated submissions (bots) on our forms, we use Cloudflare Turnstile in invisible mode. Turnstile analyses technical browser signals (HTTP headers, TLS fingerprint, JavaScript behaviour) to determine whether the visitor is human. According to Cloudflare’s documentation, Turnstile does not set any advertising tracking cookies and is not a profiling tool.

2.4. Technical cookies

The website may set a limited number of strictly necessary cookies for its operation (language preference, secure session, CSRF protection). Full details are set out in the cookie policy.

3. Purposes of processing

We process your data exclusively for the following purposes:

| Purpose | Description |
| --- | --- |
| Responding to your requests | Handling contact and demonstration requests, qualifying your project, getting back to you, arranging an appointment. |
| Legitimate commercial follow-up | Sending you information directly related to your request, arranging a demonstration, sending a proposal. |
| Confirmation and follow-up emails | Sending an acknowledgement of receipt and, where applicable, the technical or commercial documents requested, via our transactional email provider Brevo. |
| Anonymous audience measurement | Understanding how the website is used (most read pages, navigation paths, difficulties encountered) in order to improve its usability and content. |
| Security and fraud prevention | Detecting and blocking automated submissions (Turnstile), protecting the integrity of our systems, logging access for investigation in the event of an incident. |

We do not use your data for any other purpose — in particular, no advertising profiling, no resale, no enrichment of third-party files.

4. Legal bases (Article 6 GDPR)

Each processing operation described above is based on an explicit legal basis:

  • Pre-contractual measures taken at your request (Art. 6(1)(b) GDPR) — processing of contact and demo request forms, and subsequent exchanges. When you contact us, this processing is necessary for the performance of the pre-contractual measures taken at your initiative.
  • Legitimate interest (Art. 6(1)(f) GDPR) — strictly anonymous audience measurement, fraud prevention, website security, confirmation emails linked to an ongoing exchange. Our legitimate interest consists in improving the experience of professional visitors, securing our services and maintaining continuity of an exchange you have initiated. This interest has been balanced against your fundamental rights and appears proportionate given the anonymous or anonymised nature of the data concerned.
  • Legal obligation (Art. 6(1)(c) GDPR) — retention of certain technical traces where required by law or case law (access logs, accounting obligations).

Our audience measurement set-up (Matomo without cookies, anonymised IP) is designed to fall within the consent exemption provided for by the guidelines of the Belgian Data Protection Authority (DPA) and the recommendations of the EDPB on strictly anonymous audience measurement. It does not allow us to re-identify a visitor, does not feed any advertising profile and remains strictly internal.

This analysis is subject to change depending on regulatory guidance; it will be reviewed and confirmed by our legal counsel before publication.

5. Data recipients

Your data are disclosed only to recipients strictly necessary for the performance of the purposes above:

  • Healthcall / Groovit SRL team — authorised staff, subject to a contractual obligation of confidentiality, accessing the data on a need-to-know basis.
  • Brevo (Sendinblue SAS, a French company) — data processor for sending transactional and confirmation emails. Servers in the European Union. GDPR data processing agreement (DPA) signed in accordance with Article 28 GDPR. [Effective DPA to be verified before publication]
  • Diogenius — Belgian host of our private cluster (showcase website, self-hosted Matomo, database). Servers located in Belgium. Hosting contract including GDPR guarantees. [Effective DPA to be verified before publication]
  • Cloudflare (Cloudflare Inc. / Cloudflare Ireland) — Turnstile anti-spam service. In accordance with its documentation, Cloudflare processes strictly technical data, under its standard contractual clauses and public DPA.
  • Microsoft Clarity (Microsoft Ireland Operations Ltd, Azure EU Data Boundary infrastructure) — anonymised heatmaps and session recordings. Microsoft Online Services DPA applicable. Azure EU data residency.
  • Cal.com (Cal.com Inc.) — online appointment booking platform used when you click on “See available slots” on our demonstration page. EU/international servers depending on the plan. DPA applicable. [Effective DPA to be verified before publication]

Transfers outside the European Union

We systematically favour providers with servers in the European Union. Where a data processor relies on international infrastructure (Cloudflare, Microsoft, Cal.com), the transfer is governed by the Standard Contractual Clauses adopted by the European Commission, supplemented where necessary by additional technical measures (encryption, pseudonymisation). No unsecured transfer outside the EU is carried out.

6. Retention periods

We retain your data only for the time necessary for the purposes pursued, and then proceed to erase them or irreversibly anonymise them.

| Data | Retention period | Justification |
| --- | --- | --- |
| Contact forms | 3 years from the last exchange | B2B commercial prescription (to be confirmed by legal counsel) |
| Demonstration requests | 3 years from the last exchange | Commercial opportunity follow-up |
| Transactional emails (Brevo logs) | 1 year | Integrity of sending logs, anti-abuse |
| Anonymised Matomo data | 25 months maximum | Year-on-year audience comparison, then definitive anonymisation |
| Microsoft Clarity data | 1 year (Clarity’s default retention) | Retrospective UX analysis |
| Server access logs (Caddy, fail2ban) | 30 days | Security, incident detection, anti-abuse filtering |
| Accounting data linked to a concluded contract | 7 years | Belgian legal obligation (Art. III.86 Code of Economic Law) |

Beyond these periods, the data are deleted or irreversibly anonymised.

The periods indicated constitute a target framework and must be confirmed by legal counsel before publication, in particular for commercial durations (3 years) and application logs.

7. Data security

We implement appropriate technical and organisational measures to preserve the confidentiality, integrity and availability of your data, in accordance with Article 32 GDPR:

  • Encryption in transit: TLS 1.3 via Caddy 2 and Let’s Encrypt certificates, HSTS preload enabled, strengthened security policy (CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy).
  • Encryption at rest: encrypted database and backups.
  • High-availability private cluster hosted in Belgium by Diogenius, with a contractual SLA.
  • Three-way mirrored MongoDB database, providing redundancy for application data.
  • Daily backups (Proxmox Backup Server) deduplicated, offsite and immutable.
  • Strong authentication for administrator access, restricted SSH, root disabled, UFW firewall + fail2ban.
  • Strictly limited data access for authorised staff on a need-to-know basis, with logging of sensitive accesses.
  • Security testing and regular code reviews, structured vulnerability management.

In the event of a data breach likely to create a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority (DPA) within 72 hours and will inform you as soon as possible if the risk is high, in accordance with Articles 33 and 34 of the GDPR.

8. Your rights

In accordance with Articles 15 to 22 of the GDPR and the Belgian law of 30 July 2018, you have the following rights in relation to the data we hold on you:

  • Right of access (Art. 15) — obtain confirmation that your data are being processed and receive a copy.
  • Right of rectification (Art. 16) — have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17) — obtain erasure of your data, within the limits provided for by law (“right to be forgotten”).
  • Right to restriction of processing (Art. 18) — temporarily suspend the use of your data.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used format.
  • Right to object (Art. 21) — object to processing based on legitimate interest.
  • Right to withdraw your consent at any time, where the processing is based on your consent, without calling into question the lawfulness of the processing carried out previously.
  • Right not to be subject to an automated individual decision (Art. 22) — not applicable at Healthcall, as no automated processing producing legal or significant effects is implemented.

How to exercise your rights

You may exercise these rights, free of charge, by contacting us:

  • By email: dpo@healthcall.be
  • By post: Groovit SRL — For the attention of the Data Protection Officer — [exact postal address in Frasnes-lez-Anvaing to be provided]

In order to enable us to identify you, we may ask you for proof of identity where a reasonable doubt remains. We will respond to your request within a maximum of one month from its receipt (Art. 12(3) GDPR), which may be extended by two months for complex requests, in which case you will be informed.

9. Right to lodge a complaint

If you consider that the processing of your data does not comply with the regulations, you have the right to lodge a complaint with the competent supervisory authority:

Belgian Data Protection Authority (DPA)
Rue de la Presse 35
1000 Brussels — Belgium
Tel.: +32 (0)2 274 48 00
Website: autoriteprotectiondonnees.be

We invite you, where possible, to contact us before lodging any complaint so that we can attempt to resolve your concern directly.

10. Health data and specific contexts

The healthcall.be showcase website does not collect any health data directly from its visitors. The contact and demo forms do not request any information relating to the health of an identified or identifiable natural person.

The processing carried out by the Healthcall solution deployed at our clients’ premises (care homes, assisted living residences) falls within a separate legal framework:

  • The client — care home or care home group — is the data controller for the health data of its residents, in the context of its own care purposes.
  • Groovit SRL acts as a data processor within the meaning of Article 28 GDPR, on the basis of a data processing agreement (DPA) signed with each client.
  • The legal bases applicable to the health data processed in the product include the vital interest of the data subject (Art. 9(2)(c) GDPR), the legal obligations in the field of healthcare (Art. 9(2)(h) GDPR, in connection with the Woonzorgdecreet in Flanders and the AViQ standards in Wallonia) and, where applicable, explicit consent.
  • This processing is not covered by this policy, which applies only to the showcase website. The processing arrangements by the deployed solution are described in the contractual documents and GDPR records kept by each responsible client.

If you are a resident of a care home equipped with Healthcall and wish to exercise your rights over your health data, you should contact the management of your care home, which is the data controller.

11. Changes to this policy

Healthcall may adapt this policy to reflect changes in its services, the regulations or its data processors. Any substantial change will give rise to:

  • an update of the date shown at the top of the document;
  • a visible notification on the website (information banner or insert) for a reasonable period;
  • where applicable, direct notification by email for active contacts, where the change directly affects processing concerning them.

The version history of this policy is kept and may be obtained on simple request to dpo@healthcall.be.

12. Contacting the Data Protection Officer

For any question relating to this policy, to the processing of your data or to the exercise of your rights:

Data Protection Officer (DPO)

  • Name: [to be provided once formal appointment has been made]
  • Email: dpo@healthcall.be
  • Postal address: Groovit SRL — For the attention of the DPO — [exact postal address in Frasnes-lez-Anvaing to be provided]