Privacy, stated plainly
MedScan AI is a market-intelligence tool for AI medical devices. We hold as little personal data as the product allows, name every processor we rely on, and never store patient health records. This notice explains what we collect, why, on what legal basis, and how you exercise your rights under the EU General Data Protection Regulation (GDPR).
01Who is responsible for your data
The data controller is MEDTEK KI AS, a Norwegian limited company (aksjeselskap), organisation number 937 565 704, registered in Stavanger, Norway. We operate MedScan AI at app.medtekki.no. For any question about this notice or to exercise a right below, write to support@medtekki.no.
02What we collect
We collect only what a decision-support account needs. Depending on how you use MedScan AI, that is:
- Account data — email address and authentication credentials when you create an account or sign in with Google.
- Reviewer credentials — if you apply to contribute a verified clinician review, your name, professional registration number, issuing regulator, jurisdiction, and specialty, so we can confirm you against a public regulator register.
- Waitlist data — your email address if you join the waitlist before creating an account.
- Billing data— subscription tier and payment status. Card numbers are entered directly with our payment processor; we store only the processor's customer and subscription identifiers, never card details.
- Usage and diagnostic data — coarse product-analytics events and error reports (pages viewed, features used, exceptions thrown) so we can keep the service working and improve it.
We do not ask for, and you should never submit, patient health records or any special-category health data. MedScan AI is market intelligence about devices, not a clinical system.
03Why we use it, and our legal basis
Under GDPR Article 6 (and Article 9 where relevant, which does not apply here because we hold no health data), each purpose rests on a specific legal basis:
- Providing your account and subscription — performance of a contract. We use account and billing data to give you access to the tiers you sign up for and to process payment.
- Verifying reviewer credentials and the waitlist — your consent. When you apply to contribute a review you explicitly consent to us checking your professional registration against a public regulator register. Joining the waitlist is likewise consent-based. You may withdraw either at any time.
- Security, fraud prevention, analytics, and improving the product — our legitimate interests in running a reliable, trustworthy service, balanced against your rights. You can object to processing based on legitimate interest (see your rights below).
04Who processes data on our behalf
We keep our supplier list short and disclose all of it. Each processor below acts under our instructions and is limited to the purpose named. We do not sell personal data, and we run no advertising trackers.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage for accounts, subscriptions, and reviewer records | United States |
| Stripe | Payment processing and subscription management — customer and subscription identifiers only, never card data | United States |
| Vercel (incl. Workflow Development Kit) | Application hosting, serverless compute, and report generation | United States |
| Resend | Transactional email delivery | United States |
| PostHog | Product analytics — server-side event capture only, no advertising cookies | United States |
| Sentry | Error monitoring and diagnostics | United States |
| Anthropic (via Vercel AI Gateway) | AI generation of device summaries, comparisons, and procurement reports you request | United States |
| Typesense (self-hosted, Hetzner) | Search index over the device catalogue — indexes device data, not personal data | European Union (Germany) |
05International transfers
Several of our processors are based in the United States, so some personal data is transferred outside the European Economic Area. Where that happens, transfers are made under the European Commission's Standard Contractual Clauses or an equivalent lawful transfer mechanism offered in each provider's standard data-processing terms. We rely on those providers' published terms; we do not claim any bespoke or separately negotiated data-processing agreement beyond them.
06How long we keep it
We retain personal data only as long as needed for the purpose it was collected for. Account and billing data are kept for the life of your account and then deleted or anonymised, subject to any retention period Norwegian bookkeeping law requires for financial records. Reviewer credential data is kept while you are an active contributor. Waitlist entries are removed once you create an account or ask to be removed. Diagnostic and analytics data are kept on a rolling short-term basis. If you close your account, we delete or anonymise your personal data except where we must retain it to meet a legal obligation.
07Your rights
Under the GDPR you have the right to access your personal data; to have inaccurate data rectified; to have data erased; to receive your data in a portable format; to restrict or object to processing; and, where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal. To exercise any of these, email support@medtekki.no. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or with the supervisory authority in your own country.
08Cookies
We use only essential cookies — those required to keep you signed in and to keep the service secure. We do not run advertising or cross-site tracking cookies, and our analytics is captured server-side rather than through third-party ad tags. Because we set no non-essential cookies, there is no consent banner to dismiss.
09What we do not do
Two boundaries define this product. First, we do not store patient health data — MedScan AI is intelligence about devices and their regulatory status, not a health-record system, and no clinical patient information should ever be entered into it. Second, we do not make clinical, diagnostic, or purchasing recommendations. Nothing on the platform tells you what to diagnose, treat, or buy; the catalogue and reports are neutral reference material for your own judgement.
10Changes and how to reach us
If we make a material change to this notice we will update the version and effective date above and, where appropriate, tell account holders. Questions, requests, and complaints go to support@medtekki.no, or see our contact page for other routes.
Privacy Notice v1.0 — 8 July 2026 — MEDTEK KI AS · Stavanger, Norway.