    Legal

    PRIVACY POLICY

    Last Updated: February 2026

    This Privacy Policy explains how Medicalix Ltd.,
    6 Hashfels St., Kochav Yair 4486400, Israel
    ("Medicalix", "we", "us", "our") processes personal data in connection with the ExcursionAssess AI platform (the "Service").

    This Policy applies to users of the Service and visitors to our website.

    1. Our Role Under Data Protection Laws

    Depending on the context, Medicalix may act as:

    1.1 Data Controller

    For:

    • Account registration data
    • Billing and subscription data
    • Website analytics
    • Customer support communications

    1.2 Data Processor

    For:

    • Product stability data entered by Customers
    • Excursion documentation
    • Uploaded files
    • Operational documentation within the platform

    In such cases, the Customer organization is the Data Controller and Medicalix acts solely on documented instructions.

    Enterprise customers may enter into a separate Data Processing Agreement (DPA).

    2. Categories of Personal Data We Collect

    We may collect the following categories:

    2.1 Account Information

    • Name
    • Work email address
    • Organization name
    • Role/title
    • Encrypted password
    • Account preferences

    2.2 Organization Information

    • Company name
    • Business address
    • Billing details (processed via FastSpring)

    2.3 Platform Data

    • Product identifiers
    • Batch numbers
    • Excursion data
    • Stability data
    • Temperature logger files
    • Audit logs
    • User activity logs

    Note: The platform is not intended for patient health data. Customers should not upload unnecessary personal data.

    2.4 Technical Data

    • IP address
    • Browser type
    • Device identifiers
    • Log data
    • Authentication tokens
    • Usage metrics

    2.5 Support Communications

    • Emails
    • Support tickets
    • Meeting records (if applicable)

    3. Lawful Bases for Processing (GDPR)

    Where GDPR applies, we rely on the following legal bases:

    Purpose                      Legal Basis
    Providing the Service        Contract performance
    Account management           Contract performance
    Security monitoring          Legitimate interest
    Fraud prevention             Legitimate interest
    Analytics (non-essential)    Consent
    Legal compliance             Legal obligation
    Service improvement          Legitimate interest

    4. How We Use Personal Data

    We use data to:

    • Provide and maintain the Service
    • Authenticate users
    • Process excursion assessments
    • Generate reports
    • Maintain audit logs
    • Improve functionality
    • Monitor system security
    • Communicate updates
    • Comply with legal obligations

    We do not sell personal data.

    We do not use Customer Data to train public AI models.

    5. AI Data Usage Transparency

    Customer-entered data may be processed by internal AI systems solely to generate analytical outputs within the platform.

    We do not:

    • Use Customer Data to train external AI systems
    • Share Customer Data with third parties for model training
    • Monetize Customer Data

    Anonymized and aggregated data may be used for platform improvement.

    6. Data Sharing and Sub-Processors

    We may share data with trusted service providers, including:

    • Hosting providers
    • Cloud infrastructure providers
    • Authentication providers
    • Analytics providers
    • Customer support systems
    • FastSpring (Merchant of Record for billing)

    All sub-processors are contractually bound to confidentiality and data protection obligations.

    We may disclose data:

    • When required by law
    • In response to lawful requests
    • To protect legal rights

    7. International Data Transfers

    Your data may be transferred outside your country of residence.

    Where required by law, we implement safeguards such as:

    • Standard Contractual Clauses (SCCs)
    • Adequacy decisions
    • Contractual data protection commitments

    Data may be processed in Israel, the EU, the US, or other jurisdictions where our service providers operate.

    8. Data Security

    We implement appropriate technical and organizational measures, including:

    • Encryption in transit (TLS)
    • Encryption at rest
    • Role-based access control
    • Multi-factor authentication support
    • Tenant isolation architecture
    • Security monitoring
    • Access logging
    • Periodic security assessments
    • Staff confidentiality agreements

    However, no system can guarantee absolute security.

    9. Data Retention

    We retain personal data only as long as necessary for:

    • Contract performance
    • Legal compliance
    • Security monitoring
    • Legitimate business purposes

    Account data may be retained after termination where required for legal or audit purposes.

    Customers are responsible for regulatory record retention obligations under GDP/GMP.

    10. Your Rights

    Where applicable (including under GDPR), you may have the right to:

    • Access your personal data
    • Rectify inaccurate data
    • Request erasure
    • Restrict processing
    • Object to processing
    • Request data portability
    • Withdraw consent (where processing is consent-based)

    Requests may be submitted to: support@excursionassess.com

    We may verify identity before responding.

    11. Israeli Privacy Law

    Medicalix complies with applicable Israeli privacy legislation, including the Protection of Privacy Law, 1981.

    12. U.S. State Privacy Laws

    Where applicable, individuals may have additional rights under U.S. state laws (e.g., CPRA), including:

    • Right to know
    • Right to delete
    • Right to correct
    • Right to opt-out of sale (not applicable, as we do not sell data)

    13. Children's Data

    The Service is intended exclusively for professional use.

    It is not intended for individuals under 18 years of age.

    14. Cookies and Tracking

    We use cookies and similar technologies as described in our Cookie Policy.

    Strictly necessary cookies are required for authentication and security.

    Non-essential cookies require consent where applicable.

    15. Changes to This Policy

    We may update this Privacy Policy periodically.

    Material changes will be communicated via email or in-app notice.

    Continued use of the Service constitutes acceptance.

    16. Contact Information

    For privacy-related inquiries:

    Medicalix Ltd.
    6 Hashfels St., Kochav Yair 4486400, Israel
    Email: support@excursionassess.com

    Why This Version Is Enterprise-Grade

    This updated policy:

    • Clarifies controller vs processor roles
    • Supports enterprise DPA negotiation
    • Protects against AI training misuse allegations
    • Reduces regulatory misrepresentation risk
    • Aligns with GDPR Articles 13 & 14
    • Addresses Israeli law
    • Anticipates US state law
    • Avoids overpromising "compliance guarantees"
    • Positions you as security-conscious without assuming liability