Privacy Policy
This privacy policy describes how the Medical Association of French-Speaking Students of Iași (AMSFI) collects, uses, and protects your personal data in accordance with Regulation (EU) 2016/679 of April 27, 2016 (General Data Protection Regulation - GDPR) and applicable Romanian legislation.
1. Data Controller
The data controller for your personal data is:
Asociaţia Medicală a Studenţilor Francofoni din Iaşi (Medical Association of French-Speaking Students of Iași - AMSFI)
- CIF: 40833956
- National NGO Register: Position 27210/A/2018
- Address: Centrul de Limbi Moderne și Integrare Culturală "Grigore T. Popa", Str. Gheorghe Săulescu nr. 4, Iași 700259, Romania
- Email: contact@congresmedicis.com
- Website: https://congresmedicis.com
2. Personal Data Collected
2.1 Identification and Contact Data
When creating your account and registering for the Congress, we collect:
- First and last name
- Email address
- Phone number
- Postal address (for billing)
- Country of residence
2.2 Educational Background Data
- Field of study (medicine, dentistry, other)
- Status (student, graduate, resident, physician)
- University and year of study
- Medical specialty (if applicable)
- Workplace (if applicable)
2.3 Order and Payment Data
- Order details (chosen pack, options)
- Billing data
- Transaction history
- Promotional code used
Important note: Banking data (card number, expiration date, CVV) is never stored by AMSFI. This data is processed directly and exclusively by our PCI-DSS certified payment provider, Netopia Payments.
2.4 Participation Data
- Activity registrations (workshops, conferences, discussions)
- Event attendance
- Certificates obtained
- Submitted abstracts (if applicable)
2.5 Technical Data
- IP address
- Browser type
- Session and authentication data
2.6 Personal Preferences
- Transportation preferences (bus departure city)
2.7 Sensitive Data (Special Categories - Article 9 GDPR)
We collect the following data which may constitute health data within the meaning of Article 9 of the GDPR:
- Dietary preferences (regular, vegetarian)
- Declared food allergies
Legal basis: This data is collected on the basis of your explicit consent (Article 9(2)(a) GDPR), which you provide by voluntarily entering this information in your profile. This data is used exclusively to adapt catering services during the Congress and ensure your food safety. You may withdraw this consent at any time by deleting this information from your profile or by contacting us.
3. Purposes of Processing
Your personal data is collected and processed for the following purposes:
3.1 Contract Performance
- Managing your registration for the MÉDICIS Congress
- Processing your orders and payments
- Allocating places for reserved activities
- Issuing participation certificates
- Managing transportation (shuttles, buses)
- Communicating practical information about the Congress
3.2 Legal Obligations
- Issuing invoices and accounting documents
- Compliance with tax obligations
- Retention of required legal documents
3.3 Legitimate Interests
- Improving our services and the Website
- Fraud prevention
- Transaction security
- Anonymized statistics
3.4 Consent
- Sending marketing communications (with your prior agreement)
- Using your image in our communication materials
4. Legal Bases for Processing
In accordance with Article 6 of the GDPR, we process your data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Registration management | Contract performance |
| Payment processing | Contract performance |
| Billing and accounting | Legal obligation |
| Organizational communications | Contract performance |
| Direct marketing | Consent |
| Service improvement | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
5. Data Retention Periods
We retain your personal data only for as long as necessary for the purposes for which it was collected:
| Type of Data | Retention Period |
|---|---|
| Account data | Until deletion request or 3 years of inactivity |
| Order and billing data | 10 years (accounting and tax obligations) |
| Payment data | Not retained (processed by Netopia) |
| Participation certificates | 5 years after issuance |
| Marketing communications | Until consent withdrawal |
| Technical logs | 12 months |
6. Data Recipients
Your personal data may be transmitted to the following categories of recipients:
6.1 Processors
We use the following processors for the proper functioning of our services:
| Processor | Service | Data Processed | Country / Safeguards |
|---|---|---|---|
| Convex, Inc. | Database | Account data, orders, registrations | United States (Standard Contractual Clauses) |
| Vercel Inc. | Web hosting | Connection logs, IP address | United States (Standard Contractual Clauses) |
| Resend, Inc. | Email delivery | Name, email address | United States (Standard Contractual Clauses) |
| Netopia Payments S.R.L. | Payment processing | Payment data (PCI-DSS certified) | Romania (EU) |
| Sentry (Functional Software, Inc.) | Error tracking | Anonymized technical data | United States (Standard Contractual Clauses) |
| Axiom, Inc. | Logging and error monitoring | Technical data, application logs | United States (Standard Contractual Clauses) |
All our processors are subject to data processing agreements (DPA) in compliance with Article 28 of the GDPR.
6.2 Partners
As part of your participation in Congress activities, your participation data may be shared with our institutional partners for the issuance of certifications or EMC credits.
6.3 Authorities
Your data may be disclosed to competent authorities in case of legal obligation or judicial request.
7. Transfers Outside the EU
Our operations primarily target the European Union. If a transfer of data to a third country is necessary, we ensure that:
- The country benefits from an adequacy decision by the European Commission, or
- Appropriate safeguards are in place (standard contractual clauses, binding corporate rules)
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against:
- Unauthorized access
- Unauthorized modification or disclosure
- Accidental loss or destruction
These measures include:
- Encryption of data in transit (HTTPS/TLS)
- Secure authentication
- Strict access controls
- Access logging
- Regular backups
9. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
9.1 Right of Access
You can request to know what personal data we hold about you and obtain a copy.
9.2 Right to Rectification
You can request correction of inaccurate data or completion of incomplete data.
9.3 Right to Erasure
You can request deletion of your personal data, subject to our legal retention obligations.
9.4 Right to Restriction of Processing
You can request restriction of processing of your data in certain circumstances.
9.5 Right to Object
You can object to processing of your data based on our legitimate interests or for direct marketing purposes.
9.6 Right to Data Portability
You can request to receive your data in a structured, commonly used, and machine-readable format.
9.7 Right to Withdraw Consent
When processing is based on your consent, you can withdraw it at any time.
9.8 Exercising Your Rights
To exercise your rights, contact us at: contact@congresmedicis.com
We will respond to your request within one month. This period may be extended by two months in case of complex requests, in which case we will inform you.
We may ask you to verify your identity before processing your request.
9.9 Complaint to Supervisory Authority
If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with a supervisory authority, including:
- In Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) - https://www.dataprotection.ro
- In France: Commission Nationale de l'Informatique et des Libertés (CNIL) - https://www.cnil.fr
10. Cookies
Our website uses only strictly necessary cookies for technical operation. These cookies are exempt from consent requirements in accordance with Article 5(3) of Directive 2002/58/EC (ePrivacy Directive).
10.1 List of Cookies Used
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
better-auth.session_token | Authentication and session management | Session (until logout or 7 days) | Essential |
Note: In development environments only, additional technical cookies may be used by our hosting provider (Vercel) for preview functionality. These cookies are not present in production.
10.2 Third-Party Cookies
During payment, you are redirected to the secure Netopia Payments platform which may use its own cookies necessary for processing your transaction. These cookies are governed by Netopia Payments' privacy policy.
10.3 What We Do Not Use
We do not use any:
- Advertising or targeting cookies
- Third-party tracking cookies for marketing purposes
- Tracking pixels or similar technologies
- Audience analytics cookies (no Google Analytics, etc.)
- Profiling or retargeting technologies
10.4 Cookie Management
You can configure your browser to refuse all cookies. However, if you refuse essential cookies, you will not be able to log into your account or use features requiring authentication.
11. Minors
Our services are primarily intended for adult students and healthcare professionals. We do not knowingly collect personal data from minors under 18 years of age.
If you are a minor, you must obtain authorization from your legal representative before registering.
12. Image Rights
12.1 Prior Information
During the MÉDICIS Congress, photos, videos, and audio recordings may be taken in common areas and during events. These materials may be used by AMSFI and its partners for institutional communication, promotion of future editions, and documentation purposes.
12.2 Legal Basis
The processing of your image is based on our legitimate interest (Article 6(1)(f) GDPR) in documenting and promoting our association activities. We have assessed that this interest does not disproportionately affect your rights, given the public event context.
12.3 Right to Object
You have a right to object to the use of your image:
- Before the Congress: Contact contact@congresmedicis.com at least 20 days before the Congress begins to be identified and avoid being photographed
- After the Congress: Request removal of materials clearly identifying you by contacting contact@congresmedicis.com
13. Policy Modifications
We reserve the right to modify this privacy policy at any time. In case of substantial modifications, we will inform you by email and/or by a notification on our website.
The date of the last update is indicated at the top of this page.
14. Contact
For any questions regarding the protection of your personal data or to exercise your rights:
Asociaţia Medicală a Studenţilor Francofoni din Iaşi
- Email: contact@congresmedicis.com
- Address: Centrul de Limbi Moderne și Integrare Culturală "Grigore T. Popa", Str. Gheorghe Săulescu nr. 4, Iași 700259, Romania