Privacy Policy
SIA “TeleCardiology” / ekg-apraksti — Last updated: 12 March 2026
Latvian version available via the language switcher in the header.
1. Data Controller
The controller of your personal data is:
SIA “TeleCardiology”
Registration No.: 40103887688
VAT No.: LV04ZZZ40103887688
Registered address: Dzelzavas iela 84-30, Rīga, Latvia
Bank: Swedbank (HABALV22)
IBAN: LV39HABA0551040011427
Operating as ekg-apraksti.lv — an online ECG interpretation service.
2. Contact Details
For all data-protection enquiries, you may contact either of the designated contact persons:
- Dr. Kaspars Kupičs (Medical Director) — kaspars.kupics@gmail.com
- Uldis Požarnovs (Technical Director) — ekg@sablons.lv
3. Scope of This Policy
This Privacy Policy applies to all personal data collected and processed when you:
- Use the ekg-apraksti.lv website and platform
- Create an account or register as a user
- Upload, store, or share ECG files
- Order and receive an ECG interpretation report
- Make a payment for services
- Communicate with us by email or through the platform
- Are subject to any security or fraud-prevention measures
4. Categories of Personal Data We Process
4.1 Identity and contact data
Name, email address, phone number (optional), country of residence.
4.2 Health data
ECG files (digital recordings) and any clinical context you provide (e.g. symptoms, medications, diagnosis). Health data is a special category under GDPR and is processed only with your explicit consent or under another lawful basis described in Section 6.
4.3 Payment data
Transaction reference, amount paid, payment status. Full card details are processed exclusively by our payment processor (EveryPay) and are not stored on our servers.
4.4 Technical and usage data
IP address, browser type, device identifiers, pages visited, timestamps, error logs, session tokens.
4.5 Communications
Emails, support messages, and any other correspondence you send to us.
5. Sources of Personal Data
We collect personal data:
- Directly from you — when you register, upload files, or contact us.
- Automatically — through cookies and server logs when you interact with the platform.
- From third-party services — authentication providers (e.g. eID Easy for verified login) may share your verified identity attributes with us.
6. Purposes and Legal Bases
6.1 Providing the ECG interpretation service
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). For health data: your explicit consent (Art. 9(2)(a) GDPR).
6.2 User account management
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
6.3 Payment processing
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR) including accounting and tax law.
6.4 Security and fraud prevention
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — protecting the platform, our users, and our business.
6.5 Legal compliance and record-keeping
Legal basis: Legal obligation (Art. 6(1)(c) GDPR).
6.6 Service improvement and analytics
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — understanding how the service is used in order to improve it. Anonymised or aggregated data may be used for statistical analysis.
7. Whether Providing Data Is Mandatory
Providing your name, email address, and ECG file is necessary to use the service. Without this data, we cannot fulfil your order.
Providing additional clinical context (symptoms, medications) is voluntary but improves the accuracy of the interpretation.
Technical data (IP address, logs) is collected automatically as a standard part of web service operation.
8. Recipients of Personal Data
We do not sell personal data. We share data only with processors and partners necessary to deliver the service:
8.1 Technology providers
- Cloudflare — DDoS protection, CDN, DNS (USA, Standard Contractual Clauses apply)
- Vercel — website hosting and serverless functions (USA, Standard Contractual Clauses apply)
- Supabase — database and file storage (EU region)
- Clerk / eID Easy — identity verification and authentication
- EveryPay — payment processing (licensed payment institution, EU)
All processors are bound by Data Processing Agreements and are required to implement appropriate technical and organisational measures to protect your data.
8.2 Cardiologists
Qualified cardiologists contracted by SIA TeleCardiology access your ECG files and any clinical context you provide solely for the purpose of preparing the interpretation report.
8.3 Legal and regulatory authorities
We may disclose personal data to competent authorities when required by applicable law.
9. Transfers Outside the EU/EEA
Some of our technology providers (Cloudflare, Vercel) are based in the United States. Transfers of personal data to these providers are safeguarded by Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Art. 46(2)(c) GDPR.
Where possible, we configure services to process data within the EU/EEA region (e.g. Supabase EU region).
10. Retention Periods
We retain personal data only as long as necessary for the purposes described in this policy:
- ECG files: 5 days after the report is delivered, then permanently deleted from our servers.
- Completed reports: retained for 12 months to allow you to re-download.
- Account data: retained for the duration of your account plus 3 years after account closure.
- Payment records: 5 years in accordance with Latvian accounting and tax legislation.
- Server logs: up to 90 days for security purposes.
11. Security
11.1 Technical measures
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Data at rest in our database is encrypted. Access to systems is protected by strong authentication.
11.2 Organisational measures
Access to personal data is restricted to personnel and contractors who need it to perform their tasks. All staff with access to health data are subject to confidentiality obligations.
11.3 Incident response
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data State Inspectorate of Latvia within 72 hours and, where required, will notify affected individuals without undue delay.
12. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — to request deletion, subject to legal retention obligations.
- Right to restriction — to request that we limit processing in certain circumstances.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at ekg@sablons.lv. We will respond within 30 days.
13. Complaints
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the supervisory authority:
Data State Inspectorate of Latvia (Datu valsts inspekcija)
Website: www.dvi.gov.lv
Email: info@dvi.gov.lv
Phone: +371 6722 3131
We encourage you to contact us first so that we can address your concern directly.
14. Automated Decision-Making
We do not use automated decision-making, including profiling, that produces legal or similarly significant effects on individuals. All ECG interpretations are prepared by qualified cardiologists.
15. Cookies
We use essential cookies necessary for the operation of the platform (session management, authentication). We do not use advertising or tracking cookies.
- Session cookies — keep you logged in during your visit.
- CSRF tokens — protect against cross-site request forgery.
- Preference cookies — remember your language and theme settings.
You can disable cookies in your browser settings, but this may affect the functionality of the platform.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, or our services. The date at the top of this page indicates when the policy was last updated.
For material changes, we will notify registered users by email or via an in-platform notification at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.
Questions about this policy?
Contact us at kaspars.kupics@gmail.com or ekg@sablons.lv