Privacy Policy

Effective date: • Version: 1.0

This Privacy Policy explains how Doctor Assistant ("Doctor Assistant", "we", "our", or "us") collects, uses, discloses, and protects information in connection with our applications, websites, and services (the "Service").

1. Information we collect

We collect information in the following categories:

| Category | Examples | Source |
|---|---|---|
| Account & contact | Names, emails, phone numbers, organization, role, login identifiers, SSO/SAML data. | Provided by you |
| Clinical inputs | DICOM studies (ultrasound/MRI/CT), reports, measurements, lab data (e.g., β‑hCG, CBC, thyroid, glucose), metadata, tags. | Uploaded by you or via integrations (PACS/EMR/LIS) |
| Usage & device | App/web activity, IP address, device IDs, crash logs, performance metrics, pages viewed. | Automatic collection |
| Integrations | Limited data from connected services (e.g., FHIR/HL7, cloud storage, Meta authentication). | Third‑party providers per your configuration |
| Support & communications | Tickets, feedback, call/chat transcripts, email content. | Provided by you |

We may de‑identify or aggregate data for analytics, reliability, and safety improvements.

2. How we use information

  • Provide, maintain, and improve the Service, including AI‑assisted analysis for OB‑GYN workflows.
  • Authenticate users, prevent fraud, enforce policies, and secure systems.
  • Operate integrations (PACS, EMR, LIS, cloud storage, Meta Login).
  • Communicate with you about updates, security, and support.
  • Comply with law and exercise legal rights.
  • With consent, provide product tips, training materials, or marketing.

3. Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, our processing relies on one or more of the following legal bases:

  • Contract — to provide the Service you requested.
  • Legitimate interests — e.g., to secure and improve the Service.
  • Consent — for optional features (e.g., certain analytics or marketing).
  • Legal obligation — to meet regulatory or court requirements.
  • Public interest / healthcare — where applicable for clinical safety.

4. Sharing & subprocessors

We share information only as needed to operate the Service, comply with law, or with your consent:

  • Subprocessors providing hosting, storage, compute, logging, email, and support tools, under data protection agreements.
  • Integrations you enable (e.g., PACS/EMR, Meta for authentication, cloud storage) per your settings.
  • In response to legal requests, or to protect rights or safety or to prevent fraud.
  • Business transfers in connection with mergers/acquisitions per legal requirements.

We provide a current list of subprocessors upon request and notify enterprise customers before material changes where feasible.

5. Retention

We retain information only as long as necessary to provide the Service, fulfill the purposes described in this Policy, comply with law, resolve disputes, and enforce agreements. Enterprise customers may configure retention windows and data residency. When retention ends, we delete or de‑identify data.

6. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES‑256) for supported data stores.
  • RBAC, SSO/SAML options, least‑privilege access, and audit logging.
  • Network isolation and vulnerability management.
  • Security reviews for subprocessors and incident response procedures.

7. International transfers

We may process data in countries other than yours. Where required, we use appropriate safeguards for international transfers (e.g., Standard Contractual Clauses). Regional data residency and on‑prem/VPC deployments are available for enterprise plans.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object to certain processing. You also have the right to withdraw consent where we rely on consent.

To exercise rights, email privacy@medgyno.ai. We may verify your request and, if we act as a processor for an enterprise customer, direct you to that customer (the controller).

For California residents, we honor rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of certain sharing. We do not sell personal information.

9. Cookies & tracking

We use essential cookies to operate the Service and, with your consent where required, analytics cookies to understand usage and improve performance. You can manage preferences in your browser or via our cookie banner where provided.

10. AI/ML & model improvement

By default, Customer Data is used only to provide the Service. If you opt in to model improvement, we may use de‑identified data to evaluate and enhance models. You can opt out at any time by contacting us. We do not use identifiable clinical data for advertising.

11. Healthcare data & PHI

For U.S. customers handling PHI, we can execute a Business Associate Agreement (BAA). For EEA/UK customers processing special categories of data, we implement appropriate safeguards. You are responsible for obtaining necessary consents and authorizations and for ensuring the lawful basis for processing patient data in your jurisdiction.

12. Children’s privacy

Where the law requires parental consent, we do not knowingly collect personal information from children without that consent. If you believe a child provided information, contact us and we will take appropriate steps.

13. Meta Platforms compliance (Facebook/Instagram)

If you connect Meta services (e.g., Facebook Login, Instagram Basic Display, or other Meta APIs):

  • Access & use. We only access the data types you authorize (e.g., basic profile, email) to provide login/linking. We do not sell Meta Platform Data.
  • Sharing. We do not share Meta Platform Data with third parties except subprocessors under contract.
  • Retention & deletion. We retain Meta Platform Data only as needed. If you revoke access or request deletion, we will delete related data promptly per Meta policies. See Data Deletion for instructions.
  • Security. Tokens and Platform Data are protected with industry‑standard controls and never embedded in client‑side code.

14. Changes

We may update this Policy from time to time. Material changes will be communicated via the Service or by email where feasible. Your continued use of the Service after changes become effective means you accept the updated Policy.

15. Contact & Data Protection Officer

Questions or requests? Contact us at privacy@medgyno.ai. If required by law, our Data Protection Officer (DPO) can be reached at the same address. Postal correspondence: Doctor Assistant, Cairo, Egypt (add your full address).


Enterprise customers: Additional terms in your Order Form, Data Processing Addendum (DPA), and Business Associate Agreement (BAA, where applicable) apply and will govern in the event of conflict.