Privacy Policy for Brown Bag Med
Effective Date: April 2026
Version: 2.0
PRIVACY POLICY
Brown Bag Med - Digital Medication Safety Platform
Version 2.0 | Effective Date: April 2026 | Supersedes: Version 1.0

Plain-Language Summary

We process your health data only to review your medications and keep legally required records. We never sell your data, share individual health data with insurers without your explicit separate consent, or use it for advertising. Your data lives in GDPR- and Swiss nFADP-compliant infrastructure. You can access, correct, export, or delete your data at any time. Contact info@brownbagmed.eu for any data protection matter.

1. Identity and Contact Details of the Data Controller

The data controller responsible for the processing of your personal data through the Platform (brownbagmed.eu) is:

Brown Bag Med - Abotaleb
Legal form: Einzelunternehmen (sole proprietorship) under Swiss law
Owner / Data Controller: Aly Abotaleb
Business address: c/o ExpertFid & Audit AG, Marktgasse 8, 4051 Basel, Switzerland
Contact (all matters incl. data protection): info@brownbagmed.eu
Platform: brownbagmed.eu

Where Brown Bag Med processes personal data on behalf of an Institutional User (e.g. a health insurer acting as controller of its members' data), Brown Bag Med acts solely as a data processor within the meaning of Art. 28 GDPR and Art. 9 Swiss nFADP. In those cases, the Institutional User is the primary data controller and its privacy policy applies to you in addition to this one. Brown Bag Med's processing as processor is limited to what is necessary to deliver the agreed Services.

2. Data Protection Officer (DPO)

Brown Bag Med has designated a Data Protection Officer accessible at:
Email: info@brownbagmed.eu

The DPO is your primary contact for all matters relating to data protection, including requests to exercise your rights, questions about this Policy, or to lodge an internal complaint. All communications with the DPO are treated as strictly confidential.

3. Scope and Applicability of This Policy

This Privacy Policy applies to all personal data processed by Brown Bag Med in connection with:
- access to and use of the Platform by Consumer Users and Institutional Users;
- submission of Health Data for medication review purposes;
- communication with Brown Bag Med by any channel (email, in-platform messaging, telephone);
- use of the brownbagmed.eu website and any associated applications.

This Policy does not apply to the processing of data by Institutional Users acting as independent data controllers of their own members' data outside the Platform, or to the processing of data by third-party websites linked from the Platform.

This Policy is compliant with:
- EU General Data Protection Regulation (GDPR) Regulation (EU) 2016/679;
- Swiss Federal Act on Data Protection (nFADP), in force 1 September 2023;
- Swiss Ordinance on Data Protection (DPO-CH) and FDPIC guidance;
- German Federal Data Protection Act (BDSG) where applicable to German users.

4. Categories of Personal Data We Process

4.1 Data You Provide Voluntarily

We collect the following categories of personal data when you register and use the Platform:

Identity data: full name, date of birth, legal sex (as clinically relevant), email address, preferred language.

Health Data (special category - Art. 9 GDPR): current medication list (active pharmaceutical ingredients, brand names where provided, dosages, frequency, route); medical conditions and diagnoses you disclose; allergies and adverse drug reactions; relevant laboratory values (renal function, hepatic function, electrolytes, HbA1c, INR, etc.) where voluntarily provided; body weight and height; current supplements and herbal products.

Account data: username, hashed password (plaintext password is never stored), account preferences, language and notification settings.

Communication data: content of messages sent to us via email or in-platform support channels.

Payment reference data: transaction reference number and payment status. Full payment card data is processed exclusively by our PCI-DSS Level 1 compliant payment processor and is never transmitted to or stored on Brown Bag Med servers.

4.2 Data Collected Automatically

When you access the Platform, we automatically collect:
- Technical data: IP address (truncated to /24 subnet and anonymised at session close); browser type and version; operating system; device type; screen resolution.
- Usage data: pages and features accessed; session duration; navigation paths; feature interaction events.
- Log data: server access logs for security, fraud prevention, and debugging purposes.

4.3 Data We Expressly Do Not Collect

We do not collect, and our Platform is designed to actively prevent collection of:
- Genetic data or biometric data used for unique identification;
- National identification numbers (Swiss AHV/IV, German Rentenversicherungsnummer) unless voluntarily submitted and clinically relevant;
- Insurance membership numbers (except where provided by the User in connection with an Institutional User service and strictly necessary for eligibility verification);
- Precise geolocation data (country-level location is inferred from IP for compliance and fraud prevention only);
- Data from minors under 16 without verified parental consent;
- Social media account data.

4.4 Accuracy and User Responsibility

The accuracy of Health Data submitted to the Platform is the User's sole responsibility. We process submitted data as provided and do not independently verify its accuracy. Inaccurate or incomplete Health Data may result in a clinically unreliable Medication Safety Report. Brown Bag Med accepts no liability for clinical outcomes attributable to inaccurate user-submitted data.

5. Legal Basis for Processing and Retention Periods

We only process your personal data where we have a valid legal basis.

Account & identity data
  Purpose: Account creation, authentication, user management, service delivery
  Legal Basis (GDPR): Art. 6(1)(b) - contract performance
  nFADP Basis: Art. 31(1) nFADP - contractual necessity
  Retention: Active account + 2 years post-closure

Health Data (medication list, conditions, allergies)
  Purpose: Brown Bag Medication Review; generation of Medication Safety Report
  Legal Basis (GDPR): Art. 9(2)(h) - health service; Art. 9(2)(a) - explicit consent (backup)
  nFADP Basis: Art. 31(2)(b) nFADP - health purposes + explicit consent
  Retention: 6 years from Report delivery

Health Data (pharmacist clinical notes)
  Purpose: Professional liability; quality assurance; regulatory compliance
  Legal Basis (GDPR): Art. 9(2)(h) GDPR + Art. 6(1)(c) - legal obligation
  nFADP Basis: Art. 31(2)(b) nFADP + legal obligation
  Retention: 10 years from Report delivery

Payment reference data
  Purpose: Billing, invoicing, fraud prevention, tax records
  Legal Basis (GDPR): Art. 6(1)(b) contract + Art. 6(1)(c) legal obligation
  nFADP Basis: Art. 31(1) nFADP - legal obligation
  Retention: 10 years (Swiss OR/tax law)

Communication data
  Purpose: Customer support, complaint resolution, legal defence
  Legal Basis (GDPR): Art. 6(1)(b) contract + Art. 6(1)(f) legitimate interest
  nFADP Basis: Art. 31(1)(b) nFADP
  Retention: 3 years from last contact

Technical & usage data
  Purpose: Platform security, abuse prevention, performance
  Legal Basis (GDPR): Art. 6(1)(f) legitimate interest
  nFADP Basis: Art. 31(1)(c) nFADP
  Retention: IP logs: 90 days; analytics: 24 months

Marketing communications
  Purpose: Service update notifications (no third-party marketing)
  Legal Basis (GDPR): Art. 6(1)(a) - consent (withdrawable at any time)
  nFADP Basis: Art. 31(1)(a) nFADP - consent
  Retention: Until withdrawal of consent

Aggregated/anonymised analytics
  Purpose: Platform improvement; clinical quality improvement; investor reporting
  Legal Basis (GDPR): Art. 6(1)(f) legitimate interest (anonymised - not personal data)
  nFADP Basis: N/A (anonymised)
  Retention: Indefinite

Where retention beyond the above periods is required by a specific professional, regulatory, or legal obligation that arises after the date of this Policy, we will update this Policy accordingly and notify you.

6. Health Data: Special Category Processing and Explicit Consent

Health Data is a Special Category of Personal Data. Your medication list and related health information constitute special category personal data under Art. 9 GDPR and Art. 5 nFADP, commanding the highest level of protection. We apply enhanced technical and organisational safeguards to all Health Data.

6.1 Explicit Consent Workflow

Processing of Health Data under Art. 9(2)(a) GDPR requires your explicit, freely given, specific, informed, and unambiguous consent. Before you submit any Health Data, you will be presented with a dedicated explicit consent screen that clearly states:
- exactly which categories of Health Data will be processed;
- the specific purpose of processing (medication review);
- who will access your data (Licensed Pharmacist and subprocessors);
- the retention period;
- your right to withdraw consent at any time and the consequences of withdrawal;
- that consent is voluntary and that withholding consent means the review cannot be conducted.

Consent is recorded with a timestamp and version reference. You may request a copy of your consent record at any time.

6.2 Withdrawal of Consent

You may withdraw your consent to Health Data processing at any time by:
- using the 'Withdraw Consent' option in your account settings; or
- sending a written request to info@brownbagmed.eu.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. Where consent is withdrawn before a review is completed, the review will be cancelled and a refund will be issued in accordance with Section 7 of the Terms and Conditions. Where consent is withdrawn after a Report has been delivered, we will cease further non-mandatory processing but will retain data for the periods required by applicable professional and legal obligations (see Section 5).

6.3 Alternative Legal Basis for Health Data Processing

Where processing of Health Data for record-keeping, professional liability, or quality assurance purposes does not rely on consent, we rely on Art. 9(2)(h) GDPR (processing necessary for the provision of health or social care services or treatment), read together with applicable Swiss cantonal pharmacy record-keeping obligations. The Licensed Pharmacist is subject to professional obligations requiring retention of clinical records, which override the User's right to erasure with respect to those records during the mandatory retention period.

7. Disclosure of Personal Data to Third Parties

7.1 Licensed Pharmacists

Health Data and medication submissions are accessible to the Licensed Pharmacist assigned to your review. Pharmacists access only the data relevant to their assigned review. All pharmacists are subject to: (a) contractual data processing obligations; (b) statutory professional secrecy under their applicable professional code; and (c) Brown Bag Med's internal data access controls.

7.2 Institutional Users - Strict Restrictions

Where you access the Platform through an Institutional User (e.g. your health insurer), Brown Bag Med will share with the Institutional User only:
- Service delivery confirmation: confirmation that a review has been completed for an eligible member;
- Anonymised aggregate statistics: aggregated, de-identified data for contractual reporting purposes (e.g. number of reviews completed, aggregate interaction categories detected - never individual-level data).

Absolute Prohibition on Individual Health Data Sharing with Institutional Users

Brown Bag Med will NEVER share your individual Health Data, Medication Safety Report, medication list, diagnoses, or any other individually identifiable clinical information with your health insurer, employer, or any other Institutional User WITHOUT your prior, separate, explicit written consent.

7.3 Technology Subprocessors

We use vetted third-party technology providers (subprocessors) to operate the Platform. All subprocessors are bound by Data Processing Agreements (DPAs) compliant with Art. 28 GDPR and the equivalent nFADP provisions, and are assessed against Brown Bag Med's subprocessor security standards before engagement. A current list of subprocessors, including their names and processing locations, is maintained and made available upon request to info@brownbagmed.eu.

7.4 Legal Disclosures

We may disclose personal data to competent public authorities where required by applicable law or binding court/regulatory order, necessary to protect vital interests, or required to establish, exercise, or defend legal claims.

7.5 Business Transfers

In the event of a merger, acquisition, asset sale, restructuring, or insolvency of Brown Bag Med, personal data may be transferred to a successor entity. We will provide 30 days' prior notice and ensure equivalent data protection obligations.

7.6 Absolute Prohibition on Data Sale

Brown Bag Med does not and will not sell, rent, lease, trade, or otherwise commercially transfer personal data - including Health Data - to any third party for that party's own commercial purposes.

7.7 No Advertising Data Use

Brown Bag Med does not share personal data with advertising networks, data brokers, demand-side platforms, or any entity that would use the data for targeted advertising.

8. International Data Transfers

8.1 Primary Storage Locations

Brown Bag Med's primary data storage and processing infrastructure is located in Switzerland and/or the European Economic Area (EEA).

8.2 Transfers Outside Switzerland/EEA

Where required for service operation, transfers are covered by approved safeguards such as EU SCCs, Swiss SCCs, and transfer impact assessments with appropriate supplementary measures.

8.3 Health Data Transfer Restriction

Health Data is not transferred outside Switzerland and the EEA except where approved transfer mechanisms and required safeguards are in place.

9. Data Security - Technical and Organisational Measures

Brown Bag Med applies security controls including encryption in transit and at rest, role-based access control, audit logging, incident response, and ongoing security monitoring/testing.

9.2 Data Breach Notification

In the event of a reportable breach, Brown Bag Med will notify competent authorities and affected individuals as required by GDPR and nFADP.

9.3 User Security Obligations

Users should protect account credentials and notify us immediately at info@brownbagmed.eu of suspected unauthorised access.

10. Your Rights as a Data Subject

You may exercise rights of access, rectification, erasure (subject to legal limits), restriction, portability, objection, withdrawal of consent, and complaint to a supervisory authority by contacting info@brownbagmed.eu.

11. Right to Lodge a Complaint with a Supervisory Authority

You may lodge a complaint with the Swiss FDPIC or your relevant EU/EEA supervisory authority.

12. Cookies and Similar Tracking Technologies

We use strictly necessary cookies and optional consent-based cookies for functionality/analytics. We do not use advertising or retargeting cookies.

13. Processing of Personal Data Relating to Minors

The Platform is not directed to children under 16 without verified parental/guardian consent.

14. Automated Processing and Profiling

No Medication Safety Report is produced solely by automated processing; each report includes review by a human Licensed Pharmacist.

15. Data Retention and Secure Deletion

We retain data only as necessary for service and legal obligations, then securely delete or anonymise data.

16. Changes to This Privacy Policy

Material changes are notified in advance; non-material clarifications may be posted directly with updated version date.

17. Contact Us

All enquiries (data protection, legal, clinical, general): info@brownbagmed.eu
Postal address: Brown Bag Med - Abotaleb, c/o ExpertFid & Audit AG, Marktgasse 8, 4051 Basel, Switzerland

Document Control

Version 2.0 | Effective: April 2026 | Supersedes: Version 1.0 (April 2026)

This document reflects legal and regulatory drafting for digital health privacy requirements under Swiss and EU frameworks. This document should be reviewed by a qualified Swiss data protection lawyer before publication.