FULL PRIVACY POLICY

Symbiomed.org – Synapse Medical Skills 
Version: March 4, 2026 | Last updated: March 4, 2026

 

1. IDENTITY OF THE DATA CONTROLLER 

Synapse Medical Skills 

EURL with a capital of €1,000 | SIREN: 995308202 | SIRET: 99530820200010 | Headquarters: 10 rue Roger Salengro, 69009 Lyon

Phone: 07 82 86 43 76 | Email: marine@symbiomed.org 

Data Protection Officer (DPO) 

Name: Ms. Marine VALLIER | CNIL Certification No. DPO-171406 | Email: marine@symbiomed.org

 

2. TECHNICAL DEFINITIONS 

  • Personal data: Any information relating to an identified or identifiable natural person (Art. 4.1 GDPR).
  • Sensitive health data: Professional specialty (dental surgeon, implantologist, orthodontist), RPPS/ADER number, CPD history (Art. 9 GDPR).
  • Cookies/Trackers: Technical cookies (PHPSESSID), analytics cookies (GA4 _ga), and advertising cookies (Google Ads).
  • EEHRxF: European Standardized Health Record Format (EHDS 2025/327).

 

3. COMPREHENSIVE CATALOG OF COLLECTED DATA 

| Category | Specific data | Collection method | Required status |
|---|---|---|---|
| Professional Identity | Last name, first name, specialty, RPPS/ADER number, professional association, business mailing address, training certificates (CPD or other), degree obtained | Registration form | Required |
| Contact | Work email, phone number, employer | Form + Terms and Conditions | Required |
| Training | Last name, first name, specialty, RPPS/ADER number, professional association, professional email and address, phone number, employer, selected training courses, dates, multiple-choice test scores, training certificates (CPD or other), degree obtained | Registration | Required |
| Payment | Credit card (hidden number), Oney (reference), Wero, bank account details (SEPA) | Stripe/Mollie + SEPA Direct Debit + ALMA and others | Required |
| Technical | Anonymized (hashed) IP address, User-Agent, referrer, session duration | Server logs + GA4 | Automatic |
| Consent | Cookie click timestamps, granular control, browser ID | CMP Cookiebot | Automatic |
| Communications | Email IP addresses, newsletter opens/clicks | BREVO (EU server) | Optional |


4. DETAILED LEGAL BASIS AND PURPOSES

| Final No. | Specific purpose | Legal basis under the GDPR | Retention period | Recipients |
|---|---|---|---|---|
|  | Create a business account, manage training records | Section 6.1.b (Contract) | 5 years since the last training session | ANDPC, LMS hosting provider |
|  | Billing, accounting, litigation | Sec. 6.1.c (statutory) | 10 years (taxation) | Expert accountant, |
|  | Electronic submission of CPD certificates | Section 6.1.b + Section L.4021-1 of the French Commercial Code | 10 years (statute of limitations) | Treasure, Registered professional |
|  | Monthly Professional Newsletter | Section 6.1.a (consent) | Withdrawal or 3 years | Brevo (EU) |
|  | Anonymized statistics (conversion rate) | Sec. 6.1.f (legitimate interest) | 14 months (CNIL) | Internal only |
|  | Platform security (bot detection) | Sec. 6.1.f + Sec. 6.1.e | 6 months | Web host, ANSSI* |
|  | EHDS Compliance (interoperability) | Section 9.2.g (public health interest) | According to regulations | MaSanté@UE (2029) |

 

5. ADVANCED COOKIE MANAGEMENT (CMP)

Platform used: Cookiebot CMP v4.2 (CNIL-certified, EU-DK server)

Technical categories:

  1. ESSENTIALS (exempt from consent – Art. 4.1 of the ePrivacy Directive)
     – PHPSESSID: user session (30 min)
     – cf_clearance: Cloudflare bot protection (24 hours)
     – cookielawinfo: consent management (1 year)
  2. ANALYTICS (consent required)
     – _ga/_gid: Google Analytics 4 (14 months, anonymized IP)
     – cf_chl_2: Cloudflare Analytics (24 hours)
  3. FUNCTIONAL (consent required)
     – LMS_progress: training progress (1 year)
     – wp-settings: WordPress settings (1 year)
  4. ADVERTISERS (consent required)
     – Google Ads (_gcl_aw), Facebook Pixel

CMP mechanism: 

  1. First-visit banner: granular selection by purpose 
  2. "Manage My Cookies" button (footer) 
  3. Decline = no site deactivation (no cookie wall) 
  4. Auditable evidence: timestamp + browser ID (13 months) 

 

6. AUTHORIZED RECIPIENTS AND TRANSMISSIONS 

 TECHNICAL SERVICE PROVIDERS (all EU-based + signed DPA): 

  • Hosting: o2switch protects servers against DDoS attacks
  • CMS: WordPress.org
  • Payments: Stripe Ireland + Mollie NL (3D Secure)
  • Email Marketing: BREVO
  • CMP: Cookiebot
  • Analytics: GA4 (IP anonymization, BE server)

AUTHORITIES:

  • ANDPC: CPD validations (Art. R.4022-1 of the Public Service Code)
  • CNIL: GDPR audits (upon request)
  • ANSSI: Cybersecurity Incidents (NIS2)
  • U.S. Treasury: Tax Obligations

No transfers outside the EU without Standard Contractual Clauses (SCC 2021/914).

 

7. DETAILED TECHNICAL SECURITY (NIS2 + EHDS) 

TECHNICAL MEASURES: 

  • AES-256 encryption at rest + TLS 1.3 in transit 
  • HSTS preload + strict CSP 
  • Cloudflare WAF + OWASP ModSecurity 
  • 2FA required for admin/LMS accounts 
  • Encrypted backups 24/7 (OVH Object Storage) 
  • 12 months of SIEM logs (ELK Stack) 

EHDS 2026 COMPLIANCE: 

  • EEHRxF formats (Interoperability 2029) 
  • Annual penetration testing audit 
  • Systematic DPIA (health data) 
  • Business continuity plan: RPO=4 hours / RTO=12 hours 

 

8. YOUR GDPR/EHDS RIGHTS IN DETAIL

| Right | Terms | Response deadline | Form |
|---|---|---|---|
| Access | Complete list of processing operations | 1 month | symbiomed.org/access rights |
| Correction | Immediate correction of inaccuracies | 1 month | Secure form |
| Deletion | Deletion unless required by law | 1 month | “Right to be forgotten” |
| Opposition | Termination of processing: legitimate interest | 15 days | Simple DPO email |
| Limitation | Temporary freeze of processing | 1 month | Ongoing disputes |
| Portability | Structured format (JSON/CSV) | 1 month | For CPD professionals only |


Health data: Possible but limited restriction (Art. 9.2.g public health interest).

CNIL Complaint: cnil.fr/fr/plaintes (60-day deadline).

 

9. EXERCISING RIGHTS – SECURE PROCEDURE 

  1. Online form (electronic signature) 
  2. Registered mail with return receipt and proof of identity 
  3. Email to the DPO with a read receipt within 48 hours 
  4. Encrypted PDF/A response (S/MIME)

 

10. MINORS AND PARENTAL RESPONSIBILITY 

Access is reserved exclusively for adult healthcare professionals, laboratories, and companies in the healthcare sector. Verification via an informational banner at the site’s entrance.

 

11. AMENDMENTS AND NOTIFICATION 

Any change is notified via:

  1. Email to subscribers (30 days' notice) 
  2. Site popup (versioning) 
  3. Updated dedicated page 

Disputes: Lyon Commercial Court (Art. 48 CPC).