MediRodina
CS EN
GDPR · Data Protection

Privacy Policy

Effective: 1 January 2025 MediRodina App

This Privacy Policy explains how MediRodina handles your personal data. Health data is special category data under GDPR Article 9 and we treat its protection with the utmost care.

1 Data Controller

The data controller for MediRodina is a company operating the application:

Operator
MediRodina s.r.o.
Contact email
administrator@medirodina.com

2 Data We Collect

Account Data

  • Email address (for login and authentication)
  • Display name

Family Member Profiles

  • Name, date of birth, gender, profile photo
  • Relationship to the user (e.g. child, partner, parent)
  • Insurance information

Health Records SENSITIVE DATA

  • Medications — name, dosage, frequency, dose logs
  • Vaccinations — type, date, provider, reminders
  • Illnesses and diagnoses — name, date, status, notes
  • Medical records — uploaded files (PDF, photos), category, specialty
  • Appointments — date, type, location, doctor
  • Development milestones — weight, height, growth records
  • Pregnancy — week, due date, statistics

Technical Data

  • Device type and operating system (for app functionality)
  • App settings stored locally (language, theme, PIN)
CategoryExamplesGDPR Sensitivity
Identity dataName, emailPersonal data
Health dataMedications, diagnoses, vaccinationsSpecial category (Art. 9)
Biometric filesProfile photosPersonal data
Technical dataDevice type, OSPersonal data

3 Purpose of Processing

  • Service delivery — providing access to the app, syncing data across devices
  • Health record management — storing and displaying health information entered by the user
  • Notifications and reminders — sending local notifications about medications, vaccinations, and appointments
  • Family sharing — sharing a profile with other users based on explicit consent
  • Security — authentication, account protection, PIN/biometric lock

4 Legal Basis for Processing

  • Performance of contract (Art. 6(1)(b) GDPR) — processing necessary to provide the app
  • Explicit consent (Art. 9(2)(a) GDPR) — for special category health data; consent is given by registering and voluntarily entering health information
  • Legitimate interests (Art. 6(1)(f) GDPR) — app security and fraud prevention

You may withdraw your consent to health data processing at any time by deleting your account and all data in the app settings.

5 Where Your Data is Stored

Cloud Storage

Data is stored on servers of Supabase Inc. (USA). Supabase uses AWS infrastructure in the EU region (Frankfurt, Germany). Data transfers to the USA are covered by Standard Contractual Clauses (SCCs) in compliance with GDPR.

Local Storage

Copies of data are stored locally on your device (AsyncStorage) for offline access. This data is protected by your device's security mechanisms.

Files

Uploaded files (PDFs, photos of medical records) are stored in Supabase Storage with private access restricted to the authorised user only.

6 Data Sharing with Third Parties

We do not sell or share your personal data with third parties for marketing purposes. Data is shared only in these cases:

  • Supabase Inc. — cloud database and authentication provider (data processor under Art. 28 GDPR)
  • Resend Inc. — email service provider for authentication emails
  • Family sharing — if you explicitly share a profile, the recipient gains access to selected data
  • Legal obligation — where required by applicable law or court order

7 Data Retention

  • Account data — for the duration of the account; deleted within 30 days of account deletion
  • Health records — for the duration of the account; deletion of a record or account results in permanent removal
  • Backups — may be retained by Supabase for up to 7 days for system recovery purposes

8 Your Rights

As a data subject you have the following rights under GDPR:

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
  • Right to restriction (Art. 18) — restrict processing under certain conditions
  • Right to data portability (Art. 20) — receive your data in a machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests
  • Right to withdraw consent — at any time without affecting the lawfulness of prior processing

You can exercise your rights directly in the app (Settings → Delete data) or by emailing the controller. You may also lodge a complaint with the Czech Data Protection Authority (ÚOOÚ) at www.uoou.cz.

9 Data Security

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Row Level Security (RLS) in the database — each user can only access their own data
  • Authentication via Supabase Auth (secure JWT tokens)
  • Optional PIN or biometric lock within the app
  • Files stored in a private Supabase Storage bucket accessible only to the authorised user

10 Children

MediRodina is intended for users aged 16 and over. Records for minor children may only be entered by their legal guardian. If we discover that we have collected data from a person under 16 without parental consent, we will delete it immediately.

11 Changes to This Policy

We will notify you of material changes via email or in-app notification at least 14 days before they take effect. The current version is always available in the app (Settings → Legal).

12 Contact

To exercise your rights or for any data protection queries, please contact us:

Email
administrator@medirodina.com

We will respond to your request within 30 days of receipt.