Mednecta

If you cannot access the application or have already uninstalled it, submit your request at mednecta.com/account-deletion.html. We will acknowledge your request within 72 hours and complete verified deletion within 30 days (subject to statutory retention obligations set out in Section 9 below).

1. Definitions

The following capitalised terms have the meanings set out below throughout this Policy:

• "Controller" — the entity that determines the purposes and means of processing Personal Data. Mednecta is the Controller with respect to all data described in this Policy unless otherwise stated.
• "Processor" — a natural or legal person that processes Personal Data on behalf of the Controller pursuant to a written Data Processing Agreement.
• "Personal Data" — any information relating to an identified or identifiable natural person ("Data Subject"), including information that can be used directly or in combination to identify a person.
• "Special Category Data" — Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person's sex life or sexual orientation (GDPR Art. 9(1)).
• "Processing" — any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
• "Service" — the Mednecta website, Android application, APIs, and all associated digital products operated by Mednecta.
• "User" / "you" — any natural person who accesses or uses the Service, including registered Members and visitors.
• "Member" — a User who has created a verified account on the Service.
• "Consent" — a freely given, specific, informed, and unambiguous indication of the Data Subject's agreement to the processing of their Personal Data, as defined in GDPR Art. 4(11).
• "Legitimate Interest" — a lawful basis for processing under GDPR Art. 6(1)(f) where the interests of the Controller or a third party are not overridden by the interests or fundamental rights of the Data Subject.
• "Sensitive Personal Data" — for the purposes of India DPDPA and CCPA/CPRA, personal data that is deemed sensitive under those instruments, including precise geolocation, health data, and biometric data.
• "Aggregate Data" — data that has been irreversibly anonymised such that no individual can reasonably be identified, directly or indirectly.

2. Data Controller Identity & Contact

Mednecta acts as the sole Data Controller for Personal Data processed through the Service. Controller contact details, including the name of the responsible officer, are available at mednecta.com/reach-us.html. All formal data subject requests, legal notices, and Data Protection Authority correspondence must be directed to that address.

Where required by applicable law (including GDPR Art. 37 and UK GDPR), Mednecta will appoint or maintain a Data Protection Officer ("DPO") or equivalent responsible person. The current DPO contact, if applicable, is published at the contact page above.

3. Scope & Applicability

This Policy applies to:

• All Personal Data collected via the Mednecta website (www.mednecta.com) and all subdomains;
• All Personal Data collected via the Mednecta Android mobile application;
• Personal Data provided directly to Mednecta through email, forms, or other communications;
• Personal Data received from third-party sources as described in Section 5.

This Policy does not apply to: (a) third-party websites or services linked from the Service; (b) data processed by Members about other individuals in their capacity as independent controllers; or (c) anonymised or aggregated data that cannot reasonably be used to identify any individual.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, you must cease use of the Service immediately and may request deletion of your account as described in Section 13.

4. Categories of Personal Data Collected

4.1 Identity & Professional Data

• Full legal name, professional title, and designated medical specialty;
• Email address (used as primary account identifier);
• Password credential (stored exclusively as a salted cryptographic hash; the plaintext is never stored or transmitted after receipt);
• Profile photograph (where voluntarily uploaded);
• Medical institution, hospital, or practice affiliation;
• Professional registration number and licensing body (where voluntarily provided for verification purposes);
• Professional biography and publicly stated credentials.

4.2 User-Generated Content

• Posts, comments, reactions, polls, and media shared in the social feed;
• Clan (group) discussions, direct communications, and collaborative content;
• Academy course enrolment records, progress data, quiz responses, and H5P interactive learning completion data, including xAPI statements;
• Research alert subscriptions, saved references, and annotation data;
• Gamification data including badges earned and experience points (XP) accumulated.

4.3 Technical & Usage Data

• Internet Protocol (IP) address and derived approximate geolocation at country or region level (not precise geolocation);
• Device identifiers, device type, operating system version, and application version;
• Browser type and version (for web users);
• Session data including pages visited, features used, interaction events, and session duration;
• Crash reports, stack traces, and performance diagnostics collected by the Android application.

4.4 Communications Data

• Content of emails, support tickets, and messages you send to Mednecta;
• Feedback submissions and bug reports;
• Records of consent and opt-in/opt-out choices.

4.5 Data We Do Not Collect

Mednecta does not collect and explicitly prohibits the submission of:

• Patient health records, clinical notes, or any protected health information (PHI) as defined under HIPAA or equivalent legislation;
• Payment card numbers or banking credentials (all payment processing, if applicable, is performed by PCI-DSS-compliant third-party processors under their own privacy terms);
• Precise or continuous real-time geolocation;
• Biometric identifiers (fingerprints, facial geometry, voiceprints) except profile photographs voluntarily uploaded by the User;
• Social security numbers or national identity document numbers.

5. How We Collect Personal Data

6. Purposes of Processing & Lawful Bases

We process Personal Data only for the purposes listed below. Each purpose is supported by a specific lawful basis under GDPR Art. 6 (and, where applicable, Art. 9 for Special Category Data). Where we rely on Legitimate Interest, we have conducted and documented a balancing test confirming that our interests are not overridden by your rights and freedoms.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on Data Subjects (GDPR Art. 22).

7. Special Category & Sensitive Data

Mednecta does not intentionally collect Special Category Data as defined in GDPR Art. 9(1). However, Members may voluntarily disclose information relating to their health specialisation (e.g. "oncologist") which could in some contexts constitute health-related data. Such information is processed solely on the basis of the Member's explicit voluntary disclosure (Art. 9(2)(e) — manifestly made public by the Data Subject) and is used only to provide relevant professional community features.

If you become aware that Special Category Data has been submitted to the Service in a manner inconsistent with this Policy, please contact us immediately at the address in Section 19 and we will take appropriate remedial action.

8. Disclosure & Third-Party Sharing

Mednecta does not sell Personal Data. We do not share Personal Data with third parties for their own independent marketing purposes. Disclosure occurs only in the following circumstances:

8.1 Service Providers (Processors)

We engage third-party vendors to provide infrastructure and operational services on our behalf. All such vendors are engaged under written Data Processing Agreements (DPAs) that restrict their use of Personal Data to the provision of services to Mednecta and impose security and confidentiality obligations no less protective than those in this Policy. Categories of sub-processors include: cloud hosting and content delivery; transactional and marketing email delivery; application performance monitoring and crash diagnostics; and data analytics.

8.2 Visibility to Other Members

Content you post publicly on the Service (including profile information, feed posts, and Clan contributions) is visible to other verified Mednecta Members. You control the visibility of your profile content through your account privacy settings. Private or direct communications are accessible only to their intended recipients and to Mednecta staff for moderation and safety purposes as necessary.

8.3 Legal Disclosure

We may disclose Personal Data where required to do so by:

• Applicable law, regulation, or binding governmental order;
• A valid court order, subpoena, or equivalent legal process;
• Law enforcement or regulatory authorities with lawful authority to require disclosure;
• Protection of the vital interests of any person where the Data Subject is incapable of giving consent;
• Prevention, investigation, or prosecution of criminal offences.

Where legally permitted to do so, we will endeavour to notify affected Members before making such disclosure.

8.4 Corporate Transactions

In the event of a merger, acquisition, reorganisation, asset sale, or insolvency proceeding involving Mednecta, Personal Data may be transferred to the successor entity as a business asset, subject to the following conditions: (a) the successor entity must assume the obligations of this Policy or provide equivalent protection; and (b) we will provide affected Members with at least 30 days' advance notice via email and in-app notification prior to any such transfer, along with the opportunity to delete their account before the transfer completes.

8.5 Professional or Medical Safety Disclosures

Where Mednecta has a good-faith reasonable belief that disclosure is necessary to prevent imminent harm to an identified individual or to the public arising from conduct observed on the Service, we may disclose relevant Personal Data to appropriate regulatory, professional, or emergency authorities. Such disclosures are logged and reviewed by our data governance function.

9. Data Retention & Deletion

Upon expiry of the applicable retention period, Personal Data is securely deleted or irreversibly anonymised using industry-standard methods. Where deletion is technically delayed by backup cycles, data is logically suppressed from active processing pending physical deletion within the next scheduled cycle, not to exceed 60 days beyond the stated retention period.

10. International Data Transfers

Mednecta operates globally and may transfer Personal Data to countries outside the European Economic Area ("EEA"), United Kingdom, or other jurisdictions with data localisation requirements. Where such transfers occur, we ensure an adequate level of protection by relying on one or more of the following mechanisms:

• Adequacy decision: Transfer to a country recognised by the European Commission or UK ICO as providing adequate protection;
• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs (Implementing Decision (EU) 2021/914) or UK International Data Transfer Agreements (IDTAs) incorporated into our agreements with sub-processors;
• Binding Corporate Rules (BCRs): Where applicable for intra-group transfers;
• Derogations: In limited circumstances, your explicit consent or the necessity to perform the contract with you (GDPR Art. 49).

You may request a copy of the transfer mechanisms we rely on for specific sub-processors by contacting us at the address in Section 19.

11. Security Measures

We implement technical and organisational measures appropriate to the risk presented by our processing activities, including:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher;
• Encryption at rest: Sensitive database fields are encrypted at rest using AES-256 or equivalent;
• Password storage: User passwords are stored as salted hashes using bcrypt or equivalent adaptive hashing function; plaintext passwords are never persisted;
• Access controls: Role-based access control (RBAC) limits staff access to Personal Data on a need-to-know basis; privileged access is logged and reviewed;
• Security assessments: We conduct periodic security reviews and vulnerability assessments;
• Incident response: We maintain a documented incident response plan with defined roles and escalation procedures.

No security measure is infallible. We cannot guarantee the absolute security of information transmitted over the internet. You bear responsibility for maintaining the confidentiality of your account credentials and for ensuring that your devices are secured with appropriate access controls. You must notify us immediately if you suspect unauthorised access to your account.

12. Cookies & Tracking Technologies

12.1 Categories of Cookies We Use

We do not use advertising cookies, cross-site tracking pixels, or third-party behavioural profiling technologies.

12.2 Managing Cookies

You may withdraw consent for non-essential cookies at any time through your browser settings or our cookie preference centre. Withdrawing consent will not affect the lawfulness of prior processing. Note that disabling strictly necessary cookies will impair your ability to use the Service.

13. Your Rights & How to Exercise Them

Subject to applicable law and the verification of your identity, you have the following rights in respect of your Personal Data:

13.1 Rights Available to All Users

13.2 California-Specific Rights (CCPA/CPRA)

If you are a California resident, you additionally have:

• Right to Know — the categories and specific pieces of Personal Information collected, disclosed, and sold in the preceding 12 months;
• Right to Delete — request deletion of Personal Information, subject to exceptions under Cal. Civ. Code § 1798.105;
• Right to Correct — request correction of inaccurate Personal Information;
• Right to Opt Out of Sale or Sharing — Mednecta does not sell or share Personal Information for cross-context behavioural advertising; this right is therefore satisfied by our existing practices;
• Right to Limit Use of Sensitive Personal Information — to limit the use of Sensitive Personal Information to purposes reasonably necessary to provide the Service;
• Right of Non-Discrimination — we will not discriminate against you for exercising any CCPA/CPRA right.

To submit a verifiable consumer request under CCPA/CPRA, contact us as specified in Section 19. We will respond within 45 days, with a single 45-day extension where reasonably necessary.

13.3 Response Timescales

We will acknowledge all data subject requests within 72 hours of receipt and fulfil verified requests within 30 days. Where the request is complex or numerous, we may extend this period by a further 60 days (GDPR Art. 12(3)), subject to notification within the initial 30-day period. We may request reasonable verification of your identity before fulfilling a request. We will not charge a fee unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable administrative fee or refuse the request).

14. Children's Privacy

The Service is exclusively for verified medical professionals. We do not knowingly collect Personal Data from any person under the age of 18. Registration on the Service requires affirmative confirmation that the user is a qualified or training medical professional; users under 18 are not eligible for any professional medical qualification in the jurisdictions we serve.

If we become aware that Personal Data has been collected from a person under 18, we will take immediate steps to delete that data and terminate the associated account without notice. If you believe a minor has registered, please contact us immediately at the address in Section 19.

For United States users: the Service is not directed to children under 13 and we do not knowingly collect information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA).

15. Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will:

• Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Art. 33);
• Communicate the breach directly to affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34), including through in-app notification and email to the registered address;
• Maintain an internal register of all Personal Data breaches regardless of whether notification to the supervisory authority is required (GDPR Art. 33(5)).

Breach notifications to Data Subjects will include: (a) a description of the nature of the breach; (b) the categories and approximate number of individuals and records concerned; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects.

16. Data Processing Agreements

All third-party service providers who process Personal Data on our behalf are engaged under written Data Processing Agreements complying with GDPR Art. 28. These agreements mandate that sub-processors: (a) process Personal Data only on documented instructions; (b) ensure that persons authorised to process have committed to confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist us in responding to Data Subject rights requests; (e) delete or return all Personal Data upon termination of services; and (f) provide all information necessary to demonstrate compliance.

We maintain a current register of sub-processors. You may request a list of our sub-processors by contacting us as specified in Section 19. We will inform you of any intended changes to our sub-processor list at least 14 days before such changes take effect, giving you the opportunity to object.

17. Changes to This Policy

We reserve the right to amend this Policy at any time. The revised Policy will be published at www.mednecta.com/privacy-policy.html with an updated effective date. For any change that materially affects how we process your Personal Data, or that reduces your rights, we will:

• Provide at least 30 days' advance notice via email to your registered address and via in-app notification;
• Where required by law (e.g. change to processing purpose under GDPR Art. 6), seek fresh Consent before the change takes effect;
• Preserve a version history of this Policy accessible at the same URL.

Your continued use of the Service after the effective date of a non-material amendment constitutes your acknowledgement of the updated Policy. For material amendments requiring Consent, your continued use constitutes consent only after you have been presented with and actively accepted the revised terms.

18. Dispute Resolution & Supervisory Authorities

If you have a complaint regarding our processing of your Personal Data, we encourage you to contact us first using the details in Section 19 so that we may address your concern. We will respond within 30 days.

If you are not satisfied with our response, or if you believe our processing violates applicable law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction, including:

• EEA: Your national Data Protection Authority (DPA) — a directory is maintained by the European Data Protection Board at edpb.europa.eu;
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk;
• India: Data Protection Board of India — once established under the DPDPA 2023;
• South Africa: Information Regulator — inforegulator.org.za;
• Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca.

These rights are in addition to, and do not prejudice, any right to seek judicial remedy.

19. Contact & Data Subject Requests

All privacy-related enquiries, data subject access requests, complaints, and formal legal notices should be directed to:

Please include in your request: your full name, registered email address, a clear description of your request, and sufficient information to allow us to verify your identity. We may ask for additional verification before processing requests that could affect the Personal Data of others.

This Policy was last reviewed by Mednecta's data governance function on 8 June 2026.