Privacy Policy
Last updated: April 2026 (Russian translation in progress; the text below is in English)
Data Controller
The controller of your personal data processed via mediflo.ai is Mediflo sp. z o.o., with its registered office in Warsaw at ul. Marcina Kasprzaka 29/1801, 01-234 Warsaw, Poland, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0001193874, NIP 5273181776, REGON 542709612, share capital PLN 5,000.00 (fully paid).
Correspondence address: Grzybowska 60, 00-844 Warsaw, Poland. Email: [email protected]. Phone: +48 732 144 308.
Data Protection Officer
The controller has not appointed a Data Protection Officer (DPO). This decision was made following a written assessment in accordance with the accountability principle (Art. 24 GDPR) and the criteria set out in Art. 37(1) GDPR. For any matters related to the processing of personal data, please contact us at: [email protected].
What Data We Collect
Through the marketing website, we collect the following categories of personal data:
- Contact details voluntarily provided via the contact form: full name, email address, phone number (optional), company or clinic name, message content.
- Cookie consents and preferences stored in the mediflo_consent cookie to remember your choices.
- Technical data automatically collected on every visit: IP address, browser type, operating system, referring page, date and time of visit, pages viewed. This data is collected for statistical and security purposes.
- Consent metadata captured when you submit the contact form: timestamp, consent label version, marketing consent choices. This data is necessary to demonstrate GDPR compliance.
Processing Purposes and Legal Bases
We process your personal data for the following purposes and on the following legal bases:
- Responding to your inquiry — legal basis: Art. 6(1)(b) GDPR (steps taken at the request of the data subject prior to entering into a contract) and Art. 6(1)(f) GDPR (legitimate interest in handling correspondence).
- Direct marketing by email — only with your explicit consent, legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 398 of the Polish Electronic Communications Act.
- Direct marketing by phone — only with your explicit consent, legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 398 of the Polish Electronic Communications Act.
- Website analytics — after you give consent in the cookie banner, legal basis: Art. 6(1)(a) GDPR.
- Security and abuse prevention — legal basis: Art. 6(1)(f) GDPR.
- Compliance with legal obligations (accounting, archiving, defense against claims) — legal basis: Art. 6(1)(c) GDPR.
Data Recipients
In the course of providing our services, we use third-party processors that process data on our behalf under data processing agreements. We transfer your data to the following categories of recipients:
- Hosting infrastructure and CDN providers
- Web analytics providers
- Speech synthesis and recognition providers used by the voice bot demo on the homepage
- Transactional email service providers
- CRM and sales tooling providers
- External advisors (legal, accounting) acting under separate data processing agreements and confidentiality obligations
A full list of sub-processors, including vendor names, countries of establishment and safeguards applied, is available on request at [email protected].
Transfers Outside the EEA (Marketing Website)
For traffic analytics and content optimization, the mediflo.ai marketing website uses Google Tag Manager and Google Analytics 4 provided by Google LLC (United States). These scripts are loaded only after you give consent in the cookie banner — consent is denied by default.
Transfers to the United States take place on the basis of the European Commission's adequacy decision of 10 July 2023 under the EU-US Data Privacy Framework. Google LLC is a participant in this program. Standard Contractual Clauses (SCCs) are additionally in place as a fallback mechanism.
You can withdraw your consent at any time via the cookie settings panel in the site footer; withdrawal immediately stops further transfers.
This exception applies only to marketing-website analytics. Data processed by the Mediflo platform (SaaS product) remains within the European Economic Area without exceptions — see the section below.
Mediflo Platform Data Processed Exclusively in the EU
All personal data entrusted to Mediflo in the context of the Mediflo SaaS platform (including call recordings, transcripts, patient data, clinic staff data, and platform user data) is processed exclusively on servers located in the European Economic Area (EEA).
This also applies to services delivered by technology vendors with their legal seat outside the European Union — we have contractual guarantees in place ensuring storage and processing exclusively in EEA regions. Platform data is not transferred to third countries (including the United States) regardless of the vendor's legal seat.
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Contact-form inquiries: 3 years from the last contact, or until withdrawal of consent for marketing channels.
- Marketing consents (email, phone): until consent is withdrawn, plus an additional 3 years for accountability purposes.
- Analytics data (Google Analytics 4): 14 months.
- Cookie consent records: 12 months.
- Claims-related data: until the relevant limitation periods expire (3 years for B2B claims or 6 years for general civil claims).
- Data retained for legal obligations: in accordance with statutory retention periods (e.g., accounting, archiving).
Your Rights
Under GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) — you may obtain information about what data we process.
- Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten", Art. 17 GDPR) — you may request deletion of your data in specified cases.
- Right to restrict processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) — you may receive your data in a structured, commonly used format.
- Right to object to processing (Art. 21 GDPR), in particular against direct marketing.
- Right to withdraw consent at any time (Art. 7(3) GDPR). Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise these rights, contact us at [email protected].
Right to Lodge a Complaint
If you believe the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority:
President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stanisława Moniuszki 1A, 00-014 Warsaw, Poland. Website: https://uodo.gov.pl.
Voluntary Nature of Data Provision
Providing personal data is voluntary; however, some data is necessary to carry out specific actions. In particular, providing your name, email address, company name, and message content via the contact form is a condition for receiving a response to your inquiry. Failure to provide this data will prevent us from getting back to you.
Automated Decision-Making and Profiling
On the mediflo.ai marketing website, we neither make automated decisions nor apply profiling within the meaning of Art. 22 GDPR that would produce legal effects or similarly significantly affect you.
Cookies
The website uses cookies and similar technologies. We use strictly necessary cookies (no consent required) and analytics/marketing cookies (loaded only after your consent). For detailed information about cookie types, purposes, retention periods, and how to manage your consent, see our Cookie Policy.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access control, 24/7 monitoring, regular security audits, and employee training. Detailed information about our security measures is available on our Security page.
Changes to This Privacy Policy
This Privacy Policy may be updated to reflect changes in our practices or applicable legislation. We will announce material changes on the website at least 14 days in advance. The current last-updated date is shown at the top of this policy.
Data Protection Contact
For matters related to personal data processing, including to exercise your rights, please contact us:
Mediflo sp. z o.o., ul. Marcina Kasprzaka 29/1801, 01-234 Warsaw, Poland. Email: [email protected]. Phone: +48 732 144 308.