Privacy Policy

Last updated: April 2026

1. Who we are

This Privacy Policy describes how the MedOs platform ("the Service") processes personal data on behalf of healthcare providers ("Clinics") who use the Service to manage their patient records, appointments, billing and communications.

The Clinic is the data controller of patient personal data. MedOs (the platform operator) is the data processor under EU General Data Protection Regulation (GDPR) Article 28.

2. What data we process

  • Identification: name, date of birth, gender, contact details (email, phone, address)
  • Health data: medical history, allergies, medications, treatment notes, lab results, photos
  • Financial: invoices, payments, package balances
  • Operational: appointments, communications log, consent forms
  • Account: staff sign-in credentials, role, audit trail

3. Where data is stored

All data at rest is stored within the European Economic Area on infrastructure operated by Supabase (eu-west-1, Dublin, Ireland). Backups are encrypted and held in the same region. Patient data is not transferred outside the EEA without appropriate safeguards under GDPR Chapter V (Standard Contractual Clauses with the sub-processors listed below).

4. Sub-processors

We use the following sub-processors. All have signed GDPR-compliant data processing agreements:

  • Supabase (Ireland) — database, authentication, file storage
  • Stripe (Ireland) — payment processing
  • Vercel (USA, Frankfurt edge) — application hosting
  • Resend (USA / EU edge) — transactional email (if enabled by your clinic)
  • Twilio / MessageBird (EU) — SMS (if enabled)
  • Anthropic / Azure OpenAI (EU) — AI features (if enabled)

5. Your rights (GDPR)

You have the right to:

  • Access your personal data (Article 15)
  • Have inaccurate data rectified (Article 16)
  • Have your data erased (Article 17, the "right to be forgotten")
  • Have processing restricted (Article 18)
  • Receive your data in a machine-readable format (Article 20, data portability)
  • Object to processing (Article 21)
  • Lodge a complaint with your local supervisory authority (in Hungary: NAIH)

To exercise these rights, contact your clinic directly. As the data controller, they handle these requests.

6. Retention

Patient records are retained for the period mandated by the law that applies to the Clinic; this varies by country (for example, 30 years for medical documentation in Hungary), and the Clinic, as controller, sets the period that applies to it. Financial records are retained for 8 years as required by accounting law. Other data is deleted upon request or 90 days after subscription termination.

7. Security

We employ industry-standard technical and organisational measures including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Row-level security in the database, so that each Clinic can only read and write its own records, enforced server-side regardless of what the client application requests
  • Optional two-factor authentication for staff accounts
  • Audit logs of all access to patient records
  • Regular security reviews and dependency scanning
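The row-level security bullet above is the one measure that is easy to state and easy to get wrong, so here is an added illustration of how tenant isolation of that kind is typically expressed on Supabase (Postgres). It is example code written for this page, not MedOs' own schema or policies, and it assumes a hypothetical `patients` table with a `clinic_id` column and a `clinic_id` claim placed in the signed-in user's JWT `app_metadata` at sign-in. It also shows a weak policy beside the corrected one and a way to check the result.

```sql
-- Added example, not the platform's own schema. Assumed table: one row per
-- patient, tagged with the owning clinic (tenant).
create table if not exists patients (
  id            uuid primary key default gen_random_uuid(),
  clinic_id     uuid not null,
  full_name     text not null,
  date_of_birth date
);

-- RLS complements grants, it does not replace them: the role still needs
-- table privileges, and the policies then filter which rows those apply to.
grant select, insert, update, delete on patients to authenticated;

-- Enable RLS. Without FORCE the table owner bypasses policies; FORCE closes
-- that gap. Note that the Supabase service_role key bypasses RLS entirely and
-- must never be shipped to a browser or mobile client.
alter table patients enable row level security;
alter table patients force row level security;

-- The caller's tenant comes from the verified JWT (auth.jwt() is Supabase's
-- claims helper), never from the request body. A missing claim yields NULL,
-- which makes every comparison below false and denies access by default.
create or replace function current_clinic_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'clinic_id', '')::uuid
$$;

-- WEAK (for contrast, do not use): "any signed-in user may insert". The
-- caller can tag the row with another clinic's id and write into its tenant.
-- create policy patients_insert_any on patients
--   for insert to authenticated
--   with check (auth.uid() is not null);

-- CORRECTED: every command is bound to the caller's clinic. USING filters the
-- rows a statement can see or touch; WITH CHECK constrains rows it creates.
create policy patients_select_own_clinic on patients
  for select to authenticated
  using (clinic_id = current_clinic_id());

create policy patients_insert_own_clinic on patients
  for insert to authenticated
  with check (clinic_id = current_clinic_id());

create policy patients_update_own_clinic on patients
  for update to authenticated
  using (clinic_id = current_clinic_id())
  with check (clinic_id = current_clinic_id());   -- blocks moving a row to another tenant

create policy patients_delete_own_clinic on patients
  for delete to authenticated
  using (clinic_id = current_clinic_id());

-- Check from psql: impersonate an authenticated user of clinic 1111... by
-- setting the claims auth.jwt() reads, then try to cross the tenant boundary.
-- (Both UUIDs below are made up for the example.)
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"role":"authenticated","sub":"00000000-0000-0000-0000-000000000001",'
  '"app_metadata":{"clinic_id":"11111111-1111-1111-1111-111111111111"}}',
  true);

insert into patients (clinic_id, full_name)
  values ('11111111-1111-1111-1111-111111111111', 'Test Patient A');  -- succeeds

insert into patients (clinic_id, full_name)
  values ('22222222-2222-2222-2222-222222222222', 'Test Patient B');
  -- fails: new row violates row-level security policy for table "patients"

select count(*) from patients;  -- counts only clinic 1111... rows
rollback;
```

The verification block is the part worth keeping in a migration test: run it against a staging database after every policy change, and treat a successful cross-tenant insert or a non-zero count for a foreign clinic as a failed deployment rather than a warning.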

8. Cookies

We use the minimum necessary cookies to keep you signed in and the app working. Analytics and marketing cookies are opt-in only. You can change your preferences any time by clearing the consent stored in your browser.

9. Contact

For data protection enquiries, contact your clinic's data protection officer. For platform-level questions: privacy@medos.app.

10. Changes

We may update this policy. Material changes will be communicated via in-app notification and email.