This page is published in English as the authoritative version. Translations of headings are provided for convenience; the legal text below remains in English.
Plain answers to the questions practitioners and patients ask most often. Last updated April 2026. Full legal detail is in the Privacy Policy.
Patient records are stored by Supabase (US company, AWS infrastructure). The transfer of EU data to the US is lawful under EU Standard Contractual Clauses (Commission Decision 2021/914).
The application runs on Vercel's edge network (EU + US). AI dossier generation uses Anthropic Claude (US), also under EU SCCs. No patient data is used to train AI models.
Yes — every paying clinic gets one. As a practitioner (data controller), you sign a Data Processing Agreement with MyDosha (data processor) as part of onboarding, typically alongside your first invoice. The agreement is yours; we keep a countersigned PDF on file.
Need it sooner for institutional vendor approval (hospital network, association membership, insurance scheme)? Email hello@mydosha.org with the subject "DPA request" and we will send it within 48 hours. It covers our sub-processor list, EU SCC references, and your rights as controller.
Practitioners: Open your portal → Account modal → "Export patient data (CSV)". Instant download of all records: name, email, dosha scores, intake answers, care plan, dates. Keep this export in your own statutory patient-file archive before unsubscribing if WGBO or similar rules apply to your practice.
Patients: Email privacy@mydosha.org with your name and the clinic you visited. We respond within 30 days with a full copy of your data.
Individual records: Practitioners can delete any single patient from the practitioner portal at any time — no form, no request needed.
Full practice wipe: Portal → Account modal → "Delete my practice". Phrase-confirmed and irreversible. Export first if you need to keep a statutory archive outside MyDosha.
Patient requests: Email privacy@mydosha.org. We respond within 30 days and follow the practitioner's controller instructions where a legal retention duty applies.
Many clinics, wellness centres, and Ayurvedic schools require a Data Processing Agreement before onboarding a data processor. MyDosha provides a standard DPA based on the EU model clauses. It covers our sub-processors, your rights as data controller, and the transfer mechanism for US-based services.
Request DPA by email

Patient health data (special category under GDPR Article 9) is processed by the following sub-processors. Each has a DPA with MyTrueDosha incorporating EU Standard Contractual Clauses as the transfer mechanism for data leaving the EEA.
| Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Patient record storage (primary database), herb/formula inventory. | US (AWS infrastructure) | EU SCCs 2021/914 — Modules 2 & 3. DPA signed April 2026. |
| Anthropic, PBC | AI dossier generation & intake conversation (stateless per call) | USA | Anthropic DPA with EU SCCs. No model training on API traffic. |
| Resend, Inc. | Transactional email (OTP codes, care plans, access links) | USA | Resend DPA with EU SCCs. |
| Vercel, Inc. | Application hosting & serverless functions (no persistent patient data) | EU + US (edge) | Vercel DPA with EU SCCs. |
Supabase's own sub-processor list: supabase.com/privacy#subprocessors
All patients who complete an intake via MyDosha are data subjects under GDPR. The following rights apply:
To exercise any right: email privacy@mydosha.org. We respond within 30 days (GDPR Article 12(3)).
Lead supervisory authority: Garante per la protezione dei dati personali (Italy — garanteprivacy.it). You may also lodge a complaint with the authority in your country of residence.
MyTrueDosha (operating brand) / Thomas Thijs
Frazione Ammazzavecchia 12, 58010 Sorano (GR), Italy
Email: privacy@mydosha.org
Estonian OÜ in formation — governing law will be updated on registration.
Full legal notice: Imprint · Full privacy policy: Privacy & Terms