Data Processing Agreement
Last Updated: December 10, 2025
Introduction
This Data Processing Agreement (DPA) describes how Lilac processes personal data on behalf of our users and healthcare providers. It outlines the types of data we process, our legal basis for processing, data retention periods, and your rights as a data subject.
Categories of Data Processed
We process various categories of personal data to provide our healthcare services:
| Data Category | Examples | Processing Purpose |
|---|---|---|
| Identity Data | Name, date of birth, gender, profile photo | Account creation and user identification |
| Health Data | Medical history, medications, lab results, vital signs | Healthcare service delivery and health tracking |
| Usage Data | App interactions, feature usage, session logs | Service improvement and technical support |
| Communication Data | Messages with doctors, appointment notes | Facilitating patient-provider communication |
Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Your explicit consent for health data processing
- Performance of our service agreement with you
- Compliance with legal and regulatory obligations
- Protection of vital interests in healthcare emergencies
Data Retention
We retain your personal data only as long as necessary for the purposes described in this agreement:
- Health records: Retained for the duration required by applicable medical record retention laws (typically 7-10 years)
- Account data: Retained while your account is active, plus 30 days after deletion request
- Usage logs: Retained for up to 12 months for security and analytics purposes
International Data Transfers
Your data may be processed in countries outside your country of residence. We ensure appropriate safeguards are in place for all international transfers, including Standard Contractual Clauses and adequacy decisions where applicable. Our primary data centers are located in secure, certified facilities.
Third-Party Processors
We engage trusted third-party processors to help deliver our services. All processors are bound by data processing agreements and are required to maintain appropriate security measures:
- Cloud infrastructure providers (hosting and storage)
- Analytics services (anonymized usage data only)
- Communication services (secure messaging and notifications)
Data Protection Officer
For questions about data processing or to exercise your data protection rights, please contact our Data Protection Officer:
Data Protection Officer: dpo@lilac.health