Your data, handled properly.

Introduction

This Privacy Policy explains how GoodDoctor.Marketing collects, uses, and protects the personal data of visitors to gooddoctor.marketing, prospective clients who contact us, and active clients whose marketing we operate. We are committed to handling your data lawfully, transparently, and in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), and any other applicable data-protection law in the jurisdictions in which we operate.

Who we are

GoodDoctor.Marketing is operated by:

• Dolce Drago SAS, a société par actions simplifiée registered with the RCS de Nice under number 989228374 (SIRET 98922837400017, VAT FR10989228374), registered office NICE PREMIER A, 455 Promenade des Anglais, 06000 Nice, France, responsible for client engagements in France, Belgium, Luxembourg, Switzerland, and Italy.

Dolce Drago SAS acts as the data controller in respect of the personal data described in this Policy. For routine data-protection inquiries, please contact us at email us. For formal requests under data-protection law, please use the contact details in section 13 below.

Data we collect

We collect personal data in three principal contexts:

(a) When you visit our website

When you visit gooddoctor.marketing, we automatically collect limited technical information including your IP address, browser type and version, operating system, the pages you visit, the time and date of your visit, and the referring website. We also collect approximate geolocation data (city or region) derived from your IP address in order to display relevant content. If you have consented to analytics cookies, we collect additional information about how you use the site (see our Cookie Policy).

(b) When you contact us

When you complete an inquiry form, request a consultation, or otherwise communicate with us, we collect the personal data you provide to us directly. This typically includes your name, professional title, practice name, email address, telephone number, and the content of your message.

(c) During an engagement

If we agree to work together, we will collect additional information necessary to deliver our services. This may include access credentials to your existing digital properties, billing and payment information, business performance data, and any other information you choose to share with us during the engagement. This category may include personal data about your patients only to the extent strictly necessary for analytics purposes — and we will sign a separate Data Processing Agreement governing that data before any such processing begins.

How we use it

We use your personal data for the following purposes:

• To respond to inquiries and provide the information or proposal you requested;
• To deliver the services we have agreed to provide, including building, hosting, and marketing your website;
• To send you operational communications about your engagement (status updates, invoices, technical notifications);
• To send you commercial communications about our services, where you have consented or where we have a legitimate interest in doing so (you can unsubscribe at any time);
• To improve our website, services, and customer experience;
• To comply with our legal, regulatory, and tax obligations.

Legal basis

We process personal data on one or more of the following lawful bases under Article 6 of GDPR/UK GDPR:

• Performance of a contract (Article 6(1)(b)): where processing is necessary to fulfil our agreement with you, including responding to your pre-contractual inquiry.
• Legitimate interests (Article 6(1)(f)): where we have a legitimate interest in processing — for example, in marketing our services to other healthcare practices, in maintaining the security of our systems, or in improving our offering. Where we rely on this basis, we conduct a Legitimate Interests Assessment and balance our interests against your rights and freedoms.
• Consent (Article 6(1)(a)): where you have given us specific, informed, and freely-given consent — for example, for the use of optional cookies on this website.
• Legal obligation (Article 6(1)(c)): where processing is necessary for us to comply with a legal obligation, for example tax record-keeping.

How long we keep it

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. As a guide:

• Website-analytics data: up to 26 months from collection.
• Inquiry data from prospects who do not become clients: 24 months from the last contact.
• Client records (contracts, invoices, project files): for the duration of the engagement and 6 years thereafter, in line with UK and French statutory record-keeping requirements.
• Marketing-consent records: until you withdraw consent, plus a reasonable period to evidence the withdrawal.

Who we share it with

We do not sell your personal data. We share it only with the following categories of recipient, and only where necessary:

• Sub-processors: trusted service providers that help us deliver our services. Our analytics provider is Google (Google Ireland Limited), which provides Google Analytics 4; usage data may be processed in the United States under the EU-US Data Privacy Framework and the European Commission’s Standard Contractual Clauses. Other sub-processors include our website hosting provider, our email and CRM provider, our payment processor, and our accounting platform. Each sub-processor is contractually bound to process personal data only on our instructions and to maintain appropriate security measures.
• Professional advisors: our solicitors, accountants, and insurers, where strictly necessary and under duties of confidentiality.
• Public authorities: tax authorities, regulators, courts, or law-enforcement agencies, where we are legally required to do so.

A current list of our sub-processors is available on request from email us.

International transfers

Some of our sub-processors are based outside the United Kingdom and the European Economic Area, in particular in the United States. Where personal data is transferred to a country that is not the subject of an adequacy decision under UK GDPR or GDPR, we put in place appropriate safeguards. These typically take the form of the European Commission's Standard Contractual Clauses (and, where required, the UK International Data Transfer Addendum), and additional technical and organizational measures where necessary following a Transfer Impact Assessment.

Your rights

Under UK GDPR and GDPR, you have the following rights in respect of personal data we hold about you:

• The right of access — to obtain confirmation of whether we process your personal data, and a copy of that data (Article 15).
• The right to rectification — to ask us to correct inaccurate or incomplete personal data (Article 16).
• The right to erasure — to ask us to delete your personal data where one of the grounds in Article 17 applies.
• The right to restriction — to ask us to stop processing your personal data in certain circumstances (Article 18).
• The right to data portability — where we process data on the basis of consent or contract and by automated means, to receive it in a structured, machine-readable format and have it transmitted to another controller (Article 20).
• The right to object — to processing carried out under our legitimate interests, and, in particular, to processing for direct marketing (Article 21).
• The right not to be subject to automated decision-making producing legal or similarly significant effects (Article 22). We do not engage in such automated decision-making.
• The right to withdraw consent at any time, where processing is based on consent (Article 7(3)), without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at email us. We will respond within one month, although the law permits us to extend this by up to two further months for complex requests.

Cookies

Our website uses cookies and similar technologies. Strictly-necessary cookies are placed without consent. Analytics and marketing cookies are placed only with your consent, which you can give or withdraw at any time through our cookie banner or by clicking the "Manage cookie preferences" link in the footer of any page. For full details, please see our Cookie Policy.

Children's data

Our services are directed at healthcare practitioners and the staff of healthcare practices, and are not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. We will update the "Last updated" date at the top of this page when we do. For material changes, we will provide additional notice (for example, by email to active clients).

Contact

For any question about this Privacy Policy or our handling of your personal data, please contact us:

• Email: email us
• By post: Dolce Drago SAS, NICE PREMIER A, 455 Promenade des Anglais, 06000 Nice, France.

Supervisory authority

If you believe we have not complied with our data-protection obligations, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ico.org.uk). In France, this is the Commission Nationale de l'Informatique et des Libertés (cnil.fr). In Italy, this is the Garante per la protezione dei dati personali (garanteprivacy.it). However, we would appreciate the opportunity to address your concerns directly before you approach a supervisory authority, and we encourage you to contact us first.