
Privacy policy

1. Introduction

This Privacy Policy explains how Barifix (operated by Chironos Oy, “we”, “us”, “our”) collects, uses, protects, and shares personal data when patients, clinicians, or administrators use our mobile or web applications. We are committed to protecting your privacy and to complying with the EU General Data Protection Regulation (GDPR).


2. What Data Do We Collect?

We collect the following types of personal data:

  • Health data: Patient-reported outcomes, clinical observations, treatment updates, and other medical information.
  • Identifiers: Names, email addresses, login credentials, and other information (such as a national social security number) needed for authentication.
  • Usage data: App activity logs, system usage, IP addresses, device type, and security monitoring logs.

Categories of data subjects:

  • Patients
  • Clinicians
  • Administrators

3. How Do We Collect Your Data?

  • Direct input: Patients provide health information via questionnaires and app forms.
  • Clinician input: Clinicians add clinical observations and treatment updates.
  • System logs: The system automatically logs usage activity for security, auditing, and quality monitoring.

4. How Will We Use Your Data?

We use your data for the following purposes:

  • Deliver personalized healthcare support and tailored medical recommendations.
  • Allow clinicians to monitor patient progress and optimize treatment plans.
  • Facilitate secure communication between patients and healthcare providers.
  • Authenticate and authorize users based on their role.
  • Comply with medical device software and health data regulatory obligations.
  • Conduct medical or scientific research with explicit consent, using pseudonymized or anonymized data whenever possible.

5. How Do We Store Your Data?

  • All data is stored on AWS cloud infrastructure in encrypted databases.
  • Access is role-based: patients, clinicians, and administrators have restricted access.
  • Audit logging records all access and changes for security and compliance.
  • Personal data is retained only as long as necessary for medical, regulatory, or research purposes.
  • Upon request or at the end of retention periods, data is securely deleted or anonymized.

6. How Do We Share Your Data?

We share personal data only with:

  • Authorized clinicians involved in the patient’s care.
  • Regulatory authorities, when required by law.
  • Medical researchers, using anonymized or pseudonymized data only, with the patient's explicit consent.

We do not sell or commercialize personal data.


7. Use of Artificial Intelligence (AI)

Purpose of Processing
We use Microsoft Azure OpenAI services to assist healthcare professionals by transforming structured questionnaire data into clear, human-readable health summary reports.
This AI-assisted processing helps improve clinical documentation and communication. It is used solely to support healthcare delivery and does not perform automated diagnosis or decision-making.
The AI processing is designed to be transparent, explainable, and proportionate, ensuring that outputs are interpretable by healthcare professionals.
All AI-generated summaries are subject to human oversight and validation before being used in any clinical context.

Type of Data Processed
To generate these summaries, the system may process:

  • Health and lifestyle data provided by patients in questionnaires (e.g. age, gender, weight, medical history, symptoms, lifestyle habits).
  • Contextual information used to structure and format the report.
  • Output data — a generated text report stored as part of the patient’s medical record.

No direct personal identifiers (such as name, email address, phone number, or home address) are shared with Azure OpenAI.
All data transmitted to the AI service is pseudonymised, meaning internal identifiers are used instead of personally identifying details.
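The pseudonymisation step described above, as an added Python example (this is illustrative code, not Barifix's or Chironos Oy's implementation): it drops the direct-identifier fields from a questionnaire record, replaces the internal patient ID with a keyed HMAC pseudonym so the AI service receives neither the ID nor a plain hash that could be matched against a list of known IDs, scans the remaining patient-supplied text for email- or phone-like strings before anything leaves the system, and pins the client TLS floor at 1.2. The field names, the sample records and the key are constructed assumptions for the example.

```python
import hashlib
import hmac
import re
import ssl

# Field names a questionnaire record may carry that must never reach the
# AI service. Assumed names for this example, not Barifix's actual schema.
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "phone", "address", "national_id"}

# Patterns that catch identifiers typed into free-text answers.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "pt-10042",
    "name": "Example Patient",
    "email": "patient@example.com",
    "age": 47,
    "gender": "female",
    "weight_kg": 82,
    "medical_history": ["type 2 diabetes"],
    "symptoms": "knee pain when climbing stairs",
}

# Same record with a phone number typed into a free-text answer (constructed).
LEAKY_RECORD = dict(SAMPLE_RECORD, comments="call me on +358 40 123 4567")


def pseudonymous_id(patient_id: str, key: bytes) -> str:
    """Stable pseudonym for an internal ID: HMAC-SHA256 under a key that stays
    inside our own systems. Without the key the value cannot be brute-forced
    back to the patient ID, unlike a bare hash of a short, guessable ID."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def strip_direct_identifiers(record: dict) -> dict:
    """Drop the fields that identify a person directly; keep the health data."""
    return {k: v for k, v in record.items()
            if k.lower() not in DIRECT_IDENTIFIER_FIELDS and k != "patient_id"}


def scan_for_identifiers(obj, path="$") -> list:
    """Walk a payload and report forbidden field names or identifier-like text.
    An empty list means nothing was found."""
    findings = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in DIRECT_IDENTIFIER_FIELDS:
                findings.append(f"{path}.{k}: forbidden field")
            findings.extend(scan_for_identifiers(v, f"{path}.{k}"))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            findings.extend(scan_for_identifiers(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if EMAIL_RE.search(obj):
            findings.append(f"{path}: email-like value")
        if PHONE_RE.search(obj):
            findings.append(f"{path}: phone-like value")
    return findings


def prepare_for_ai(record: dict, key: bytes) -> dict:
    """Build the payload that may be sent to the summarisation service.
    Only the patient-supplied part is scanned (the subject pseudonym is
    generated here). Raises ValueError instead of sending if anything
    identifying remains."""
    questionnaire = strip_direct_identifiers(record)
    findings = scan_for_identifiers(questionnaire, "$.questionnaire")
    if findings:
        raise ValueError("refusing to send payload: " + "; ".join(findings))
    return {
        "subject": pseudonymous_id(record["patient_id"], key),
        "questionnaire": questionnaire,
    }


def tls_client_context() -> ssl.SSLContext:
    """Client context for the HTTPS call: certificate verification stays on
    (default) and the protocol floor is pinned at TLS 1.2, so a downgrade
    to TLS 1.0/1.1 is refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    key = b"example-pseudonymisation-key"  # assumption: loaded from a secret store in production
    print(prepare_for_ai(SAMPLE_RECORD, key))
    try:
        prepare_for_ai(LEAKY_RECORD, key)
    except ValueError as exc:
        print(exc)
```

Removing known identifier fields is the easy half; the scan over free-text answers is what catches a patient writing their phone number into a symptoms box, and failing closed (refusing to send) is the safer default for health data.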

Data Handling and Safeguards
Data is transmitted to Azure OpenAI using encrypted HTTPS/TLS 1.2+ connections.
Processing occurs ephemerally; Azure OpenAI does not retain the input or output data beyond the completion of the request.
The Azure OpenAI service is operated in accordance with the GDPR and is hosted in EU data centres.
Microsoft acts as a data processor under the EU Standard Contractual Clauses (SCCs) and the Microsoft Data Protection Addendum (DPA).
Data is not used by Microsoft or OpenAI for model training or any other secondary purpose.
Access to generated reports within internal systems is restricted to authorized medical and administrative personnel only.


AI processing is not used for:

  • Identifying or authenticating patients.
  • Profiling, marketing, or behavioral analysis.
  • Automated medical decision-making without human involvement.
  • Training or improving AI models.

8. Legal Bases for Processing

Our legal bases for processing your data are:

  1. Provision of Healthcare Services (Articles 6(1)(b) & 9(2)(h) GDPR): Necessary to deliver healthcare services under a contract with the patient.
  2. Compliance with Legal Obligations (Article 6(1)(c) GDPR): Required to fulfill regulatory requirements for medical devices and healthcare data management.
  3. Explicit Consent (Articles 6(1)(a) & 9(2)(a) GDPR): For scientific or medical research purposes, separate from care consent.
  4. Scientific Research Exemption (Article 9(2)(j) GDPR, where applicable): Health data may be processed under safeguards such as pseudonymization and ethical review.

9. International Data Transfers

  • Data is stored and processed within the EU/EEA.
  • Transfers outside the EU/EEA are made only if required by law and under appropriate safeguards.

10. Your Data Protection Rights

You have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent (for research)
  • Lodge a complaint with a supervisory authority
  • Request detailed information about how your personal data is processed by AI systems.
  • Request correction or deletion of AI-generated information if it is inaccurate or no longer relevant.
  • Object to the use of AI-assisted processing for your data.
  • Request human review of any AI-generated content that affects you.
  • Withdraw consent for AI-assisted processing at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise your rights, contact us by email: support@barifix.app


11. Data Security

We implement technical and organizational measures to protect your data, including:

  • Encryption for data at rest and in transit
  • Role-based access controls
  • Audit logs of all data access and modifications
  • Regular security audits and staff training on data protection
  • Pseudonymization or anonymization of data for research purposes

12. Updates to This Policy

We may update this Privacy Policy occasionally. The latest version will always be available in the app and on our website. Significant changes will be communicated to users.


13. How to Contact Us

For questions or concerns about this policy or your data, contact:
support@barifix.app


14. How to Contact the Supervisory Authority

If you wish to lodge a complaint, or you feel that we have not addressed your concern satisfactorily, you may contact the Information Commissioner’s Office or the data protection supervisory authority in your country of residence.