Levita Med

Privacy Policy

Last updated12 May 2026

This Privacy Policy explains how Levita Med ("Levita", "we", "our") collects, uses, stores, and protects your personal data, in compliance with Albanian Law No. 9887 "On the Protection of Personal Data" and the principles of the GDPR (Regulation (EU) 2016/679).

1. The Controller and Levita's Role

Levita Med, headquartered at Durrës, Shijak, Xhafzotaj, Durana Tech Park, Rruga Ahmet Zogu, Property No. 336, CZ 3852, NIPT M61615505, acts as the Data Controller for account data, billing, system security, AI-assisted analysis, and scientific research.

For your medical data (diagnoses, clinical records, consultation notes), the licensed doctor you choose acts as an independent Data Controller, while Levita acts as a Processor providing the secure technological infrastructure for conducting and storing the consultation. The doctor determines the purpose and means of clinical treatment; Levita processes this data only on the doctor's instructions and to provide the service.

2. Data We Collect

  • Identifying data: First name, last name, date of birth, gender, phone number, email.
  • Account data: Login credentials, booking history.
  • Medical data (special category): Symptoms, medical history, diagnoses, prescriptions, AI-assisted diagnostic results, documents you upload.
  • Payment data: Processed by our payment provider; Levita does not store the full card number.
  • Technical data: IP address, device type, log data for security.

3. Legal Basis and Purposes of Processing

  • Your explicit consent — for processing medical data (special category).
  • Performance of the contract — for providing consultations and managing your account.
  • Legal obligation — for retaining medical documentation and billing records.
  • Legitimate interest — for platform security, fraud prevention, and service improvement.

4. AI-Assisted Diagnostics and Processors

  • The AI-assisted diagnostic tool operates through Mistral AI, with data processing within the European Union (Mistral EU).
  • Your data is NOT used to train AI models. It is processed only to generate the supporting result for the doctor in real time.
  • We use other processors (hosting, email, payments) that act only on our instructions and under data processing agreements (DPAs) compliant with the GDPR.

5. The Right to Erasure

You have the right to request the deletion of your personal data. However, this right is not absolute: Levita and the doctor are legally required to retain medical documentation for a period of 10 years (under legal obligations for retaining health records). During this period, medical data may be archived and restricted from active processing but cannot be fully deleted. Non-medical data (e.g. marketing data) is deleted immediately upon your request.

6. Data Retention

  • Medical data: retained for 10 years, in compliance with legal obligations.
  • Account and billing data: retained for as long as the account is active and in accordance with legal tax periods.
  • After the retention periods end, data is securely deleted or anonymized.

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, Levita will notify the Commissioner for the Right to Information and Protection of Personal Data within 72 hours of becoming aware of the breach. If the breach poses a high risk, you will also be notified without undue delay, with a description of the nature of the breach and the measures taken.

8. Your Rights

You have the right to: access your data, request rectification, request erasure (per Section 5), restrict processing, object to processing, request data portability, and withdraw consent at any time. For medical data, requests may also be addressed to the doctor as an independent controller.

9. Security

We implement appropriate technical and organizational measures: encryption in transit and at rest, role-based access control, secure authentication, and continuous monitoring.

10. International Transfers

Data is stored and processed within the European Union / European Economic Area. Any transfer outside this area is carried out only with the safeguards required by the GDPR (e.g. Standard Contractual Clauses).

11. Minors

Levita does not knowingly collect data from minors under 18 without the consent and verification of a parent/legal guardian. If we discover data collected without authorization, it is deleted.

12. Data Protection Officer (DPO)

For any question, request, or complaint regarding your data, you may contact our Data Protection Officer at: dpo@levita.ai.

You also have the right to lodge a complaint with the Commissioner for the Right to Information and Protection of Personal Data (idp.al).

13. Changes to This Policy

Levita may update this Policy. Significant changes will be communicated to you at least 30 days before they take effect.

14. Contact

  • Controller: Levita Med — NIPT: M61615505.
  • Address: Durrës, Shijak, Xhafzotaj, Durana Tech Park, Rruga Ahmet Zogu, Property No. 336, CZ 3852.
  • DPO: dpo@levita.ai.
  • General email: contact@levita.ai.
  • Website: levitamed.com.

Data Protection Officer

Send us a message about privacy or data protection and our team will respond as quickly as possible.

Levita - Privacy Policy