Privacy Policy

What data we collect

We collect account data (email, name), profile data (travel preferences, vaccination history), usage data (pages visited, features used), and communication data (messages, support requests).

Why we process data

To provide and improve our services, personalize your experience, ensure security, comply with legal obligations, and communicate with you about your account.

Your rights

You can access, rectify, erase, restrict, port your data, object to processing, and lodge complaints with supervisory authorities.

We have appointed a Data Protection Officer (DPO) in accordance with GDPR Art. 37. You can contact our DPO for any questions regarding the processing of your personal data or the exercise of your rights under GDPR:

Data Protection Officer
Email: dpo@medova.health
EPKO SP. Z O.O., ul. Podleśna 2, 05-270 Marki, Poland

The data controller is EPKO SP. Z O.O., ul. Podleśna 2, 05-270 Marki, Poland. Contact: office@medova.health

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access controls with role-based permissions
• Regular security audits and penetration testing
• Multi-factor authentication available for all accounts
• Automated threat detection and monitoring

Security contact

To report security vulnerabilities, contact us at security@medova.health. We follow responsible disclosure practices.

Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission.

We use automated processing to generate informational health summaries based on publicly available WHO data and your optional health profile. These summaries are for educational purposes only and do not constitute medical advice or clinical recommendations. You may request a manual review of any automated output by contacting us at dpo@medova.health. Any personalization is based on your explicit preferences and can be adjusted or deleted at any time.

If you choose to create a health profile, we process the following data to generate informational travel health summaries. This processing is based on your explicit consent (GDPR Art. 9(2)(a)) and is for educational purposes only:

• Data processed: Age group, pregnancy status, immunosuppression status, chronic conditions, allergies, blood type (all optional)
• How it works: Your profile data is combined with publicly available WHO health indicators to generate informational summaries about commonly required vaccinations for your destination
• Transparency: The methodology is based on WHO International Travel and Health recommendations. Score thresholds and data sources are documented on each country page
• Right to opt out: You can delete your health profile at any time in Settings → Privacy. This will immediately remove all health-related data and disable personalized summaries
• No clinical decisions: Outputs are informational only and must not replace consultation with a qualified healthcare professional

In the event of a personal data breach, we follow GDPR Art. 33 and Art. 34 procedures:

• Supervisory authority notification: We will notify PUODO (the Polish Data Protection Authority) within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms
• User notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email and a prominent notice on our website
• Notification content: We will describe the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and contact details of our DPO
• Documentation: We maintain a register of all data breaches, including their effects and remedial actions taken, regardless of whether they are reportable

You have the right to lodge a complaint with the supervisory authority responsible for data protection. The competent authority for Medova is:

Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Tel.: +48 22 531 03 00
Website: www.uodo.gov.pl
Email: kancelaria@uodo.gov.pl

1. Log in to your account and go to Settings → Privacy
2. Select the action you want to perform (access, download, delete, etc.)
3. For complex requests, contact our DPO at dpo@medova.health
4. We will respond within 30 days (extendable by 60 days for complex requests)
5. You can lodge a complaint with PUODO at any time (see Supervisory Authority section above)

Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately and we will delete it.

• This Privacy Policy describes how EPKO SP. Z O.O. ("we", "us", "Medova") processes your personal data.
• We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and applicable Polish law.
• By using our services, you acknowledge that you have read and understood this Privacy Policy.

• We process personal data that you provide directly (registration, forms, communication).
• We collect technical data automatically (IP address, browser type, device information).
• We may receive data from third parties (social login providers, payment processors).
• Health-related data (vaccination history) is processed only with your explicit consent.

• Account data: email address, name, password (hashed), profile picture
• Profile data: travel preferences, vaccination history, health conditions (optional)
• Usage data: pages visited, features used, time spent, device information
• Communication data: messages, support tickets, feedback
• Transaction data: payment history, subscription status

• Hosting and infrastructure providers (Supabase, Vercel)
• Payment processors (Stripe) - for premium services
• Analytics services (Google Analytics) - anonymized data only
• Clinics - only when you explicitly choose to share your data for appointment booking
• Legal authorities - when required by law or court order

• Some service providers are located outside the EEA (primarily USA).
• We ensure adequate protection through EU-approved Standard Contractual Clauses.
• We only use providers that comply with GDPR requirements or equivalent standards.

1. Right of access - obtain a copy of your personal data
2. Right to rectification - correct inaccurate data
3. Right to erasure - delete your data ("right to be forgotten")
4. Right to restriction - limit how we process your data
5. Right to data portability - receive your data in a machine-readable format
6. Right to object - object to processing based on legitimate interests
7. Right to withdraw consent - withdraw consent at any time
8. Right to complain - lodge a complaint with your supervisory authority (PUODO in Poland)

• Account data: retained while your account is active, plus 5 years after deletion for legal compliance
• Transaction data: 7 years (Polish tax law requirement)
• Analytics data: anonymized after 26 months
• Communication data: 3 years after last contact
• You can request deletion at any time, subject to legal retention requirements

• We implement technical and organizational measures to protect your data.
• All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
• We conduct regular security audits and penetration testing.
• Access to personal data is limited to authorized personnel only.
• We maintain incident response procedures for data breaches.

• We may update this Privacy Policy from time to time.
• Significant changes will be communicated via email or prominent website notice.
• Continued use of our services after changes constitutes acceptance.
• Previous versions are archived and available upon request.