Effective date:

This Privacy Policy explains how we collect, use and protect your personal data when you visit morethanone.ch (the “Website”) or use our medical second-opinion services

We are committed to handling your personal data in a transparent and secure way and in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and, where relevant, Swiss data protection law.

1. Who We Are

MoreThanOne is a service that helps patients obtain independent medical second opinions from international specialists.

• The Website (morethanone.ch) and non-clinical coordination activities in Europe are operated by:

MMS Bulgaria
[full legal name + legal form]
[registered address]

• The medical second-opinion and telemedicine services are provided by:

Symbian Health Co.
[legal form] incorporated under the laws of [State], USA
[registered / principal address

Data protection roles:

• For website browsing, contact forms and general enquiries, Symbian Health Co. is the controller of your personal data.
• When you order a medical second opinion, Symbian Health Co. is the controller of your medical (health) data. MMS Bulgaria supports Symbian as its EU representative and local support partner and may act as processor and/or joint controller for certain intake and logistics activities.

If you have any questions about this Privacy Policy, you can contact us at:

• Email (general/privacy): [hello@morethanone.ch or privacy@…]
• Postal address (EU contact): MMS Bulgaria, [address, Bulgaria]
• Postal address (US contact): Postal address (EU contact): MMS Bulgaria, [address, USA]

2. What Data We Collect

We collect and process different types of personal data depending on how you interact with us.

• When you contact us or use forms on the Website, we collect name, email address, phone number, country of residence, and the content of your message or enquiry.
• When you request a medical second opinion, we will ask for identification data (name, date of birth, contact details); medical and health data (diagnoses, medical history, medications, imaging, laboratory and pathology reports, letters from treating doctors, etc.); any additional health information you choose to share; communications between you and us (including platform messages and emails) may also be collected.
• Payment-related data is limited to the payment information (for example, payment status, transaction ID), as well as the card details are processed by our payment service providers and are not stored on our own servers.

Data collected automatically

When you visit the Website, we may collect certain information automatically, such as IP address and approximate location, device and browser type, pages visited and time spent, referrer URL (how you reached the Website), as well as cookies and similar technologies (see Section 8 and our Cookie Policy). This information is mainly used for security, analytics and improving the Website.

3. How We Use Your Information

We use the information we collect for the following purposes:

1. To provide our services

• Process your request and set up your case
• Share your medical data with the appropriate specialists and sub-reviewers
• Communicate with you about your case and deliver your second-opinion report

2. To operate and improve our Website and services

• Respond to your enquiries
• Monitor performance and user experience
• Prevent misuse and ensure security of the platform

3. To comply with legal obligations

• Accounting and invoicing
• Responding to requests from regulators or authorities, where required

4. To protect our rights

• Establish, exercise or defend legal claims
• Handle complaints and disputes

5. With your consent, for communication/updates

• Send you newsletters or information about our services
• You can unsubscribe at any time.

We will never sell your personal data.

4. Legal Bases for Processing (GDPR)

If you are in the EU/EEA/UK, we rely on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR):
  To provide the second-opinion services you requested, manage your case and communicate with you.
• Explicit consent for health data (Art. 9(2)(a) GDPR):
  To process your health data (special categories of data) for the purpose of providing a medical second opinion and to transfer such data outside the EU/EEA where necessary. This consent is obtained in the Patient Agreement and Informed Consent you accept when ordering the services.
• Legal obligation (Art. 6(1)(c) GDPR):
  To comply with legal and accounting obligations.
• Legitimate interests (Art. 6(1)(f) GDPR):
  For security, fraud prevention, service improvement and responding to your enquiries, provided these interests are not overridden by your rights and interests.

Where we rely on your consent, you can withdraw it at any time (see Section 9). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

5. Sharing Your Information

We do not sell your personal data.

We may share your data with:

• Symbian Health Co. and its medical staff :
  When you request a second opinion, your medical data are shared with Symbian’s physicians and clinical staff, who review your case and prepare the opinion.
• MMS Bulgaria (EU support) :
  MMS Bulgaria may access your data to coordinate your case, help with logistics, provide EU-based support and act as EU representative for data protection purposes.
• Specialist reviewers and partner institutions (“sub-reviewers”) :
  Radiologists, pathologists, oncologists, dermatologists, fertility experts and other specialists, who may be located in the USA or other countries, to review your imaging, pathology and medical records.
• Trusted service providers :
  IT hosting and cloud providers (servers located in the EU), telemedicine and communication tools, translation providers, payment processors and other suppliers who help us operate the Website and deliver the service. These service providers act as processors and are contractually required to protect your data and only process it as instructed.
• Authorities and legal advisors :
  Where required by law, court order or competent authority, or to establish, exercise or defend legal claims.

We share only the data that are necessary for each specific purpose.

6. International Transfers of Personal Data

Our servers are hosted in the European Union, and much of your data is stored there. However:

• Symbian Health Co. is based in the United States;
• Some medical specialists and sub-reviewers are located in the USA or other non-EU/EEA countries.

This means your personal data, including health data, may be accessed from countries that may not provide the same level of data protection as the EU/EEA or Switzerland.

When we transfer personal data internationally, we aim to use one or more of the following:

• Standard Contractual Clauses (SCCs) or other contractual safeguards approved under GDPR;
• Limited access for authorised persons who need the data to provide the service;
• Secure technical measures such as encryption and access controls.

For EU/EEA patients, we also ask for your explicit consent for certain transfers of health data outside the EU/EEA (particularly to the USA and other countries without an adequacy decision) as part of the Patient Agreement and Informed Consent. You may withdraw this consent at any time, but this may limit our ability to provide the service.

7. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes described in this Policy, including:

• To provide the second-opinion service and any follow-up you request;
• To comply with legal, regulatory and accounting obligations;
• To establish, exercise or defend legal claims within applicable limitation periods.

After this, we either delete your data securely or anonymise it so that it can no longer be linked to you personally.

If you would like more detailed information about retention periods for specific categories of data, you can contact us (see Section 10).

8. Cookies and Tracking Technologies

If you have any questions or concerns about this Privacy Policy, please contact us at:

• Enable basic site functionality;
• Remember your preferences;
• Analyse traffic and usage patterns;
• (Where applicable) support marketing or retargeting.

You can control or disable cookies through your browser settings. However, some parts of the Website may not function properly without certain cookies.

For more details about the types of cookies we use and how you can manage them, please see our Cookie Policy.

9. Your Rights

Depending on where you live and applicable law (including GDPR), you may have some or all of the following rights:

• Right of access – to obtain confirmation whether we process your data and receive a copy;
• Right to rectification – to correct inaccurate or incomplete data;
• Right to erasure – to request deletion of your data in certain circumstances;
• Right to restriction – to ask us to limit processing in certain cases;
• Right to data portability – to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
• Right to object – to certain processing based on legitimate interests or for direct marketing;
• Right to withdraw consent – where processing is based on consent, you can withdraw it at any time;
• Right to lodge a complaint – with a data protection authority, in particular in the country where you live, work, or where you believe a violation occurred.

To exercise your rights, please contact us using the details in Section 10. We may need to verify your identity before responding.

10. Children’s Privacy

Our Website and services are not intended for children under 16 years of age (or the applicable age in your country) without the consent of a parent or legal guardian. We do not knowingly collect personal data from children without appropriate consent. If you believe that a child has provided us with personal data without such consent, please contact us so we can take appropriate steps.

11. Contact Us

For general privacy questions or to exercise your rights, please contact:

MMS Bulgaria – EU Contact / Local Support
Email: [eu-privacy@… / hello@morethanone.ch]

For matters relating specifically to medical second-opinion services and Symbian Health Co. as controller:

Symbian Health Co. – Privacy Contact
Email: [privacy@…]

If you are in the EU/EEA or UK, you also have the right to lodge a complaint with your local data protection authority.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our services or legal requirements. When we do so, we will post the updated version on this page and update the “Effective date” at the top.

We encourage you to review this Policy regularly.