Privacy Policy

Privacy Policy

1. Introduction

meda AI GmbH (“meda”, “we”, “us”, or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you visit our website at www.mymeda.ai, contact us or request information about our products and services, register for or use the beta version of our physician platform, or take part in clinical research conducted with our partner medical institutions.

We treat your personal data confidentially and in accordance with statutory data protection regulations, in particular Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and applicable German data protection law (the Federal Data Protection Act, BDSG, and the Digital Services Act, DDG).

We act as a data controller for the personal data we process to operate this website and to communicate with prospective and existing customers. When our platform is used by a healthcare provider, we instead act as a data processor, as explained in Section 3.

Important notice for patients: If your personal data is processed within the platform by your healthcare provider, this Privacy Policy does not govern how that provider uses your data. Your healthcare provider is the data controller for that processing, and you should refer to their own privacy notice. See Section 3 for details of our role as a data processor.

This Privacy Policy serves to inform you in accordance with Articles 13 and 14 GDPR.


2. Who We Are and How to Contact Us

Data Controller: meda AI GmbH, Distlhofweg 18, 81369 Munich, Germany.

Email: support@mymeda.ai

Phone: +49 152 02544938

For any privacy-related enquiry, please contact us by email at support@mymeda.ai or by post at the address above.


3. Our Role: Data Controller and Data Processor

meda as data controller. When you visit our website, submit an enquiry, request information, register for the beta programme, or otherwise interact with us as a prospective or existing customer, meda determines the purposes and means of processing your personal data and acts as the data controller in accordance with this Privacy Policy.

meda as data processor. When our platform is used by a customer organisation (such as a medical practice, clinic, or hospital), that organisation is the data controller for the personal data processed within the platform, including:

  • patient data, health records, and clinical information;

  • account data for healthcare professionals and practice staff; and

  • other personal data entered, uploaded, or generated within the platform by the customer.

Acting as a data processor, we process such data only on the customer’s documented instructions as set out in the applicable Data Processing Agreement (DPA). We do not use it for our own purposes, we apply appropriate technical and organisational security measures, we assist the customer with data subject rights requests, we notify the customer without undue delay of any personal data breach, and we delete or return the data at the end of the service, unless retention is required by law.

If you are a patient whose data is processed within the platform provided to your healthcare provider, that provider — not meda — is the controller responsible for your data. Please direct any questions, requests, or complaints to your healthcare provider, whose privacy notice applies to that processing.


4. Categories of Personal Data We Process

4.1 Website Visitor Data

  • Browser information (type, version, operating system)

  • Usage data (pages visited, time spent, click patterns)

  • Referrer URL and search terms

  • Device information (screen resolution, device type)

  • Cookies and tracking technologies (see Section 12)

4.2 Professional User Registration Data

  • First and last name

  • Email address

  • Professional information (medical practice, specialty, licence)

  • Phone number (optional)

  • Feedback and support requests

4.3 Beta Platform Usage Data

  • Authentication data (login credentials, session tokens)

  • Usage analytics (feature usage, session duration, error logs)

  • Performance metrics (system response times, error rates)

  • Feedback and support communications

  • Technical logs (automatically anonymised after 30 days)

4.4 Special Categories of Data (Health Data)

Where our platform is used to support clinical documentation, we process special categories of data — in particular health data — solely as a data processor on behalf of our customers. Consultation audio is processed in real time and deleted immediately; it is never permanently stored.


5. Legal Bases for Processing

We only process your personal data where we have a lawful basis under the GDPR. Depending on the context, we rely on:

  • Art. 6(1)(a) GDPR — consent (e.g. contact forms, newsletter, non-essential cookies);

  • Art. 6(1)(b) GDPR — performance of a contract (e.g. beta platform access);

  • Art. 6(1)(c) GDPR — compliance with a legal obligation;

  • Art. 6(1)(f) GDPR — legitimate interests (e.g. website operation, security, product development).

Where health data is processed within the platform, the relevant conditions of Art. 9(2) GDPR apply and are determined by the healthcare provider acting as controller. You may withdraw any consent at any time without affecting the lawfulness of processing carried out beforehand.


6. Purposes of Data Processing

6.1 Website Operation

  • Website provision and technical optimisation

  • Usage statistics analysis (see Section 8)

  • IT security assurance

6.2 Beta Testing and Product Development

  • Function testing of AI-powered documentation software

  • User feedback collection for product improvement

  • Performance optimisation of our medical AI models

6.3 Communication and Support

  • Processing enquiries and technical support

  • Information about product updates and new features

  • Clinical study coordination with partner institutions


7. How We Share Your Personal Data

We do not sell, rent, or trade your personal data. We only disclose it where necessary for the purposes described in this policy and as permitted by law, with appropriate contractual safeguards in place. We may share data with:

  • Service providers and sub-processors who process data on our documented instructions (see Section 8);

  • Professional advisers such as lawyers, auditors, and tax advisers, where required;

  • Authorities where required or permitted by law, or to establish, exercise, or defend legal claims;

  • Successors in connection with a merger, acquisition, or reorganisation, subject to equivalent safeguards.

All third-party providers are bound by contract to protect your data, process it only on our instructions, and implement appropriate technical and organisational security measures.


8. Sub-Processors and Third-Party Services

8.1 EU Cloud Hosting

  • Server location: exclusively within the EU (France) — GDPR compliant

  • Full audit logging of all access; medical notes encrypted with AES-256

8.2 AI Processing (Medical Documentation)

  • Provider: meda AI GmbH — our own in-house AI models. We do not use any third-party or US-based AI providers (such as OpenAI or Google).

  • Purpose: real-time speech-to-text transcription and structuring of medical documentation.

  • Data location: exclusively on secure EU-based servers — no health data leaves the EU.

  • Retention: audio is processed in real time and deleted immediately — no permanent storage.

8.3 Website Analytics

  • Google Analytics (Google Ireland Limited) — anonymised website usage statistics only, with IP anonymisation enabled and a reduced retention period.

  • Loaded only after you consent via our cookie banner. You can opt out at any time via your browser or Google’s opt-out tool.

Other non-essential trackers (such as marketing and form tools) are loaded only after you provide consent through our cookie banner.


9. International Data Transfers

We process personal data exclusively within the European Union. No patient or health data leaves the EU. The only limited exception is website analytics, which may involve a transfer under the EU-US Data Privacy Framework with IP anonymisation applied. Where any transfer outside the EEA occurs, we ensure an appropriate safeguard recognised under the GDPR is in place.


10. Data Retention Periods

  • Audio recordings: deleted immediately after processing — never stored

  • Website logs: 7 days

  • Website analytics data: 14 months

  • Contact/registration data: until consent is withdrawn

  • Beta usage data: until end of beta phase + 3 months

  • Medical documentation: retained by the healthcare provider per medical retention requirements (typically 10 years)

  • Support communication: 3 years


11. Data Security and Technical Measures

  • EU-only server location (France) — GDPR compliant

  • Complete audit logging of all access

  • Consultation audio never stored (real-time processing only)

  • Medical notes encrypted with AES-256; data encrypted in transit (TLS)

  • Separate systems for different medical practices

  • Regular penetration testing and security assessments


12. Cookies and Tracking Technologies

12.1 Essential Cookies

  • Session management: user authentication and session maintenance

  • Security: CSRF protection and security headers

  • Functionality: language preferences and accessibility settings

12.2 Analytics and Marketing Cookies

  • Loaded only with your consent for website optimisation and marketing purposes

  • Managed through our consent banner with granular options; consent can be withdrawn at any time


13. Your Data Protection Rights (Articles 15–22 GDPR)

Under the GDPR you have the following rights in relation to your personal data:

  • Right of access (Art. 15): confirmation of whether we process your data and a copy of it.

  • Right to rectification (Art. 16): correction of inaccurate or incomplete data.

  • Right to erasure (Art. 17): deletion of your data in the circumstances set out in the GDPR.

  • Right to restriction (Art. 18): limitation of processing in certain cases.

  • Right to data portability (Art. 20): receipt of your data in a structured, machine-readable format.

  • Right to object (Art. 21): objection to processing based on legitimate interests or for direct marketing.

  • Right to withdraw consent: at any time, without affecting prior lawful processing.

How to exercise your rights: contact us at support@mymeda.ai. We will respond within one month of receipt, extendable by two further months for complex or numerous requests. meda does not engage in solely automated decision-making producing legal effects within the meaning of Art. 22 GDPR; any AI features support, and do not replace, human decision-making.

If your data is processed within the platform by your healthcare provider, please direct rights requests to that provider as the responsible controller.


14. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. The competent authority for meda is:

Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany. Email: poststelle@lda.bayern.de · Phone: +49 981 180093-0


15. Changes to This Privacy Policy and Contact

We may update this Privacy Policy when there are material changes to our data processing practices or legal requirements. We will notify you of significant changes by email and post the updated version at www.mymeda.ai with a new “Last updated” date.


Contact: meda AI GmbH · support@mymeda.ai · +49 152 02544938

Last updated: 06.07.2026

This notice is available in German and English. In case of any conflict between the versions, the German version takes precedence.