Privacy Policy

Last updated: 8 May 2026

This Privacy Policy explains how Lidisto ("Lidisto", "we", "us") collects, uses, and protects personal data when you use the Lidisto booking platform — accessed through the public booking pages of our business customers (clinics, beauty salons, barber shops, psychology offices, fitness studios, and similar service providers) or through the Lidisto admin interface.

1. Data Controller

The data controller is:

• Company: BHDIT SRL
• Registration number: J2026027909001
• Tax ID: 54575180
• Registered office: Aleea Barajul Uzului 1, Sector 3, București, Romania
• Email: [email protected]
• Website: https://lidisto.com

Each business using Lidisto to manage bookings (a "Business Customer") acts as an independent data controller for their own client records. Lidisto acts as a data processor on behalf of the Business Customer for those records, under a Data Processing Agreement.

2. What We Collect

We collect the following categories of personal data:

a) Identification and contact data

• Full name
• Email address
• Phone number (in E.164 format)
• Date of birth (only if requested by the Business Customer)

b) Booking and service data

• Selected service, date, time, and location
• Notes you provide on the booking form (intake answers)
• Files you upload (e.g. medical history, prior test results, when applicable)
• Booking history with that Business Customer

c) Authentication data

• One-time login codes (OTPs) sent by SMS or email
• Session identifiers and login timestamps

d) Technical data

• IP address, user agent, device type
• Cookies and similar technologies (see Section 9)
• Access logs

e) Communication data

• Records of email and SMS notifications sent to you (delivery status, timestamps)
• Replies and support requests

We do not collect special categories of data (health, biometric, etc.) unless the Business Customer's intake form explicitly requests them and you provide them voluntarily. Where this happens, the Business Customer is the controller.

3. Legal Basis (Art. 6 GDPR)

We process your data on the following legal bases:

• Contract (Art. 6(1)(b)) — to create and manage your booking, deliver appointment reminders, and provide the platform.
• Legitimate interest (Art. 6(1)(f)) — to secure our service, prevent fraud and abuse, maintain logs, and improve the platform.
• Consent (Art. 6(1)(a)) — for optional features such as marketing or non-transactional communications. Consent can be withdrawn at any time.
• Legal obligation (Art. 6(1)(c)) — when retention or disclosure is required by Romanian or EU law (e.g. accounting, tax, anti-fraud).

For special categories of data submitted via intake forms, the legal basis is your explicit consent (Art. 9(2)(a)) or, where applicable, the contractual necessity of providing healthcare (Art. 9(2)(h)).

4. How We Use Your Data

• Create and confirm your bookings.
• Send transactional notifications (booking confirmation, reminders, schedule changes) by email and SMS.
• Authenticate you when you log in to the patient portal (passwordless OTP).
• Provide intake forms and store the answers for the Business Customer who scheduled the booking.
• Respond to support requests and resolve issues.
• Comply with legal obligations.
• Detect and prevent abuse.

5. SMS Notifications

When you provide your phone number in the booking form or contact form, you consent to receiving transactional SMS related to your booking and authentication, delivered via our SMS provider (e.g. sent.dm, Twilio). These messages may include:

• Login verification codes (OTP)
• Booking confirmations and reminders
• Follow-up messages if you submitted a contact form but did not complete a booking

You can opt out at any time by replying STOP to any SMS, or by emailing us at [email protected]. Opting out does not affect bookings already confirmed; the Business Customer may contact you by other means.

We do not send marketing SMS.

6. Recipients and Sub-processors

We share your data only with:

• The Business Customer whose booking page you used (they are the primary controller of your client record with that business).
• Hosting and infrastructure providers (servers, databases, file storage) located within the EU or under EU adequacy decisions.
• Email providers (e.g. Resend) to deliver transactional emails.
• SMS providers (sent.dm, Twilio) to deliver transactional SMS.
• Payment processors, if applicable, when payments run through the platform.
• Authorities, where required by law.

Each sub-processor is bound by a data processing agreement consistent with GDPR.

7. International Transfers

Where a sub-processor is located outside the EEA, transfers are made under appropriate safeguards — Standard Contractual Clauses or an adequacy decision of the European Commission.

8. Retention

• Booking records: kept for the duration of your relationship with the Business Customer and for up to 5 years afterwards, or longer if required by Romanian healthcare or accounting law.
• Authentication codes: deleted within 15 minutes of issuance.
• Access logs: retained for up to 12 months.
• Files uploaded to intake forms: kept according to the Business Customer's policy and applicable law.
• Marketing consent records: kept until you withdraw consent plus 3 years.

After the retention period, data is permanently deleted or fully anonymised.

9. Cookies

Lidisto uses strictly necessary cookies (session, CSRF protection) and, optionally, analytics cookies if you consent. The cookie banner shown on first visit lets you accept or reject non-essential cookies. You can change your choice at any time through the cookie settings link in the page footer.

10. Your Rights

Under GDPR, you have the right to:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention.
• Restriction — limit how we process your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interest.
• Withdraw consent — at any time, without affecting prior lawful processing.
• Lodge a complaint — with the Romanian supervisory authority ANSPDCP (https://www.dataprotection.ro/) if you believe your rights have been violated.

To exercise any of these rights, email [email protected]. We respond within 30 days.

11. Children

Lidisto is not directed to children under 16. If a Business Customer offers services to minors, the booking is made by a parent or legal guardian, who provides consent on behalf of the minor.

12. Security

We apply industry-standard technical and organisational measures: encryption in transit (TLS), access controls, password hashing, principle of least privilege, regular backups, and audit logging. No system is perfectly secure, but we work continuously to reduce risk.

13. Changes to This Policy

We may update this Privacy Policy. The "Last updated" date at the top reflects the latest revision. Material changes are announced by email or in-app notice at least 14 days before they take effect.

14. Contact

For any privacy question or to exercise your rights:

• Email: [email protected]
• Postal: BHDIT SRL, Aleea Barajul Uzului 1, Sector 3, București, Romania