Legal

Privacy, in clear daylight.

How we collect, use, and protect the data you trust to Mediora — written in plain language, with the legal precision underneath.

Currently in effect

Effective:

Version: 3.0

Information we collect.

We collect three buckets of information, and they each get treated differently. We've named them plainly so you can tell which is which when we refer to them later.

Information you give us directly

When you sign up for Mediora, send us a message, or attend a Mediora event, you provide things like your name, work email, company name, role, phone number, and (for customers) billing details. We use this to give you an account, send you replies, and process your subscription.

Information we observe as you use Mediora

When you use the platform, our servers automatically log the device you're using, your IP address, the pages and features you visit, the actions you take, and how long they take. This is what we call usage data. We use it to keep the product working, to debug problems, and to understand which features are earning their place.

Information you upload as a customer

When your team puts records into Mediora — equipment serial numbers, service notes, photos, customer contacts, contracts — that's customer data. It's yours. We store it, back it up, and serve it back to you. We don't read it for any reason other than helping you, and we don't train models on it. Section 3 below covers customer data in more detail.

How we use information.

We use the data described above to do six things. That's the whole list.

To run Mediora

Authenticating you, syncing your records, sending automated reminders, and generally making the product do what it says on the box.

To support you

When you contact us, we'll look at relevant logs and account data so we can help. We don't read customer data we haven't been asked to.

To improve the product

Aggregated usage data helps us spot which features are confusing, which workflows break, and where we should invest next. This data is not tied back to identifiable individuals.

To stay safe

Detecting fraud, abuse, and security threats. Maintaining audit logs that satisfy our SOC 2 obligations.

To communicate

Sending you transactional emails (your account, your bill, your alerts) and — only if you've opted in — our monthly newsletter, The Daylight.

To meet legal obligations

Tax, accounting, regulatory disclosures, and lawful requests from authorities — handled with the principles in the rest of this policy in mind.

Customer data & healthcare records.

If you're a Mediora customer, your team is uploading information about medical and laboratory equipment, service histories, and the people who own that equipment. Some of this is sensitive. We treat it that way by default.

You are the data controller for the customer data inside your Mediora account. We act as a processor on your behalf, under the Data Processing Agreement signed when your account was created.

For customers operating in jurisdictions covered by HIPAA, we offer a Business Associate Agreement. We never use customer data to train AI models, build derivative datasets, or develop new products without your explicit, contract-level consent.

If your account is closed, your customer data is exported on request and then deleted from our active systems within thirty days, and from backups within ninety. See section 7 for the full retention schedule.

Cookies and similar technology.

Mediora uses cookies and similar technologies sparingly. We split them into two categories so you can decide about them with open eyes.

Strictly necessary cookies

These keep you logged in, remember your account preferences, and protect against cross-site request forgery. The platform doesn't work without them, so they aren't optional.

Analytics cookies

We use Plausible for product analytics. It does not use third-party cookies, does not collect personal information, and does not track you across other websites. Aggregated data — like which page you visited and how long you stayed — is the only thing it sees.

We don't use advertising cookies. We don't run remarketing pixels. There's no version of Mediora that follows you around the rest of the internet.

Where data is stored.

All Mediora customer data is stored in the European Union, primarily in our AWS Frankfurt region, with encrypted backups replicated to AWS Ireland for disaster recovery. Both regions are covered by the same European data-protection rules.

Some operational data — error logs, support transcripts, billing records — passes through the regions where our sub-processors operate, as listed in section 4. We use Standard Contractual Clauses and supplementary safeguards for any transfers that cross EU borders.

How long we keep data.

We keep data for as long as we need it to serve you well, and no longer. Specifically:

  • Account & profile data — kept for the life of your account, then deleted thirty days after closure.

  • Customer data (your equipment records, etc.) — kept until you delete it, or thirty days after account closure if you haven't.

  • Backups — purged on a rolling ninety-day cycle. Deleted records persist in backups for up to ninety days before they're gone for good.

  • Billing & invoice records — kept for ten years to satisfy Czech and EU accounting law.

  • Support transcripts — kept for two years, then deleted unless you ask us to delete them sooner.

  • Aggregated, anonymous usage data — kept indefinitely. This data cannot be tied back to a person or a customer.

International transfers.

Mediora is a Czech company, and our default storage region is the EU. When data needs to leave the EU — for example, to a sub-processor with global edge infrastructure — we rely on the European Commission's Standard Contractual Clauses, plus supplementary safeguards as required by the Schrems II ruling.

If you'd like a copy of the relevant SCCs or our Transfer Impact Assessment, write to privacy@mediora.com and we'll send them.

Children's privacy.

Mediora is built for healthcare and laboratory operations teams. The platform is not intended for, and we do not knowingly collect data from, anyone under sixteen. If you believe a child has provided us information, please contact us and we'll delete it promptly.

Changes to this policy.

We update this policy from time to time — usually because a regulation changed, a sub-processor moved, or we found a clearer way to phrase something. The Effective date and version number at the top of this page always reflect the current version.

For material changes — anything that meaningfully alters how we handle your data — we notify customers at least thirty days in advance, by email and in-app banner.

How to contact us.

Questions, requests, or just a polite suggestion that something here is unclear — we'd genuinely like to hear it. Privacy is one of the few topics where being told you got something wrong is good news.

Get started

Take the first step toward clearer mornings.

See your fleet, your services, and your customers — all in one place. Most teams see measurable improvement within three weeks.
