Data Protection Declaration (DPD) - January 2026

As a data host and solution provider, we are aware of the importance of confidentiality and the protection of the data entrusted to us.

This statement explains how Dupraz Informatique Sàrl (hereinafter "publisher") processes personal data via its SaaS solution including ErgoApp, MedicApp, PhysioApp, and PsyApp.

1. Data controller and contact

The data controller within the meaning of the Federal Act on Data Protection (FADP) is Dupraz Informatique Sàrl Place de la Gare 9, 1260 Nyon, Switzerland Email: contact@dupraz-informatique.ch.

Patient data entered into the application is provided by the healthcare professional or the practice. The latter is therefore the data controller.
The editor then acts as a data processor.

2. Collected data and purposes

The publisher only collects data necessary to provide the services:

  • Healthcare professional identity data
    Last name, first name, address, contact details, federal identification numbers (GLN, RCC), and information required for issuing SwissQR invoices.
    Purpose: to allow the legal identification of the provider and the correct routing of their payments.
  • Patient identity data
    Last name, first name, address, contact details, insurance, reports, diagnoses, photos, prescriptions, medical history, ...
    This data is entered and managed exclusively by the healthcare professional under their own responsibility for the purpose of providing the appropriate medical treatment.
    Purpose: The publisher only provides the secure infrastructure for the storage and processing of this information.
  • Patient Portal for online appointment booking
    Last name, first name, address, contact details, insurance
    Privacy: This information is only transmitted to the healthcare professional(s) with whom the patient is booking an appointment.
    Purpose: Management of the patient user account and transmission of the appointment request to the selected healthcare professional.
  • Navigation
    Google Analytics is used only on public commercial sites with IP anonymization.
    Purpose: To obtain statistics on site attendance and performance.

We do not and will never engage in the commercial resale of data to third parties.

3. Hosting and Sovereignty

Unlike many solutions based on third-party 'public cloud' infrastructures, Dupraz Informatique Sàrl prioritizes a model of direct technological sovereignty.

All data is hosted in a secure data center in Switzerland. The hardware used, such as servers, routers, switches, etc., belongs to the publisher.
This ensures total control over the security chain, without any technical intermediaries.

To ensure service continuity and data resilience in the event of a major disaster, backups are replicated daily across three distinct geographical sites.

Except for the optional use of an external third-party service in point 8, no health data is transferred abroad.

We have our own SMS communication gateway, ensuring that basic notifications do not pass through international third-party platforms.

Everything is installed and maintained by our own employees. We do not use any subcontractors.

4. Data Security

The publisher implements rigorous technical and organizational measures (TOM):

  • Encryption

    Data encrypted in transit (TLS) and at rest (Encryption at rest).

  • Access Control

    Strong authentication (2FA) available, connection logging, security alerts, and IP restriction.

  • Restricted access

    Only the publisher's technical team may access the infrastructure for maintenance or support purposes. Our employees are contractually subject to strict professional secrecy (Art. 321 of the Swiss Criminal Code).

  • Backups

    Backup policy across three distinct geographical locations in Switzerland.

  • Incidents

    In the event of a security breach, we will inform the client within 48 business hours to allow for the necessary legal notifications.

  • Storage device

    In the event of a technical failure, all storage media (hard drives, SSDs) are physically destroyed. No media containing health data is returned to the manufacturer for warranty or repair, ensuring that no data leaves our infrastructure in physical form.

Reminder: For patient data entered into the application, the healthcare professional (or the practice) is the data controller. The publisher acts as the data processor.

5. Cookies and Analytics

Within the application (for both healthcare professional and patient spaces), no third-party tools are integrated to ensure total confidentiality.
For the showcase website (starting with www), the publisher uses Google Analytics to measure the audience. The data is anonymized, and you can opt out via your browser settings.

6. Your Rights

In accordance with the nFADP, users have the following rights:

  • Right of access and rectification.
  • Right to erasure of data (subject to legal medical retention obligations).
  • Right to data portability.
  • Right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

7. Retention period

  • Healthcare professional

    Healthcare professional account data is retained as long as the subscription is active.

    In the event of termination, patient data is kept on our servers for a period of 10 years (the legal retention period for medical records in Switzerland), unless otherwise instructed in writing by the healthcare professional.
    After this period, or upon explicit request for deletion following termination, the data will be permanently erased.
    It is the healthcare professional's responsibility to ensure they have a copy of their records in accordance with their ethical obligations before requesting any deletion.

  • Patient appointment booking

    Account data is retained as long as the user is actively using the service.
    In the event of prolonged inactivity (more than 2 years without logging in) or upon a deletion request, account data will be erased.

8. Partners and Third-Party Transfers

To provide a complete solution, can be connected to the following third-party services.
Data transmission only occurs if the healthcare professional activates or uses the relevant module.

  • Calendar

    OneDoc (Switzerland)

  • Insurance

    CoverCard (Switzerland)

  • Accounting
  • Billing

    MediData (Switzerland)
    MediServ (Switzerland)
    Zaala (Switzerland)

  • Online payment

    Stripe (International) - Currently only for the payment of the Publisher's SaaS subscriptions

  • SMS

    ClickSend (Australia)

Looking for a medical consultation? Click here to access the directory.
Copyrights © 2016 - 2026 All Rights Reserved by Dupraz Informatique Sàrl.
Terms and Conditions / Data Protection / Data Processing Agreement (DPA)