Legal

Privacy Policy

Effective date: 3 June 2026 · Last updated: 3 June 2026

This Privacy Policy explains how Codeventor LTD ("Holty", "we", "us", "our") collects, uses, discloses and protects personal data in connection with the Holty website (getholty.com) and the Holty platform (the "Service").

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Romanian Law No. 190/2018 implementing GDPR, and other applicable data protection laws.

1. Who we are

Data controller for this website:

Codeventor LTD
Iași, Romania, European Union
Email: info@getholty.com
Phone: +373 79 771 161

For the Holty platform deployed at a clinic, the clinic is the data controller of patient personal data, and Codeventor LTD acts as a data processor on the clinic's behalf, as further described in Section 9 (Our role under GDPR) and the Data Processing Agreement (DPA) entered into with each clinic.

If you have questions about this Policy or wish to exercise your rights, contact us at info@getholty.com.

2. Scope

This Policy applies to:

Visitors of getholty.com and any subdomain operated by us;
Prospective customers who request a demo, contact us, or interact with our marketing;
Representatives of clinics that have entered into an agreement with us;
Job applicants who contact us regarding career opportunities.

This Policy does not apply to personal data processed by a clinic through the Holty platform in its role as data controller. For information about how a particular clinic processes patient data, please refer to that clinic's own privacy notice.

3. What personal data we collect

3.1 Information you provide directly

Contact and demo requests: full name, email address, phone number, clinic name, role, country, and any message you send us.
Commercial correspondence: content of emails, calls, meeting notes and information you share during sales or onboarding conversations.
Account information (for clinic representatives): name, work email, position, login credentials, billing and tax details.
Job applications: CV, cover letter, professional history and any information you share with us during the hiring process.

3.2 Information collected automatically

Technical data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of visit, language preference.
Cookies and similar technologies: see Section 8 (Cookies).
Analytics data: aggregated and pseudonymised statistics about how visitors use our website.

3.3 Information from third parties

Enrichment: publicly available business information (e.g., LinkedIn, company registries) used to qualify leads.
Service providers: information from analytics, CRM, email delivery and hosting providers used by us.

We do not intentionally collect special categories of personal data (such as health data) through the website. Patient health data is processed only inside the Holty platform, under each clinic's instructions, in our capacity as processor.

4. Legal bases for processing

We process personal data on the following legal bases under Article 6 GDPR:

Purpose	Legal basis
Responding to demo requests, contact forms and questions	Consent (Art. 6(1)(a)) or pre-contractual measures (Art. 6(1)(b))
Performing a contract with a clinic	Contract (Art. 6(1)(b))
Sending direct marketing to business contacts	Legitimate interests (Art. 6(1)(f)) or consent where required
Analytics and product improvement	Legitimate interests (Art. 6(1)(f)) or consent for non-essential cookies
Complying with legal obligations (e.g., tax, accounting)	Legal obligation (Art. 6(1)(c))
Defending legal claims and protecting our rights	Legitimate interests (Art. 6(1)(f))
Recruitment and hiring	Consent (Art. 6(1)(a)) or pre-contractual measures (Art. 6(1)(b))

You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5. How we use personal data

We use personal data to:

Respond to demo requests and customer enquiries;
Provide, operate, maintain and improve the Service and our website;
Manage our commercial relationship with clinics, including billing and support;
Send transactional emails (e.g., account confirmations, security notices);
Send marketing communications about our products, where permitted;
Measure and improve the performance of our website and marketing;
Detect, prevent and address technical issues, fraud and security incidents;
Comply with applicable laws and respond to lawful requests from authorities.

We do not sell personal data and we do not use personal data for automated decision-making producing legal or similarly significant effects.

6. Sharing personal data

We share personal data only when necessary and with appropriate safeguards. Recipients include:

Service providers (sub-processors) that help us run our business: cloud hosting, email delivery, CRM, analytics, customer support, payment processing, accounting. Each provider is bound by a written contract and processes data only on our instructions.
Professional advisors: lawyers, accountants and auditors, where necessary to obtain advice or comply with legal obligations.
Authorities: where required by law, court order or to protect our rights and the safety of others.
Corporate transactions: in connection with a merger, acquisition, financing or sale of assets, subject to confidentiality.

A current list of our sub-processors for the Holty platform is available to clinic customers on request and is referenced in the DPA.

7. International transfers

Our infrastructure and primary service providers are located in the European Union or the European Economic Area (EEA).

Where personal data is transferred outside the EEA, we ensure an adequate level of protection by using one or more of the following safeguards:

Transfers to countries covered by a European Commission adequacy decision;
Standard Contractual Clauses (SCCs) approved by the European Commission;
Additional technical and organisational measures where appropriate (encryption, pseudonymisation, access controls).

You may request a copy of the safeguards in place by contacting info@getholty.com.

8. Cookies and similar technologies

We use cookies and similar technologies to make our website work, measure performance and improve your experience. We use the following categories:

Strictly necessary cookies — required for the website to function; cannot be disabled.
Analytics cookies — help us understand how visitors use our website (e.g., page views, bounce rate). Set only with your consent.
Marketing cookies — used to measure the effectiveness of advertising. Set only with your consent.

You can accept or refuse non-essential cookies through our cookie banner, and change your preferences at any time. You can also block or delete cookies through your browser settings; doing so may affect website functionality.

9. Our role under GDPR (controller vs. processor)

Holty has two distinct roles:

Data controller — for personal data processed in connection with our website, marketing, sales and corporate operations (the subject of this Policy).
Data processor — for personal data processed by clinics inside the Holty platform, including patient health data. In this case, the clinic determines the purposes and means of processing, and we act strictly on the clinic's documented instructions under a Data Processing Agreement that complies with Article 28 GDPR.

For on-premise deployments, patient data remains on the clinic's own infrastructure and we have no access to it unless expressly requested by the clinic for support purposes.

10. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, accounting or reporting requirements.

Indicative retention periods:

Demo requests and unqualified leads: up to 24 months from last interaction.
Customer account data: for the duration of the contract plus the statutory limitation period (typically up to 6 years in Romania for tax and accounting purposes).
Marketing contacts: until you unsubscribe or object, and then deleted from active databases within 30 days.
Website analytics: up to 26 months in aggregated form.
Job applications: up to 12 months after the end of the recruitment process, unless you consent to a longer retention.

After the retention period, personal data is deleted or anonymised.

11. Your rights

Under GDPR, you have the following rights, subject to legal conditions and exceptions:

Access — obtain confirmation of whether we process your personal data and a copy of it.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — request deletion of your data where the conditions of Article 17 GDPR are met.
Restriction — request that we restrict the processing of your data in certain circumstances.
Portability — receive your data in a structured, commonly used and machine-readable format.
Objection — object to processing based on legitimate interests, including direct marketing.
Withdraw consent — at any time, without affecting prior lawful processing.
Lodge a complaint — with a supervisory authority. The Romanian authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP), www.dataprotection.ro.

To exercise these rights, email info@getholty.com. We will respond within one month and may extend that period by up to two further months for complex requests, in which case we will inform you of the extension.

If your request concerns patient data processed by a clinic through the Holty platform, please contact the clinic directly — they are the data controller.

12. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include:

Encryption in transit (TLS 1.2+) and at rest (AES-256);
Role-based access controls and least-privilege principles;
Regular backups and disaster recovery procedures;
Logging, monitoring and intrusion detection;
Periodic security reviews, vulnerability scanning and penetration testing;
Vendor risk management for sub-processors;
Staff training and confidentiality obligations.

No system can be guaranteed 100% secure. In the event of a personal data breach, we will notify affected individuals and supervisory authorities where required by law.

13. Children

The website and the Service are not directed to children under the age of 16 and we do not knowingly collect personal data from them through the website. The Holty platform may be used by clinics to process paediatric records under the clinic's responsibility as data controller.

If you believe a child has provided us with personal data, please contact us and we will delete it.

14. Third-party links

Our website may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before sharing your personal data.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, the Service or applicable law. The "Last updated" date at the top indicates when this Policy was last revised. Material changes will be communicated through the website or by email where appropriate.

16. Contact us

For questions, requests or complaints regarding this Policy or our processing of your personal data:

Codeventor LTD
Iași, Romania, European Union
Email: info@getholty.com
Phone: +373 79 771 161

We aim to resolve all enquiries directly. You also have the right to contact the Romanian data protection authority (ANSPDCP) or the supervisory authority in your country of residence.