Data Processing Agreement

Effective Date: November 8, 2025

Version 1.1 | Last Updated: 11 June 2026

1. Scope

This Data Processing Agreement ("DPA") forms part of your agreement with LM TECH LABS, LDA (NIPC: 519341023), Estrada Nacional 221 - Poente, 54, 5225-104 Sendim, Portugal ("PixioDoc", "we", "us"). It applies to Personal Data we process on your behalf when you use PixioDoc.

This DPA supplements our Terms & Conditions and Privacy Policy. For processing of Personal Data, this DPA prevails over conflicting provisions in the Terms.

Descriptions here reflect our current practices and are not warranties or guaranteed service levels unless separately agreed in writing (e.g. a Teams order form).

This online DPA applies when you use the Service. A counter-signed (fully executed) copy is available only to subscribers on the Teams plan.

2. Roles

You are the Controller for patient and clinical Content you upload. You determine what to collect, obtain patient consent where required, provide privacy notices, handle data subject requests, and ensure a lawful basis for processing health data.

PixioDoc is the Processor for that Content. We process it only on your documented instructions — through the Service, this DPA, and applicable law — and implement appropriate technical and organisational measures.

3. Processing Instructions

We process Personal Data to provide the Service (storage, organisation, sharing, authentication, support, security, and billing), as you direct through the app, and as necessary to comply with law.

We may also process Content to verify compliance with the Terms and the clinical scope of the Service, and use anonymized, aggregated usage data to improve the Service. We do not sell Personal Data, use patient Content for advertising, or train AI models on identifiable patient data.

Authorised personnel may access Content where reasonably necessary to operate the Service, respond to your requests, comply with law, or investigate suspected misuse, without advance notice where appropriate.

4. Data Processed

Categories include: your account and professional information; patient identifiers, demographics (where provided), clinical notes, medical images and videos, annotations, and timelines; authorised user details and sharing permissions; and technical data needed to operate and secure the Service. The Service is designed to process health data (special category data under GDPR Article 9). You certify that you have a lawful basis and any required consents before uploading such data.

Primary clinical data is hosted in the EU/EEA. Retention is described in our Privacy Policy and Terms. Deleted Content may remain recoverable for a limited period before permanent deletion.

5. Security

We implement technical and organisational measures appropriate to the risk. We encrypt Personal Data in transit and at rest, and apply further measures that may include access controls, authentication, activity logging, and monitoring. Further detail is in our Privacy Policy. No method of transmission or storage is completely secure.

If we become aware of a personal data breach affecting your Content, we will assess it and notify you without undue delay where required by applicable law, with information reasonably available at the time. Breach notification does not constitute an acknowledgement of fault; liability is governed by the Terms.

6. Sub-processors

We use sub-processors under contract to help deliver the Service, including:

  • Supabase — database hosting and authentication (EU)
  • RevenueCat — subscription management
  • Firebase (Google) — push notifications
  • ZeptoMail (Zoho) — transactional email

We may also use providers for application hosting, CDN, error monitoring, and related infrastructure. Sub-processors are required to protect Personal Data under data processing terms. We will give advance notice before a new sub-processor begins processing Personal Data, and you may object on reasonable data protection grounds by contacting support@pixiodoc.com. If you object, we will work with you in good faith to find a solution and, where we cannot, you may terminate the affected Service.

7. International Transfers

Where Personal Data is transferred outside the EU/EEA or UK, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognised by applicable law. EU Commission Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this DPA where applicable. Full SCC text is available on request at support@pixiodoc.com.

8. Data Subject Rights

You are responsible for responding to patient requests to exercise their rights. We will assist you with reasonable measures, including self-service tools where available.

Export: Metadata may be exported via Profile → Privacy & Security → Export Data. Photo and video files are generally not included in self-service export; request them at support@pixiodoc.com. We will respond within a reasonable period, subject to verification and operational constraints.

9. Return and Deletion

On termination of the Service or your Account, you may export data as described above. Thereafter, we will delete or return Personal Data in accordance with our Privacy Policy and Terms, except where retention is required by law or for legitimate purposes such as dispute resolution or security. You are responsible for exporting data you wish to keep before deletion.

10. Audits

On reasonable written request, we will provide information needed to demonstrate compliance with this DPA, such as security documentation or sub-processor details. Audits of our facilities are subject to reasonable notice, confidentiality, and frequency limits. You bear the cost of audits you initiate unless otherwise required by law.

11. Liability

Liability under this DPA is subject to the limitations in our Terms. Nothing excludes liability that cannot be limited under applicable law.

12. Term and Changes

This DPA remains in effect while we process Personal Data on your behalf. It terminates when processing ends and data has been deleted or returned as applicable.

We may update this DPA. Where practicable, we aim to notify you of material changes. Continued use after the effective date constitutes acceptance unless applicable law requires otherwise.

13. Governing Law

This DPA is governed by the laws of Portugal. Courts in Porto, Portugal have jurisdiction, subject to mandatory consumer protections and your right to lodge a complaint with a supervisory authority (e.g. CNPD in Portugal).

14. Contact

LM TECH LABS, LDA — support@pixiodoc.com
Estrada Nacional 221 - Poente, 54, 5225-104 Sendim, Portugal

Related Legal Documents:

Need a signed DPA?

A counter-signed (fully executed) DPA is available only to Teams plan subscribers. Email support@pixiodoc.com with your organisation name and signatory details.

Request Signed DPA