Privacy Policy
Your personal data privacy is of utmost importance to us at Medi-Chat.Ai. We handle your
personal data confidentially and in compliance with applicable data protection laws, particularly the EU General Data
Protection Regulation (GDPR), and—where relevant—other international data protection regulations such as the California
Consumer Privacy Act (CCPA). In this Privacy Policy, we inform you about what data we collect, how we use it, and the
rights you have concerning your data.
1. Data Collected
Depending on how you use our website and services, we collect and process various categories of personal data, including:
- Name and Email Address: Information you provide when registering a user account or contacting us.
- IP Address: Your device’s IP address is automatically recorded for technical and security reasons
whenever you visit our website.
- Payment Information: Data required for payment processing (e.g., credit card details, billing address),
usually collected directly by our payment service provider (e.g., Stripe).
- Chat Histories: Content from the chats you conduct via our service (messages, inquiries, and responses).
These can include personal data you voluntarily share in the chat.
- Cookies: Small text files stored on your device. We use only technically necessary cookies
(see “Cookies” section below).
2. Purposes of Data Processing
We process your data for various purposes, as outlined below. We only process personal data to the extent necessary for
these purposes:
- User Account Management: To allow for registration and management of user accounts, including login
authentication and customer support.
- Payment Processing: To handle payments for paid services or subscriptions on our platform.
- Security Measures: To ensure the security of our service and protect against misuse (for example,
using Google reCAPTCHA).
- Analysis of User Behavior: To evaluate the use of our service (in aggregated or pseudonymized form)
and improve our offerings based on usage insights.
- Improvement of the Service: To further develop and optimize our website and chatbot functionality
(e.g., by analyzing feedback or chat histories).
3. Legal Bases for Processing
We rely on the following legal bases under Article 6(1) GDPR when processing your personal data:
- Consent (Art. 6(1)(a) GDPR): If you have explicitly given us permission to process your data, we
process it based on this consent. You may withdraw your consent at any time with future effect.
- Contract Performance (Art. 6(1)(b) GDPR): We process your data to fulfill our contractual obligations
to you (e.g., creating and maintaining your account, processing payments).
- Legitimate Interests (Art. 6(1)(f) GDPR): In some cases, we process your data to protect our legitimate
interests or those of third parties (e.g., IT security, improving our service), provided your interests do not override
ours. You have the right to object at any time to processing based on legitimate interests if you have grounds relating
to your particular situation.
In certain situations, we may be subject to legal obligations (Art. 6(1)(c) GDPR) that require data processing (e.g., tax
regulations). If we process special categories of personal data (generally not required under normal circumstances), this
would be carried out under Art. 9(2) GDPR.
4. Data Disclosure to Third Parties
We do not disclose your personal data to unauthorized third parties. However, in providing our services, we work with
selected service providers who may need access to data for specific purposes (e.g., under a data processing agreement).
Below is a list of the third-party providers who may receive data:
- Stripe (Payment Processing): Stripe, Inc. (USA) or Stripe Payments Europe Ltd. (Ireland) for European
customers. Your payment details (e.g., credit card information) are processed by Stripe for payment purposes.
- OpenAI (Chatbot Functionality): The queries and chat content are sent to servers operated by OpenAI,
Inc. (USA) to generate appropriate responses. OpenAI acts as a technical service provider.
- Google reCAPTCHA (Security Measures): A service provided by Google LLC (USA) to identify automated
access (bots). This involves transmitting data to Google’s servers (see the “Data Transfer to Third Countries” section).
- IONOS (Hosting): Our hosting provider, responsible for storing server logs and website data. IONOS SE
is based in Germany and adheres to GDPR requirements.
- Additional Service Providers: For technical services (e.g., email sending, IT maintenance), we may
engage other trusted providers, which can change over time. All such providers are contractually obliged to comply with
relevant data protection regulations.
We do not sell your personal data to third parties. Data is disclosed only for the purposes and within the scope described
above.
5. Data Retention
We store personal data only as long as necessary to fulfill the stated processing purposes or as long as we have a
legitimate interest in retention. We also retain data if legal storage obligations apply (e.g., for tax regulations).
More specifically:
- User Account Data: Retained as long as your account is active. Once you delete your account, we
remove this data unless storage obligations apply.
- Chat Histories: Stored as long as your account remains active to provide you with the conversation
history and to improve our service. You may request deletion of specific conversations. After account deletion, chat
histories are deleted or anonymized unless there is a legitimate interest on our part.
- Payment Data: Due to commercial and tax regulations, we retain payment data for several years (e.g.,
7 years under Austrian law). We delete these records upon expiration of the applicable retention periods.
- Server Logs: Your IP address is logged when you access our website for security, error analysis,
and monitoring.
Once the purpose for retention ends or legal retention periods expire, the data is deleted or anonymized.
6. Rights of Data Subjects
Under the GDPR, you have the following rights regarding your personal data:
- Access (Art. 15 GDPR): The right to obtain information about the personal data we process and
the purposes of processing.
- Rectification (Art. 16 GDPR): The right to have incomplete or inaccurate data corrected.
- Erasure (Art. 17 GDPR): The “right to be forgotten,” unless legal or contractual retention
requirements prevent us from doing so.
- Objection (Art. 21 GDPR): If processing is based on legitimate interests, you may object at any
time for reasons relating to your particular situation.
- Restriction of Processing (Art. 18 GDPR): Under certain conditions, you have the right to request
restricted data processing.
- Data Portability (Art. 20 GDPR): The right to receive your data in a commonly used, machine-readable
format.
- Withdrawal of Consent (Art. 7(3) GDPR): You may withdraw any consent you have given at any time
with future effect.
- Complaint (Art. 77 GDPR): You have the right to file a complaint with a supervisory authority
if you believe your data is being processed in violation of the GDPR.
If you reside in California (USA), you may have additional rights under the California Consumer Privacy Act (CCPA),
such as:
- Right to Know About the Data Collected,
- Right to Request Deletion (with exceptions),
- Right to Opt Out of the Sale of Personal Information,
- Right to Non-Discrimination for exercising your CCPA rights.
If you wish to exercise any of these rights, feel free to contact us using the details provided below. Complete account
deletion is only possible if you do not have an active subscription. Please send your request to
support@medi-chat.ai.
7. Cookies
Our website uses only technically necessary cookies to ensure essential functions (e.g., login processes, session
management). These cookies do not create any extensive personal usage profiles, and—under current legal requirements
(e.g., ePrivacy Directive)—no cookie banner is required if only essential cookies are used.
You can block or delete these cookies in your browser settings. However, doing so may limit certain features or
functionality of our service.
8. Data Transfer to Third Countries
In the course of providing our service, personal data may be transferred to countries outside the European Union
(“third countries”), especially when using certain service providers (e.g., Google, Stripe, Apple, Microsoft, Amazon AWS,
OpenAI, Anthropic). We ensure that an adequate level of data protection is in place at the recipient’s location, for example,
through the use of EU Standard Contractual Clauses or other recognized safeguards.
Please note that if data is transferred to the United States or other countries, it may be subject to government access
under local laws. Where possible and reasonable, we take measures (e.g., encryption, contractual clauses) to fully protect
your data.
9. Controller
The party responsible for data processing on this website (medi-chat.ai) is:
Medi-Chat.Ai
Martin Harrer
Stadtplatz 34
4070 Eferding
Austria
As the controller, we determine the purposes and means of processing personal data.
10. Contact for Data Protection Requests
If you have any questions about this Privacy Policy or about how we handle your personal data, or if you wish to exercise
any of your rights (see Section 6), feel free to reach out to us at:
Email: support@medi-chat.ai
You may also contact us by postal mail at the address indicated above (see “Controller”). We will review your inquiry
promptly and respond in accordance with statutory requirements.
Last updated: February 2025. We reserve the right to amend this Privacy Policy as needed to reflect changes in
legal requirements or in our services. The current version can be found on our website.