Current as of 05/31/2026
Privacy Policy & Cookie Policy
1. Introduction
This Privacy Policy applies to the Wisen platform ("Wisen", "Platform"), operated by Challenging Theorem, Lda. ("Challenging Theorem", "the Company" or "we"), a legal entity incorporated under the laws of Portugal, with registered office at Rua São Sebastião da Pedreira 38, 2D, 1050-209 Lisbon, Portugal, NIPC PT519274571.
Wisen is a digital health platform that connects patients with healthcare professionals and clinics, offering tools for appointment scheduling, a marketplace, secure messaging, reminders, and clinical documentation. Protecting your privacy and safeguarding your personal and health data is one of our fundamental commitments.
This Policy describes in detail the processing already set out in clause 8 of the Terms of Use and Conditions. Both documents should be read together.
Challenging Theorem acts as:
Data controller (controller) with respect to account data, billing, Platform usage, and other data strictly necessary for the operation of the Services;
Data processor (processor) on behalf of healthcare professionals, under Article 28 of the GDPR, with respect to the clinical data of Patients entered by professionals in the course of their activity. In these cases, the relationship is governed by a Data Processing Agreement (DPA) concluded with each professional or clinic.
2. Data Controller and Contact Details
Challenging Theorem, Lda.
Rua São Sebastião da Pedreira 38, 2D
1050-209 Lisbon, Portugal
NIPC: PT519274571
Contacts:
If you have any questions about this Policy or wish to exercise your rights, please address your request to privacy@wisen.pt.
3. Legal Framework
The processing of personal data carried out by Wisen is governed, in particular, by:
Regulation (EU) 2016/679 (GDPR);
Law No. 58/2019 of 8 August (national implementation of the GDPR);
Law No. 12/2005 of 26 January on personal genetic information and health information;
Law No. 41/2004 of 18 August on electronic communications;
Other applicable legislation on health, professional secrecy, and taxation.
4. Data We Collect
Depending on your role (Patient, healthcare professional, or visitor), we may collect:
Identification and Contact Data
Name, email, phone number, gender, date of birth.
Professional title, specialty, clinic name, and professional licence number (for professionals).
Health and Clinical Data
Information voluntarily shared by Patients to make appointments or use health features of the Platform.
Data entered by healthcare professionals during consultations, under their clinical and professional responsibility, in the context of care delivery.
Account and Technical Data
Login credentials, profile settings, communication preferences.
Device identifiers, IP address, browser type, operating system, cookies, and usage logs.
Financial and Transaction Data (professionals only)
Subscription payment history, processed through Stripe Payments Europe, Ltd., an EU-authorised payment service provider compliant with PCI-DSS;
Billing address and VAT/NIPC number for invoice issuance via Moloni, software certified by the Portuguese Tax and Customs Authority.
Wisen does not store or directly process bank card data — these are managed exclusively by Stripe. Wisen does not process payments between Patients and professionals — those payments and the related billing are managed directly between the parties.
5. Purposes and Legal Bases for Processing
| Purpose | Legal basis (GDPR) |
|---|---|
| Account creation and authentication | Performance of a contract — Art. 6(1)(b) |
| Appointment scheduling and management | Performance of a contract — Art. 6(1)(b) |
| Processing of health data for care delivery (consultation, teleconsultation, clinical records) | Art. 9(2)(h) — preventive medicine, diagnosis, and provision of health care, under professional secrecy |
| Processing of health data outside the direct clinical context (e.g., optional wellness tools) | Explicit consent — Art. 9(2)(a) |
| Subscription management, payments, and billing | Legal obligation — Art. 6(1)(c) |
| Platform maintenance, security, and aggregated analytics | Legitimate interest — Art. 6(1)(f) |
| Operational communications and service notifications | Performance of a contract / legitimate interest — Art. 6(1)(b) and (f) |
| Marketing of Wisen services | Consent — Art. 6(1)(a) |
| Regulatory compliance and fraud prevention | Legal obligation — Art. 6(1)(c) |
6. How We Use Your Data
To create and manage your Wisen account.
To allow Patients to find and book appointments with verified professionals.
To facilitate teleconsultations and secure messaging between Patients and professionals.
To manage subscriptions, issue invoices, and process professional payments.
To provide technical support and communicate service updates.
To improve the Platform, conduct aggregated and anonymised analytics, and ensure service quality.
To send marketing communications (only with prior consent).
To comply with applicable laws on health, taxation, and data protection.
7. How We Share Your Data
We only share data when necessary and always with strict contractual and technical controls:
Professionals selected by the Patient: data shared exclusively in the context of care delivery.
Technical processors: under Art. 28 of the GDPR, namely:
Stripe Payments Europe, Ltd. — subscription payment processing;
Moloni — invoice issuance (AT-certified software);
EU-based hosting providers, transactional SMS/email sending, and clinical documentation tools.
An updated list of processors is available on request at privacy@wisen.pt.
Public authorities — when legally required (judicial, tax, regulatory, or public health obligations).
Third-party integrations — only when the user explicitly uses or authorises them (e.g., video platform for teleconsultation).
Data is never sold to advertisers or unauthorised third parties.
8. Data Retention
We retain personal data only for as long as necessary for the intended purpose or to comply with legal requirements:
| Data type | Retention period |
|---|---|
| User account data | Until account deletion or 2 years after inactivity |
| Clinical data under the professional's responsibility | While the professional's account remains active and in accordance with applicable legislation on clinical records (generally a minimum of 5 years under Decree-Law No. 26/2016) |
| Secure messages between Patient and professional | Active retention as a rule for 2 years; thereafter, archiving or deletion, preserving any necessary audit trails |
| Billing records | 10 years (Art. 123 of the CIRC) |
| Customer support communications | 2 years |
| Cookies and analytics | As detailed in the Cookie Policy |
You may request deletion of your data at any time, except where the law requires its retention.
9. Data Security
Challenging Theorem implements technical and organisational measures appropriate to the risk of processing, including:
Infrastructure hosted in the European Union, operated by certified providers;
Encryption of data in transit (HTTPS/TLS) and at rest;
Role-based access control (RBAC), strong authentication, and audit logging;
Access to clinical data strictly limited to healthcare professionals authorised by the Patient and Wisen staff bound by a duty of confidentiality;
Formal incident response procedures and notification to the CNPD within statutory deadlines (Arts. 33 and 34 of the GDPR);
Regular audits and compliance checks.
10. Your Rights Under the GDPR
You have the following rights regarding your personal data:
Access — obtain confirmation and a copy of your data;
Rectification — correct inaccurate or incomplete data;
Erasure — request deletion ("right to be forgotten"), without prejudice to legal retention obligations;
Restriction — limit processing under certain conditions;
Portability — receive your data in a structured, commonly used, machine-readable format;
Objection — object to processing based on legitimate interest or for marketing purposes;
Withdrawal of consent — at any time, without affecting the lawfulness of prior processing;
Not to be subject to solely automated decisions that produce significant legal effects.
To exercise these rights, contact privacy@wisen.pt. We will respond within one month of receiving the request, extendable by a further two months in cases of particular complexity (Art. 12 of the GDPR).
You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) at https://www.cnpd.pt.
11. Minors
The Platform is not intended for direct use by persons under 16 years of age. Appointments and data relating to minors must be managed by their respective legal representatives, in accordance with Art. 8 of the GDPR and Art. 16 of Law No. 58/2019.
12. International Data Transfers
Personal and clinical data are processed within the European Union, in data centres located in the EEA.
Should any transfer outside the EEA be necessary (for example, the use of technical providers with global infrastructure), such transfer will be carried out solely on the basis of the mechanisms set out in Chapter V of the GDPR, namely:
Adequacy decision by the European Commission;
Standard Contractual Clauses (SCCs) approved by the European Commission, accompanied by any additional safeguards required following a Transfer Impact Assessment (TIA);
Other appropriate safeguards provided for in the GDPR.
13. Cookies
The use of cookies and similar technologies is described in detail in the Cookie Policy, available on the Website and managed through our consent platform.
14. Updates to This Policy
We may periodically update this Privacy Policy. Any changes will be published on this page with a new "Updated on" date.
Material changes will be communicated with at least 30 days' notice by email or through a notice on the Platform, and, where applicable, new consent will be requested.
Wisen Cookie Policy