Privacy Policy
Last updated: December 24, 2025
GDPR Compliant: Medbash.ai is fully compliant with the EU General Data Protection Regulation (GDPR). Your data is primarily stored and processed within the European Union; see Sections 6 and 11 for the service providers involved and the safeguards applied to any processing outside the EU.
1. Data Controller
The data controller for the processing of your personal data is:
Medbash GmbH
Munich, Germany
Email: privacy@medbash.ai
Data Protection Officer: dpo@medbash.ai
2. Data We Collect
2.1 Account Information
- Email address
- Full name
- Job title
- Organization name
- Profile picture (optional)
2.2 Device & Compliance Data
- Medical device information you enter
- Compliance documentation you upload
- Ticket and task information
- AI chat conversations
2.3 Technical Data
- IP address
- Browser type and version
- Device information
- Usage analytics (anonymized)
3. Legal Basis for Processing
We process your data based on:
- Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our services
- Legitimate Interests (Art. 6(1)(f) GDPR): Analytics and service improvement
- Consent (Art. 6(1)(a) GDPR): Marketing communications (when opted in)
- Legal Obligation (Art. 6(1)(c) GDPR): Tax and accounting requirements
4. How We Use Your Data
- Providing and maintaining the Platform
- Processing AI-assisted compliance assessments
- Sending service-related notifications
- Providing customer support
- Improving our services through analytics
- Complying with legal obligations
5. AI Data Processing
Medbash.ai uses Google Gemini AI to power our compliance assistant (Bashi). When you interact with Bashi:
- Your messages are sent to Google's AI services for processing
- We do not share your device-specific data with AI services
- AI interactions are logged for quality and audit purposes
- You can request deletion of your AI conversation history
6. Data Sharing
We share your data with:
- Supabase (Database): Data storage and authentication - EU servers
- Google Cloud (AI): AI processing - EU data processing agreement in place
- Analytics providers: Anonymized usage data only
We never sell your personal data to third parties.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Device & compliance data | Until account deletion + 30 days |
| AI conversation logs | 12 months (for audit purposes) |
| Analytics data | 26 months (anonymized) |
| Legal/accounting records | 10 years (as required by law) |
8. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your data
- Portability: Receive your data in a portable format
- Restriction: Restrict processing of your data
- Object: Object to certain processing activities
To exercise these rights, contact us at privacy@medbash.ai. We will respond within 30 days.
9. Cookies
We use cookies for:
- Essential cookies: Authentication and security (required)
- Functional cookies: Preferences and settings
- Analytics cookies: Usage analytics (with consent)
You can manage cookie preferences through our cookie consent banner.
10. Data Security
We protect your data with:
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Row-level security in our database
- Regular security audits
- Access controls and audit logging
11. International Transfers
Your data is primarily stored within the EU. When we use service providers outside the EU (e.g., Google AI), we ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) or adequacy decisions.
12. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email at least 30 days before taking effect.
13. Contact & Complaints
For privacy-related inquiries:
Email: privacy@medbash.ai
DPO: dpo@medbash.ai
You have the right to lodge a complaint with your local data protection authority. In Germany, this is the Bavarian State Office for Data Protection Supervision (BayLDA).