Privacy Policy

Véora ("we", "us", "our") is committed to protecting the privacy and security of your personal data. We operate as a controller within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG, "UAVG"), and applicable Dutch and European data protection legislation.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what your rights are. It applies to all visitors and users of our website at joinveora.com and the services we provide, including our medical intake process, treatment programme, and patient dashboard.

The controller responsible for your personal data is:

If you have any questions or concerns about how we handle your personal data, you can contact us at the email address above.

We collect and process the following categories of personal data:

Account information

• Full name, email address, phone number, date of birth
• Account credentials (password is stored in hashed form only)

Medical data (special category data)

• Height, weight, BMI, target weight, biological sex
• Medical conditions, current medications, known allergies
• GLP-1 treatment history and current dosage
• Lifestyle information (diet, exercise, sleep)
• Consultation notes and prescription records

Payment information

• Payment method type (e.g., iDEAL | Wero, credit card, SEPA direct debit)
• Transaction references and billing history
• We do not store full payment card numbers — these are processed by our payment provider Mollie

Identity verification

• Document type (passport, ID card, driving licence)
• Verification status and reference provided by our identity verification partner

Technical data

• IP address, browser type, device information
• Pages visited, session duration, referral source
• Cookies and similar technologies (see Section 10)

We process your personal data based on one or more of the following legal grounds under Article 6 GDPR:

• Contract (Art. 6(1)(b)): Processing is necessary for the performance of our contract with you — including account management, treatment provision, payments, and customer support.
• Explicit consent (Art. 9(2)(a)): For the processing of special category data (medical/health data), we rely on your explicit consent as provided during the intake process.
• Legal obligation (Art. 6(1)(c)): Where we are legally required to retain or share data, for example under Dutch medical record-keeping obligations (WGBO — Wet op de geneeskundige behandelingsovereenkomst).
• Legitimate interest (Art. 6(1)(f)): For analytics, fraud prevention, service improvement, and direct marketing to existing customers (with easy opt-out).
• Healthcare provision (Art. 9(2)(h)): Processing of health data is necessary for the provision of healthcare under the responsibility of a licensed physician, subject to professional secrecy.

• Medical evaluation: Your health information is reviewed by a licensed physician to assess eligibility for GLP-1 treatment and to prescribe medication if appropriate.
• Treatment management: To manage your dosage, track your treatment progress, and coordinate with our pharmacy partner.
• Payment processing: To process your payments and manage membership subscriptions through our payment provider.
• Identity verification: To verify your identity as required for prescription medication services.
• Communication: To send transactional emails regarding your treatment, dosage changes, payment confirmations, and appointment reminders.
• Service improvement: To analyse usage patterns and improve our platform, content, and medical services.
• Legal compliance: To fulfil our legal and regulatory obligations, including medical record-keeping requirements.

We share your personal data only with trusted parties who are necessary for the delivery of our services. All processors are bound by data processing agreements (DPAs) in accordance with Article 28 GDPR.

• Licensed physicians — who review your medical intake and prescribe treatment. They are bound by medical professional secrecy.
• Pharmacy partner — fulfils and delivers your prescription medication. Operates under its own pharmacy licence and terms.
• Mollie (payment provider) — processes payments. Mollie is a licensed EU payment service provider. We do not have access to your full payment card details.
• iDenfy (identity verification) — processes identity document verification. Data is processed within the EU.
• Supabase(hosting & database) — stores application data on servers located in Frankfurt, Germany (EU).
• Vercel (hosting) — serves our website from Amsterdam, Netherlands (EU).
• Resend (email) — delivers transactional emails on our behalf.

We do not sell your personal data to third parties. We do not share your data with advertisers or data brokers. We may disclose data if required by law, court order, or regulatory authority.

We store and process the majority of your data within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Binding Corporate Rules of the receiving party

We retain your personal data for the following periods:

• Account data: For the duration of your account and up to 2 years after account closure or last activity.
• Medical records: 20 years after the last treatment, in accordance with the Dutch Medical Treatment Contracts Act (WGBO, Art. 7:454 BW).
• Payment records: 7 years after the transaction, in accordance with Dutch fiscal obligations.
• Identity verification: Verification status is retained for the duration of your account. Raw document images are not stored by Véora.
• Analytics data: Anonymised after 26 months.

After the applicable retention period, your data will be securely deleted or irreversibly anonymised.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/HTTPS) and at rest
• Row-level security policies on our database
• Access controls based on user roles (patient, doctor, admin)
• Regular security reviews and updates
• Two-factor authentication for staff access to medical data

We use cookies and similar technologies to operate our website, remember your preferences, and analyse usage. In accordance with Dutch telecommunications law (Telecommunicatiewet), we distinguish between:

• Strictly necessary cookies: Required for the website to function (e.g., authentication session). No consent needed.
• Analytics cookies: Used to understand how visitors use our site. We use privacy-friendly analytics that do not require consent under Dutch guidelines, provided they have minimal privacy impact.
• Marketing cookies: Only placed with your explicit consent. You can withdraw consent at any time via our cookie settings.

Under the GDPR and Dutch privacy law, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations (e.g., medical records under WGBO).
• Right to restrict processing (Art. 18): Request that we limit how we process your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please email privacy@joinveora.com. We will respond within 30 days, as required by law.

If you believe we have not handled your data correctly, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

Our services are intended for individuals aged 18 to 65. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through a prominent notice on our website. We encourage you to review this policy periodically.

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact: