This Data Protection Statement explains how THE HUB INITIATIVE SLU ("Cited", "we", "us"), an Andorran company, processes personal data in compliance with Andorran data protection law and the US Health Insurance Portability and Accountability Act (HIPAA). It complements our Privacy Policy by setting out the Andorran-law specifics that apply because the data controller is established in Andorra.
1. Data controller
THE HUB INITIATIVE SLU
Avinguda Doctor Mitjavila 26, AD500 Andorra La Vella, Principality of Andorra
Andorran tax registration (NRT): A8-552836-Y
Contact for data-protection enquiries: [email protected]
2. Data Protection Officer (DPO)
Pursuant to article 33 of the Llei qualificada 29/2021 de protecció de dades personals (LQPDP), Cited is required to designate a Data Protection Officer because we systematically process special categories of data (health information) at scale. The DPO designation is currently in procurement; an external DPO firm specialized in Andorran data protection law will be appointed before any production processing of patient health information begins. The DPO designation will be notified to the APDA within thirty days of appointment, and the contact details will be published on this page and at [email protected].
3. Applicable law
- Andorra (controller’s jurisdiction): Llei qualificada 29/2021 de protecció de dades personals and its implementing regulations. Supervisory authority: Agència Andorrana de Protecció de Dades (APDA).
- United States (where the platform operates and where clinical clients are located): HIPAA Privacy Rule (45 CFR §164.500–534), HIPAA Security Rule (45 CFR §164.302–318), HIPAA Breach Notification Rule (45 CFR §164.400–414), and applicable state privacy laws (CCPA/CPRA, CDPA, CPA, UCPA, CTDPA, TDPSA, OCPA among others).
- Out of scope: The European Union General Data Protection Regulation (GDPR) does not apply to Cited because Andorra is not an EU member state and we do not target the EU market. If we ever offer Cited to EU-resident clinicians or patients, this section will be updated and the corresponding obligations will be activated.
4. Lawful bases for processing
Cited processes personal data only when at least one of the following lawful bases applies (article 6 LQPDP, with article 9 reinforcement for special categories):
- Performance of contract with the clinician customer or the clinic that licenses Cited.
- Explicit consent of the data subject when contract and legitimate interest are not sufficient (e.g., marketing subscriptions).
- Legal obligation (Andorran tax and corporate accounting; HIPAA audit retention obligations).
- Provision of medical care, diagnosis, or treatment by a healthcare professional under a confidentiality obligation (article 9.2.h LQPDP) for clinical data.
- Defense of legal claims and audit trails required by HIPAA and Andorran law.
5. Categories of personal data processed
- Account data of clinician users: name, professional credentials, license state, NPI, email, billing data, login telemetry.
- Special categories of data (article 9 LQPDP): patient health information (PHI) entered or generated by clinicians using the platform, including clinical notes, assessments, diagnoses, and treatment plans. PHI is processed under HIPAA Business Associate Agreement (BAA) terms and never used to train artificial intelligence models.
- Usage data: log files, IP address, device type, browser, page interactions, feature usage, aggregated and de-identified for product improvement.
6. International transfers (Andorra to United States)
Cited’s production infrastructure is located in the United States (AWS US-East and US-West regions). The Andorran data controller accesses this infrastructure on a restricted, audited basis for administration, development, and support. This cross-border flow is documented as an intra-group administrative access governed by:
- The HIPAA Business Associate Agreement signed with each US clinical customer, which extends HIPAA safeguards to all access points regardless of geographic location.
- Internal access policies that mirror HIPAA administrative, physical, and technical safeguards on the Andorran side (multi-factor authentication, role-based access control, immutable audit logging with country-of-origin attribution).
- A formal cross-border access policy maintained at THE HUB INITIATIVE SLU and reviewed annually.
7. Subprocessors
Cited engages a limited set of subprocessors, each bound by a Business Associate Agreement (BAA) where they process PHI, or a Data Processing Addendum (DPA) for non-PHI processing. The current and planned subprocessor list is published at /security#subprocessors. We provide thirty days’ advance notice (by email and in-product banner) before adding any new subprocessor that will process PHI.
8. Data retention
Retention periods are summarized in our Privacy Policy §5 and detailed in our internal retention policy. In short:
- Account data: lifetime of account plus five years post-closure.
- Patient health information: seven years from last patient interaction (HIPAA minimum and applicable state law).
- Audit logs with HIPAA chain-of-custody attribution: retained indefinitely with immutable lock.
- Marketing data: until consent withdrawal plus thirty days for processing of the withdrawal itself.
9. Your rights as a data subject
Under articles 13 to 22 LQPDP, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Delete your data, subject to legal retention obligations and the defense of legal claims.
- Object to processing based on legitimate interest or for direct marketing purposes.
- Restrict processing while a dispute is being resolved.
- Data portability: receive your data in a structured, commonly used, machine-readable format (FHIR R4 or JSON).
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. Cited never makes such automated decisions: every clinical recommendation requires explicit clinician review and action.
To exercise any of these rights, write to [email protected] or by post to the address in §1. We will acknowledge your request within seven days and respond substantively within one month, extendable to three months for complex requests with explicit notification. The exercise of these rights is free of charge unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse, in writing and with reasons.
10. Right to lodge a complaint with the APDA
If you believe that Cited’s processing of your personal data infringes Andorran law, you have the right to lodge a complaint with the Agència Andorrana de Protecció de Dades (APDA), the supervisory authority of the Principality of Andorra:
Agència Andorrana de Protecció de Dades
Casa Bauró, Carrer Bonaventura Armengol 6–8, 4t. pis, AD500 Andorra La Vella
Web: www.apda.ad
Lodging a complaint with the APDA does not waive any other administrative or judicial remedy available to you.
11. Data Protection Impact Assessment (DPIA)
Pursuant to article 35 LQPDP, Cited maintains a Data Protection Impact Assessment for its processing of patient health information, which qualifies as high-risk processing of special categories of data at scale. The DPIA is reviewed every two years or upon any material change to the processing operations, and it is available to the APDA upon request.
12. Security safeguards
- AES-256 encryption at rest.
- TLS 1.3 in transit.
- Multi-factor authentication for all administrative access.
- Role-based access control with least-privilege defaults.
- Immutable audit logs with hash-chained chain of custody.
- SOC 2 Type II audit in progress (Q3 2026 target).
- Quarterly vulnerability scanning.
- Annual third-party penetration testing.
For the full security disclosure, see /security.
13. Breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the APDA within seventy-two hours of becoming aware (article 38 LQPDP). When the breach is likely to result in high risk to data subjects, we will notify affected individuals without undue delay. For breaches of unsecured PHI, we also follow the HIPAA Breach Notification Rule, including notification to the US Department of Health and Human Services Office for Civil Rights and to affected individuals within sixty days.
14. Children
Cited is a B2B platform for licensed mental health professionals and is not directed to children. Patients of any age may have their data entered by their treating clinician under the clinician’s lawful authority and the clinic’s consent procedures, including specific protections for minors under applicable Andorran and US law.
15. Updates to this statement
We will notify users by email at least thirty days before any material change to this Data Protection Statement takes effect. The last updated date at the top of this page reflects the most recent revision. Historical versions are retained internally for compliance audit purposes.
16. Contact
Privacy and data protection inquiries: [email protected]
Data Protection Officer (once designated): [email protected]
Postal mail: THE HUB INITIATIVE SLU, Avinguda Doctor Mitjavila 26, AD500 Andorra La Vella, Principality of Andorra.