Privacy Policy
At Medalty ("we", "us"), we respect your privacy. This policy explains what data we collect, the legal basis for processing, recipients, retention, and your rights under the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the Greek Law 4624/2019, and the ePrivacy Directive.
1. Data Controller & contact
- Entity: Medalty Health
- Privacy email: privacy@medalty.com
- Legal: legal@medalty.com
- DPO: we are not required to designate one under Article 37 GDPR; data-protection inquiries are handled by the privacy team.
2. Categories of data we process
- Account info: email, full name, role (patient / doctor / lab / admin), preferred language, timezone.
- Special-category health data (Article 9 GDPR): conditions, appointments, doctor notes, medical records, lab results, vitals, device measurements, longevity goals, reminders. Encrypted at rest (AES-256) and in transit (TLS 1.3).
- Practitioner credentials (doctors and labs): license number, specialty, verification info from official authorities.
- Technical data: IP address, user-agent, sign-in times, audit log of sensitive actions (who viewed which record, when).
- Device data: if you explicitly connect a health device (Oura, Apple Watch, Fitbit, Withings, Dexcom, FreeStyle Libre, etc.), we receive only the metrics you authorize.
- Cookies: see our Cookie Policy.
3. Legal basis for each processing activity
- Contract (Art. 6.1.b): to provide the service and execute the Terms of Service.
- Explicit consent (Art. 9.2.a): for any processing of special-category health data. Captured at sign-up and revocable at any time without justification.
- Legitimate interest (Art. 6.1.f): security, audit logs, fraud prevention. We perform a balancing test before each use.
- Legal obligation (Art. 6.1.c): medical-record retention, tax records, professional registries.
4. Purposes
- Provide Medalty across your roles.
- Service-related communication (appointment confirmations, security alerts).
- Security, audit, abuse detection.
- Comply with legal obligations.
We never sell your data. Never use it for third-party advertising. Never train AI models on your data. Never perform automated decision-making or profiling that produces legal effects (Article 22 GDPR).
5. Recipients & sub-processors
We do not share data with third parties other than the processors below, each bound by a Data Processing Agreement (DPA) under Article 28 GDPR:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, file storage | EU (Dublin, eu-west-1) |
| Railway | Application hosting | EU |
| Google (OAuth) | Sign-in with Google — email + name only | EU/Global (SCCs) |
| Vital (when enabled) | Health-device connectivity — only metrics you authorize | EU (Frankfurt) |
We maintain a current sub-processor register; new processors are announced on this page at least 30 days in advance.
6. International transfers
All personal data stays within the EEA. Where a processor has global infrastructure (e.g. OAuth identity providers), the transfer is covered by the EU Standard Contractual Clauses (Decision 2021/914).
7. Retention
| Category | Retention period |
|---|---|
| Active accounts | For the duration of your subscription |
| Deleted accounts | Permanent removal within 30 days |
| Medical records of active users | 10 years from last visit (Greek medical-records law 4600/2019) |
| Audit logs of sensitive actions | 6 years |
| Backups | Encrypted, 7 days (free) or 30 days (Team tier) |
| Sign-in logs | 90 days |
8. Your rights (Art. 15–22 GDPR)
- Access your data — structured JSON export.
- Rectification of inaccurate data.
- Erasure ("right to be forgotten") where no legal retention applies.
- Portability of your data to another controller.
- Restriction of processing.
- Objection to processing based on legitimate interest.
- Withdraw consent at any time — does not affect lawfulness of prior processing.
- Not be subject to automated decision-making (Art. 22) — N/A here, we don't use it.
Email privacy@medalty.com. We respond within 30 days (extendable to 60 days for complex cases, with notice). Identity verification is required to prevent abusive requests.
9. Lodging a complaint
You have the right to lodge a complaint with the Hellenic Data Protection Authority (Kifisias 1-3, Athens, www.dpa.gr) or with the supervisory authority of your EU country of residence.
10. Data breaches (Art. 33–34 GDPR)
In the event of a data breach, we notify the supervisory authority within 72 hours. If the breach is likely to result in a high risk to your rights and freedoms, we notify you directly via email and an in-app banner without undue delay.
11. Security
TLS 1.3 everywhere; AES-256 at rest; Row-Level Security on every table; complete audit log of sensitive actions; least-privilege access for all employees with mandatory MFA.
12. Children
Medalty is not intended for children under 15 (the Greek Law 4624/2019 Article 21 threshold). For ages 15–17 a parent/guardian's consent is required. We do not knowingly collect data from minors without parental consent.
13. Sources of data
Most data comes directly from you. Exceptions: lab results may be uploaded by your laboratory with your prior consent, and device measurements are received when you explicitly connect a device.
14. Changes to this policy
For material changes we notify you by email at least 30 days before they take effect. The last-updated date is shown at the top.