ICD Diagnostica
NOT FOR MEDICAL EMERGENCIES. ICD Diagnostica is an informational decision-support tool for licensed mental-health professionals only. It does not detect emergencies, does not alert on-call staff, and does not transmit information to any emergency-response system. If you or another person is in immediate danger, experiencing suicidal ideation, or in acute psychiatric crisis, contact your local emergency number immediately (112 in the European Union, 911 in North America) or a national crisis helpline. Self-diagnosis by laypersons is prohibited; the Service is not designed for, and must not be used in, any consumer-facing diagnostic context.

Frequently asked questions

Quick answers on the ICD-11 Classification, Diagnostic Panel, data handling, and security. The five governing legal documents (linked below) take precedence in case of conflict.

Who may use the platform?
Audience and self-diagnosis prohibition.

The Service is intended exclusively for qualified mental-health professionals – psychiatrists, clinical psychologists, psychotherapists, family physicians, and supervised students or residents of those disciplines acting under the supervision of an academic or specialty supervisor. Users must be at least 18 years of age and have the legal capacity to enter into a binding contract.

Patients, family members, and other laypeople must not use the Service for self-diagnosis. Doing so falls outside its intended purpose, voids any operator obligation, and falls entirely outside the operator's liability. The Service is not a consumer product, is not a medical device, and must not be used in medical emergencies – see the red banner above and the safety warnings throughout this page.

Can I save a diagnosis from the ICD-11 Classification view?
Difference between the Classification view and the Diagnostic Panel.

No. The ICD-11 Classification view is for browsing and reference only – you can look up category titles, inclusion and exclusion criteria, descriptions, and associated symptom indicators, but the view does not save sessions or create patient records.

The full diagnostic workflow – symptom analysis, ranking, clinical rationale, patient-event history, and PDF report – runs inside the Diagnostic Panel on the Clinical Plan. That is also where you save patient records, maintain documentation, and use the differential module. The Service is for use by licensed mental-health professionals only and is informational decision-support, not a diagnostic determination.

Can I download diagnostic criteria as PDF?
Exports of descriptions and reports from the platform.

PDF export of ICD-11 category descriptions is on the roadmap – the feature will be added to the Classification view and the Diagnostic Panel in upcoming releases.

At present, the Clinical Plan supports export of diagnostic reports (ranking, clinical rationale, selected symptoms list) generated from a specific patient session. Export of raw ICD-11 textual content is subject to the WHO license (Creative Commons Attribution-NoDerivatives 3.0 IGO) – redistribution of derivative works of the underlying ICD-11 text is not permitted.

Where does the classification data come from?
Source, version, license, and pre-release status.

Source: ICD-11 © World Health Organization (WHO), 2019, used under Creative Commons Attribution-NoDerivatives 3.0 IGO (CC BY-ND 3.0 IGO). The authoritative version is the original English text published by the WHO; in the event of discrepancy between any displayed description and the official WHO publication, the WHO publication controls.

Diagnostic suggestions, rankings, weights, and exclusion flags are author-original operationalizations of the ICD-11 framework by the operator and are not part of the official WHO publication. Details in the "Data sources and licensing" section below. ICD Diagnostica is an independent platform and is not affiliated with, sponsored by, or endorsed by the WHO.

Does the algorithm output replace a clinician's diagnosis?
Nature of the tool and clinical responsibility.

No. The ICD Diagnostica algorithm supports the diagnostic process but does not replace it. Outputs are informational guidance for a qualified clinician to evaluate (psychiatrist, clinical psychologist, family physician, supervised resident, or psychotherapist).

The Service is not a medical device within the meaning of Regulation (EU) 2017/745 (MDR), is not CE-marked as a medical device, does not appear in the EUDAMED database, and does not fall under URPL supervision. After applying MDCG 2019-11 Rev.1 (June 2025) qualification criteria, the operator has determined that the Service is not Medical Device Software (MDSW). Full clinical responsibility rests with the licensed practitioner (lex artis). See the "Diagnostic algorithm" section below and Terms § 5.

How is patient data entered into the system protected?
GDPR, encryption, Discreet Mode, user rights.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM) on Google Cloud / Firebase EU infrastructure. Sensitive client-side fields receive an additional layer of AES-GCM encryption with PBKDF2-derived keys bound to the user's UID. Passwords are never stored in plain text – only as one-way salted hashes managed by Firebase Authentication.

Access to patient records is governed by server-side Firestore security rules – only the account owner (the authenticated user) and authorized system administrators can read account-scoped data. The platform additionally provides Discreet Mode (three masking levels, global keyboard shortcut, auto-engage after idle) to protect data from third parties physically present in the consulting room.

Full GDPR rights (access, rectification, erasure, restriction, portability, objection, no automated decision-making, Article 19 notification, and the right to lodge a complaint with the Polish supervisory authority UODO under Article 77) are described in the "Personal-data protection" section below. Account deletion provides a 30-day grace period with cancellation option; total end-to-end deletion completes within 120 days. Soft-deleted (archived) patient records are permanently purged 90 days after archival. See Privacy Policy and Data Processing Agreement.

How does the Clinical Plan subscription work and can I cancel?
Payments, invoices, cancellation, promotional codes.

The Clinical Plan is billed monthly or annually via Stripe. You may cancel at any time from Account → Billing – access remains active until the end of the current paid period (no further auto-renewal). Invoice history (with PDFs) is available in the Account panel and via the Stripe Customer Portal, where you can also update the payment method.

The Service is offered exclusively to professional Users (B2B). Annual mid-term cancellation results in a partial refund (70% of the prorated unused portion; 30% retained as administrative and processing fee). See Terms § 11. Promotional codes activate in the Billing section.

Does the platform use any third-party large language models?
Model architecture, knowledge sources, patient-data privacy.

No. The Service does not transmit any input or Patient Data to OpenAI, Anthropic, Google, or any other third-party LLM provider. Patient Data is not used to train any model. AI-Assist outputs are informational and do not replace clinical judgment. See Terms § 6 and Privacy § 6.

Did not find your answer? Full legal information, GDPR rights, licensing, and responsibility allocation are in the sections below, in the five governing documents linked at the top of the legal section, and at Report a bug.

Legal information & data sources

Plain-language overview of the legal framework that governs the Service. The five governing documents linked below take precedence in case of conflict – they are the texts a court, regulator, or auditor will read. Status: Early access (CEIDG registration in progress; see Imprint).

Terms & Conditions · Privacy Policy · Cookie Policy · Data Processing Agreement · Imprint
5-second summary
Decision-support tool
ICD Diagnostica supports clinical work but does not replace the qualified clinician's evaluation and decision. The licensed practitioner retains full clinical responsibility.
Not a medical device
Outputs are informational only and do not constitute medical advice or a diagnosis. Not a medical device under MDR Reg. (EU) 2017/745; not Medical Device Software per MDCG 2019-11 Rev.1.
User responsibility
The final clinical decision always belongs to the qualified professional. Self-diagnosis by laypersons is prohibited; the Service is for licensed mental-health professionals only.
Informational decision-support · Not a medical device · Not for emergencies · Licensed clinicians only

Key areas

Diagnostic algorithm
Suggestions and rankings are produced by a proprietary algorithm developed by the operator independently of the WHO. Outputs are informational; the licensed clinician makes the final decision.
User responsibility
The Service is for licensed mental-health professionals only. Clinical responsibility rests with the user. Self-diagnosis by laypersons is prohibited.
Data & privacy
Your data is protected in line with the GDPR. The Service runs on Google Firebase EU infrastructure under a published Data Processing Agreement. DPO appointed; DPIA conducted.

Detailed information

Data sources & licensing
ICD-11 source, license regime, scope of permitted use, and provenance markers.

1. Primary source. The Service uses content derived from the International Statistical Classification of Diseases and Related Health Problems, Eleventh Revision ("ICD-11"), developed, published, and maintained by the World Health Organization (WHO) in Geneva. The scope of references includes nosological category titles, alphanumeric identifiers, hierarchical structure, normative descriptions, inclusion and exclusion criteria, synonyms, and contextual notes.

2. Legal status of WHO content. ICD-11 is protected by copyright owned by the WHO. Public-facing distribution is governed by the international Creative Commons Attribution-NoDerivatives 3.0 IGO license ("CC BY-ND 3.0 IGO") – the "IGO" designation indicating the inter-governmental-organization license regime. The license imposes a duty of attribution and a general prohibition on creating derivative works of the classification itself, including any modification of category titles, identifiers, or nosological hierarchy.

3. Authoritative version. The authoritative version of ICD-11 – for any interpretive doubt – is the original English text published by the WHO. Any non-English translation circulated for reference purposes is non-binding for terminology interpretation.

4. Author-original layer. ICD-11 textual content (codes, category titles, hierarchical structure) is preserved in the Service unchanged from the WHO original. All overlay layers – operational symptom indicators, weights, scoring logic, exclusion rules, AI-Assist verification – are author-original work of the operator and are not part of the ICD-11 normative classification.

5. WHO public API integration. Where the Service consults the WHO ICD-11 reference API (Geneva, Switzerland) for canonical entity look-ups, communication is server-to-server with OAuth 2.0 authorization. No User personal data, no Patient Data, and no User IP address is transmitted to the WHO – only the ICD-11 code being queried. WHO is therefore not a sub-processor of personal data within Article 28 GDPR.

6. Permitted use. ICD-11 content is used only in the reference and informational scope permitted by CC BY-ND 3.0 IGO, with the express exclusion of any interpretation that the displayed nosology or symptom-to-category mapping constitutes an official diagnosis, an official diagnostic criterion, an authorized interpretation of the classification, or any form of WHO endorsement. Interpretive questions should be resolved against the original ICD-11 Reference Guide and Clinical Descriptions and Diagnostic Requirements (CDDR), to which the WHO is the sole rights-holder.

7. Full attribution required by §1.3 WHO Terms of Use. The full attribution required by §1.3 of the WHO ICD-11 Terms of Use is reproduced verbatim: "International Classification of Diseases, Eleventh Revision (ICD-11), World Health Organization (WHO) 2019, https://icd.who.int/browse11. Licensed under the Creative Commons Attribution-NoDerivatives 3.0 IGO license (CC BY-ND 3.0 IGO)". This citation applies to all reports, PDF exports, clinical extracts, and any public material reproducing ICD-11 content from the Service.

8. Translations – §1.2.4 WHO Terms of Use. Per §1.2.4 of the WHO Terms of Use, translations of ICD-11 content are not covered by CC BY-ND 3.0 IGO and require separate written WHO consent. The Service does not distribute translations of WHO definitions, inclusion/exclusion criteria, synonyms, or coding notes. Any plain-language descriptions visible in the Service are author-original paraphrases by the operator for educational/orientation purposes – they are not translations of WHO documents. Detailed definitions, inclusions, exclusions, synonyms, and coding notes are fetched on demand in real time from the public WHO ICD-11 API and presented verbatim with a "WHO source" designation.

9. Provenance markers per data field – §1.2.5 WHO Terms of Use. Per §1.2.5, the operator distinguishes (i) WHO-origin fields (ICD-11 code, official English category title, URI under the icd.who.int domain), tagged in metadata as who_fields_per_entry; from (ii) all other fields (plain-language descriptions, symptom indicators, weights, scoring logic, locale synonyms, author-operationalized criteria), which are author-original work of the operator, tagged as author_fields_per_entry. Any field whose provenance cannot be unambiguously established as WHO is treated as author-original and is not part of ICD-11.

10. Trademark posture. "ICD" is a designation of the WHO; the operator does not seek registration of marks containing "ICD" or full classification titles, consistent with §4.2 of the WHO Terms of Use. The use of "ICD Diagnostica" is descriptive (the platform operates on the ICD-11 classification) and is not a claim to a WHO-affiliated mark. "ICD Diagnostica" is currently a trade name of the operator; no registered trademark is asserted at this stage. The operator does not use the WHO name or emblem in marketing or promotion.

Diagnostic algorithm
How diagnostic suggestions and disorder rankings are produced.

1. Nature of the tool. The ICD Diagnostica algorithm is an author-original heuristic developed independently by the operator. It is structurally, semantically, and organizationally independent of the World Health Organization (WHO) and of any other officially certified or authorized diagnostic instrument. The Service is not a WHO product, is not endorsed by the WHO, and uses only the publicly available ICD-11 classification as a reference vocabulary of nosological categories.

2. How it works (overview). The user identifies symptom indicators present in the patient and the algorithm compares that set against an operationalized representation of ICD-11 criteria for each disorder. The output is a match-ranking expressed as a percentage, presenting disorders from highest to lowest fit against the selected symptom profile. The differential module additionally accounts for symptom-group interactions characteristic of related nosological entities. Weights, thresholds, and decision logic are author-original – they reflect the operator's interpretation of ICD-11 criteria but are not part of the classification itself and have not been endorsed by the WHO.

3. Coverage. The Service covers Mental, Behavioral, and Neurodevelopmental Disorders from ICD-11 Chapter 6 – mood, anxiety, psychotic, post-traumatic, neurodevelopmental, personality, impulse-control, substance-use, and neurocognitive disorders, among others. Specific coverage may evolve with platform updates.

4. Nature of the output – ranking, not diagnosis. The ranking produced by the Service is not a diagnostic determination and is not equivalent to a diagnosis made by a clinician in direct clinical contact with the patient. The clinician has access to the patient interview, observation, anamnestic data, somatic-state assessment, and where indicated laboratory, neuroimaging, and psychological-test results. The algorithm operates only on declared symptom indicators and does not model comorbidity, heterogeneity of clinical presentations, or the patient's environmental context.

5. No clinical validation. The algorithm outputs have not undergone formal clinical validation, have no validated psychometric parameters (sensitivity, specificity, positive/negative predictive values), and are not certified as a medical device under Regulation (EU) 2017/745 (MDR). After applying MDCG 2019-11 Rev.1 (June 2025) qualification criteria, the operator has determined that the Service is not Medical Device Software (MDSW). The Service does not replace clinical evaluation and does not relieve the qualified user of the duty to act in accordance with the professional standard of care or to verify diagnostic conclusions through independent assessment.

6. How to interpret the output. The percentage match should be treated as a relative indicator, not the probability of a disorder. The output is supportive – it informs the differential process and surfaces hypotheses for further verification, but the final diagnostic and therapeutic decision rests entirely with the licensed clinician.

7. AI-Assist (Clinical Plan). Optional feature surfacing informational suggestions. Patient Data is not transmitted to any third-party AI provider and is not used to train any model. AI-Assist is disclosed as an AI feature in line with Article 50(1) of the EU AI Act (Reg. (EU) 2024/1689). See Terms § 6.

User responsibility
Scope of user responsibility, professional secrecy, and the controller/processor split.

1. Qualified user definition. The Service is a tool supporting the intellectual work of qualified mental-health professionals and is addressed exclusively to: (i) licensed physicians acting within their lawful scope of practice (in particular psychiatrists, child and adolescent psychiatrists, neurologists, and family physicians within their competence); (ii) clinical psychologists; (iii) certified psychotherapists in any recognized modality; (iv) students and residents of the foregoing disciplines acting under the supervision of an academic or specialty supervisor. Users must be at least 18 years of age and have legal capacity to enter into a binding contract under the laws of their jurisdiction.

2. Self-diagnosis prohibited. The Service is not, and has never been intended for, self-diagnosis by persons without clinical training – including patients, family members, or persons interested in psychiatric content for purely educational reasons. Use of the Service contrary to its clinical intended purpose – in particular, drawing inferences about one's own mental-health state or that of third parties on the basis of self-entered symptom indicators without consultation with a qualified clinician – falls entirely on that person and lies outside the operator's liability. The red banner at the top of this page summarizes the safety position.

3. Professional standard of care. The qualified user undertakes to use the Service in accordance with the professional standard of care applicable in their jurisdiction (lex artis) and to conduct the diagnostic process not by passively reading algorithmic output, but by integrating it with the full set of available clinical information – including a multi-axial psychiatric interview, mental-state examination, somatic-state assessment (including exclusion of organic aetiology consistent with the ICD-11 diagnostic hierarchy), psychometric testing where available, and consultation with other specialties where indicated.

4. Professional secrecy and patient protection. Entry of any data that could lead – directly or indirectly – to the identification of a specific patient is subject to strict professional-secrecy norms applicable to the user (in Poland, Article 40 of the Act on the Profession of Physician of 5 December 1996, and the equivalent obligations applicable to psychologists and psychotherapists; in other jurisdictions, the equivalent professional-secrecy duty – HIPAA "covered entity" status in the US, the GMC's Good Medical Practice in the UK, etc.). The user is solely and exclusively responsible for the type of data entered into the Service, including whether the data is anonymized or pseudonymized, bearing in mind that pseudonymized data remains personal data under Article 4(5) GDPR and is fully subject to the GDPR.

5. Discreet Mode (built-in protective layer). The Service provides a Discreet Mode that, in three progressive levels (Light, Standard, Max), modifies the presentation layer to mask patient data on the user's device (respectively: first name with surname initial, full initials, anonymized patient identifier), with auto-engage after idle and a global keyboard shortcut for instant masking when third parties enter the consulting room. The duty to organize the working environment for confidentiality remains with the user – system features do not substitute for the user's compliance.

6. Scope of user responsibility. The qualified user assumes full and exclusive responsibility: (a) for every clinical decision made after reviewing the platform's outputs, whether or not the decision aligns with them; (b) for proper, lege-artis maintenance of medical records under applicable health-information regulation; (c) for obtaining the patient's informed consent to the diagnostic process and to the use of digital tools as a supportive element; (d) for organizing the working environment so that third parties cannot view displayed content; (e) for applying appropriate end-device safeguards (multi-factor authentication, full-disk encryption, screen lock after idle).

7. Patient Data – controller / processor split. Where the user enters Patient Data into the Service, the user is the Data Controller within the meaning of Article 4(7) GDPR and the operator acts strictly as Data Processor under Article 4(8) and Article 28 GDPR. The processor's obligations – security, sub-processor flow-down, 72-hour breach notification, audit rights, return-or-deletion at end of processing – are set out in the published Data Processing Agreement at /en/dpa, which is incorporated into the Terms by reference and satisfies Article 28(3) GDPR. The lawful basis for processing Patient Data is the user-Controller's reliance on Article 9(2)(h) GDPR (provision of healthcare or treatment) read together with Article 9(3) (professional secrecy of the user as a licensed practitioner).

8. WHO indemnity (§4.5 WHO Terms of Use). By using the Service and indirectly the ICD-11 content delivered through it, the user irrevocably agrees to indemnify, hold harmless, and defend at their own cost the World Health Organization (WHO), its officers, agents, and employees against any and all claims, demands, causes of action, and liability of any nature arising out of or in connection with the user's use of ICD-11 content (the "indemnify, hold harmless and defend" clause in §4.5 of the WHO ICD-11 Terms of Use). The undertaking covers third-party claims (patients, family members, healthcare institutions, public-administration bodies, competitors) as well as legal-defense costs, expert fees, and litigation costs, regardless of outcome. The operator separately bears no liability to the WHO for the user's actions, and where the WHO directs a claim to the operator in connection with the user's actions, the operator may seek full recourse against the user.

No warranty & limitation of liability
Warranty disclaimers, liability cap, force majeure.

1. "As is / as available" clause. The Service is provided to the User in the form in which it currently operates – "as is" and "as available" – to the maximum extent permitted by mandatory law. The operator therefore makes no warranty – express or implied, statutory or contractual – as to: the accuracy or completeness of presented symptom indicators; the completeness of nosological coverage of ICD-11 Chapter 6; the alignment of algorithmic output with any specific clinician's opinion; service availability within any specific SLA; compatibility with any specific device, operating system, or browser; or the absence of bugs, security vulnerabilities, or presentation-layer inconsistencies.

2. Disclaimer of implied warranties. To the maximum extent permitted by applicable law, the operator expressly disclaims all implied warranties, including: (i) warranty of merchantability; (ii) warranty of fitness for a particular purpose, including any diagnostic, therapeutic, or expert-witness purpose; (iii) warranty of non-infringement, in respect of any content the User itself enters into the Service; (iv) warranty of uninterrupted service; (v) warranty of result.

3. Contract and tort limitation of liability. To the maximum extent permitted by mandatory law, the operator shall not be liable for direct, indirect, incidental, consequential, special, exemplary, or punitive damages, including lost profits, lost contracts, lost reputation, lost goodwill, lost business opportunity, lost data, or time spent on data restoration – irrespective of the basis of the claim (contract, tort, quasi-tort, strict liability, statute, equity), even if the operator was informed of the possibility of such damages, and in particular for any damage suffered by a patient or third party as a consequence of a clinical decision made by the qualified User using algorithmic outputs.

4. Mandatory-law carve-out. The foregoing limitations do not apply to the extent prohibited by mandatory norms, in particular: (i) damage caused intentionally or by gross negligence (Article 473 § 2 of the Polish Civil Code, under which an advance exclusion of liability for intentional damage is null and void); (ii) personal injury or death; (iii) liability arising from breach of personal-data protection law within the meaning of Article 82 GDPR.

5. Cap on direct damages. Subject to paragraph 4 above, the aggregate liability of the operator and its affiliates is capped as follows: (a) for paid (Clinical-Plan) Users, the total fees actually paid to the operator during the twelve (12) months immediately preceding the event giving rise to the claim; (b) for Free-Plan Users, liability is capped at one hundred euros (EUR 100) per incident or in aggregate over any twelve-month period, whichever is greater. See Terms § 18.

6. Force majeure & continuity. The operator is not liable for delay or failure caused by force majeure or other events beyond reasonable control, including natural disasters, war, terrorism, sabotage, general strikes, outages of cloud-infrastructure providers (Google Cloud, Stripe, Cloudflare, Hostinger), DDoS attacks, internet-exchange-point failures, regulatory action, withdrawal of public WHO ICD-11 API access, or judicial orders in third-country jurisdictions. The operator maintains a documented incident-response procedure and undertakes to provide reasonable notice and a documented machine-readable export of User data in the event of permanent service termination.

7. Not a medical device. The Service is not a medical device under Regulation (EU) 2017/745 (MDR), is not CE-marked, does not appear in the EUDAMED database, and does not fall under URPL supervision. After applying MDCG 2019-11 Rev.1 (June 2025) qualification criteria, the operator has determined that the Service is not Medical Device Software (MDSW) – it is an informational and educational tool supporting the intellectual work of a qualified clinician. Inferring medical-device function from the Service's availability is contrary to these disclaimers and to the operator's documented intended purpose.

8. EU AI Act position (Reg. (EU) 2024/1689). The operator has performed an Article 6 classification analysis and takes the position that AI-Assist is not high-risk on the basis of the Article 6(3) derogation. The Article 50(1) AI-disclosure obligation is met by this notice and by Section 6 of the Terms.

9. WHO no-warranty (§§4.3, 4.4 WHO Terms of Use). Independently of the foregoing, the User acknowledges and accepts that – per §§4.3 and 4.4 of the WHO ICD-11 Terms of Use – ICD-11 content is provided "as is" and without warranty of any kind from the WHO. The WHO expressly disclaims all statutory or implied warranties as to accuracy, completeness, or fitness of any information, devices, products, or processes related to ICD-11, including without limitation warranties of design or fitness for a particular purpose, even if the WHO has been informed of such purpose. The WHO does not warrant that ICD-11 use does not infringe third-party property rights or that ICD-11 is free from defect, virus, or interruption. The WHO is not liable for any direct or indirect damage arising from User's use of ICD-11, including special, incidental, and consequential damages.

Sub-processors & international transfers
Third-party providers, transfer mechanisms, and operator's responsibility-allocation.

1. Subsidiary technological dependency. The Service – a web application in client-server architecture supported by cloud infrastructure – relies in several functional areas on professional third-party providers, which act as the operator's technological subcontractors and, in respect of personal data, as processors within the meaning of Article 4(8) GDPR under written sub-processing agreements satisfying Article 28(3) GDPR. The complete sub-processor list, with transfer-safeguard column, is in Annex A of the Data Processing Agreement and in Privacy Policy § 4.

2. Google LLC / Google Ireland Ltd. (Firebase / Google Cloud Platform). Operational backbone, including: (i) Firebase Authentication for user authentication; (ii) Cloud Firestore for the document database (user profiles, subscription data, patient records, audit logs); (iii) Firebase Hosting for the static layer; (iv) Cloud Functions for Firebase for server-side functions (classification API proxy, promo codes, subscription cancellation, administrative operations); (v) App Check + reCAPTCHA Enterprise (score-only) for anti-abuse; (vi) Cloud Logging. EU multi-region (eur3) where supported.

3. Stripe Payments Europe Ltd. / Stripe, Inc. (payments). Card processing, subscription management, fraud detection (Stripe Radar), Customer Portal redirects, and Stripe Tax. EU (Ireland) for EEA cards; US (Stripe, Inc.) for corporate fraud-detection and treasury. The operator does not store card data – full PAN, CVV, and expiry never reach the operator's systems (PCI-DSS Level 1).

4. Cloudflare, Inc. (CDN, security). Content delivery network, DDoS mitigation, bot management (__cf_bm), edge TLS termination. Global edge with EU points-of-presence; corporate processing in the US.

5. Hostinger International Ltd. (transactional e-mail). Outbound transactional e-mail (verification, password reset, 2FA codes, billing notifications) via SMTP. EU (Lithuania) – within the EEA, no third-country transfer mechanism required.

6. International transfers – Schrems II. Where personal data transfers to a third country occur, the operator relies on: (a) the EU-US Data Privacy Framework adequacy decision (Commission Decision (EU) 2023/1795 of 10 July 2023, upheld by the EU General Court on 3 September 2025 in Latombe T-553/23) – Google LLC, Stripe Inc., and Cloudflare Inc. are DPF-certified; (b) Standard Contractual Clauses (Decision (EU) 2021/914) as belt-and-braces; (c) supplementary measures per EDPB Recommendations 01/2020 – encryption-in-transit (TLS 1.3), encryption-at-rest, IAM access restrictions, edge-only TLS termination at Cloudflare with no application-layer payload inspection, contractual restrictions on government access requests, and transparency-report commitments. A copy of the relevant SCCs is available on request to [email protected].

7. WHO ICD-11 API (note – not a sub-processor). The operator consults the public WHO ICD-11 API (Geneva, Switzerland) server-side for canonical entity look-ups via OAuth 2.0. No User personal data, no Patient Data, and no User IP address is transmitted – only the ICD-11 code being queried. The WHO is therefore not a sub-processor of personal data within Article 28 GDPR. Switzerland in any event benefits from a European Commission adequacy decision.

8. Sub-processor changes & right to object. The operator will inform the controller of any intended addition or replacement of a sub-processor at least thirty (30) days in advance, by e-mail or in-app notice, giving the User-Controller the opportunity to object on reasonable data-protection grounds. The objection mechanism is governed by Section 9 of the Data Processing Agreement.

9. Carve-out for sub-processor failure. Without prejudice to mandatory law, the operator is not liable for outages, security incidents, contractual non-conformities, delays, data inconsistencies, or other irregularities at any third-party provider, nor for changes in their pricing, feature scope, geographic availability, or licensing terms. Where any such circumstance materially affects platform availability, the operator will use reasonable efforts to implement substitute solutions within the normal release cycle.

Personal-data protection
GDPR processing, lawful bases, data-subject rights, security, retention, breach notification.

1. Lawful bases. Personal-data processing is governed by Regulation (EU) 2016/679 (the GDPR) and applicable Polish national implementing legislation. The lawful bases for the operator (as Controller for clinician account data) are: (i) Article 6(1)(b) GDPR – performance of a contract (account, subscription); (ii) Article 6(1)(c) GDPR – legal obligation (tax, accounting, anti-fraud); (iii) Article 6(1)(f) GDPR – legitimate interests (security, abuse prevention, audit logging – read together with the explicit disclaimer that the operator does not invoke Article 6(1)(d) vital interests for ordinary security/audit purposes); (iv) Article 6(1)(a) GDPR – consent (optional features). A copy of the relevant Legitimate Interest Assessment is available on request to [email protected].

2. Article 9 GDPR – special-category data. Where the qualified User enters mental-health data into the Service (special-category data under Article 9(1) GDPR), the lawful basis relied upon by the User-Controller is Article 9(2)(h) GDPR (provision of healthcare or treatment) read together with Article 9(3) GDPR (processing under professional secrecy of the User as a licensed practitioner – in Poland, Article 40 of the Act on the Profession of Physician of 5 December 1996; equivalents in other jurisdictions). In this scenario the User is the Controller (Article 4(7) GDPR) and the operator is the Processor (Article 4(8) and Article 28 GDPR), acting on the User's documented instructions per the published Data Processing Agreement at /en/dpa.

3. Data minimization. The operator applies the Article 5(1)(c) GDPR data-minimization principle, limiting processing to: (a) qualified-User account data (e-mail, name, display name, password – stored only as a one-way salted hash by Firebase Authentication); (b) subscription and billing reference metadata (plan status, expiry dates, Stripe Customer ID, last-4 of card for display only); (c) operational data (audit logs, last-sign-in timestamp, locale and UI preferences); (d) optional Patient Data and clinical-event history – scope determined by the User-Controller. Direct identifiers (national ID, full name, full address) are discouraged by the data model and are not required.

4. Access-control architecture. Authorization is enforced server-side by Firestore security rules implementing the principle of least privilege. Only the account owner (the authenticated user) or an authorized system administrator can read account-scoped data. Privilege escalation is prevented by an owner-safe validator that blocks client-side mutation of admin / plan / billing / 2FA fields without administrator action.
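The owner-safe validator described above, modelled as an added JavaScript example (not the project's code): it mirrors what a Firestore rule does, letting the account owner edit ordinary profile fields while refusing client writes that touch admin, plan, billing or 2FA fields. Field names, the `admin` auth claim and the sample account are assumptions.

```javascript
// Added example, not the project's code. Field names below are assumed.
const PROTECTED_FIELDS = ['isAdmin', 'plan', 'billing', 'mfa'];

// Equivalent shape in Firestore Security Rules (same assumed field names):
//   allow update: if request.auth != null
//     && request.auth.uid == resource.data.ownerUid
//     && !request.resource.data.diff(resource.data).affectedKeys()
//          .hasAny(['isAdmin', 'plan', 'billing', 'mfa', 'ownerUid']);

function sameValue(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Names of protected fields whose value differs between the stored and proposed document.
function protectedFieldsChanged(before, after) {
  return PROTECTED_FIELDS.filter((f) => !sameValue(before[f], after[f]));
}

// Read: only the account owner or an administrator (assumed custom claim `admin`).
function canRead(auth, doc) {
  if (!auth) return { allowed: false, reason: 'unauthenticated' };
  if (auth.admin === true || auth.uid === doc.ownerUid) {
    return { allowed: true, reason: 'owner or administrator' };
  }
  return { allowed: false, reason: 'not the account owner' };
}

// Update: owner may change ordinary fields; protected fields need administrator action.
function canUpdate(auth, before, after) {
  if (!auth) return { allowed: false, reason: 'unauthenticated' };
  if (auth.admin === true) return { allowed: true, reason: 'administrator action' };
  if (auth.uid !== before.ownerUid) return { allowed: false, reason: 'not the account owner' };
  if (after.ownerUid !== before.ownerUid) return { allowed: false, reason: 'ownership transfer blocked' };
  const changed = protectedFieldsChanged(before, after);
  if (changed.length > 0) {
    return { allowed: false, reason: `client mutation of protected field(s): ${changed.join(', ')}` };
  }
  return { allowed: true, reason: 'owner-safe update' };
}

// Constructed sample account document (values are placeholders).
const SAMPLE_ACCOUNT = {
  ownerUid: 'uid_A',
  isAdmin: false,
  plan: 'free',
  billing: { stripeCustomerId: 'cus_PLACEHOLDER', last4: '4242' },
  mfa: { enabled: true },
  displayName: 'Dr A',
  locale: 'pl',
};
```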

5. Encryption. All data in transit between the User's device and the Service is protected by TLS 1.3 (RFC 8446) configured per NIST SP 800-52 Rev. 2. Data at rest is encrypted at the Google Cloud storage layer (AES-256). Sensitive client-side fields receive an additional AES-GCM layer with PBKDF2-derived keys bound to the user's UID. Passwords are never stored in plain text – only as one-way salted hashes by Firebase Authentication, with parameters tuned against current offline-attack estimates.

6. Discreet Mode (presentation-layer protection). A client-side Discreet Mode masks patient data on the User's screen at three progressive levels: (i) Light – first name with surname initial (e.g., "Jan K."); (ii) Standard – initials only (e.g., "J.K."); (iii) Max – anonymized identifier (e.g., "Patient #1234"). Mode state persists locally; activation via global keyboard shortcut and optional auto-engage after idle. Discreet Mode does not replace the User's own technical and organizational security measures.
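The three Discreet Mode masking levels as an added JavaScript example (not the project's code): it handles multi-part and hyphenated names, non-ASCII initials, and fails closed to the Max level when given an unknown mode. The level names and the record identifier used for the Max display are assumptions.

```javascript
// Added example, not the project's code. Level names are assumed.
const DISCREET_LEVELS = Object.freeze(['off', 'light', 'standard', 'max']);

// Mask a patient's full name for on-screen display according to the Discreet Mode level.
//   light    -> first name plus surname initial  ("Jan K.")
//   standard -> initials only                    ("J.K.")
//   max      -> anonymized identifier            ("Patient #1234", recordId assumed)
function maskPatientName(fullName, level, recordId) {
  // Unknown or corrupted mode state fails closed to the most restrictive display.
  if (!DISCREET_LEVELS.includes(level)) level = 'max';
  if (level === 'max') return `Patient #${recordId}`;

  const name = String(fullName).trim();
  if (level === 'off') return name;

  const parts = name.split(/\s+/).filter(Boolean);
  if (parts.length === 0) return '';
  // Array.from keeps the first code point intact for non-ASCII letters such as "Ł".
  const initial = (word) => Array.from(word)[0].toUpperCase() + '.';

  if (level === 'light') {
    if (parts.length === 1) return parts[0]; // no surname to abbreviate
    return `${parts[0]} ${initial(parts[parts.length - 1])}`;
  }
  return parts.map(initial).join(''); // standard
}
```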

7. Account deletion & patient soft-delete. Account deletion follows a multi-step procedure: a 30-day grace window (account remains active with a persistent visible deletion-status indicator and the User may cancel without data loss); on day 30 a scheduled function removes data from active systems within a further 30 days; up to 60 days of backup roll-off complete the cycle, with end-to-end deletion within up to 120 days. The deletion sweeps the user document and all subcollections (patients, diagnostic events, audit log, notifications); cancels active Stripe subscriptions and deletes the Stripe Customer object; revokes session tokens and the Firebase Auth account; clears MFA codes. Soft-deleted (archived) patient records are retained for 90 days for accidental-deletion recovery, then permanently purged by an automated daily Cloud Function (03:30 Europe/Warsaw).

8. Data-subject rights. Every data subject is entitled to all GDPR rights: (i) access (Art. 15); (ii) rectification (Art. 16); (iii) erasure (Art. 17, "right to be forgotten"); (iv) restriction (Art. 18); (v) data portability in a structured, commonly-used, machine-readable format such as JSON (Art. 20); (vi) objection (Art. 21); (vii) no automated decision-making (Art. 22); (viii) Article 19 notification – where rectification, erasure, or restriction is exercised, the operator will communicate the change to recipients (sub-processors) unless impossible or disproportionate; (ix) the right to lodge a complaint with the competent data-protection supervisory authority (Article 77 GDPR).

9. Retention. Differentiated retention applies by data category: account data – until deletion plus the period required by mandatory tax/accounting law (typically 5 years from the end of the calendar year of the relevant transaction); subscription/billing – analogous; audit and security logs – typically 12 months, extended on suspected incident; Patient Data – at the User-Controller's instruction within applicable medical-records retention rules of the User's jurisdiction.

10. Article 33-34 breach notification – explicit 72-hour commitment. The operator notifies the Polish supervisory authority (UODO) without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach (Article 33(1) GDPR), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Affected data subjects are notified without undue delay where the breach is likely to result in a high risk (Article 34(1) GDPR). For Patient Data breaches in the operator's processor capacity, the User-Controller is notified without undue delay (Article 33(2) GDPR). The operator maintains a register of breaches per Article 33(5).

11. DPIA & Article 30 records. The operator has carried out a Data Protection Impact Assessment under Article 35 GDPR for the Service, with focus on Article 9 special-category processing, the closed AI-Assist component, and international transfers; reviewed at least annually. Article 30 records of processing activities are maintained for both controller and processor capacities. Both are made available to UODO on request under Articles 30(4) and 35(9) GDPR.

12. Data Protection Officer (Inspektor Ochrony Danych). A DPO has been appointed under Article 37(1)(c) GDPR (core activity = large-scale processing of special-category data under Article 9). Contact: [email protected]. Notification to UODO under Article 37(7) has been filed.

Governing law & jurisdiction
Choice of law, jurisdiction, dispute resolution, modifications.

1. Choice of law. The Terms and any related legal relationships are governed by the substantive law of Poland, excluding conflict-of-laws rules.

2. Exclusion of CISG. The parties expressly exclude the United Nations Convention on Contracts for the International Sale of Goods (Vienna, 11 April 1980 – CISG) and other conventions unifying material law, to the extent of their dispositive provisions.

3. Jurisdiction. The Service is offered to professional Users only. Disputes between the operator and a User are subject to the exclusive jurisdiction of the courts competent for the operator's seat (Łódź, Poland).

4. Pre-litigation mediation. Before initiating court proceedings, the parties undertake in good faith to attempt amicable resolution by sending a written notice describing the dispute. The receiving party shall respond within 30 days. Failure of mediation does not preclude either party from seeking interim relief or urgent court protection.

6. Severability. If any provision is held invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions remain in full force and effect; the invalid provision is replaced with a valid provision that most closely reflects the original commercial intent.

7. WHO ICD-11 jurisdictional segregation (§4.10 WHO Terms of Use). Independently of paragraphs 1-3 above (which govern the user-operator relationship under Polish law), the WHO ICD-11 Terms of Use governing the use of ICD-11 content are subject to Swiss law. Per §4.10 of the WHO Terms of Use, disputes about ICD-11 license interpretation or application – if not resolved amicably – proceed first to conciliation and, in default, to arbitration under the UNCITRAL Arbitration Rules, with the parties accepting the arbitral award as final. This clause does not waive the privileges and immunities of the WHO under national or international law (§4.11 WHO Terms of Use) and does not subject the WHO to the jurisdiction of any national court.

8. Automatic license termination on User breach (§4.7 WHO Terms of Use). User breach of any WHO ICD-11 Terms of Use provision – in particular the prohibition on adaptation under CC BY-ND 3.0 IGO, the prohibition on distributing translations without separate WHO consent (§1.2.4), the prohibition on registering trademarks containing "ICD" or full classification titles (§4.2), and the prohibition on using the WHO name or emblem (§4.1) – causes automatic termination of the User's WHO-granted rights to ICD-11 content, with immediate effect and without any cure-notice requirement. The operator reserves the right to immediately restrict or suspend the User's access on credible information of WHO-license breach. Per §4.8 WHO Terms of Use, the WHO reserves the right to amend the Terms of Use at any time without prior notice, effective on issuance.

9. Subscription vs. WHO license – separation of obligations. The Clinical Plan subscription (billed via Stripe) is an electronic-services contract between the User and the operator. The subscription does not grant the User any license to ICD-11 itself. ICD-11 content is made available to the User solely under the WHO ICD-11 license (CC BY-ND 3.0 IGO + WHO Terms of Use), independently of subscription status, and may be downloaded free of charge directly from icd.who.int/browse11. The economic value of the subscription consists exclusively in author-original differential-diagnosis tools, the patient panel, document exports, technical support, and priority access to software updates – it is in no part a fee for ICD-11 access.

10. Trademark posture – §4.2 WHO Terms of Use. The operator does not seek registration of any trademark containing "ICD" or full WHO classification titles, consistent with §4.2. Use of "ICD Diagnostica" is descriptive – informing the User that the platform operates on the ICD-11 classification – and is not a claim to a trademark, service mark, or other commercial designation associated with the WHO. The operator does not use the WHO name or emblem in marketing or promotion. "ICD Diagnostica" is currently a trade name of the operator; no registered trademark is asserted at this stage.

11. Authoritative language. These pages and the five governing legal documents are drafted in English, which is the controlling language.

12. Modifications policy. The operator may amend these documents to reflect changes in law, the Service, or operational reality. Material changes are notified at least 30 days in advance by e-mail and an in-app banner. Continued use of the Service after the effective date constitutes acceptance. Non-material changes (clarifications, corrections, contact-detail updates, sub-processor list updates) take effect on publication. See Terms § 21.

13. Entire agreement. The five governing documents – Terms, Privacy Policy, Cookie Policy, DPA, Imprint – together with any executed addendum, constitute the entire agreement between the parties on the subjects they cover and supersede prior or contemporaneous communications on those subjects.

14. Acceptable use (summary). Users will not (a) use the Service for self-diagnosis or any layperson use; (b) upload Patient Data without lawful basis or in violation of professional secrecy; (c) scrape, mirror, or systematically extract content (including ICD-11) in breach of the WHO license or applicable law; (d) circumvent authentication, App Check, rate limits, or other security controls; (e) reverse-engineer or attempt to derive a competing product, except to the limited extent expressly permitted by Articles 5(3) and 6 of Directive 2009/24/EC; (f) upload malware, mount denial-of-service attacks, or use the Service to infringe third-party rights. See Terms § 8.

Operator identity & Early-access status
Legal form of the operator, registration status, and what "Early access" means.

1. Operator. The Service is operated under the brand "ICD Diagnostica", established in the European Union. The full statutory imprint (legal name, registered place of business, registration numbers) under UŚUDE Article 5 + Directive 2000/31/EC Article 5 will be published at /en/imprint upon completion of registration formalities.

2. Early-access status. "Early access" reflects the stage of operations rather than a different legal product. It signals that (i) CEIDG registration of the sole proprietorship is in progress and the operator's NIP / REGON / CEIDG identifiers will be published in the Imprint as soon as they are issued; (ii) the Service is offered to a limited group of professional Users while feature work continues. The full legal framework described on this page applies in full from day one.

3. Pre-incorporation note. Until the CEIDG registration numbers are populated in the Imprint, paid Service activation is contingent on completion of registration; until then, the Service operates as a personal/research project in respect of any function that would constitute paid commercial activity in Poland. The operator commits to publish the issued NIP / REGON / CEIDG numbers in all governing documents immediately upon their issuance.

4. Contact. General: [email protected]. Legal / GDPR / DSAR: [email protected]. DPO: [email protected]. Security disclosures: /.well-known/security.txt.

ICD-11
Classification source
ICD-11 © World Health Organization (WHO) 2019, icd.who.int/browse11. Used under the Creative Commons Attribution-NoDerivatives 3.0 IGO license (CC BY-ND 3.0 IGO). ICD Diagnostica is an independent platform and is not affiliated with, sponsored by, or endorsed by the WHO.
DPO
Data Protection Officer & supervisory authority
Data Protection Officer (Inspektor Ochrony Danych): appointed under Article 37(1)(c) GDPR. For data-protection inquiries and to exercise GDPR rights (access, rectification, erasure, restriction, portability, objection, automated-decision opt-out, Article 19 notification): [email protected].
ICD Diagnostica · Independent platform · Not affiliated with the World Health Organization · ICD-11 used under CC BY-ND 3.0 IGO
Document: About / Legal · Version: v1.0 · Last updated: 6 May 2026 · Status: Early access