1. Data Controller
The data controller for personal data processed through the MediGuard platform is:
Ryad Guerroudj
Wielandstr. 14, 89073 Ulm, Deutschland
E-Mail: hello@mediguard.solutions
Full legal details are available in our Impressum.
2. Data We Collect
We collect the following categories of personal data:
- Account data: name, email address, and password (stored as a hashed value via Supabase Auth)
- Profile preferences: language selection, display theme
- Usage data: risk classifier answers, documentation content, compliance gap statuses, and activity log entries you create within the platform
- Billing data: subscription plan and status (Stripe handles payment card data directly; we never store card numbers)
- Technical data: IP address, browser type, and access timestamps, collected automatically for security and service operation
3. Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases as defined in GDPR Article 6:
- Contract (Art. 6(1)(b)): processing necessary to provide the Service you signed up for
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, and service improvement
- Legal obligation (Art. 6(1)(c)): compliance with applicable tax and financial regulations
- Consent (Art. 6(1)(a)): where you have explicitly opted in (e.g. marketing communications)
4. How We Use Your Data
- To create and manage your account and authenticate you securely
- To store and synchronise your documentation, gap analysis, and classifier data across devices
- To process subscription payments and manage billing
- To power the AI Summariser feature (your input text is sent to Anthropic for processing — see §5)
- To send transactional emails (account confirmation, password reset, billing receipts)
- To detect and prevent abuse, fraud, or security incidents
5. Data Processors and Third-Party Sharing
We share data only with the following processors, each bound by a Data Processing Agreement:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication and database hosting | EU (Frankfurt) |
| Stripe | Payment processing | EU / USA (SCCs) |
| Anthropic | AI Summariser (Growth plan only) | USA (SCCs) |
| Google (Workspace) | Transactional email delivery | EU / USA (SCCs) |
| Vercel | Application hosting and CDN | EU / USA (SCCs) |
We do not sell your personal data to any third party.
6. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law (e.g. financial records for 7 years). Anonymised, aggregated usage statistics may be retained indefinitely.
7. Your Rights under GDPR
As a data subject in the EEA, you have the following rights:
- Access (Art. 15): request a copy of the personal data we hold about you
- Rectification (Art. 16): correct inaccurate data via your account Settings
- Erasure (Art. 17): request deletion of your account and all associated data
- Data portability (Art. 20): export your documentation data in machine-readable format
- Restriction (Art. 18): request that we restrict processing in certain circumstances
- Objection (Art. 21): object to processing based on legitimate interests
- Withdraw consent (Art. 7(3)): where processing is consent-based, withdraw at any time
To exercise any of these rights, email hello@mediguard.solutions. We will respond within 30 days. You also have the right to lodge a complaint with the competent supervisory authority — in Baden-Württemberg, Germany: Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg (LfDI BW), www.baden-wuerttemberg.datenschutz.de.
8. Cookies
We use strictly necessary cookies and browser storage to maintain your authenticated session and remember your language and theme preferences. We do not use advertising or cross-site tracking cookies. No cookie consent banner is shown because we only use technically necessary storage.
9. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3), encryption at rest (AES-256), row-level security policies in our database, and access controls. No internet transmission is 100% secure; use a strong, unique password and enable any available second-factor authentication.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days in advance. The “Last updated” date at the top of this page will always reflect the current version.