1. Introduction
meda AI GmbH (“meda”, “we”, “us”, or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you visit our website at www.mymeda.ai, contact us or request information about our products and services, register for or use the beta version of our physician platform, or take part in clinical research conducted with our partner medical institutions.
We treat your personal data confidentially and in accordance with statutory data protection regulations, in particular Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and applicable German data protection law (the Federal Data Protection Act, BDSG, and the Digital Services Act, DDG).
We act as a data controller for the personal data we process to operate this website and to communicate with prospective and existing customers. When our platform is used by a healthcare provider, we instead act as a data processor, as explained in Section 3.
Important notice for patients: If your personal data is processed within the platform by your healthcare provider, this Privacy Policy does not govern how that provider uses your data. Your healthcare provider is the data controller for that processing, and you should refer to their own privacy notice. See Section 3 for details of our role as a data processor.
This Privacy Policy serves to inform you in accordance with Articles 13 and 14 GDPR.
2. Who We Are and How to Contact Us
Data Controller: meda AI GmbH, Distlhofweg 18, 81369 Munich, Germany.
Email: support@mymeda.ai
Phone: +49 152 02544938
For any privacy-related enquiry, please contact us by email at support@mymeda.ai or by post at the address above.
3. Our Role: Data Controller and Data Processor
meda as data controller. When you visit our website, submit an enquiry, request information, register for the beta programme, or otherwise interact with us as a prospective or existing customer, meda determines the purposes and means of processing your personal data and acts as the data controller in accordance with this Privacy Policy.
meda as data processor. When our platform is used by a customer organisation (such as a medical practice, clinic, or hospital), that organisation is the data controller for the personal data processed within the platform, including:
patient data, health records, and clinical information;
account data for healthcare professionals and practice staff; and
other personal data entered, uploaded, or generated within the platform by the customer.
Acting as a data processor, we process such data only on the customer’s documented instructions as set out in the applicable Data Processing Agreement (DPA). We do not use it for our own purposes, we apply appropriate technical and organisational security measures, we assist the customer with data subject rights requests, we notify the customer without undue delay of any personal data breach, and we delete or return the data at the end of the service, unless retention is required by law.
If you are a patient whose data is processed within the platform provided to your healthcare provider, that provider — not meda — is the controller responsible for your data. Please direct any questions, requests, or complaints to your healthcare provider, whose privacy notice applies to that processing.
4. Categories of Personal Data We Process
4.1 Website Visitor Data
Browser information (type, version, operating system)
Usage data (pages visited, time spent, click patterns)
Referrer URL and search terms
Device information (screen resolution, device type)
Cookies and tracking technologies (see Section 12)
4.2 Professional User Registration Data
First and last name
Email address
Professional information (medical practice, specialty, licence)
Phone number (optional)
Feedback and support requests
4.3 Beta Platform Usage Data
Authentication data (login credentials, session tokens)
Usage analytics (feature usage, session duration, error logs)
Performance metrics (system response times, error rates)
Feedback and support communications
Technical logs (automatically anonymised after 30 days)
4.4 Special Categories of Data (Health Data)
Where our platform is used to support clinical documentation, we process special categories of data — in particular health data — solely as a data processor on behalf of our customers. Consultation audio is processed in real time and deleted immediately; it is never permanently stored.
5. Legal Bases for Processing
We only process your personal data where we have a lawful basis under the GDPR. Depending on the context, we rely on:
Art. 6(1)(a) GDPR — consent (e.g. contact forms, newsletter, non-essential cookies);
Art. 6(1)(b) GDPR — performance of a contract (e.g. beta platform access);
Art. 6(1)(c) GDPR — compliance with a legal obligation;
Art. 6(1)(f) GDPR — legitimate interests (e.g. website operation, security, product development).
Where health data is processed within the platform, the relevant conditions of Art. 9(2) GDPR apply and are determined by the healthcare provider acting as controller. You may withdraw any consent at any time without affecting the lawfulness of processing carried out beforehand.
6. Purposes of Data Processing
6.1 Website Operation
Website provision and technical optimisation
Usage statistics analysis (see Section 8)
IT security assurance
6.2 Beta Testing and Product Development
Function testing of AI-powered documentation software
User feedback collection for product improvement
Performance optimisation of our medical AI models
6.3 Communication and Support
Processing enquiries and technical support
Information about product updates and new features
Clinical study coordination with partner institutions
7. How We Share Your Personal Data
We do not sell, rent, or trade your personal data. We only disclose it where necessary for the purposes described in this policy and as permitted by law, with appropriate contractual safeguards in place. We may share data with:
Service providers and sub-processors who process data on our documented instructions (see Section 8);
Professional advisers such as lawyers, auditors, and tax advisers, where required;
Authorities where required or permitted by law, or to establish, exercise, or defend legal claims;
Successors in connection with a merger, acquisition, or reorganisation, subject to equivalent safeguards.
All third-party providers are bound by contract to protect your data, process it only on our instructions, and implement appropriate technical and organisational security measures.
8. Sub-Processors and Third-Party Services
8.1 EU Cloud Hosting
Server location: exclusively within the EU (France) — GDPR compliant
Full audit logging of all access; medical notes encrypted with AES-256
8.2 AI Processing (Medical Documentation)
Provider: meda AI GmbH — our own in-house AI models. We do not use any third-party or US-based AI providers (such as OpenAI or Google).
Purpose: real-time speech-to-text transcription and structuring of medical documentation.
Data location: exclusively on secure EU-based servers — no health data leaves the EU.
Retention: audio is processed in real time and deleted immediately — no permanent storage.
8.3 Website Analytics
Google Analytics (Google Ireland Limited) — anonymised website usage statistics only, with IP anonymisation enabled and a reduced retention period.
Loaded only after you consent via our cookie banner. You can opt out at any time via your browser or Google’s opt-out tool.
Other non-essential trackers (such as marketing and form tools) are loaded only after you provide consent through our cookie banner.
9. International Data Transfers
We process personal data exclusively within the European Union. No patient or health data leaves the EU. The only limited exception is website analytics, which may involve a transfer under the EU-US Data Privacy Framework with IP anonymisation applied. Where any transfer outside the EEA occurs, we ensure an appropriate safeguard recognised under the GDPR is in place.
10. Data Retention Periods
Audio recordings: deleted immediately after processing — never stored
Website logs: 7 days
Website analytics data: 14 months
Contact/registration data: until consent is withdrawn
Beta usage data: until end of beta phase + 3 months
Medical documentation: retained by the healthcare provider per medical retention requirements (typically 10 years)
Support communication: 3 years
11. Data Security and Technical Measures
EU-only server location (France) — GDPR compliant
Complete audit logging of all access
Consultation audio never stored (real-time processing only)
Medical notes encrypted with AES-256; data encrypted in transit (TLS)
Separate systems for different medical practices
Regular penetration testing and security assessments
12. Cookies and Tracking Technologies
12.1 Essential Cookies
Session management: user authentication and session maintenance
Security: CSRF protection and security headers
Functionality: language preferences and accessibility settings
12.2 Analytics and Marketing Cookies
Loaded only with your consent for website optimisation and marketing purposes
Managed through our consent banner with granular options; consent can be withdrawn at any time
13. Your Data Protection Rights (Articles 15–22 GDPR)
Under the GDPR you have the following rights in relation to your personal data:
Right of access (Art. 15): confirmation of whether we process your data and a copy of it.
Right to rectification (Art. 16): correction of inaccurate or incomplete data.
Right to erasure (Art. 17): deletion of your data in the circumstances set out in the GDPR.
Right to restriction (Art. 18): limitation of processing in certain cases.
Right to data portability (Art. 20): receipt of your data in a structured, machine-readable format.
Right to object (Art. 21): objection to processing based on legitimate interests or for direct marketing.
Right to withdraw consent: at any time, without affecting prior lawful processing.
How to exercise your rights: contact us at support@mymeda.ai. We will respond within one month of receipt, extendable by two further months for complex or numerous requests. meda does not engage in solely automated decision-making producing legal effects within the meaning of Art. 22 GDPR; any AI features support, and do not replace, human decision-making.
If your data is processed within the platform by your healthcare provider, please direct rights requests to that provider as the responsible controller.
14. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. The competent authority for meda is:
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany. Email: poststelle@lda.bayern.de · Phone: +49 981 180093-0
15. Changes to This Privacy Policy and Contact
We may update this Privacy Policy when there are material changes to our data processing practices or legal requirements. We will notify you of significant changes by email and post the updated version at www.mymeda.ai with a new “Last updated” date.
Contact: meda AI GmbH · support@mymeda.ai · +49 152 02544938
Last updated: 06.07.2026
This notice is available in German and English. In case of any conflict between the versions, the German version takes precedence.
