Skip to main content

Privacy Policy

Effective date: February 19, 2026

1. Introduction

Medyca Tech Labs (“Medyca,” “we,” “us,” or “our”) operates a cloud-native, AI-powered clinical platform designed for healthcare professionals, institutions, and patients. This Privacy Policy explains how we collect, use, store, share, and protect your personal data — including sensitive healthcare data — when you access or use our services, website, and applications. By using Medyca, you acknowledge that you have read and understood this policy.

2. Data Controller

Medyca Tech Labs is the data controller responsible for your personal data under the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD). If you have questions about how your data is processed, please contact us at contact@medyca.ai.

3. Data We Collect

We may collect the following categories of data:

  • Account data — name, email address, professional credentials, institutional affiliation, and authentication information.
  • Healthcare data — DICOM medical images, radiology reports, structured clinical findings, patient demographic information, and other health-related records processed through the platform.
  • Usage data — interactions with the platform, feature usage patterns, session duration, and workflow analytics.
  • Device data — browser type, operating system, IP address, and device identifiers collected automatically when you access our services.
4. Waitlist Data Collection

When you register for the Medyca product waitlist through our website, we collect the following information:

  • Email address — the email you provide to register your interest.
  • Plan interest — the specific product plan you select during registration (for example, Basic, Pro, or Hospital).
  • Locale — your language preference at the time of registration (English or Portuguese).
  • IP hash — a SHA-256 hash of your IP address, collected server-side. We do not store your raw IP address.
  • Consent timestamp — the date and time you submitted the waitlist form, recorded server-side.

This data is collected solely for the purpose of managing waitlist registrations and notifying you about product availability and launch updates related to the plan you selected.

The legal basis for processing this data is your explicit consent, in accordance with LGPD Article 7, Section I. By submitting the waitlist form and accepting the Privacy Policy, you consent to the collection and use of the data described above for the stated purposes.

Waitlist data is retained until the relevant product launches or until you request its removal, whichever occurs first. Once the data is no longer needed for its stated purpose, it is securely deleted.

Waitlist data is not shared with any third parties. It remains within Medyca’s own infrastructure and is used exclusively for the purposes described above.

To request removal of your waitlist data at any time, please contact us at contact@medyca.ai.

5. Legal Basis for Processing

Under the LGPD, we process your personal data based on the following legal grounds:

  • Consent — when you voluntarily provide personal data or opt in to specific features.
  • Contractual necessity — to deliver the services you have subscribed to and to fulfill our obligations under your service agreement.
  • Legitimate interest — to improve our platform, ensure security, prevent fraud, and conduct internal analytics, provided these interests do not override your rights.
  • Regulatory compliance — to meet legal and regulatory obligations in the healthcare sector.
  • Health protection — when processing is necessary to protect the life or physical safety of the data subject or a third party.
6. How We Use Your Data

We use the data we collect for the following purposes:

  • Service delivery — to provide, maintain, and improve the Medyca platform, including AI-powered report generation, template management, DICOM image processing, and clinical decision support.
  • Quality assurance — to validate AI model outputs, improve report quality scoring, and enhance clinical workflows.
  • Security — to detect, prevent, and respond to security incidents, unauthorized access, and fraudulent activity.
  • Communication — to send you service-related notifications, updates, and support responses.
7. Healthcare Data

Healthcare data is treated as a special category of sensitive personal data. This includes DICOM medical images, radiology reports, structured clinical findings, and any patient-related information processed through the platform. We apply the principle of data minimization — collecting only the healthcare data strictly necessary to deliver our clinical services. Healthcare data is encrypted at rest and in transit, and access is restricted to authorized personnel and systems on a need-to-know basis.

8. Data Sharing

We do not sell your personal data. We may share data with the following categories of recipients:

  • Cloud infrastructure providers — we use Google Cloud Platform to host and process data. All subprocessors are bound by data processing agreements that require equivalent levels of data protection.
  • Subprocessors — third-party services that assist in delivering specific features (such as email delivery or analytics) operate under contractual obligations to protect your data.
  • Legal obligations — we may disclose data when required by law, regulation, or valid legal process.
9. International Data Transfers

Your data may be processed in jurisdictions outside of Brazil. When we transfer personal data internationally, we implement appropriate safeguards as required by the LGPD, including standard contractual clauses, data processing agreements, and verification that receiving jurisdictions provide adequate levels of data protection.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy or as required by applicable law. Healthcare data is retained in accordance with regulatory requirements for medical records, which may mandate retention periods of up to 20 years or longer depending on the jurisdiction and record type. When data is no longer needed, it is securely deleted or anonymized. You may request deletion of your personal data at any time, subject to our legal retention obligations.

11. Your Rights Under LGPD

Under the LGPD, you have the following rights regarding your personal data:

  • Confirmation and access — the right to confirm whether your data is being processed and to access it.
  • Correction — the right to request correction of incomplete, inaccurate, or outdated data.
  • Anonymization, blocking, or deletion — the right to request anonymization, blocking, or deletion of unnecessary or excessive data.
  • Data portability — the right to request transfer of your data to another service provider, in accordance with ANPD regulations.
  • Deletion of data processed with consent — the right to request deletion of personal data processed on the basis of your consent.
  • Information on sharing — the right to be informed about which entities your data has been shared with.
  • Consent revocation — the right to revoke consent at any time, without affecting the lawfulness of processing carried out prior to revocation.
  • Right to petition — the right to file a complaint with the Brazilian National Data Protection Authority (ANPD).
12. Security Measures

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data at rest and in transit, role-based access controls, multi-factor authentication, regular security assessments, and comprehensive audit logging of access to healthcare data. While no system is completely secure, we are committed to maintaining industry-standard protections appropriate for healthcare data.

13. Cookies

The Medyca website is a static site that uses minimal cookies. We may use essential cookies required for the website to function properly (such as session management when you access the platform). We do not use advertising or third-party tracking cookies. If we introduce non-essential cookies in the future, we will provide you with clear notice and the ability to manage your preferences.

14. Children’s Data

Medyca is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental or guardian consent, we will take steps to delete that data promptly. Healthcare data pertaining to minors may be processed through the platform by authorized healthcare professionals and institutions in the course of clinical care.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or platform features. When we make material changes, we will notify you by posting the updated policy on our website with a revised effective date. We encourage you to review this policy periodically. Continued use of Medyca after changes are posted constitutes your acknowledgment of the updated policy.

16. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at contact@medyca.ai.