MEDARDIX PRIVACY POLICY
Effective date: March 29, 2026
This Privacy Policy explains how MedTrio s.r.o. ("MedTrio", "we", "us", "our") collects, stores, uses, discloses, and otherwise processes personal data in connection with Medardix websites, applications, products, and related services.
Company and contact information:
MedTrio s.r.o.
Registered address: Pod Harfou 933/62, Vysocany (Praha 9), 190 00 Praha, Czech Republic
Represented by: Marek Wintersteiner, Managing Director
General contact: info@medardix.com
Privacy contact / Data Privacy Officer contact point: info@medardix.com
This Privacy Policy is intended to be used as a standalone legal notice. It can be read independently and does not require prior reading of any data processing agreement, license terms, or other contractual document.
1. Introduction and Applicable Privacy Frameworks
We value privacy and the importance of safeguarding personal data. "Personal data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable natural person.
As a global service provider, we aim to comply with applicable privacy and data protection laws, including where applicable:
- the EU General Data Protection Regulation (GDPR);
- national laws implementing or supplementing GDPR, including Czech data protection law;
- UK GDPR and the UK Data Protection Act 2018;
- Switzerland's Federal Act on Data Protection (FADP);
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws, including Quebec Law 25 where applicable;
- Brazil's Lei Geral de Protecao de Dados (LGPD);
- South Africa's Protection of Personal Information Act (POPIA);
- Saudi Arabia's Personal Data Protection Law (PDPL), where applicable;
- California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and CalOPPA where applicable;
- Colorado Privacy Act (CPA);
- Utah Consumer Privacy Act (UCPA);
- Connecticut Data Privacy Act (CTDPA);
- Virginia Consumer Data Protection Act (VCDPA);
- Texas Data Privacy and Security Act (TDPSA);
- Oregon Consumer Privacy Act (OCPA);
- Montana Consumer Data Privacy Act;
- Delaware Personal Data Privacy Act;
- Nebraska Data Privacy Law;
- New Hampshire Data Privacy Act;
- New Jersey Data Privacy Act;
- Minnesota Consumer Data Privacy Act;
- Maryland Online Consumer Protection Act;
- Kentucky Consumer Data Protection Act (KCDPA);
- Tennessee Information Protection Act (TIPA);
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA);
- Indiana Consumer Data Protection Act (INCDPA);
- Iowa Consumer Data Protection Act (ICDPA);
- and other applicable privacy, confidentiality, and security laws in jurisdictions where we operate or serve customers.
2. Scope
This Privacy Policy applies to Medardix websites, domains, applications, services, and products, including support and operational communications.
This Privacy Policy does not apply to third-party applications, websites, products, services, or platforms not controlled by MedTrio, even where linked from our services. Those third parties maintain their own privacy policies and practices.
3. Processing Activities Covered
This Privacy Policy applies when you interact with us by doing any of the following:
- using Medardix as an authorized user, workspace administrator, or customer representative;
- visiting websites or pages that link to this Privacy Policy;
- communicating with us for support, onboarding, billing, legal, compliance, or security purposes;
- receiving service notifications, product updates, newsletters, or other communications where permitted by applicable law.
4. Data Controller and Processor Context
Depending on context, MedTrio may act as:
- Processor or subprocessor when processing personal data on behalf of healthcare providers or organizational customers using Medardix; and
- Controller for limited processing related to account management, billing, support, security, abuse prevention, legal compliance, and direct business operations.
Where we process personal data on behalf of a customer, that customer is responsible for determining lawful basis, giving required notices, obtaining required permissions or consents, and handling data-subject requests unless applicable law requires otherwise.
5. Personal Data We Collect and Process
The personal data we process may include:
Account and identity data:
- full name;
- work email address;
- username and account identifiers;
- authentication credentials and login verification data;
- organizational role and permissions.
Professional and organizational data:
- employer or organization name;
- professional role, department, and workplace details;
- subscription/workspace assignment details.
Billing and transaction data:
- billing address and contact details;
- invoicing metadata;
- payment-related references handled through payment providers.
Device and technical data:
- IP address;
- browser type and version;
- operating system and device characteristics;
- device identifiers and telemetry where provided by device or platform;
- authentication logs, security logs, and access timestamps;
- session identifiers and service diagnostics.
Usage and analytics data:
- pages and product areas visited;
- feature usage metrics;
- interaction events;
- performance and reliability telemetry;
- approximate location inferred from IP or device settings where available.
Support and communication data:
- support tickets and correspondence;
- onboarding and implementation communications;
- legal/compliance/security inquiries;
- attachments and records provided in support workflows.
Service content and healthcare workflow data:
- recordings submitted through the service;
- transcripts and generated text;
- structured notes, summaries, and workflow outputs;
- content metadata and operational context required to provide the service.
Sensitive or special category data (where provided through service use):
- health-related information and other special category data submitted under customer instructions;
- data concerning vulnerable individuals where such data is included by customer workflows and permitted by law.
Children's data:
- Medardix is a professional B2B healthcare service and is not intended for child consumer accounts.
- We do not knowingly collect personal data directly from children for consumer use.
6. How We Collect Personal Data
We collect personal data from the following sources:
From you and your organization:
- when accounts are created and configured;
- when service inputs are uploaded, recorded, or entered;
- when forms are completed;
- when customer support is requested;
- when onboarding, billing, legal, or operational details are provided.
Automated technologies:
- cookies and similar technologies;
- server logs and security monitoring systems;
- usage and performance telemetry;
- diagnostics generated by browsers, devices, and applications.
Third parties and integrations:
- hosting, cloud, and infrastructure providers;
- authentication and identity providers;
- analytics providers including Google Analytics;
- payment and billing providers;
- customer-authorized integrations and communication platforms;
- public authorities, law enforcement, courts, or regulators where legally required.
If you provide personal data about other individuals, you represent that you are authorized to do so and that such processing is lawful.
7. Purposes and Legal Bases for Processing
We process personal data for the following purposes:
- to provide and operate Medardix services;
- to authenticate users, manage access, and administer accounts/workspaces;
- to process recordings and text workflows requested by customers, including transcription, summarization, and note structuring;
- to maintain, monitor, secure, troubleshoot, and improve service reliability;
- to provide support, onboarding, and customer communications;
- to process invoicing and manage commercial relationships;
- to detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents;
- to enforce legal terms and protect rights, safety, and property;
- to comply with legal, regulatory, and professional obligations;
- to establish, exercise, or defend legal claims.
Legal bases may include:
- performance of a contract or steps at your request prior to contract;
- compliance with legal obligations;
- legitimate interests (for example service security, fraud prevention, and product reliability);
- consent, where required by law;
- and where relevant, substantial public interest or healthcare-related legal bases under applicable law.
8. AI and Model Training Commitments
We do not use identified or identifiable customer clinical data, patient data, PHI, or other customer personal data to train, retrain, fine-tune, or improve general-purpose shared models for unrelated customers.
We may use de-identified, anonymized, or aggregated information that does not identify an individual or customer for lawful purposes such as service analytics, security, quality assurance, and product improvement, where permitted by law and contract.
9. Cookies and Similar Technologies
What are cookies:
- Cookies are small files stored by your browser or device to support functionality, security, preference memory, and analytics.
How we use cookies and similar technologies:
- Strictly necessary cookies: required for core service operation, authentication, and security.
- Preference cookies: used to remember language, session, and interface preferences.
- Analytics cookies: used to understand service use and improve performance and product quality.
Google Analytics:
- We use Google Analytics to help us understand how visitors and users interact with our websites and services.
- Information about how Google processes data is available at: https://policies.google.com/privacy
- You can opt out of Google Analytics using: https://tools.google.com/dlpage/gaoptout
Cookie choices:
- Browser and device settings may allow you to reject or delete cookies.
- If strictly necessary cookies are disabled, parts of the service may not function properly.
10. Disclosure and Sharing of Personal Data
We may share personal data in the following cases:
- with subprocessors and service providers acting on our instructions for hosting, storage, authentication, infrastructure, support, monitoring, and security;
- with analytics providers including Google Analytics;
- within MedTrio on a strict need-to-know basis;
- with customer-authorized recipients and integrations;
- with professional advisers and auditors under confidentiality obligations;
- with competent authorities, law enforcement, courts, or regulators where legally required;
- in connection with mergers, acquisitions, financing, restructuring, insolvency, or sale of business assets, subject to lawful safeguards.
We require service providers processing personal data on our behalf to implement appropriate confidentiality and security measures and to process data in accordance with applicable law and contractual restrictions.
11. International Data Transfers and Global Operations
Medardix serves global customers and may process personal data in multiple jurisdictions. Personal data may be transferred to, stored in, or accessed from countries outside your country of residence.
Where required by applicable law, we use appropriate safeguards, including:
- adequacy decisions;
- standard contractual clauses or equivalent approved transfer mechanisms;
- supplementary contractual, technical, and organizational controls.
Where feasible, we seek to process data in regional infrastructure aligned with customer and legal requirements.
12. Retention and Deletion
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, considering legal, contractual, security, and operational obligations.
For customer service content in Medardix, unless otherwise configured by the customer, agreed in writing, or required by law, default retention may be up to thirty (30) days from collection or generation, followed by deletion or inaccessibility through our retention workflow and backup lifecycle.
After termination or expiration of services, limited retention may continue where reasonably necessary for export, recovery, deletion workflow completion, security, fraud prevention, dispute handling, legal compliance, and defense of legal claims.
13. Security
We maintain technical and organizational safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
These measures may include:
- access controls and least-privilege restrictions;
- encryption in transit and at rest where appropriate;
- monitoring and logging;
- vulnerability management and patching;
- incident detection and response procedures;
- backup and restoration controls;
- confidentiality obligations for authorized personnel and service providers.
No method of transmission or storage is absolutely secure. We continuously evaluate and update safeguards in light of risk, technology, and legal requirements.
14. Data Breach Notification
If we become aware of a personal data breach, we will investigate, mitigate, and notify affected customers, individuals, and/or competent authorities as required by applicable law.
Where legally permitted and practical, we aim to provide timely information on the nature of the breach, likely impact, and remediation steps.
15. Your Rights Regarding Personal Data
Depending on your location and applicable law, your rights may include:
Right of access: - PIPEDA, GDPR Article 15, CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA, LGPD, POPIA.
Right to rectification/correction: - PIPEDA, GDPR Article 16, CCPA/CPRA, CPA, VCDPA, CTDPA, LGPD, POPIA.
Right to erasure/deletion: - GDPR Article 17, CCPA/CPRA, CPA, VCDPA, CTDPA, UCPA, LGPD, POPIA, subject to legal exceptions.
Right to restrict processing: - GDPR Article 18, LGPD, where applicable.
Right to data portability: - PIPEDA, GDPR Article 20, LGPD, and similar laws where applicable.
Right to object: - GDPR Article 21, LGPD, POPIA, where processing is based on legitimate interests.
Right to withdraw consent: - where processing is based on consent, without affecting prior lawful processing.
Right to opt out (where applicable under U.S. state privacy laws):
- targeted advertising;
- sale of personal data;
- profiling in furtherance of decisions that produce legal or similarly significant effects.
Right to nondiscrimination/nonretaliation: - as provided by CCPA/CPRA and certain U.S. state privacy laws.
Right to lodge a complaint: - GDPR Article 77, LGPD, POPIA, and similar complaint rights under applicable law.
16. Appeals and Complaints
Where required by applicable U.S. state law, you may have the right to appeal a rights-request decision.
To submit an appeal, contact info@medardix.com with subject line "Privacy Rights Appeal" and reference your original request.
If your appeal is denied, you may have the right to contact the relevant state attorney general or regulator.
For EEA data subjects, a list of supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
17. How to Exercise Your Rights
You can submit privacy rights requests by contacting info@medardix.com.
For security and fraud-prevention purposes, we may request reasonable information to verify identity and authority before fulfilling a request.
If we process your data solely as processor on behalf of a customer, we may direct your request to the relevant controller/customer while providing assistance where required by law or contract.
18. De-Identified and Aggregated Information
Where permitted by law and contract, we may use and disclose de-identified, anonymized, or aggregated information that does not identify an individual for purposes such as service analytics, quality improvement, security hardening, benchmarking, scientific collaboration, publications, and research support.
Where health data is de-identified, we apply methods and controls intended to reduce re-identification risk in line with applicable legal and contractual requirements.
19. Merger, Acquisition, and Corporate Reorganization
If MedTrio is involved in a merger, acquisition, financing, due diligence process, reorganization, bankruptcy, or sale of all or part of its assets, personal data may be disclosed or transferred as part of that transaction, subject to legal and contractual safeguards.
20. Third-Party Services and External Links
Our services may contain links to or integrations with third-party websites, applications, and services. We are not responsible for the privacy, security, or content practices of third parties not controlled by MedTrio.
You should review the privacy policies of those third parties before sharing personal data with them.
21. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, regulatory, operational, or product changes.
When we update this Privacy Policy, we will publish the revised version with an updated effective date. Where required by law, we will provide additional notice and/or seek required consent.
22. Contact Us
For privacy questions, requests, appeals, or complaints, contact:
Email: info@medardix.com
Write to:
Data Privacy Officer Contact Point
MedTrio s.r.o.
Pod Harfou 933/62, Vysocany (Praha 9)
190 00 Praha
Czech Republic