Data Privacy

MedMETs processes sensitive patient health information on behalf of healthcare providers. We are committed to transparency about how data is collected, used, stored, and protected — in plain English, not legalese.

  • GDPR
  • HIPAA
  • PDPA
  • PIPEDA
  • Data Residency
  • DSR Support

Roles + responsibilities

Who is the controller and who is the processor?

For patient health data captured in a consult, the clinic is the data controller and MedMETs acts as a data processor on the clinic's behalf. Our Data Processing Agreement reflects this and includes the GDPR Article 28 processor obligations, HIPAA Business Associate terms, and the equivalents for every region where we operate.

Clinic = controller

You decide why patient data is collected, which fields are captured, and how long it is retained. You hold the direct relationship with the patient and with any provincial / state regulator.

MedMETs = processor

We process the data only on your documented instructions (configured in the platform), under the contractual safeguards of the DPA / BAA / PDPA Schedule, and never for our own purposes.

Patient = data subject

The patient retains all standard rights: access, rectification, erasure, portability, objection, and restriction. The patient app lets them exercise most of these with one tap.

Data Residency

Store data where you need it

MedMETs supports configurable data residency for every enterprise customer — and defaults to in-country residency for the regions where we operate today.

Australia

Sydney + Melbourne data centres. Hosting aligned with the Australian Privacy Act 1988 and the state-level Health Records Acts (NSW HRIP, VIC HRA, ACT HRPP).

European Union

Frankfurt + Dublin regions. Full GDPR data residency with EU Standard Contractual Clauses for any onward transfer.

United Kingdom

London region. UK GDPR compliant, aligned with the Data Protection Act 2018; ICO registration in place.

United States

US East + US West regions. HIPAA-compliant hosting with Business Associate Agreement available for every customer.

Canada

Toronto region. PIPEDA federal compliance plus provincial alignment (PHIPA, PIPA, Loi 25).

Singapore

Singapore region. PDPA compliance plus CSA Cybersecurity Code of Practice for Healthcare alignment.

Data Principles

How we handle patient data

  • Patient health data is processed only to deliver MedMETs services to the contracted clinician or clinic
  • Data is never sold, shared with advertisers, or used to train models for third parties
  • All processing activities are documented in a formal Register of Processing Activities (RoPA)
  • Data minimisation: only the data necessary for the clinical function is collected
  • Retention periods follow the applicable clinical record-keeping regulations (typically 7 years after last contact for adults; jurisdiction-specific for paediatric records)
  • Patients may access, correct, export, and request deletion of their personal data via the app or by emailing the DPO
  • Pseudonymisation is applied to any data used for product improvement, with a documented re-identification ban
  • Encryption: AES-256 at rest, TLS 1.3 in transit, and per-tenant KMS keys on Enterprise plans
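The pseudonymisation bullet above deserves a concrete shape, because the weak version of it (a plain SHA-256 over the patient ID) is not pseudonymisation at all: patient identifiers have a small, predictable format, so an unkeyed hash is reversed by enumerating that format. The example below is added here and is not MedMETs' code; it shows a keyed pseudonym (HMAC-SHA256 over tenant + patient ID) beside the enumeration attack that defeats the unkeyed form. PSEUDONYM_KEY, SAMPLE_RECORD and the field names are constructed for the example; in a real pipeline the key would live in a KMS that the analytics environment cannot read.

```python
"""Keyed pseudonymisation of patient identifiers for product-improvement data.

Added example, not MedMETs' code. PSEUDONYM_KEY stands in for a key the real
pipeline would fetch from a KMS held separately from the analytics store.
"""
import hashlib
import hmac
from typing import Optional

# Constructed key for the example. In production this is a KMS-held secret
# that only the pseudonymisation step can use; the analytics side never sees it.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Constructed sample consult record keyed by an internal patient id.
SAMPLE_RECORD = {
    "patient_id": "P-000451",
    "clinic_id": "clinic-au-17",
    "consult_minutes": 12,
    "specialty": "GP",
}

# Fields that directly identify the patient and must never reach analytics.
DIRECT_IDENTIFIERS = ("patient_id",)


def pseudonym(key: bytes, tenant_id: str, patient_id: str) -> str:
    """HMAC-SHA256 over (tenant, id).

    The tenant prefix keeps the same patient unlinkable across clinics; the key
    makes the value irreversible for anyone who does not hold it. Output is
    deterministic, so one patient's records still join inside one tenant.
    """
    msg = f"{tenant_id}\x00{patient_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy with direct identifiers replaced. No reverse mapping is
    kept anywhere, which is what makes the re-identification ban enforceable."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = pseudonym(key, record["clinic_id"], record[field])
    return out


def unkeyed_hash(patient_id: str) -> str:
    """The weak variant: a plain hash with no key."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def reverse_unkeyed(target: str, id_space: range) -> Optional[str]:
    """Dictionary attack on the weak variant. Patient ids follow a known format,
    so enumerating it recovers the original from a plain hash in milliseconds."""
    for n in id_space:
        candidate = f"P-{n:06d}"
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    safe = pseudonymise(SAMPLE_RECORD, PSEUDONYM_KEY)
    print("keyed pseudonym:", safe["patient_id"])
    leaked = unkeyed_hash(SAMPLE_RECORD["patient_id"])
    print("unkeyed hash reversed to:", reverse_unkeyed(leaked, range(0, 1000)))
```

The design choices worth copying: the key is the only secret, so "re-identification" means "someone obtained the key", which is an auditable event rather than a research exercise; the tenant is mixed into the message so a pseudonym from one clinic cannot be matched against another clinic's data; and the output is deterministic, so longitudinal analysis still works without a lookup table that would itself be a re-identification tool.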

Data Subject Rights

Exercise your rights in four steps

Every patient and every clinician can exercise their data rights under GDPR, UK GDPR, HIPAA, PIPEDA, PDPA, and the Australian Privacy Principles. The process is the same in every jurisdiction: the underlying obligations vary, but we respond to the strictest applicable standard.

  1. Submit a request

    Email dpo@medmets.com or use the in-app DSR form. Include the data subject's name, account email, and the type of request (access / rectification / erasure / portability / objection / restriction).

  2. Verification

    We verify the requester's identity through the linked account or by sending a verification challenge to the registered email, that is, the address already on file, not an address supplied in the request. This stops an attacker using the DSR process to harvest someone else's data.

  3. Action + response

    Standard requests are actioned within 30 days (the one-month limit in GDPR Art. 12(3)), often within 7. Complex requests may extend to 60 days with written notice. Responses include a machine-readable export where applicable.

  4. Appeal

    If you disagree with our decision, reply to the response thread for an escalation review. Unresolved complaints can be referred to your supervisory authority (ICO, CNIL, OAIC, etc.).
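The verification step is the one that carries security weight: a DSR endpoint that hands over an export on the strength of a name and an email address typed into a form is a data-harvesting oracle. The example below is added here and is not MedMETs' code; it shows the shape of the challenge described in step 2, with the properties a practitioner would check for: the challenge goes to the address on file (never the address in the request), the token is random and single-use, it expires, the server stores only a hash of it, it is bound to the account and the request type so it cannot be redeemed for a different action, and an unknown email produces the same outward behaviour as a known one so the endpoint does not enumerate accounts. ACCOUNTS, the in-memory store and the outbox are constructed stand-ins for the platform's database and mailer.

```python
"""Single-use, time-limited verification challenge for a data subject request.

Added example, not MedMETs' code. ACCOUNTS, _challenges and outbox stand in for
the real account directory, challenge table and transactional mailer.
"""
import hashlib
import secrets
import time
from typing import Optional

CHALLENGE_TTL_SECONDS = 15 * 60
REQUEST_TYPES = {"access", "rectification", "erasure",
                 "portability", "objection", "restriction"}

# Constructed account directory. The email in the request is used only to look
# the account up; the challenge always goes to the address on file.
ACCOUNTS = {
    "pat@example.org": {"account_id": "acct-1001",
                        "registered_email": "pat@example.org"},
}

# Server-side challenge store keyed by SHA-256(token): a leaked table does not
# leak redeemable tokens.
_challenges: dict = {}

# Stand-in for the mailer: list of (recipient, token) pairs "sent".
outbox: list = []


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_challenge(claimed_email: str, request_type: str,
                    now: Optional[float] = None) -> None:
    """Start verification for a DSR.

    Returns nothing in every case, so the caller (and an attacker) learns the
    same thing whether or not the email matches an account.
    """
    if request_type not in REQUEST_TYPES:
        raise ValueError("unknown request type")
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(claimed_email.strip().lower())
    if acct is None:
        return  # silently do nothing: no account enumeration
    token = secrets.token_urlsafe(32)
    _challenges[_token_id(token)] = {
        "account_id": acct["account_id"],
        "request_type": request_type,   # token is bound to this action only
        "expires_at": now + CHALLENGE_TTL_SECONDS,
        "used": False,
    }
    outbox.append((acct["registered_email"], token))


def verify_challenge(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Redeem a token once. Returns the bound account and request type on
    success, None if the token is unknown, expired or already used."""
    now = time.time() if now is None else now
    rec = _challenges.get(_token_id(token))
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return None
    rec["used"] = True
    return {"account_id": rec["account_id"],
            "request_type": rec["request_type"]}


if __name__ == "__main__":
    # Attacker files an access request for pat's data from their own mailbox:
    # the challenge still lands in pat's registered inbox, not the attacker's.
    issue_challenge("pat@example.org", "access")
    recipient, token = outbox[-1]
    print("challenge sent to", recipient)
    print("redeem:", verify_challenge(token))
    print("replay:", verify_challenge(token))
```

The same token must not be accepted for a different request type: an attacker who intercepts a "rectification" challenge should not be able to turn it into an "erasure" or an export, which is why the bound type is returned to the caller rather than taken again from the request.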

Sub-processor register

Every vendor we send data to — and why

The complete list of sub-processors used to deliver MedMETs. Every entry has a written Data Processing Agreement or BAA, and every onward transfer is covered by Standard Contractual Clauses (or the regional equivalent). Adding a new sub-processor triggers 30 days' notice to customers before it is activated.

Amazon Web Services
  Purpose: Hosting, storage, encryption (KMS)
  Region: AU, EU, UK, US, CA, SG
  Contract: AWS DPA + SCCs

Supabase
  Purpose: Managed Postgres, Auth, Edge Functions
  Region: Per-tenant (matches customer residency)
  Contract: Supabase DPA + SCCs

Cloudflare
  Purpose: Edge network, DDoS protection, TLS termination
  Region: Global edge with regional pinning
  Contract: Cloudflare DPA + SCCs

Anthropic
  Purpose: Clinical AI inference (zero-retention API)
  Region: Per-tenant routing; no data retained by sub-processor
  Contract: Anthropic Zero-Retention Agreement

Resend
  Purpose: Transactional email (account, DSR, notifications)
  Region: EU + US
  Contract: Resend DPA + SCCs

Vercel
  Purpose: Static marketing site (non-PHI)
  Region: Global edge
  Contract: Vercel DPA + SCCs

Retention schedule

How long we keep what

Retention aligns with applicable clinical record-keeping regulations. Local law overrides where it's stricter — for example, Victoria's 15-year minimum for minors' records.

Clinical notes + transcripts: 7 years from last patient contact (longer where jurisdiction requires)
Account + practitioner profile: until account closure; 90 days post-closure for audit
AI invocation audit log: 2 years; required for clinical safety reviews
Patient app usage logs: 13 months rolling; no PHI in logs by policy
Billing + invoicing records: 7 years (tax + corporations law requirements)
Backup snapshots: 30 days, encrypted; geographically distributed; not used as primary record store

Breach notification

What happens if there's an incident

We follow the strictest applicable breach-notification clock for every customer. In practice that means:

0–24 hours — internal incident response triggered, affected customers contacted with provisional notice and the technical containment status.
24–72 hours — supervisory-authority notification prepared and filed where the breach meets the regulatory threshold (GDPR Art. 33, which sets the 72-hour clock; HIPAA Breach Notification Rule; OAIC Notifiable Data Breaches scheme; PDPA mandatory notification).
72 hours – 30 days — patient and data-subject notifications coordinated with the controller, plus a full post-incident review delivered to affected customers within 30 calendar days.

International transfers

When data crosses a border, what protects it?

Most customer data never leaves its primary region. When a transfer is necessary, for example a support engineer rotated through Sydney assisting an EU customer, the transfer is covered by the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, or the Australian APP 8 cross-border disclosure framework, as applicable. Transfer Impact Assessments are documented and reviewed annually.

Contact the privacy team

Data Protection Officer

All privacy enquiries — DSRs, vendor due diligence, regulator questions, breach reports — route through our Data Protection Officer.

dpo@medmets.com

Policy version 1.4 · last reviewed 27 May 2026 · next review due 27 May 2027. Material changes will be emailed to active customers at least 30 days before taking effect.