Privacy Policy

Updated 24 August 2022

The following Privacy Policy (hereinafter referred to as the “Policy” / “Privacy Policy”) was designed for the users of the website www.medicai.io and it will be reviewed and updated periodically according to all applicable laws and regulations.

The purpose of this Privacy Policy is to easily inform you about:

  1. The definitions of the terms provided by the GDPR
  2. Who is MEDICAI
  3. Where can you find us and how can you contact us
  4. Categories of personal data, purpose, legal basis, collection method, and retention period
  5. The disclosure of your personal data to third parties
  6. Which are your rights and how can you effectively exercise them
  7. Children’s personal data. We do not process data for children under 16 years old!
  8. What security precautions does MEDICAI have in place to protect your personal data
  9. Links to other websites
  10. Updates to this Privacy Policy
  11. Information concerning Data Protection Supervisory Authority


  1. The definitions of the terms provided by the GDPR

NSAPDP represents The National Supervisory Authority for Personal Data Processing, the Romanian independent public authority responsible for compliance with the protection of personal data requirements;

Personal data represents any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing represents any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Restriction of processing represents the marking of stored personal data with the aim of limiting their processing in the future;

Controller represents the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

The processor represents a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;

The recipient represents a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether it is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with the European Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

Third party represents a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

Data Breach represents a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

2. Who is MEDICAI?

www.medicai.io is the official website (hereinafter referred to as the “Platform”) of INNOVATOR ARTIFICIAL TECH S.R.L., a Romanian legal entity, based in Bucharest, district 1, 29 Mușetești street, lot 1, ground floor, room 4, ap. 42, registered at the Trade Register under no. J40/10801/2017, CUI (fiscal code) 37862579 (hereinafter referred to as “MEDICAI”).

According to the provisions of the General Regulation no. 2016/679 on data protection (“GDPR” / “GDPR Regulation”) and the national legislation in force, in relation to personal data processed through the website www.medicai.io, MEDICAI has the capacity of controller of personal data, and visitors of the site and the persons who register on our website are data subjects.

MEDICAI observes the confidentiality and security of personal data, constantly ensuring that all personal data is processed only for specific, explicit, and legal purposes, according to the principles and provisions of the GDPR.

3. Where can you find us and how can you contact us

With respect to any information regarding the personal data we process you can contact us:

  • by e-mail at: dpo@medicai.io
  • by postal service with registered letter and confirmation of receipt at 53-55 Nicolae Filipescu street, room 5, floor 4, district 2, Bucharest

4. Categories of personal data, purpose, legal basis, collection method, and retention period

Generally, we collect personal data directly from you so that you have control over the type of information you provide to us. 

To easily identify the personal data we process, we have combined them into several categories according to the purpose of processing.

Therefore, MEDICAI processes the users’ Personal data, as follows: 

Category A – Creating the account on the Platform

Data subject

The patient and the doctor create a user account on the Platform.

In this Policy, any reference to the doctor, as a data subject, includes, in a broad sense, both the medical and non-medical auxiliary staff, such as nurses and receptionists, as well as the administrator of the medical unit or any other delegated medical representative, who have user accounts on the Platform.

Personal data

Name, surname, e-mail address. 

In addition, for the configuration of the user profile of the patient a series of personal data can be processed, such as country and city of residence, phone number, personal numeric code, and an avatar image, these data being optional and not limiting the use of the Platform.

For the configuration of the user profile of the doctor, we process the following additional personal data: country and city of residence, phone number, professional title, and medical specialization.

Purpose and legal basis

MEDICAI processes personal data to register user accounts on the Platform in order to offer access to the functions of the Platform.

Personal data are processed on the basis of the consent of the data subject, provided by art. 6 para. (1) lit. a) of the GDPR.

Collection method and retention period 

The collection of personal data is done directly, by the voluntary transmission by the data subject in order to use the functions of the Platform at the time of creating the account on the Platform.

Personal data is stored for as long as the data subject's account is active on the Platform. 

Category B – Use of the Platform for medical assistance, diagnosis, and treatment

Data subject

The patient who wants to access the services offered by doctors through the Platform.

Personal data

In addition to the processing of personal data mentioned in Category A above, MEDICAI may process, as appropriate, medical data such as medical imaging analysis (MRI, CT, PET-CT, X-ray, Ultrasound); symptoms, past illnesses, allergies, diagnosis, medical tests and medications administered in the past, blood type, medical recommendations, medical history of your family, other information you give us about your family members and your kinship relations, the medical data contained in the referral note and in the medical report, genetic data.

Also, MEDICAI may process the content of medical-specific conversations carried out between the patient and the doctor/ medical entity through the Platform.


Purpose and legal basis

MEDICAI processes personal data for the provision of our services for the purpose of (i) hosting your MRI, CT, X-ray, Ultrasound, and PET-CT investigations on the MEDICAI Platform, as well as the documents in the usual PDF, DOC, and JPG format, as well as viewing them; (ii) evaluation of such documentation by doctors who have accounts created on the MEDICAI Platform, at your request and following their contact by you; (iii) online imaging interpretation for MRI, CT, X-ray, Ultrasound, and PET-CT, performed by doctors, at your request, (iv) facilitating patient-doctor collaboration for purposes related to the establishment of a medical diagnosis, the provision of medical services and healthcare, requested by you; (v) the online submission of your medical imaging investigations at your request.

Personal data are processed on the basis of the explicit consent of the data subject, provided by art. 6 para. (1) lit. a) of the GDPR, when the processing is necessary for purposes related to the provision of medical services and medical assistance, the establishment of a medical diagnosis and treatment by doctors/ medical entities having accounts created on the Platform, following your request. The consent for the personal data processing activities in this section can be withdrawn at any time by the data subject, through a written request sent to the e-mail address dpo@medicai.io. The withdrawal of consent does not affect the legality of the processing carried out up to that point.

In this Policy, any reference to medical entities includes clinics, hospitals, and any medical institutions, both public and private, with which MEDICAI has entered into contractual relationships, as long as such medical entities have an active user account on the Platform.

Collection method and retention period 

The collection of personal data is made directly by the data subject, by uploading on his/her account on the Platform the medical information and documents (MRI, CT, PET-CT, X-ray, Ultrasound, medical blood tests, medical reports, documents containing medical diagnoses, etc.).

The collection of personal data is also made directly when the data subject communicates with the doctor/ medical entity having an account on the Platform, through the messaging and chat functions integrated into the Platform.

The collection of the personal data can also be done indirectly, by uploading such data by the medical entity and/ or the doctor who treated the patient, following the request made by the patient in this regard.

Medical data is processed by MEDICAI following the patient's request for medical assistance, diagnosis and treatment addressed to a doctor/ medical entity with an active account on the Platform. 

Under no circumstances does MEDICAI process medical data in the absence of a prior request initiated by the patient regarding the receipt of medical care, diagnosis, and treatment by a doctor/ medical entity with an active account within the Platform.

Personal data is stored for as long as the data subject's account is active on the Platform unless otherwise provided by law.

If there is no legal requirement, we will only store medical data for as long as is necessary for the processing of data for the purposes indicated in this Policy. 

From the moment you deactivate your account created on the Platform, your personal data will be deleted or anonymized. 

If your data is anonymized, such data can be used by MEDICAI for scientific research purposes, as indicated below.

Considering the specificity of our activity of hosting medical documentation and investigations in order to be further evaluated and interpreted by doctors/ medical entities with which MEDICAI has contractual relations, respectively the specificity of our activity of scientific research in the medical field (for example for the development of the AI-type Systems), your medical data will be stored in accordance with specific legal provisions in the field of health. 

In addition, your data may be stored for the purpose of complying with a legal obligation to which we are subject, such as reporting to the competent health authorities or carrying out any checks done by the legal authorities. 

In accordance with specific health regulations, the medical history cannot be deleted.

Data related to payments/ invoicing will be stored in accordance with the applicable legislation.

To store your data in electronic format, we use our own servers or those of other companies specialized in electronic archiving.


*Please note that MEDICAI does not provide healthcare or diagnostic and treatment activities, having only the function of hosting the data collected according to this Policy and mediating the relationship between patients and doctors/ medical entities having active accounts on the Platform. MEDICAI is not responsible for the processing activities carried out in their own name by doctors/ medical entities, as data controllers. In this regard, please refer to the privacy policies available on their websites.


Category C – Subscribe to the newsletter

Data subject

Visitors to our website who do not have an active user account on the Platform, as well as the patient and doctors who create a user account on the Platform, when they subscribe to our newsletter.  

Personal data

E-mail address. 

Purpose and legal basis

MEDICAI processes personal data in order to transmit personalized communications to the data subjects.

Personal data are processed on the basis of the consent of the data subject, provided by art. 6 para. (1) lit. a) of the GDPR.

Collection method and retention period 

The collection of personal data is done directly by the data subject, by the voluntary transmission made on the occasion of subscribing to our newsletter.

Personal data is stored for as long as you remain a subscriber to the newsletter, or until you unsubscribe from the newsletter.


Category D – Visiting the Platform 

Data subject

Visitors to our website who do not have an active user account on the Platform, as well as the patient and the doctor who have an active user account on the Platform and use its functions.

Personal data

Essential data - standard technical information for connecting to the internet, which may include: information about the computer or device used to access the Platform (device type, operating system, screen resolution, language, country where you are, type of web browser used, etc.), a truncated version of the IP address or your preferences regarding cookies that process personal data;

Non-essential data - statistical data such as the city of connection to our site, demographic information, number of visitors, interval and duration of access to the site, the share of viewing sections, as well as other information regarding the online interests and actions of our website visitors;

Purpose and legal basis

MEDICAI may process personal data collected through the Platform for the following purposes and legal basis:

Essential data - standard technical connection data is required to technically ensure the functionality, optimization, and security of the Platform.

The technical data is processed to facilitate your access to the Platform (for example, to adjust the size of the site according to the characteristics of the device used), to recognize and stop any improper use of the Platform, etc.

Personal data in this category are processed under art. 6 para. 1 letter f) of the GDPR Regulation, which allows us to process personal data when it is necessary for the purpose of our legitimate interests related to the functionality of the Platform.

Non-essential data - personal data in this category is collected to improve our services as well as for marketing purposes. 

We may collect aggregate analytical statistics, as defined above, using cookies created by other companies such as Google Analytics.

According to Google Analytics policy, "Google Analytics is an easy-to-use tool that helps site owners measure how users interact with the content of a webpage."

You can disable or restrict the transmission of cookies by changing the settings of the browser used. At the same time, cookies that are already stored can be deleted at any time.

For more information on how you can modify or delete the data processed by each cookie, see the Cookies Policy, available on our site.

Personal data in this category are processed under art. 6 para. 1 letter a) of the GDPR - the consent of the data subject.

Collection method and retention period 

The collection of data is made automatically on the occasion of accessing the Platform, through essential and non-essential cookies. Personal data is stored according to the periods indicated in the Cookie Policy.


Category E – Using the book a demo function 

Data subject

Visitors to our website who do not have an active user account on the Platform, as well as the patient and doctor who have an active user account on the Platform, when they want to benefit from the book a demo function.

Personal data

Name, surname, e-mail address, and phone number.

Purpose and legal basis

MEDICAI processes your personal data when you fill in the form related to the book a demo function, available within the Platform, in order to schedule a free phone call with a MEDICAI representative to provide additional information on the services integrated into the MEDICAI Platform, such as online uploading of the patient's archive, the transmission of investigations and communication (including video) between the patient and the doctor.

Personal data in this category are processed under art. 6 para. 1 letter f) of the GDPR Regulation, which allows us to process personal data when it is necessary for the purpose of our legitimate interests.

Collection method and retention period

The collection of personal data is carried out directly by the data subject, by voluntary transmission on the occasion of completing the book a demo form, available within the Platform.

Personal data is stored for the period necessary to manifest our legitimate interests.

Category F – Using the lead magnets marketing feature

Data subject

Visitors to our website who do not have an active user account on the Platform, as well as the patient and doctors who have an active user account on the Platform, when they use the lead magnets marketing feature.

Personal data

Name, surname, e-mail address, and the name of the employing company.

Purpose and legal basis

MEDICAI processes your personal data when completing the fields related to the marketing function through the lead magnets services, in order to: (i) provide materials regarding the activity carried out by MEDICAI and the services provided through the Platform, as well as other information of interest for the person concerned; (ii) subsequent contact by MEDICAI through means of communication with a human operator, as well as electronic means, in order to provide additional information; (iii) providing, in the future, other materials and information similar to those received at the time of initial collection of personal data.

Personal data in this category are processed under art. 6 para. 1 letter f) of the GDPR Regulation, combined with the provisions of art. 12 para. (2) from Law no. 506/2004, which allows us to process personal data when it is necessary for the purpose of our legitimate interests. For the purpose of further contacting the data subjects by electronic means, MEDICAI processes personal data based on the consent of the data subject, provided by art. 6 para. (1) lit. a) from the GDPR.

Collection method and retention period

The collection of personal data is carried out directly by the data subject, by voluntary transmission on the occasion of completing the fields related to the marketing function through the lead magnets services. The data subject has the right to object to the processing of his/her personal data, respectively to withdraw their consent, at any time, by sending a written request to the e-mail address dpo@medicai.io.

Personal data is stored for the period necessary to manifest our legitimate interests, respectively until the time when the data subject withdraws his consent.


Category G – Contacting us

Data subject

Visitors to our website who do not have an active user account on the Platform, as well as the patient and doctors who have an active user account on the Platform, when they want to contact us through the Platform.

Personal data

Email address – when you contact us via email or through the live chat function; name, surname, e-mail address, telephone number, and the content of the message if it refers to other personal data - when you contact us through the contact form and through the support form (ticket), available on the Platform.

Purpose and legal basis

MEDICAI processes your personal data whenever you contact us: (i) at the e-mail address indicated on the Platform; (ii) through the live chat function available on the Platform; (iii) through the contact form available on the Platform; (iv) through the support form (ticket) available on the Platform, in order to provide additional information regarding the services offered by us, the functionality of the Platform, your account, or any possible questions you may have in relation to the use of the Platform.

Personal data in this category are processed under art. 6 para. 1 letter f) of the GDPR Regulation, which allows us to process personal data when it is necessary for the purpose of our legitimate interests - the functionality of the website.

Collection method and retention period 

The collection of personal data is carried out directly by the data subject by voluntary transmission on the occasion of completing the necessary information at the time of contacting us.

Personal data is stored for the period necessary to manifest our legitimate interests.

Scientific research

MEDICAI may use the medical data of patients under the condition that they are anonymized as stated herein, so that it becomes impossible to identify the persons to whom they refer, for the purpose of scientific research for the development of software of advanced systems (for example for the development of AI-type systems - diagnostics by means of Artificial Intelligence -, hereinafter also referred to as "AI-type Systems"), with the exception of scientific research activities within clinical trials.

By combining research results, MEDICAI aims to obtain valuable new knowledge in the medical field, including regarding widespread diseases with difficulties in diagnosis and treatment. MEDICAI can then develop and implement knowledge-based policies that can improve the quality of life for large numbers of people and increase the efficiency of social health services.

In this context, MEDICAI ensures that it keeps the data used in research studies in an anonymized and confidential manner. Also, with regard to AI-type Systems, MEDICAI ensures that it constantly improves its related software.

Additionally, MEDICAI offers adequate guarantees for data subjects, in the sense of the effective exercise of the rights provided for by the GDPR Regulation, namely the right to rectification, deletion, restriction of processing, opposition, data portability, and the right to be forgotten.

5. The disclosure of your personal data to third parties

Our members and employees

MEDICAI’s members and employees having access to personal data have been trained to observe the security and confidentiality of the personal data they have access to in performing business activities. MEDICAI’s members’ and employees’ access to personal data is limited to the information required in performing their specific tasks.

Suppliers

In order to carry out our activity, we collaborate with various partners who contribute to the development of our projects and, inevitably, we make available to them some of your personal data.

In such cases, the transmission of personal data will be limited to the data strictly necessary for the partners to carry out the necessary activities in our projects and we have implemented contractual clauses to ensure that they comply with the provisions of this Privacy Policy and all applicable law.

Also, trying to do the best in our industry, sometimes we choose to work with other companies to facilitate certain technical or administrative functions that fall within their scope of activity such as data hosting services, data services payment, marketing services, technical systems security services, software development services, IT support and maintenance services, legal services, etc.

In cases where we decide to use third parties to benefit from their services, we will only provide them with the information they need to perform their specific functions, provided that they comply with the provisions of the GDPR Regulation.

When our contractual partners act as proxies for the processing of your personal data, we will ensure that they process the data in accordance with applicable personal data protection legislation, in accordance with our prior instructions.

For the purchase of our services and all subsidiary transactions, such as the provision of bank details, the billing of our services, the recording of payments made, and the communication of any questions or concerns you may have regarding payments made, MEDICAI collaborates with the Stripe payment processor, who acts as an individual operator. In this context, MEDICAI does not have access to any banking data provided by the data subjects for the purpose of purchasing the services on our Platform. For more details on Stripe's processing activities and security measures, please see the privacy policy available here.

Legal requirements

Your personal data may be communicated to governmental authorities and/or law enforcement agencies if required by the applicable law. 

Which are your rights regarding the processing of personal data and how can you effectively exercise them

MEDICAI, as data controller, has implemented technical and organizational measures to ensure that the following rights of data subjects are respected:

Right of access 

You have the right to obtain confirmation as to whether or not personal data concerning you are being processed by us, and, where that is the case, access to your personal data and information on how they are processed.

Right to data portability 

You have the right to receive the personal data processed in a structured, commonly used, and machine-readable format including the right to have this data transmitted directly to another controller if this is technically feasible.

Right to object 

You have the right to object to the processing of your personal data when processing is necessary for the performance of a task carried out in the public interest or for the purposes of the legitimate interests pursued by us. You have the right to object at any time if your personal data are being processed for direct marketing purposes.

Right to rectification 

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. The rectification must be communicated by the controller to each recipient to whom the data subject's data have been transmitted unless this proves impossible or involves disproportionate (demonstrable) efforts.

Right to erasure (“right to be forgotten”)

You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies: (i) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing; (iii) you object to the processing and there are no overriding legitimate grounds for the processing; (iv) your personal data have been unlawfully processed; (v) your personal data have to be erased for compliance with a legal obligation; (vi) your personal data have been collected in relation to the offer of information society services.

Right to restriction of processing

You have the right to obtain from us restriction of processing where one of the following applies: (i) you contest the accuracy of your personal data, for a period that allows the verification of the correctness of the data; (ii) the processing is unlawful and you oppose the erasure of your personal data and request the restriction of their use instead; (iii) we no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; (iv) you have objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right not to be subject to a decision based solely on automated processing

You have the right not to be subject to a decision solely based on automated processing, including profiling, which produces legal effects concerning you or similarly affects you in a significant manner. Therefore, we hereby state that MEDICAI does not use applications, algorithms, artificial intelligence, or automatic processes to make automatic decisions (without human intervention) that produce legal effects for you.

To exercise your rights listed above you can send us your request (accompanied by your contact details) both electronically at the e-mail address dpo@medicai.io, as well as by postal services with a registered letter and confirmation of receipt at 53-55 Nicolae Filipescu street, room 5, floor 4, district 2, Bucharest. 

Children’s personal data. We do not process data for children under 16 years old!

MEDICAI does not collect any personal data from children under the age of 16. 

So, if you are under 16, please do not submit to us any personal data.

What security precautions does MEDICAI take to protect your personal data

MEDICAI has assumed the responsibility of implementing appropriate technical and organizational measures regarding the protection of privacy and ensuring the security of personal data, as well as in order to avoid the unauthorized alteration, access, modification, destruction, or disclosure of data:

  1. MEDICAI’s employees and collaborators who have access to the databases are expressly nominated; access to the computer system is made using individual accounts and passwords that are changed periodically;
  2. all employees, collaborators, and service providers who are in contact with personal data act in accordance with the principles and policies regarding the processing of personal data provided by the applicable legislation, respectively by the standards of confidentiality; thus, they have been informed and have the obligation to comply with the provisions of the GDPR Regulation by signing Agreements for the processing of personal data or as a result of the law;
  3. personal data are printed only by authorized users, if necessary for the performance of the activity or according to legal obligations; however, we mention that we do not print personal data because it is not necessary for our activity;
  4. MEDICAI’s employees and collaborators have access only to the personal data necessary, adequate and relevant for the performance of their duties and only in accordance with the stated purpose of data collection;
  5. computers and terminals used to access the computer system are password protected and have antivirus, antispam, and firewall security updates;
  6. we take the necessary measures to protect your personal data against the loss, misuse, and unauthorized access, disclosure, modification, or destruction of your data;
  7. we carry out, at regular intervals, security audits on the computer systems we use for the processing of personal data;
  8. we anonymize the personal data that we process so that it becomes impossible to identify the person to whom they refer, where possible and appropriate to our activity;
  9. we adopt and review data processing practices and policies, including physical and electronic security measures, regularly train MEDICAI’s employees and collaborators, and constantly monitor how we apply our own practices and policies.

Please select carefully what personal data you choose to send, including the email addresses listed on the site.

The Internet or e-mails are not impenetrable, and an unexpected technical error can lead to an unfortunate event involving personal data transmitted.

While we take all reasonable steps to ensure the security of your data, MEDICAI cannot guarantee the absence of any breach of security or the inability to penetrate security systems. In the unlikely event that such a breach occurs, we will follow the legal procedures for limiting the effects and informing the data subjects as soon as possible.

Links to other websites

On our website, you may find links to other organizations or web pages. This Policy does not cover the personal data processed by them. 

If you decide to access such links displayed on our site, we encourage you to carefully read their privacy policies. 

Updates to this Privacy Policy

As we plan to develop and offer you new services, we will need to update this Privacy Policy.

In order to keep you informed, we always publish the latest version of the Privacy Policy on our website, without any specific notice in this respect.

We encourage you to constantly review this Privacy Policy in order to be constantly informed with respect to the categories, purposes, and manner in which MEDICAI processes your personal data.

If you have any questions about our Privacy Policy, please contact us at: dpo@medicai.io

Information concerning Data Protection Supervisory Authority  

If you consider that your rights provided by Regulation no. 679/2016 have been violated, you have the possibility to communicate this to us at the address: dpo@medicai.io or to contact the NSAPDP by submitting a complaint.

The contact details of NSAPDP are the following:

Complaint Form: https://www.dataprotection.ro/?page=Plangeri_pagina_principala 

Contact link: https://www.dataprotection.ro/?page=contact&lang=ro 

Website: https://www.dataprotection.ro/ 

Address: B-dul G-ral. Gheorghe Magheru 28-30, District 1, postal code 010336, Bucharest, Romania

Phone: +40.318.059.211 or +40.318.059.212; Fax: +40.318.059.602
