Privacy Policy
Last updated: February 2, 2026
Your privacy is important to us. This Privacy Policy explains how MedWeb collects, uses, stores, and protects your personal data, in compliance with the General Data Protection Regulation (GDPR).
1. Data Controller
The data controller for your personal data is the entity operating MedWeb. To exercise your rights or ask questions about this policy, you can contact us at privacy@medweb.site.
2. Personal Data Collected
We collect the following types of personal data:
- Authentication data: Email and session data required to access your account.
- Professional profile: Name, medical specialties, professional email, phone, photograph, and biography.
- Locations: Addresses, cities, and GPS coordinates of where you practice.
- Payment data: Payment information securely processed through Stripe.
- Usage metrics: Pageviews and unique visitors to your website.
- Images: Uploaded photographs and AI-generated professional images.
- Messages: Content of chat conversations for profile editing.
3. Legal Basis for Processing
We process your data based on the following GDPR legal bases:
- Consent: For analytics cookies and marketing communications.
- Contract performance: To provide the service you subscribed to.
- Legitimate interest: To improve the service and ensure platform security.
4. Cookies and Similar Technologies
We use the following cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| locale | Store language preference | 1 year | Functional |
| medweb_visitor | Website visit tracking | 30 minutes | Analytics |
| authjs.session-token | Maintain authenticated session | Session | Essential |
5. Third-Party Sharing
We share data with the following service providers:
- Supabase: Authentication and database (EU).
- Stripe: Secure payment processing (PCI-DSS certified).
- Google Gemini: AI-generated professional images (Google).
- Anthropic/OpenAI: Natural language processing for chat editing.
- Cloudflare: Hosting, CDN, and domain management.
- Resend: Transactional email delivery.
6. International Transfers
Some of our service providers may process data outside the European Economic Area (EEA). In such cases, we ensure adequate safeguards exist, such as Standard Contractual Clauses approved by the European Commission or adequacy decisions.
7. Retention Period
We retain your data as long as you maintain an active account on MedWeb. After account cancellation, data is deleted within 30 days, except when legal obligations require retention for a longer period (e.g., billing data for 7 years).
8. Your Rights
Under GDPR, you have the following rights:
- Right of access: You can request a copy of your personal data.
- Right to rectification: You can correct inaccurate or incomplete data.
- Right to erasure: You can request deletion of your data ("right to be forgotten").
- Right to portability: You can receive your data in a structured format and transfer it.
- Right to object: You can object to processing based on legitimate interest.
- Right to restriction: You can request restriction of processing in certain circumstances.
If you believe your rights have not been respected, you can file a complaint with the Portuguese Data Protection Authority (CNPD) or your local supervisory authority.
9. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or destruction. This includes encryption in transit (HTTPS), access controls, security monitoring, and regular backup procedures.
10. Changes to this Policy
We may update this Privacy Policy periodically. Substantial changes will be communicated by email or through the platform before taking effect. The last update date is indicated at the beginning of this document.
11. Contact
For questions about this Privacy Policy or to exercise your rights, contact us at privacy@medweb.site.