Privacy Policy

1. Who we are

MedReady ("MedReady", "we", "us", "our") operates the website at medready.io and the MedReady training platform. We are a company incorporated in Sweden. Our primary contact for privacy matters is hello@medready.io.

As a service processing personal data of individuals in the European Union and European Economic Area, we are subject to the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679.

2. Data we collect and why

2.1 Waitlist registration

When you join our waitlist, we collect:

• Email address — to send you your confirmation and notify you when early access opens. Legal basis: legitimate interest (pre-contractual communication) and your consent.
• Role chip selection (e.g. "Corporate Traveler", "Healthcare Professional") — optional, helps us prioritize which features to build first. Legal basis: your consent.

2.2 Training platform usage

When you use the MedReady training platform (available to early access users), we collect:

• Training performance data — scenario completion, decisions made, time taken, scores, and module progress. Used to provide you with performance feedback, certificates of completion, and to improve the platform.
• Account information — name, email address, and optionally your role and organization. Used for authentication and to personalize your experience.
• Technical data — browser type, operating system, general location (country/region), and session timestamps. Used for platform reliability, security, and aggregate analytics. We do not collect precise geolocation.

2.3 Language preference

Your language preference (English or Swedish) is stored in your browser's localStorage. This is a client-side storage mechanism — the data never leaves your device and is not accessible to us.

3. Cookies and local storage

MedReady uses no tracking cookies and no advertising cookies.

We use only:

• localStorage (essential) — to store your language preference (medready_lang) and your cookie consent choice (cookie_consent). These are stored only in your browser and are not transmitted to our servers.
• Session cookies — when you are logged in to the platform, a session token is stored to keep you authenticated. This is deleted when you log out or the session expires.

We do not use Google Analytics, Meta Pixel, or any third-party advertising or behavioral tracking services.

4. Third-party processors

We currently use the following infrastructure providers to operate the service:

• Cloudflare — DNS, CDN, DDoS protection, and edge computing (including Cloudflare Workers for the waitlist API). Cloudflare may process request metadata (IP address, headers) as part of traffic routing. Cloudflare is GDPR-compliant and provides Standard Contractual Clauses.

We do not currently use any other third-party processors for storing or processing personal data. As the platform grows, this list will be updated and you will be notified of material changes.

5. Data retention

• Waitlist data — retained until you request deletion or until 12 months after the platform launches without you converting to a registered user.
• Account and training data — retained for the duration of your account plus 90 days after account deletion, to allow recovery and resolve disputes.
• Certificates of completion — retained for 3 years, as these may be required for audit and compliance purposes by your employer.

6. Your rights under GDPR

If you are located in the EU/EEA, you have the following rights:

• Right of access — you may request a copy of the personal data we hold about you.
• Right to rectification — you may request that we correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten") — you may request deletion of your personal data, subject to legal retention requirements.
• Right to restriction of processing — you may ask us to limit how we use your data in certain circumstances.
• Right to data portability — you may request your data in a structured, machine-readable format.
• Right to object — you may object to processing based on legitimate interest.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at hello@medready.io. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. In Sweden, this is the Integritetsskyddsmyndigheten (IMY).

7. International transfers

MedReady's primary infrastructure is operated within the EU/EEA. To the extent any data is processed outside the EEA (e.g. through Cloudflare's global network), appropriate safeguards are in place including Standard Contractual Clauses as required by GDPR Chapter V.

8. Data security

We implement appropriate technical and organizational measures to protect your personal data, including:

• Encrypted data transmission via HTTPS/TLS
• Access controls limiting who can access personal data
• Regular review of security practices
• No storage of unencrypted passwords

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

9. Children

MedReady is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately.

10. Changes to this policy

We may update this policy as the platform evolves. Material changes will be communicated to registered users by email and to all visitors via a notice on the website. The "Last updated" date at the top reflects the most recent revision. Continued use of the service after changes constitute acceptance of the revised policy.

11. Contact

For privacy questions, requests, or concerns:

• Email: hello@medready.io
• Subject line: "Privacy Request — [Your name]"
• Website: medready.io

See also: Terms of Service