SBMA France

GDPR

Privacy policy

Last updated: March 2026

1. Data controller

SBMA France — 6 avenue du Poteau, 60300 Chamant
Email: contact@sbma-france.org

2. Data collected

Association members

  • Identity: last name, first name, date of birth
  • Contact: email, phone, WhatsApp number
  • Profession: specialty, RPPS number, ITS number
  • Professional and personal addresses
  • Profile photo (optional)

Health data (second opinions)

  • Anonymised medical records (patient reference only, never a full name)
  • Stored on HDS-certified infrastructure (OVHcloud)
  • Encrypted before storage (AES-256)
  • Access limited to the requesting physician, assigned expert and board

Donations

  • Donor name, first name, email (for tax receipt)
  • Payment data processed exclusively by HelloAsso (secure)

3. Purposes and legal bases

  • Membership management: performance of the membership contract
  • Organisation of humanitarian missions: legitimate interest of the association
  • Sending transactional emails: performance of the contract
  • Second medical opinions: explicit patient consent
  • Tax receipts for donations: legal obligation (French Tax Code art. 200)
  • Service improvement: legitimate interest

4. Retention periods

  • Active member data: duration of membership + 5 years
  • Former member data: 3 years after end of membership
  • Medical records (second opinions): configurable duration, automatic purge after archiving
  • Donation data: 10 years (accounting obligation)

5. Data recipients

Your data is shared with the following technical sub-processors, strictly within the scope of their services:

  • Supabase: database and authentication (self-hosted, server in France)
  • Resend: transactional email sending
  • HelloAsso: payment processing (donations)
  • OVHcloud HDS: health data storage (HDS-certified)
  • Vercel: frontend hosting (non-sensitive data only)

No data is sold or transferred to third parties for commercial purposes.

6. Your rights

Under the GDPR, you have the following rights over your personal data:

  • Right of access: obtain a copy of your data
  • Right of rectification: correct inaccurate data
  • Right to erasure: request deletion of your data
  • Right to portability: receive your data in a structured format
  • Right to object: object to certain processing
  • Right to restriction: limit the processing of your data

To exercise these rights: contact@sbma-france.org
If your complaint is not resolved, you may contact the CNIL (French data protection authority).

7. Security

SBMA France implements appropriate technical and organisational measures to protect your data: encryption of sensitive data (AES-256), role-based access control (Supabase RLS), mandatory HTTPS, audit logging of medical data access, and regular security audits.