Privacy Policy
Last updated: April 2026
This Privacy Policy explains how Tobba (“we”, “us”, “our”) collects, uses, and protects information when you use tobba.app and its services, including the Doctor Finder, Symptom Guide, and Pharmacy Finder.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the EU AI Act (Regulation 2024/1689).
1. Who We Are
If you have any questions about how we handle your personal data, or to exercise your rights, contact us at: privacy@tobba.app
2. What Data We Collect and Why
We collect the minimum data necessary to provide each feature. The table below sets out what we collect, why, and the lawful basis under GDPR.
2.1 Doctor Finder — Specialty and Name Search
| Data | Purpose | Lawful Basis |
|---|---|---|
| Device location (latitude / longitude) | Finding doctors near you | Legitimate interests (Art. 6(1)(f)) — you explicitly activate this by clicking “Near Me” |
| Specialty or doctor name query | Returning search results | Legitimate interests (Art. 6(1)(f)) |
No personal data is stored. Search queries are processed in real time and are not logged, saved, or associated with you in any way.
Location access is entirely optional. If you decline location permission in your browser, the search works without it.
2.2 Symptom Guide — AI-Powered Specialist Matching
| Data | Purpose | Lawful Basis |
|---|---|---|
| Symptom description (free text) | Processed by AI to recommend the most relevant medical specialist | Consent (Art. 6(1)(a) and Art. 9(2)(a) GDPR) – by submitting your symptom description you consent to it being processed by AI for the sole purpose of suggesting a specialist |
| Device location (latitude/longitude) | Finding specialists near you | Legitimate interests (Art. 6(1)(f)) – optional, activated by you |
Important information about the Symptom Guide:
Your symptom text is sent to an artificial intelligence system which analyses it and returns a recommended medical specialty. Anthropic acts as our data processor under a Data Processing Agreement and may not use your data for any other purpose.
Your symptoms are not stored on our servers or by Anthropic after the response is returned. There is no persistent record of your query.
This service is a specialist referral tool, not a medical diagnostic service. It does not diagnose conditions, prescribe treatment, or replace professional medical advice. Always consult a qualified healthcare professional about your health.
AI transparency notice (EU AI Act, Article 50): The Symptom Guide uses an AI system to match your described symptoms to an appropriate medical specialty. The AI operates within a fixed list of specialties available in Malta and cannot recommend any specialty outside that list. All results remain advisory; the final decision about which doctor to contact is always yours.
You can withdraw your consent at any time simply by not submitting a symptom description. Because we do not store your symptom data, there is nothing to delete upon withdrawal. If you prefer not to use the AI feature, the “Browse by Specialty” and “Search by Name” tabs are available without any AI processing.
2.3 Pharmacy Finder
| Data | Purpose | Lawful Basis |
|---|---|---|
| Device location (latitude/longitude) | Finding pharmacies near your current location | Legitimate interests (Art. 6(1)(f)) – you activate this by granting location permission. |
| Map viewport (centre point and zoom level) | Returning pharmacies visible on the map as you pan | Legitimate interests (Art. 6(1)(f)) |
No personal data is stored. Location coordinates are used in real time to query our pharmacy database and are not logged or retained.
The Pharmacy Finder uses Google Maps to display an interactive map. When the map loads, your browser connects to Google’s servers. Google’s own privacy policy governs that interaction: https://policies.google.com/privacy
2.4 Doctor Profile Claims
Healthcare professionals can submit a claim to manage their profile on tobba.app. When a doctor submits a claim, we collect:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Full name, professional title | Identifying the claimant | Contract / pre-contractual steps (Art. 6(1)(b)) |
| Email address | Responding to and processing the claim | Contract / pre-contractual steps (Art. 6(1)(b)) |
| GMC/specialist registration number | Verifying professional credentials | Legal obligation / legitimate interests |
Claim submissions are retained until the verification process is complete, and for a reasonable period thereafter for our records. You may request deletion of your claim data at any time (see Section 6).
3. Cookies and Analytics
We use a small number of cookies and browser local storage items for essential site functionality and anonymised analytics. No advertising or profiling cookies are set by tobba.app. For a full breakdown of every cookie and storage item in use — including names, purposes, providers, and durations — see our Cookie Policy.
4. Third-Party Data Processors
We use the following third parties who may process data on our behalf:
| Processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Anthropic, PBC | AI processing of symptom descriptions (Symptom Guide only, and only with your consent) | Symptom text (no name, email, or other PII) | United States (covered by Anthropic’s DPA and EU standard contractual clauses) |
| Google LLC | Maps display in the Pharmacy Finder | Map tile requests, general IP address | United States (EU-US Data Privacy Framework) |
| Cloudways | Website hosting | Server logs (IP address, browser type, page visited) | |
| Cloudflare | Content delivery | | |
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Search queries (doctor, specialty, name) | Not stored — processed in real time only |
| Symptom descriptions | Not stored — processed by AI in real time and discarded |
| Location coordinates | Not stored — used in real time only |
| Doctor claim submissions | Until verification is complete, then up to 365 days for our records |
| Server access logs (hosted by Cloudways) | 365 days — standard server logs |
6. Your Rights Under GDPR
As a person in the EU/EEA, you have the following rights:
- Right of access (Art. 15): Request a copy of any personal data we hold about you.
- Right to rectification (Art. 16): Ask us to correct inaccurate data.
- Right to erasure (Art. 17): Ask us to delete your data. Note: because we do not store search queries, symptoms, or location data, this right is largely satisfied by design for the Doctor Finder, Symptom Guide, and Pharmacy Finder. For doctor claim data, we will honour erasure requests subject to any legal retention obligations.
- Right to restriction (Art. 18): Ask us to limit how we use your data while a dispute is resolved.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (where applicable).
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (i.e., the Symptom Guide), withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Rights related to automated decision-making (Art. 22): The Symptom Guide uses AI to suggest a specialist, but this does not constitute a solely automated decision with legal or similarly significant effects — you remain free to contact any doctor you choose. No profiling takes place.
To exercise any of these rights, contact us at: privacy@tobba.app
We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) of Malta: https://idpc.org.mt
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- All data is transmitted over encrypted HTTPS connections.
- API requests to third-party services (including Anthropic) are made server-side, so your symptom text is never exposed in an unprotected way in your browser’s network requests to those endpoints.
- Access to administrative systems is restricted to authorised personnel.
- We maintain a security patch and update schedule for our website installation.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the IDPC within 72 hours and, where required, notify affected individuals without undue delay.
8. Children’s Privacy
Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has submitted personal data through our website, please contact us and we will delete it promptly.
9. Data Accuracy and Limitation of Liability
The information shown on tobba.app — including doctor profiles, specialties, contact details, pharmacy listings, opening hours, duty rosters, and AI-generated specialist suggestions — is compiled from public registers, third-party sources, and submissions by healthcare professionals. While we make reasonable efforts to keep this information accurate and up to date, we cannot guarantee that every detail is correct, complete, or current at any given time.
Information may be outdated, incomplete, or contain errors due to changes made by the underlying source, delays in updates, technical issues, or human error in data entry. Specialties, contact details, addresses, and availability can change without notice. AI-generated suggestions are advisory only and may produce inaccurate or unsuitable recommendations.
You use the information on tobba.app at your own risk. Always verify critical details (such as a doctor’s qualifications, a pharmacy’s opening hours, or whether a specialist is the right one for your condition) directly with the relevant professional or official source before relying on them. Nothing on this website constitutes medical advice, diagnosis, or treatment.
To the fullest extent permitted by law, Tobba, its operators, contributors, and data providers accept no liability for any loss, damage, harm, missed appointment, incorrect treatment, or other consequence arising from the display, distribution, use of, or reliance on any information made available through tobba.app, whether such information is inaccurate, incomplete, outdated, or otherwise. This includes — without limitation — direct, indirect, incidental, consequential, or punitive damages.
If you spot incorrect information on tobba.app, please let us know at contact@tobba.app so we can investigate and, where appropriate, correct it.
10. Prohibited Use — Scraping and Automated Access
All content on tobba.app — including but not limited to doctor profiles, pharmacy listings, duty rosters, and symptom information — is proprietary to Tobba and its data providers. Automated collection of this content is strictly prohibited without our prior written consent. This includes, without limitation:
- Web scraping, crawling, or spidering of any part of the website;
- Use of bots, scripts, or other automated means to access, query, or extract data;
- Systematic downloading or mirroring of content;
- Use of our data to train, fine-tune, or evaluate artificial intelligence or machine learning models.
Unauthorised scraping may violate the EU Database Directive (96/9/EC), the Computer Misuse Act, and other applicable laws. We reserve the right to take technical and legal measures against any party engaged in such activity.
If you have a legitimate need to access our data programmatically, please contact us at contact@tobba.app to discuss terms.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page will reflect any changes. For significant changes, we will provide a notice on the website. We encourage you to review this page periodically.
12. Contact Us
For any questions, requests, or concerns relating to this Privacy Policy or your personal data:
Email: privacy@tobba.app
Website: tobba.app