Privacy Policy
Effective date: 22 April 2026
Version: 2
1. Introduction
Mediora is an AI-powered tool that helps adults understand their personal lab test results.
The service is operated by SLAtech Ltd, an Israeli company with registered offices at
[to be confirmed]. References in this policy to "we", "us", "Mediora",
or "the service" mean SLAtech Ltd acting as the controller of your personal data.
This policy explains what personal data we collect when you use Mediora, why we process it,
who we share it with, and which rights you have under the EU General Data Protection
Regulation (GDPR) and the Israeli Privacy Protection Law, 5741-1981 (PPL).
2. What data we collect
Account data. Email address, preferred language, optional first / last name, date of
birth, sex, phone number, chronic conditions and medications you choose to share in your
profile. Your date of birth is required by our 18+ age gate.
Health data (GDPR special category under Article 9). Lab reports you upload
(PDF / images), lab markers we extract from them, AI-generated analyses and trend
narratives, messages you exchange with the AI assistant, and the record of whether a
message triggered one of our safety filters.
Technical data. IP address, browser user agent, browser language, approximate
geolocation inferred from IP, and the session cookies listed in our Cookies Policy.
Usage data. Which features you use (uploads, report views, chat interactions), email
delivery history (welcome, analysis-ready, critical-alert), and admin audit log entries
that relate to your account when a staff member interacts with it.
3. Legal basis for processing (GDPR Article 6 + Article 9)
We process your personal data on the following legal bases:
- Contract performance — Art. 6(1)(b). Delivering the core product: parsing your
reports, generating analyses, emailing you when they're ready, maintaining your history.
- Consent — Art. 6(1)(a). Analytics cookies, marketing emails (opt-in in Profile),
and non-essential features such as similar-case comparison.
- Vital interests — Art. 6(1)(d). Sending "critical marker" alerts when one of your
results is clinically significant — we treat these as a safety issue, not a marketing
channel.
- Special-category explicit consent — Art. 9(2)(a). Processing your health data
requires a separate affirmative consent, captured on signup as part of the "I accept
the Privacy Policy" checkbox. You can withdraw this consent at any time by deleting
your account (see Section 8).
Under the Israeli PPL we rely on §11 for processing with the data subject's consent and on
§2(9) for processing that is necessary to provide the service you requested.
4. How we use your data
- Run the analysis pipeline that processes your lab reports and produces the report you
see in the app.
- Send transactional emails: account welcome, analysis-ready notification, critical-marker
alert, re-engagement nudge if you never returned after signup.
- Track longitudinal trends across multiple uploads for the same marker.
- Improve the service using aggregated, de-identified metrics. We do not use your
identifiable data to train AI models.
- Detect abuse (rate limits, spam, repeated safety-filter triggers).
5. Categories of processors
We share the minimum necessary personal data with the following categories of
processors to provide the service. Individual processor identities are available on
request — see the disclosure clause at the end of this section.
| Category | Purpose | Primary Location | Safeguards |
|---|---|---|---|
| AI service providers | Analysis of lab reports, chat responses, semantic search over your history | United States | Data Processing Agreement with no-training-on-your-data clause; Standard Contractual Clauses for EU personal data transfers |
| Cloud infrastructure providers | Secure file storage and transactional email delivery | United States | Server-side encryption at rest; Data Processing Agreement; Standard Contractual Clauses for EU personal data transfers |
| Vector search services | Semantic similarity search across your own analysis history | [to be confirmed] | User-level isolation: every query is strictly filtered to the authenticated user's data |
| Our secure infrastructure | Primary application database and computation | Israel | Access controls, encryption, managed under this policy |
All processors are contractually bound to:
- Process your data only to provide the service to you.
- Implement appropriate technical and organisational security measures.
- Never use your health data to train AI models.
- Return or delete your data when our contract with them ends.
We do not sell personal data, and we do not share it with advertisers.
Specific names of our processors are available on request — email
[email protected], or exercise your GDPR Art. 15 right and the names will be
included in your Data Access Report (see Section 8).
6. International data transfers
When we use processors located outside your country, we apply the safeguards required
by GDPR and the Israeli Privacy Protection Law:
- EU users: transfers to the United States are covered by the European Commission's
Standard Contractual Clauses (SCCs) [to be confirmed].
- All users: Israel is currently recognised by the European Commission as providing
an adequate level of data protection (Decision 2011/61/EU) [to be confirmed].
- Processors in other countries: bound by our Data Processing Agreement with
equivalent safeguards.
You can request the specific transfer mechanisms in use by emailing [email protected].
7. Retention
- Account active: we retain your data while your account is active.
- Account deleted (user-initiated): 30-day grace period during which you can cancel,
then permanent hard delete (see Section 8). The only data we retain after hard delete
are aggregated, irreversibly de-identified metrics.
- Chat history: retained while your account is active; you can soft-delete
individual messages from the sidebar.
- Backups: rolling 90-day encrypted backups; hard deletes propagate into the current
backup within 24 hours and drop out of rotation within 90 days.
8. Your GDPR rights
You can exercise the following rights at any time, free of charge:
- Access (Art. 15). The Profile page includes a "Download my data" button that
exports a machine-readable JSON bundle of everything we hold about you, including
the specific names of the processors we have shared data with.
- Rectification (Art. 16). Edit your profile directly; lab-marker values can be
corrected in the analysis editor.
- Erasure (Art. 17). The Profile page includes a "Delete my account" button that
triggers the 30-day deletion flow described in Section 7.
- Restriction (Art. 18). Contact [email protected].
- Portability (Art. 20). Same export button as for Access.
- Object (Art. 21). Contact [email protected].
- Withdraw consent. Any consent you gave (analytics cookies, marketing emails) can
be withdrawn from the Profile page without affecting the lawfulness of prior processing.
9. Israeli PPL rights
Israeli data subjects have equivalent access rights under §13 of the PPL and may request
correction of inaccurate data under §14. To exercise these rights, email
[email protected] from the address on your Mediora account.
10. Security measures
- Transport: industry-standard encryption in transit for every browser-to-server
connection.
- Authentication: short-lived session tokens + one-time-passcode login (no password
stored on your device).
- Infrastructure: private network segmentation, firewalled database, least-privilege
service accounts, encrypted logs.
- Chat safety: a multi-layer content filter (input screening, refusal templates,
output review) so the assistant cannot produce prescriptions or diagnoses.
[TECH DEBT — PII encryption at rest is scheduled for Sprint-2.5.] Extracted patient
identifiers (name, DOB, ordering doctor) are currently stored unencrypted in our primary
database. The columns are marked in code and will be encrypted with a managed-key scheme
before 1 October 2026.
11. Children
Mediora is a service for adults. We do not knowingly collect personal data from anyone
under 18. You must tick an explicit "I am 18 or older" checkbox on signup, and the
service will refuse to save a profile whose date of birth corresponds to an under-18 age.
If you believe a minor has created an account, please email [email protected] and we
will delete it.
12. Changes to this policy
We will notify you by email at least 30 days before a material change takes effect. For
changes that affect the legal basis of processing or add a new category of data, we will
ask for your fresh consent before continuing to process your data under the new terms.
13. Contact
- Controller: SLAtech Ltd [to be confirmed].
- Privacy contact: [email protected].
14. Supervisory authority
EU-based users have the right to lodge a complaint with the national data-protection
authority where they live or work. [to be confirmed]
Israeli users may contact the Privacy Protection Authority (Ministry of Justice).