Privacy Policy
Last updated: April 27, 2026
This Privacy Policy explains how MEDTEK KI AS, operator of medtek.ki ("we", "us", "our"), collects, uses, and protects your information when you use our Service. We are committed to complying with the EU General Data Protection Regulation (GDPR) and applicable data protection laws in your jurisdiction.
1. Data Controller
The data controller for the processing of your personal data is MEDTEK KI AS (Norwegian org. nr. 937565704), operator of medtek.ki, registered in Norway. For questions about data protection, contact us at support@medtekki.no.
2. Data We Collect
Account information:
- Email address
- Name (if provided)
- Country and regulatory region (for relevant guidance)
- Professional role
Usage data:
- Chat conversations (text messages you send and AI responses)
- Photos you upload of device nameplates, error screens, or equipment
- Work order drafts generated from conversations
- Device identifiers extracted from photos (serial numbers, model numbers, etc.)
Technical data:
- Browser type and device information
- IP address
- Usage patterns (pages visited, features used)
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Performance of contract (Art. 6(1)(b)) — processing necessary to provide the Service, including sending your messages to our AI provider, storing conversations, and generating work order drafts.
- Legitimate interest (Art. 6(1)(f)) — improving the Service, using past conversation context to provide more relevant AI responses, security monitoring, and fraud prevention.
- Legal obligation (Art. 6(1)(c)) — retaining records as required by applicable law.
- Consent (Art. 6(1)(a)) — where applicable, for optional features or communications. You may withdraw consent at any time.
4. How We Use Your Data
- To provide the Service: your conversations are sent to our AI providers (Anthropic Claude, and Google Gemini as a fallback) for generating responses. Conversation text is also embedded by OpenAI to power semantic search across your past chats.
- To improve your experience: past conversation context helps the AI give more relevant suggestions for devices you frequently work on.
- To send you important service-related communications.
5. Anonymized Public Knowledge Contributions
When you reach a resolution in a troubleshooting conversation, we may anonymize and aggregate that information into public knowledge content (such as device troubleshooting wiki pages) to help other technicians solve similar problems. The legal basis for this is legitimate interest under GDPR Art. 6(1)(f): building a shared repair-knowledge base for the clinical-engineering community.
What gets removed before publication:
- Your name and account information
- Your hospital, facility, or organization name
- City and country (we keep regulatory region only — e.g. EU, US)
- Specific serial numbers and asset tags (model numbers are kept)
- Any patient-identifiable references
- Email addresses, phone numbers, and other direct identifiers
What gets published:
- Manufacturer and device model
- Error code or symptom described
- Likely causes and verified fix steps
- Aggregate statistics (e.g. "based on 5 reports from clinical engineers")
Each candidate page is reviewed by a human (currently the founder, a clinical engineer) before publication. We do not auto-publish.
Opt out at any time: in Settings you can toggle "Share anonymized contributions to public wiki" off. When this is off, going forward none of your conversations will be used to generate or update public wiki pages. Already-published aggregate content that includes your prior anonymized contributions cannot be selectively withdrawn, since it is no longer linked to you. You may still request full account deletion under Section 10 (Your Rights).
6. Third-Party Services (Sub-Processors)
We use the following third-party services to provide and operate the Service. We have data processing agreements (DPAs) in place with these providers where required by GDPR:
AI providers (process chat content):
- Anthropic (Claude) — processes your chat messages and images to generate troubleshooting responses. United States.
- Google (Gemini API) — processes chat messages as a fallback when Claude is unavailable, and during background content extraction tasks. United States.
- OpenAI — generates vector embeddings of conversation text and device knowledge to power semantic search. We do not send your photos to OpenAI. United States.
Infrastructure:
- Supabase — hosts our database and file storage. Data stored in EU region (Paris).
- Vercel — hosts our web application. United States.
- uniweb.no — relays transactional emails. Receives your email address and the message body. Norway / EEA.
Authentication:
- Clerk — manages sign-up and sign-in and sends verification-code emails. Receives your email address and authentication activity. Apple and Google sign-in, if you use them, are handled through Clerk. United States.
- Apple — handles "Sign in with Apple." Receives the authentication request; we receive your verified email and Apple user ID.
- Google — handles "Sign in with Google." Receives the authentication request; we receive your verified email and Google user ID.
Payments:
- Stripe — processes subscription payments if you subscribe to a paid plan. Receives your billing email, country, and (when paying) card details. Card numbers never touch our servers. United States.
7. International Data Transfers
Some of our sub-processors are based in the United States. When your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework (DPF) certification of the receiving party, or
- Standard Contractual Clauses (SCCs) approved by the European Commission, or
- Other valid transfer mechanisms under GDPR Chapter V.
You may request information about the specific safeguards in place by contacting us at support@medtekki.no.
8. Data Storage and Retention
- Account and conversation data is stored in Supabase's EU region infrastructure.
- Conversations and work order drafts are retained as long as your account is active.
- You can delete individual conversations from the app at any time.
- If you delete your account, we will delete your personal data within 30 days, except where retention is required by applicable law.
- Technical logs are retained for up to 90 days for security and debugging purposes.
9. Automated Decision-Making (GDPR Article 22)
The Service uses AI to generate troubleshooting suggestions and work order drafts. This constitutes automated processing but does not produce legal effects or similarly significant effects on you. AI-generated content is advisory only — you make all final decisions about device repairs and work order submissions. No automated decisions are made about your account status or access based solely on automated processing.
10. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data ("right to be forgotten")
- Data portability — receive your data in a structured, machine-readable format
- Restriction — restrict processing of your data in certain circumstances
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise these rights, contact us at support@medtekki.no. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with your local data protection authority. For users in the EEA, this includes the supervisory authority in your country of residence.
11. Photos and Images
Photos you upload are:
- Sent to Anthropic (Claude) or Google (Gemini) for AI analysis during your chat session, depending on which model handles your request
- Not stored permanently on our servers after processing
- Your responsibility to ensure they do not contain patient-identifiable information (PHI/PII)
12. Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), row-level security in our database, secure authentication, and access controls. However, no system is 100% secure. You are responsible for keeping your login credentials confidential. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority as required by GDPR Articles 33 and 34.
13. Cookies
We use essential cookies for authentication and session management. These are strictly necessary for the Service to function and do not require consent under GDPR. We do not use tracking, analytics, or advertising cookies.
14. Children
The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
16. Contact
For questions about this Privacy Policy or to exercise your data protection rights, contact us at support@medtekki.no.