Medipolia.

Privacy Policy

Last updated: 26 June 2026 · GDPR (EU 2016/679) & KVKK (Law No. 6698) compliant

Medipolia (“we”, “us”) is committed to protecting your privacy. This policy explains what personal data we collect, why and how we process it, how long we keep it, and the rights you have over it. Your medical data belongs to you — for life.

1. Data Controller

Medipolia is the data controller for the personal data processed through this platform. For any data-protection request you can reach our Data Protection Officer at privacy@medipolia.com.

2. What data we collect

  • Account data: email, username, password (hashed), locale.
  • Profile data: name, photo, occupation, location, languages, interests and anything you choose to add.
  • Health data (special category): your Medical Passport — blood type, allergies, conditions, medications, records and journey details. This is processed only with your explicit consent.
  • Identity documents: passport / national ID numbers, stored encrypted (AES-256-GCM) and never shown in full.
  • Usage data: posts, connections, messages, and technical logs needed to run and secure the service.

3. Lawful basis for processing

  • Consent (Art. 6(1)(a) & Art. 9(2)(a)) — for health data and marketing communications.
  • Contract (Art. 6(1)(b)) — to provide the account and services you request.
  • Legitimate interests (Art. 6(1)(f)) — to secure the platform and prevent abuse.
  • Legal obligation (Art. 6(1)(c)) — where retention is required by law.

4. How we use your data

To operate your Medical Passport, plan and coordinate your journey, connect you (only with opt-in) to other patients, provide AI guidance, secure your account, and — only if you opt in — send product updates. We never sell your personal data.

5. Consent-based sharing

Your data is private by default. Clinics, hotels, pharmacies or partners can only access the specific categories you explicitly authorise — for example by scanning your QR — and every access is logged. You can revoke any consent at any time.

6. Data security

Sensitive identity data is encrypted at rest, passwords are hashed, transport is encrypted (HTTPS), and access is logged. We host within the EU (Germany).

7. Data retention

We keep your data for as long as your account is active. When you delete your account, personal data is erased or anonymised, except where law requires retention (e.g. financial records). You can request erasure at any time.

8. Your rights (GDPR & KVKK)

  • Access — obtain a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — “right to be forgotten”.
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to certain processing, including marketing.
  • Withdraw consent — at any time, without affecting prior lawful processing.

To exercise any right, contact privacy@medipolia.com. You also have the right to lodge a complaint with your supervisory authority.

9. International transfers

Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses.

10. Cookies

See our Cookie Policy. We use only what is necessary to run the service, plus optional analytics with your consent.

11. Changes

We will notify you of material changes to this policy. Continued use after changes take effect constitutes acceptance.

Questions about your data? Contact our Data Protection Officer at privacy@medipolia.com.