MedX Privacy Policy
Last Updated: 29 July 2025
At MedX Global ("MedX", "we", "us", or "our"), we value your privacy and are committed to being transparent about how we collect, use, and protect your information through our application and website (collectively, the "Services"). This policy combines our existing early‑launch policy with full EU/UK GDPR compliance, including GDPR-specific rights and procedures.
1. Who is the data controller?
- Data Controller: BRADEFLOW LTD, 124 City Road, London, England, EC1V 2NX
- Privacy Contact: privacy@medx.global
2. What personal data do we collect?
We may collect:
- Account data: email (required); name, gender, DOB (optional)
- Health & profile data: symptoms, lab results, medical files (PDFs/images)
- App usage data: session logs, device info, crash reports
- In‑app events: installs, app launches, subscription, etc. (via Meta SDK)
- AI‑generated content: interpreted output from your uploads via Gemini AI
- Payment data: encrypted Stripe tokens (no card data stored)
Note: Special category health data is only processed with your explicit consent (GDPR Art. 9(2)(a)).
3. Why we process your data (legal bases)
Purpose | Legal Basis | Notes |
---|---|---|
Core app functions & payments | Art. 6(1)(b) | Contractual necessity |
Health data analysis (Gemini AI) | Art. 9(2)(a) | You provide explicit consent before upload |
Analytics & app improvement | Art. 6(1)(f) | Legitimate interest, aggregated only |
Meta install tracking & ad optimization | Art. 6(1)(a) | Your opt‑in consent via in‑app settings |
Payments via Stripe | Art. 6(1)(b) | Transaction processing |
4. How we use and share your data
Important: We do not sell your personal data. We share strictly as necessary:
- Gemini AI (Google Cloud, EU/US): analysis of content you upload (no PII)
- Vercel: backend hosting in EU
- Turso: encrypted SQLite DB in EU
- Stripe: handles billing securely
- Meta / Facebook SDK: only anonymized install & event metadata, no sensitive data
All subprocessors operate under Standard Contractual Clauses (SCCs) and encrypted protocols.
5. Consent & withdrawal
- All processing of your sensitive health data requires explicit opt‑in consent in-app.
- Your only way to fully withdraw consent is by deleting your account (via Settings → Delete Account). This action permanently removes your data and stops all processing.
- Deletion is irreversible.
6. Your GDPR rights
You have the right to:
- Access your data: via Settings → Request Data or support email
- Rectify data: edit fields in your profile
- Erase data ("right to be forgotten"): use Settings → Delete Account
- Restrict or withdraw processing: delete account or email privacy@medx.global
- Data portability: currently not automated; email us to receive your data
- Object to automation: opt out or delete account
- Complain to your local supervisory authority if unsatisfied
7. Cookies & tracking
We use cookies or similar tools for analytics and performance. Your rights include:
- Opt out of tracking for analytics or ad optimization
- View details in app settings
- Note: essential cookies may be required for functionality
8. Data security & retention
- Secure transmission: TLS 1.3
- Encryption at rest: AES‑256 (Turso & file storage)
- Access control: Role‑based with audit logs
- Pen‑testing: Conducted periodically
Retention Periods
Data Type | Retention Period |
---|---|
Health & Profile | Until you delete your account or after 5 years of inactivity |
App Usage & Analytics | Up to 24 months, then aggregated |
Payment Records | Minimum 7 years (legal requirement) |
9. AI Disclaimer & Accuracy
- AI analysis (Gemini) is generated based on your uploaded data. We do not include PII or identifiers in API prompts.
- The Service is not a substitute for medical advice. Always consult a qualified medical professional.
- You are responsible for verifying AI-generated insights.
10. No regulatory compliance disclaimer (early launch phase)
As noted in our previous policy, MedX is in early launch and may not yet be subject to regulatory regimes such as HIPAA. We now aim for full GDPR compliance as our Services evolve—this policy supersedes earlier statements regarding non‑compliance.
11. Children's privacy
Not intended for use by individuals under 16 years old. We do not knowingly process data from minors. If discovered, such data will be deleted immediately.
12. Changes to this policy
We may update this policy as we enhance compliance or services. We'll notify you via app or email of material changes.
13. Contact
- General: myhealthwallet@medx.global
- Privacy/data rights: privacy@medx.global
📚 GDPR FAQ
Question | Answer |
---|---|
Do you sell my data? | No. We use Meta SDK only for aggregated event tracking, never for health data. |
How do I stop any data processing? | Delete your account via Settings. That deletes all data and withdraws consent. |
Can I export my labs or records? | Not yet automatically. Email us and we'll provide them in JSON or PDF within 30 days. |
Where's my data stored? | EU-based services: Vercel (backend), Turso (encrypted database). |
Does Gemini AI see personal info? | We send only a content extract (e.g. lab values), with no name, email, or identifiers. |
What analytics do you collect? | App installs, app launches, subscription events. No health data or sensitive info. |
Who can see my uploads? | Only you. Data is encrypted and scoped to your user account. MedX team cannot view it without your explicit request. |
Thank you for trusting MedX with your health journey. We're committed to protecting your privacy with transparency, control, and security.