Privacy Policy

The data controller responsible for your personal data is:

We collect only the data necessary to provide our services. Depending on how you use Beedical, we may collect:

• •Providing, operating, and maintaining the Beedical platform and mobile app
• •Creating and managing your account and organisation
• •Authenticating users and securing access to patient records
• •Processing subscription billing and invoicing
• •Sending service notifications, security alerts, and product updates
• •Providing technical support and responding to your requests
• •Improving and analysing our services using aggregated, anonymised data
• •Complying with applicable legal and regulatory obligations

We do not use your data for advertising, and we never sell your data to third parties.

Under Moroccan Law No. 09-08, we process personal data on the following legal grounds:

• •Contract performance — processing required to deliver the subscription service you have signed up for
• •Consent — for optional features and communications, you may withdraw consent at any time without affecting prior processing
• •Legal obligation — where applicable law requires us to retain or disclose certain information
• •Legitimate interests — for platform security, fraud prevention, and service improvement, balanced against your rights

Processing of ordinary personal data is declared to the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP). Processing of sensitive health data requires, and is subject to, prior authorisation from the CNDP pursuant to Article 24 of Law 09-08.

Health data is a special category of sensitive personal data under Moroccan Law 09-08. We apply heightened protections:

• •Health data is stored exclusively on OVHcloud infrastructure certified for healthcare data hosting (HDS — Hébergeur de Données de Santé), located in France
• •Access is strictly limited to authorised healthcare professionals within your organisation
• •All health data is encrypted at rest (AES-256) and in transit (TLS 1.3)
• •Beedical processes health data only on the documented instructions of the healthcare provider (data controller)
• •Health data is never used for any purpose other than delivering the agreed service and is never shared with third parties for commercial purposes

• •Account data: retained for the duration of the active subscription, then deleted within 3 years of termination unless a longer period is required by law
• •Patient health records: retained for the legally applicable period for medical records under Moroccan regulations, or as instructed by the healthcare provider acting as data controller
• •Billing records: retained for 10 years from the date of issue to comply with accounting obligations
• •Access logs: retained for 12 months for security and audit purposes
• •Anonymised analytics: retained indefinitely as they cannot be linked to any individual

We share data only with carefully selected sub-processors who provide services essential to operating Beedical. Each sub-processor is bound by appropriate data protection obligations:

We do not transfer personal data to countries outside Morocco or the European Union without ensuring an equivalent level of protection through appropriate safeguards.

Under Moroccan Law No. 09-08 (Articles 7–12), you have the following rights regarding your personal data:

• •Right to information (Art. 7–8): Be informed about how and why your data is processed before or at the time of collection
• •Right of access (Art. 9): Obtain confirmation that we process your data and receive a copy of it
• •Right to rectification & erasure (Art. 10): Request correction of inaccurate data or deletion of data in the circumstances provided by law
• •Right to object (Art. 11): Object to processing on legitimate grounds
• •Right against automated decisions (Art. 12): Not be subject to a decision based solely on automated processing that significantly affects you

To exercise any of these rights, contact us at privacy@beedical.com. We will respond within 30 days.

If your request is not satisfactorily resolved, you may lodge a complaint with the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP), the Moroccan data protection authority.

We implement technical and organisational measures appropriate to the sensitivity of the data we process:

• •End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
• •Two-factor authentication available on all accounts
• •Role-based access control (RBAC) with the principle of least privilege
• •Daily encrypted backups across geographically separate locations
• •Full audit logging for all health data access
• •Hosting on HDS-certified OVHcloud infrastructure

Learn more on our Security & HDS page.

Beedical is a professional platform intended solely for licensed healthcare providers and their administrative staff. It is not directed at children under the age of 18.

Patient data managed through Beedical may include records for minor patients. In such cases, the data is processed exclusively under the direction of the responsible healthcare provider, who is the data controller and is responsible for obtaining any necessary parental or guardian consent.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the application or by email at least 15 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

Your continued use of Beedical after the effective date of a revised policy constitutes your acceptance of the updated terms.