Privacy Policy
Effective Date: 5 March 2026
Last Updated: 20 March 2026
1. Who We Are
Giatroi.info is a free multilingual healthcare directory for Cyprus, listing doctors and healthcare providers registered with the General Healthcare System (GeSY).
- Data Controller: Vladimir Bugay
- Location: Cyprus
- Privacy Contact: privacy@giatroi.info
- General Contact: v@bougay.com
This privacy policy explains how we collect, use, and protect your personal data when you use giatroi.info, in compliance with the EU General Data Protection Regulation (GDPR) and Cyprus Law 125(I)/2018.
2. Data We Collect About Website Visitors
2.1 Cookie Consent
When you first visit giatroi.info, a cookie consent banner asks you to accept or reject analytics cookies. Your choice is stored in a giatroi_consent cookie (valid for 1 year) so the banner does not reappear.
- If you accept: PostHog and Google Analytics set cookies for full analytics tracking, including persistent user identification.
- If you reject (or before you make a choice): No analytics cookies are set. PostHog operates in cookieless server-hash mode (aggregate analytics only, no persistent identifiers). Google Analytics operates in Consent Mode v2 with analytics_storage: denied (cookieless pings for modeled/aggregate data only).
In both cases, basic analytics data is still collected in an anonymous, aggregate form that does not identify you personally.
2.2 Analytics Data (PostHog)
We use PostHog, hosted on EU servers (eu.posthog.com), to understand how visitors use the site. PostHog collects:
- Page views and session data: pages visited, time spent, referral source
- Device and browser information: browser type, operating system, screen resolution, language
- Usage events: opening the search dialog, selecting a search result (entity type, name, specialty), setting or refreshing your location
- Error data: JavaScript exceptions are captured to help us fix bugs
- Persistent identifiers (consent required): When you accept analytics cookies, PostHog assigns a unique identifier to recognize returning visitors. Without consent, PostHog uses server-side hashing for anonymous aggregate analytics only.
PostHog analytics requests are routed through our domain (/ingest) rather than directly to PostHog servers.
Legal basis: Consent (GDPR Article 6(1)(a)) for cookie-based tracking. Legitimate interest (GDPR Article 6(1)(f)) for anonymous aggregate analytics in cookieless mode.
2.3 Analytics Data (Google Analytics)
We use Google Analytics 4 (GA4) with Consent Mode v2 to complement our analytics. Google Analytics collects:
- Page views and session data: pages visited, time spent, referral source
- Device and browser information: browser type, operating system, screen resolution, language
- Usage events: the same custom events sent to PostHog (search interactions, contact actions, profile views, location setting, issue reports)
- IP address: anonymized by Google before storage
When you accept analytics cookies, Google Analytics uses cookies (_ga, _ga_*) to distinguish unique users. Without consent, GA operates in Consent Mode v2 (analytics_storage: denied), sending cookieless pings that Google uses for modeled/aggregate reporting only. Data is processed by Google in the United States under Standard Contractual Clauses (SCCs).
Legal basis: Consent (GDPR Article 6(1)(a)) for cookie-based tracking. Legitimate interest (GDPR Article 6(1)(f)) for anonymous aggregate analytics via Consent Mode v2.
2.4 Performance Data (Vercel Analytics)
We use Vercel Analytics to monitor website performance (page load times, Web Vitals). This service does not set cookies, does not collect personal data, and does not track individual users.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)).
2.5 Location Data
The "Near Me" feature lets you find nearby healthcare providers. Location data is collected only when you actively choose to use this feature by either:
- Granting browser geolocation permission (GPS coordinates), or
- Entering your postal code (which is converted to approximate coordinates)
Your location is stored in your browser's local storage (giatroi-location) and sent to our server only as query parameters when fetching nearby results. We do not store your location on our servers. The location data remains in your browser until you clear it.
2.6 Search Queries
When you use the search feature, your query is sent to our server to return results. Search queries are processed in real time and are not logged or stored on our servers. PostHog records that you opened the search dialog and which result you selected (if any), but does not record the search query text itself.
2.7 Theme Preference
Your dark/light mode preference is stored in your browser's local storage (giatroi-theme). This is a functional preference and is not personal data.
2.8 User Account Data
You may optionally create an account by signing in with Google. Creating an account is not required to use the site. When you sign in with Google, we receive and store:
- Name (as set in your Google account)
- Email address
- Profile picture URL
This data is stored in our database (see Section 4.7). Your account enables personalized features such as bookmarks and cross-device recently viewed history.
Legal basis: Consent (GDPR Article 6(1)(a)). You actively choose to create an account by clicking "Sign in with Google."
2.9 Bookmarks and Recently Viewed
If you have an account, you can bookmark doctors and healthcare providers for quick access. You can also sync your recently viewed profiles across devices.
- Bookmarks: Stored server-side, linked to your account. You can add or remove bookmarks at any time.
- Recently viewed: When you sign in for the first time, your browser's recently viewed history is uploaded to our server. After that, profile views are recorded server-side (up to 12 items). For anonymous users, recently viewed data remains in browser local storage only.
Legal basis: Contract performance (GDPR Article 6(1)(b)) — providing the personalization features you opted into by creating an account.
2.10 Telegram Account Linking
You may optionally link your Telegram account to your giatroi.info profile. When you do, we store:
- Telegram user ID
- Telegram username
This enables a connected experience between the website and the Giatroi Telegram bot. You can unlink your Telegram account at any time from your account settings.
Legal basis: Consent (GDPR Article 6(1)(a)).
3. Healthcare Provider Data
We display professional information about doctors and healthcare providers, including names, specialties, contact details, districts, and municipalities. This data is sourced from the official GeSY (General Healthcare System) public registry at gesy.org.cy.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)). The public has a legitimate interest in accessing information about healthcare providers, and this information is already publicly available through the GeSY registry.
Provider rights: Healthcare providers listed on our platform may request correction of inaccurate information or object to their listing by contacting privacy@giatroi.info. We will respond within 30 days and evaluate requests in accordance with the GDPR Article 21 balancing test.
4. Third-Party Services
We use the following third-party services that may process your data:
4.1 PostHog (Analytics)
- Provider: PostHog Inc.
- Data location: European Union (eu.posthog.com)
- Purpose: Website analytics and error tracking
- Data processed: See Section 2.2
- Their privacy policy: posthog.com/privacy
4.2 Google Analytics (Analytics)
- Provider: Google LLC, USA
- Purpose: Website analytics
- Transfer mechanism: Standard Contractual Clauses (SCCs)
- Data processed: See Section 2.3
- Their privacy policy: policies.google.com/privacy
4.3 Vercel (Hosting)
- Provider: Vercel Inc., USA
- Purpose: Website hosting and performance analytics
- Transfer mechanism: Standard Contractual Clauses (SCCs)
- Data processed: Server logs (IP addresses, request data) processed as part of normal web hosting
- Their privacy policy: vercel.com/legal/privacy-policy
4.4 Google Maps (Embedded Maps)
- Provider: Google LLC, USA
- Purpose: Displaying doctor and provider locations on maps
- How it works: Doctor and provider profile pages may contain an embedded Google Maps iframe showing the practice location. When this iframe loads, Google may collect data and set cookies according to their own policies.
- Transfer mechanism: Google's Standard Contractual Clauses
- Their privacy policy: policies.google.com/privacy
4.5 Google OAuth (Authentication)
- Provider: Google LLC, USA
- Purpose: User sign-in (optional)
- Data received: Name, email address, profile picture
- Transfer mechanism: Standard Contractual Clauses (SCCs)
- Their privacy policy: policies.google.com/privacy
4.6 Neon (Database)
- Provider: Neon Inc., USA
- Data location: European Union (eu-central-1, Frankfurt)
- Purpose: Stores user accounts, bookmarks, recently viewed history, and Telegram account links
- Transfer mechanism: Standard Contractual Clauses (SCCs)
- Their privacy policy: neon.tech/privacy
5. Cookies and Local Storage
Cookies
| Name | Provider | Purpose | Consent required | Duration |
|---|---|---|---|---|
| giatroi_consent | giatroi.info | Stores your cookie consent choice | No (essential) | 1 year |
| better-auth.session_token | BetterAuth | Maintains your login session (set only when you sign in) | No (essential) | 7 days |
| ph_* | PostHog | Identifies returning visitors for analytics | Yes | 1 year |
| _ga | Google Analytics | Distinguishes unique users | Yes | 2 years |
| _ga_* | Google Analytics | Maintains session state | Yes | 1 year |
Analytics cookies (ph_*, _ga, _ga_*) are only set after you accept cookies via the consent banner. If you reject or have not yet responded, these cookies are not set.
Browser Local Storage
| Key | Purpose | Persistence |
|---|---|---|
| giatroi-location | Stores your location (lat/lng, source, label) for the Near Me feature | Until you clear it |
| giatroi-theme | Stores your dark/light mode preference | Until you clear it |
| giatroi-recently-viewed | Stores recently viewed doctors and providers for quick access | Until you clear it |
| giatroi-rv-synced | Tracks whether recently viewed items have been synced to your account | Until you clear it |
Google Maps Cookies
When a Google Maps embed loads on a doctor or provider profile page, Google may set its own cookies within the iframe. These are governed by Google's cookie policy.
6. Data Retention
| Data | Retention Period |
|---|---|
| PostHog analytics data | Per PostHog's retention settings (configurable; currently default) |
| Google Analytics data | 14 months (event-level); 2 months (user-level) per Google's default settings |
| Vercel Analytics | 30 days |
| Vercel server logs | Per Vercel's standard retention policy |
| Browser local storage | Until you clear your browser data |
| User account data | Until you delete your account |
| Bookmarks | Until you remove them or delete your account |
| Recently viewed history | Rolling 12 items; deleted with account |
| Telegram link data | Until you unlink or delete your account |
| Healthcare provider data | Updated periodically from the GeSY registry |
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15) -- request a copy of the data we hold about you
- Right to rectification (Article 16) -- request correction of inaccurate data
- Right to erasure (Article 17) -- request deletion of your data
- Right to restriction (Article 18) -- request that we limit how we use your data
- Right to data portability (Article 20) -- receive your data in a structured, machine-readable format
- Right to object (Article 21) -- object to processing based on legitimate interest
- Right to withdraw consent (Article 7(3)) -- where processing is based on consent, withdraw it at any time
How to exercise your rights: Email privacy@giatroi.info with your request. We will respond within one month. This period may be extended by two months for complex requests, in which case we will inform you of the extension within the first month.
Note: User accounts are optional. If you have an account, you can view, export, and delete your data from your account settings page. For analytics data, which is pseudonymous, we may need you to provide additional information to verify your identity and locate your data.
8. Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority:
Commissioner for Personal Data Protection (Grapheio Epitropou Prostasias Dedomenon Prosopikou Charactira)
- Website: dataprotection.gov.cy
- Address: Iasonos 1, 1082, Nicosia, Cyprus
- Phone: +357 22 818 456
- Email: commissioner@dataprotection.gov.cy
9. Children's Privacy
Giatroi.info is not directed at children. Under Cyprus Law 125(I)/2018, the age of digital consent is 14 years. We do not knowingly collect personal data from children under 14. If you believe a child under 14 has provided us with personal data, please contact us at privacy@giatroi.info and we will take steps to delete it.
10. Security
We take appropriate measures to protect your data:
- All connections use HTTPS encryption (enforced by default)
- The healthcare provider database is read-only
- User accounts are optional and use Google OAuth (no passwords are stored on our servers). Session data is encrypted and secured with HTTP-only cookies
- Analytics data is routed through our own domain rather than directly to third-party servers
- PostHog data is stored within the European Union
11. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page. For significant changes, we will provide notice through the website.
We encourage you to review this policy periodically for any changes.
12. Contact
- Privacy inquiries: privacy@giatroi.info
- General inquiries: v@bougay.com