Privacy Policy
Last Updated: April 26, 2025
1. Introduction
We at MedGuide Ltd. are committed to protecting your personal data and privacy. This policy explains what data we collect, why, how we use it, and your rights. We process data in compliance with GDPR, including Articles 6 and 9, and applicable international privacy laws.
2. Scope of This Policy
This Privacy Policy applies to all visitors, users, account holders, and contributors across our web and mobile platforms, including patients, healthcare professionals, pharmaceutical employees, and public users.
3. What Data We Collect
- Identity Information (e.g., name, date of birth, gender)
- Contact Details (e.g., email, phone, mailing address)
- Account and Authentication Data (e.g., passwords, session tokens, sign-in via Google/Facebook)
- Health Data (e.g., diagnoses, symptoms, medications, medical history)
- Professional Data (e.g., degrees, licenses, CV, specialties)
- Communication Data (e.g., messages, emails, chatbot input)
- Uploaded Files (e.g., documents, certificates, profile images)
- Device and Technical Data (e.g., browser type, IP, device ID, OS)
- Cookies and Usage Data (e.g., page views, session duration, interactions)
- Marketing and Preference Data (e.g., newsletter opt-in, language settings)
- Financial Data (e.g., billing address, payment info – processed via third-party gateways)
4. Legal Grounds for Processing – GDPR Article 6
We only process your data when we have a lawful basis to do so. These include:
- Consent – You have explicitly agreed to processing (e.g., for marketing, chatbot use, health data linkage).
- Contract – We process data to fulfill or prepare a contract with you (e.g., account setup, service delivery).
- Legal obligation – We are required to process data by law (e.g., tax, medical record retention).
- Vital interests – We may process data to protect your life or someone else’s (e.g., in a medical emergency).
- Public task – Where processing is in the public interest under relevant law.
- Legitimate interests – We may use your data for service improvement, fraud prevention, or analytics unless it infringes your rights.
5. Special Categories of Personal Data – GDPR Article 9
Health-related and biometric data are only processed under strict conditions, including:
- Your explicit consent (Art. 9(2)(a))
- Medical diagnosis or treatment (Art. 9(2)(h))
- Public health (Art. 9(2)(i))
- Scientific or research purposes (Art. 9(2)(j))
6. How We Use Your Data
- To register, authenticate, and manage accounts
- To match patients with trials and healthcare providers
- To operate support groups, chats, and community features
- To run AI-based chatbots and virtual assistants
- To process payments and subscriptions via trusted processors
- To send legal, transactional, or promotional emails (only with opt-in)
- To improve services via usage analytics and machine learning
7. Automated Decision-Making and Profiling
We may use algorithms to match you with clinical trials or suggest relevant professionals. You can request human intervention at any time.
8. Data Sharing
- With partners or HCPs when you consent to data sharing (e.g., submitting an application)
- With processors under signed agreements (e.g., AWS, OpenAI, Stripe, analytics tools)
- With regulators or authorities, if required by law
9. International Transfers
If data is transferred outside the EEA, we ensure GDPR-compliant safeguards, such as SCCs (Standard Contractual Clauses).
10. Data Retention and Deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, regulatory, or business requirements.
Under Article 17 of the GDPR, you have the right to request the deletion of your personal data from our systems. This includes, but is not limited to:
- When the data is no longer necessary for the purposes for which it was collected
- When you withdraw consent and no other legal basis exists
- When you object to processing and no overriding legitimate grounds exist
- If your data was unlawfully processed
- If erasure is required to comply with a legal obligation
To request deletion, contact us at: [email protected]
Please note:
- Contact us from the email address with which you created your account.
- We may retain certain information if required by law or for the establishment, exercise, or defense of legal claims.
- Backup copies may take up to 30 days to purge from our systems.
11. Cookies and Tracking
We use first- and third-party cookies for functionality, analytics, and preferences. You can manage cookies through your browser settings.
12. AI and Chatbot Disclosures
Our chatbot is powered by AI and may record conversations to improve accuracy and safety. Sensitive information shared via the bot is stored securely.
13. Security Measures
- TLS/SSL encryption for all data in transit
- Hashed and salted passwords
- Access control and role-based permissions
- Monitoring, logging, and audit trails
14. Data Breach Notification
In the event of a personal data breach, we will notify users and authorities as required by law, within 72 hours.
15. Your Rights Under GDPR
- Right to access
- Right to rectify
- Right to erasure (right to be forgotten)
- Right to restrict processing
- Right to object to processing
- Right to data portability
- Right to withdraw consent
- Right to lodge a complaint with a Data Protection Authority
16. Contact Us
Data Protection Officer (DPO)
Email: [email protected]
Address: Mladost 3, 378, Sofia, Bulgaria