Privacy Policy

How Diagnora collects, uses and protects your personal data

The legally binding version of this document is in French. This translation is provided for informational purposes only.

Last updated: March 4, 2026

1. Data Controller

The data controller for personal data collected through the DIAGNORA platform is:

DIAGNORA (formerly PARAFY), a simplified joint-stock company (SAS) under French law
Registered office: 18, rue Général Fabvier, 54000 Nancy, France
SIREN: 920 841 590
Email: contact@diagnora.com

2. Data Collected

In the course of using the Platform and managing the contractual relationship, the Company collects and processes the following categories of personal data:

2.1 Identification Data

  • Last name, first name, position
  • Professional contact details (email, phone, address)
  • Professional identification number

2.2 Connection and Usage Data

  • Login credentials
  • Platform browsing and usage data
  • IP address, browser type, operating system
  • Access and action logs

2.3 Billing Data

  • Payment information
  • Transaction history

2.4 Health Data

When the Client uses Platform features involving the processing of health data, the Company acts as a data processor within the meaning of the GDPR. The Client remains the data controller for such data. The processing terms are defined in a data processing agreement (DPA) appended to the contract.

3. Legal Bases for Processing

The processing of personal data is based on the following legal grounds:

  • Performance of a contract (Article 6(1)(b) of the GDPR): processing necessary for the provision of the Services, user account management, and billing;
  • Legitimate interests (Article 6(1)(f) of the GDPR): improvement of the Services, Platform security, fraud prevention;
  • Legal obligations (Article 6(1)(c) of the GDPR): accounting, tax, and regulatory obligations;
  • Consent (Article 6(1)(a) of the GDPR): for non-essential cookies and marketing communications.

4. Purposes of Processing

Personal data is processed for the following purposes:

  • Provision and management of access to the Platform
  • Creation and management of user accounts
  • Management of the contractual relationship and billing
  • Technical support and assistance
  • Improvement and optimization of the Services
  • Platform security and fraud prevention
  • Compliance with legal and regulatory obligations
  • Usage statistics and performance analysis

5. Data Recipients

Personal data may be disclosed to the following recipients:

  • Authorized personnel of the Company (technical, support, and commercial teams);
  • Technical subcontractors (hosting, maintenance, payment) strictly within the scope of providing the Services;
  • Competent authorities, upon judicial request or in compliance with a legal obligation.

The Company ensures that its subcontractors provide sufficient guarantees regarding the implementation of appropriate technical and organizational measures, in accordance with the GDPR.

6. Data Hosting and Security

Data is hosted within the European Union. When the Services involve the processing of health data, such data is hosted by a provider certified as a Health Data Host (HDS) in accordance with Article L.1111-8 of the French Public Health Code.

The Company implements the following security measures:

  • Encryption of data in transit (TLS/SSL) and at rest
  • Access controls and rights management
  • Access and action traceability (logging)
  • Regular backups and business continuity plan
  • Regular security audits and penetration testing

The Company is pursuing compliance with ISO 27001 standards.

7. Data Retention Period

Personal data is retained for the following periods:

  • Account data: for the duration of the contractual relationship, then deleted within 30 days following termination;
  • Billing data: in accordance with accounting and tax obligations (10 years);
  • Connection logs: 12 months in accordance with legal obligations;
  • Cookies: 13 months maximum in accordance with CNIL recommendations.

8. Cookies and Similar Technologies

The Platform uses cookies and similar technologies. The categories of cookies used are as follows:

  • Strictly necessary cookies: essential for the operation of the Platform (authentication, session security). These cookies do not require consent;
  • Analytical cookies: used to measure and analyze the use of the Platform;
  • Functional cookies: used to personalize the user experience (display preferences, language).

You may configure your cookie preferences at any time through the consent manager integrated into the Platform, in accordance with CNIL recommendations.

9. Your Rights

In accordance with the GDPR and the French Data Protection Act (Loi Informatique et Libertés), you have the following rights over your personal data:

  • Right of access: obtain confirmation that your data is being processed and receive a copy thereof;
  • Right to rectification: correct inaccurate or incomplete data;
  • Right to erasure: request the deletion of your data in the cases provided for by the GDPR;
  • Right to restriction: request the restriction of the processing of your data;
  • Right to data portability: receive your data in a structured, commonly used format;
  • Right to object: object to the processing of your data on legitimate grounds;
  • Post-mortem directives: define directives regarding the fate of your data after your death.

How to Exercise Your Rights

To exercise your rights, you may contact us:

  • By email: dpo@diagnora.com
  • By post: DIAGNORA – 18, rue Général Fabvier, 54000 Nancy, France

Please include proof of identity with your request. The Company undertakes to respond within a maximum period of one (1) month from receipt of the request.

10. Complaint to the CNIL

If your complaint regarding the processing of your personal data is not resolved to your satisfaction, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL):

11. Changes to the Privacy Policy

The Company reserves the right to modify this privacy policy at any time. Changes will be published on this page with an indication of the date of the last update. In the event of material changes, users will be informed through a notification on the Platform or by email.

12. Contact

For any questions regarding this privacy policy:

  • Email: dpo@diagnora.com
  • Address: DIAGNORA – 18, rue Général Fabvier, 54000 Nancy, France

DIAGNORA SAS – 18, rue Général Fabvier, 54000 Nancy – SIREN 920 841 590