Platform melio.med — www.melio.med Version 1.0 | Effective date: September 2025
This Privacy Policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), Law no. 190/2018 on measures for implementing GDPR in Romania, Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, and Law no. 95/2006 on healthcare reform, as subsequently amended.
1. Identity of the Data Controller
| Company name | ONCOSTOP S.R.L. — operator of the melio.med platform |
| Tax ID (CUI) | 52443272 |
| Trade Register No. | J2025066671009 |
| Registered office | Bucharest, Sector 3, Strada Murgeni, No. 3, Room 1, Bl. L29, Staircase B, Floor 3, Apt. 74 |
| Legal representative | Stefania Carmen CHITU |
| Website | https://www.melio.med |
| GDPR email | gdpr@melio.med |
| Contact email | contact@melio.med |
ONCOSTOP S.R.L. acts as DATA CONTROLLER within the meaning of Art. 4(7) of the GDPR, determining the purposes and means of processing personal data collected through the melio.med platform.
2. Categories of Personal Data Processed
2.1. Identification and contact data
- First and last name
- Personal Identification Number (CNP) — collected exclusively in the context of medical services
- Home/residence address
- Email address
- Phone number
- Date of birth and gender
2.2. Medical data — special categories (Art. 9 GDPR)
The melio.med platform processes health data, which constitutes special categories of personal data within the meaning of Art. 9(1) of the GDPR and benefits from an enhanced level of protection:
- Symptoms described by the patient during consultations
- Diagnoses and medical history
- Prescribed treatments and administered medications
- Results of medical investigations
- Allergies and medical contraindications
- Clinically relevant biometric data (weight, height, blood pressure)
- Medical records created during teleconsultations
- Video/audio recordings of telemedicine sessions (with explicit consent)
2.3. Payment data
Payment data (card number, expiration date, CVV) is processed exclusively through the payment processor PayU, which is PCI-DSS certified. ONCOSTOP S.R.L. does not store complete payment card data.
2.4. Technical and browsing data
- IP address
- Browser type and version
- Operating system
- Pages accessed and session duration
- Session identifiers and cookies (cf. Cookie Policy)
3. Purposes and Legal Bases for Processing
3.1. Provision of telemedicine services
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) + Art. 9(2)(h) GDPR (medical/diagnostic purpose) + Law no. 95/2006 + Government Decision no. 1133/2022 on the regulation of telemedicine services.
- Creation and management of the patient account
- Scheduling and conducting video teleconsultations
- Doctors' access to relevant medical history
- Issuance of medical documents (referrals, recommendations)
- Monitoring of patients' health status
3.2. Doctors and clinics marketplace
Legal basis: Art. 6(1)(b) GDPR (performance of the contract) + Art. 6(1)(f) (legitimate interest).
- Publication of partner doctors' and clinics' profiles
- Management of reviews and ratings
- Facilitating the patient-doctor connection
3.3. Payment processing
Legal basis: Art. 6(1)(b) GDPR + Law no. 227/2015 (Tax Code) + Government Ordinance no. 99/2006 on credit institutions.
3.4. Legal obligations
Legal basis: Art. 6(1)(c) GDPR — compliance with obligations under Law no. 95/2006, National Archives Law no. 16/1996, Ministry of Health Order no. 1226/2012 on the retention of medical documents.
3.5. Legitimate interest
Legal basis: Art. 6(1)(f) GDPR — platform improvement, fraud prevention, information systems security.
4. Recipients of Personal Data
Personal data may be disclosed to the following categories of recipients:
4.1. Doctors and healthcare providers
Partner doctors and clinics that provide services through the melio.med platform, acting as joint controllers or processors, have access to patients' medical data strictly within the limits of the agreed consultation or monitoring.
4.2. Payment processors
PayU S.A. (Romania) — PCI-DSS certified payment processor, headquartered in Bucharest. Payment data is transmitted over an SSL/TLS-encrypted connection.
4.3. Technical service providers
- Hosting/cloud service providers within the EU or with adequate safeguards under Chapter V GDPR
- Medical videoconferencing service providers
- Communication service providers (email, SMS)
4.4. Public authorities
Public health authorities, the Romanian College of Physicians, ANSPDCP, courts — exclusively based on legal obligations or court orders.
4.5. International transfers
To the extent that data transfers outside the EEA are involved, they are carried out exclusively in compliance with the safeguards provided for in Chapter V of the GDPR (Adequacy Decisions, Standard Contractual Clauses approved by the European Commission).
5. Data Retention Period
| Data category | Retention period | Legal basis |
|---|---|---|
| Medical files and documents | Minimum 10 years from the last consultation | Ministry of Health Order 1226/2012 |
| Active user account data | Duration of the contract + 5 years | GDPR + Civil Code |
| Financial data/invoices | 10 years | Tax Code / Law 82/1991 |
| Video consultation recordings | 90 days (with consent) | GDPR Art. 9 + consent |
| Browsing data / logs | 12 months | Law 506/2004 |
| Technical cookies | Session / max. 12 months | Law 506/2004 |
6. Rights of Data Subjects
In accordance with the GDPR (Art. 15-22) and Law no. 190/2018, you have the following rights:
Right of access (Art. 15 GDPR) — You have the right to obtain confirmation that we process your data and a copy thereof, along with information about purposes, categories, recipients, and retention period.
Right to rectification (Art. 16 GDPR) — You have the right to request the correction of inaccurate data or the completion of incomplete data.
Right to erasure / "right to be forgotten" (Art. 17 GDPR) — You have the right to request the deletion of data, except where processing is necessary for compliance with legal obligations (e.g., retention of medical records under Ministry of Health Order 1226/2012).
Right to restriction of processing (Art. 18 GDPR) — You have the right to request restriction of processing in the situations provided by law.
Right to data portability (Art. 20 GDPR) — You have the right to receive the data provided in a structured, commonly used, machine-readable format.
Right to object (Art. 21 GDPR) — You have the right to object to processing based on the controller's legitimate interest.
Right not to be subject to automated decision-making (Art. 22 GDPR) — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.
To exercise the aforementioned rights, you may contact us at: gdpr@melio.med. We will respond to requests within 30 calendar days (with the possibility of extension to 90 days for complex requests, with prior notification).
You also have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP), headquartered in Bucharest, B-dul G-ral. Gheorghe Magheru no. 28-30, Sector 1, email: anspdcp@dataprotection.ro, website: www.dataprotection.ro.
7. Data Security
ONCOSTOP S.R.L. implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, in accordance with Art. 32 GDPR:
- SSL/TLS encryption for all communications
- Encryption of medical data at rest (AES-256)
- Two-factor authentication (2FA) for medical accounts
- Role-based access control (RBAC)
- Access audit logging
- Periodic vulnerability assessment
- Security incident response plan
- Regular staff training in data protection
In the event of a personal data breach, ONCOSTOP S.R.L. will notify the ANSPDCP within 72 hours and, where the risk is high, will directly inform the data subjects, in accordance with Art. 33-34 GDPR.
8. Data Protection Officer (DPO)
Given the nature of the activity (large-scale processing of health data — special categories), ONCOSTOP S.R.L. is required to appoint a Data Protection Officer (DPO) pursuant to Art. 37(1)(c) GDPR and to notify the ANSPDCP accordingly.
| DPO Contact | gdpr@melio.med |
The Data Protection Officer can be contacted regarding any aspects related to the processing of personal data and the exercise of GDPR rights.
9. Data Protection Impact Assessment (DPIA)
Pursuant to Art. 35 GDPR, ONCOSTOP S.R.L. conducts a Data Protection Impact Assessment (DPIA) for processing operations that present a high risk, in particular:
- Large-scale processing of health data (Art. 35(3)(b) GDPR)
- Systematic monitoring of patients' health status
- Use of new technologies in telemedicine
DPIA results are available upon request addressed to gdpr@melio.med.
10. Changes to the Privacy Policy
ONCOSTOP S.R.L. reserves the right to modify this Privacy Policy to reflect legislative changes, changes to services, or other circumstances. Any substantial modification will be communicated to users by email and/or notification on the platform, at least 30 days before taking effect.
The current version is always available at: https://www.melio.med/politica-de-confidentialitate
| Last updated | September 2025 |
| Version | 1.0 |
ONCOSTOP S.R.L. | Tax ID: 52443272 | J2025066671009 | Bucharest, Sector 3, Strada Murgeni, No. 3, Room 1, Bl. L29, Staircase B, Floor 3, Apt. 74 | gdpr@melio.med | www.melio.med