ScanFai Privacy Policy
This policy applies only to the ScanFai mobile app and related ScanFai upload workflows used with DocFai services.
1. Data We Process
- Scanned medical images and document files you capture or upload.
- QR or barcode scan values used for approved DocFai workflow actions.
- Account identifiers, role context, and security audit logs.
- Technical diagnostics needed to protect service integrity.
2. Controller and Processor Roles
In many healthcare deployments, the clinic, hospital, or healthcare provider using DocFai is the data controller for patient-related personal data. Tizfai Technologies AB may act as a processor or service provider on documented instructions, except where we must act as an independent controller for security, billing, legal, or regulatory obligations.
3. Why We Process Data
- To upload records to authorized DocFai user accounts and roles.
- To support document categorization for medical workflows.
- To enable secure history, traceability, and operational support.
- To detect abuse, investigate incidents, and maintain compliance.
4. GDPR Legal Bases
- Performance of a contract for provision of ScanFai and DocFai services.
- Compliance with legal obligations, including security and audit requirements.
- Legitimate interests in protecting systems, preventing misuse, and maintaining service integrity.
- Where applicable, healthcare organizations remain responsible for identifying the appropriate legal basis for patient data they control.
5. Security
- Data transfer uses encrypted channels.
- Sensitive payloads are protected using platform security controls.
- Access follows role-based authorization in the DocFai ecosystem.
- Authentication tokens are stored with mobile secure storage controls.
6. Camera and Storage Permissions
- Camera access is used to capture document images.
- Photo library access is used only when you choose existing media.
- Permissions can be controlled from device settings.
7. Storage and Retention
- Uploaded records are stored on secured infrastructure managed for DocFai services.
- Temporary device files are minimized and may be cleared by the app or the OS lifecycle.
- Retention and deletion are governed by your organization's policy and applicable law.
8. International Transfers and Third-Party Services
ScanFai may rely on vetted service providers for hosting, storage, and security operations under contractual confidentiality and data protection obligations. Where personal data is transferred outside the EEA or UK, we aim to use recognized transfer safeguards such as adequacy decisions or standard contractual clauses where required.
9. Your Rights Under GDPR
- You may have rights of access, rectification, erasure, restriction, objection, and data portability, subject to applicable law.
- If your healthcare organization controls the data, requests should normally be directed to that organization first.
- We may need to verify identity and authority before acting on a request.
10. Complaints and Contact
For privacy requests, contact: kamal@tizfai.com
If you are in Sweden or the EEA, you may also have the right to lodge a complaint with your local supervisory authority. In Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY).