Our privacy policy

Read our Privacy Policy and make sure everything stated in it suits you. We take your privacy very seriously,
which is why this document is detailed.
01
DATA COLLECTION AND USAGE

On the Meddox mobile application and on the Meddox.com website, user data is collected
and used in accordance with the services for which the user has registered and based on
the Act on Prohibition and Prevention of Unregistered Activities. In addition to the
aforementioned regulations, we have harmonized the application and our services with all
applicable regulations.
The processing of personal data is voluntary, it occurs after the decision to use the
application. The above is not the only situation when data is processed, therefore it is
important that you read this document so that it becomes clearer to you when, how and
why your data as a user or Data Subject is processed.
The Meddox mobile application, as well as the Meddox.com website, are compliant with
the European General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679.
(further: Regulation)

02
WHAT DOES THIS PRIVACY POLICY APPLY TO?

This Privacy Policy applies to the Meddox mobile application and the Meddox.com website
and the services they provide, as well as the security and privacy of data collected from
natural persons who register on the Meddox application (personal data that can be used to
identify a natural person ) or who visit the Meddox.com website.
For personal data covered by this Privacy Policy, the Data Controller is Meddox digital d.o.o.
whose seat is in the Republic of Croatia.
You can contact the Data Protection Officer at complaint@meddox.com or by writing to the
address of the headquarters - Ulica grada Vukovara 269F, Zagreb, with the indication „Data
Protection Officer''.

03
DATA COLLECTION

We collect your personal information when you access the Meddox.com website, download
the application, create an account and when you use the application.
Registration on the Meddox application enables the entry, archiving and display of certain
data and the sharing of documents. When registering on Meddox, the user enters their
data such as:
● Name (name is required for user identification),
● Surname (surname is required for user identification),
● E-mail (e-mail is required for registration and communication with the user),
● Password or PIN (password or PIN is required to protect user profile and user data),
● Date of birth (date of birth is required for the accuracy of reference intervals of medical-
biochemical parameters),
● Gender (gender is required for accuracy of reference intervals of medical-biochemical
parameters).
In addition to the above data on the user profile, the user can additionally enter:
 Blood type
 Smoking status
 Weight
 Height
 Identification number of the insured
 Information about family members
 Information about the doctor/doctors
 Information about health examination
 List of medicines and their dosage

As you can see, there is the possibility of entering data into the application that is not
necessary for the basic functioning of the application, but is necessary for the accuracy of
the analysis. In addition to the accuracy of the analysis, the user can enter some data to
make it easier for him to function regularly and act with a lot of examinations and/or
medicines that need to be taken, which he may forget. The above is the reason why we
enable users to enter medical documentation, health data (for example, symptoms and
time of taking medication, daily notes), information about their doctor, etc. By filling in the
mentioned data, the user can calendar when he has examinations, when he has to take and
what medicines, how many pills he has left, etc. The user decides on the use of
notifications, as well as the calendar, independently and voluntarily, all depending on his
own needs.

All data that the user stores in the Meddox application is protected by a password, or PIN,
set by the user. The user is able to choose a password via PIN.
To summarize, the following data can be collected using the Meddox app:
● Technical data about the devices used to access the Meddox application or website.
● Type of connection used (fixed and/or mobile connection).
● The operating system that the user uses when accessing the Meddox application or
website.
● Browser type.
● Other data that is necessary to provide the best possible user experience and to resolve
possible system errors.
● Other data that the user stores in the Meddox application.
In contrast to the data in the application on the Meddox com website, data is collected on
the user's IP address, geolocation, data on users who choose to contact us via the contact
form or contact information published by Meddox on the website. In addition to the above,
data is also collected from the cookies that Meddox uses on the Meddox.com website,
which you can read more about in our Cookies Policy.

04
METHOD OF DATA COLLECTION

We divide the ways in which the Meddox app collects data into:
● Data entered by the user during registration,
● Data entered by the user when filling out the user profile,
● Data that the user enters into the application,
● Data that the user leaves when contacting customer support or the e-mail address listed
on the portal,
● Data that the user leaves when filling out surveys.
● Data that the user leaves when subscribing to the newsletter.

05
COOKIES

The Meddox app and website also collect data through the use of cookies and similar
technologies. More information about the cookies used can be found in our Cookie Policy.
It is important for us that you know that you can always change your mind about the
selected categories of cookies via a pop-up window or here.

06
USE AND SHARING OF DATA

User data is used for:
● Using the functionality of the Meddox application (connection to reference intervals of
medical biochemical parameters, etc.)
● Application communication with users (new messages on the application or website and
conversations with user support, etc.),
● Analyzes and reports of group anonymized indicators or statistical reports.
● Educational purposes, scientific research purposes and patient behavior statistics
● Sending information through newsletters or other selected channels about public health
events, new functionalities of the application, new treatment methods, etc.
If your personal data is shared for scientific purposes or based on legitimate interest, the
processing of health data will be carried out in accordance with the rules of the Regulation,
and in particular with Article 9, paragraph 2, point j. Regulation (processing for the
purposes of scientific research), i.e. Article 6, paragraph 1, point f. Regulation (needs of the
legitimate interest of the Data Controller or a third party).
Personal data is generally collected directly from you as a user when you enter it in the
application or when you visit the website and select one of the functionalities through
which some categories of your personal data are directly and voluntarily collected.
We provide you with the ability to share medical/health information with others (via a link
or email or directly through the application). In the latter case, the data is protected by a
password known only to you and the person with whom you share the data (e.g. a doctor).
Data that Meddox collects from its users is also shared with the services it uses for the
purpose of improving the service or to fulfill certain obligations that must be fulfilled in

accordance with applicable regulations, and for Meddox it is fulfilled by third parties as its
business partners.
Services used to improve the application are also called Data Processors:
● Google Analytics, Firebase and Hotjar, QuickSight (providers of analytical tools),
● Sendgrid (providers of communication service with customer support via e-mail window
and other communication channels),
● Plava tvornica d.o.o. (development, program support and administration),
● Azikus d.o.o. (development and maintenance of mobile application)
● Jutro obrt (marketing campaign activities on digital channels Google ads and Facebook)
● Marketing inteligenija d.o.o. (digital marketing)
● Pimcore data storage and reporting system.
● Presido d.o.o. (external Data Protection Officer).
Meddox can use the anonymized data to create and distribute reports based on a sample or
for a certain period of time, in accordance with the European Regulation on the Protection
of Personal Data, data protection principles that do not apply to the processing of personal
data that have been made anonymous in such a way that the identity of the Data Subject
cannot be determined .
In the event that you have an inquiry regarding the protection of personal data, especially
when you send us a request to exercise one of your rights, we will share the request and/or
other inquiry with our external Data Protection Officer.

07
LINKS TO WEBSITE AND SERVICES

Content published by Meddox may occasionally contain links to third-party websites and
services (social networks, blogs, advertiser email). The Privacy Policy applicable to the
Meddox mobile application and the Meddox.com website does not apply to such external
services.
In order to make it easier for you to exercise your rights from third parties whose privacy
policies Meddox cannot influence, we list the most important links as well as the contacts
of their data protection officers.

https://policies.google.com/privacy,
https://www.apple.com/legal/privacy/en-ww/,
https://hr-hr.facebook.com/privacy/explanation/
Data collected by Google, Apple and/or Meta Platforms may include unique identifiers,
browser type and settings, device type and settings, operating system, mobile network
information (including operator name and phone number) and application version number,
application interaction data , browser and device, including IP address, crash reports,
system activity, and the date, time, and URL of referral requests.
Meddox cannot influence the processing of personal data by Google, Apple and/or Meta
Platforms, as a result of your use of the mentioned tools. Be careful because you may be
using the services of other such similar service providers.

08
RECIPIENTS OF PERSONAL DATA AND TRANSFER OF PERSONAL DATA

We may provide your personal data to our trusted partners who maintain the application
and IT system or provide services on behalf of Meddox. For example, marketing, finance,
advertising, payment processing, delivery and other services. Service providers are obliged,
according to relevant contracts, to use entrusted data only in accordance with our rules and
exclusively for strictly declared purposes. They are also obliged to adequately protect your
personal data and keep it as a professional secret. Read more about our partners under ˝06
Use and sharing of data˝.
As a Data Controller, Meddox cares about the protection of your data. We inform you that
there is a possibility that your personal data may be transferred to third countries, namely
the USA, because tools such as Google Play and the App Store are used, which are based in
the USA.
Meddox has taken all technical and organizational measures to determine whether data is
transferred, but we cannot determine with certainty whether your personal data is
transferred to third countries.

09
LEGAL FRAMEWORKS

The Meddox app and website are subject to various laws and may share the data of its
users at the request of a government authority or some other form of legal obligation.

In the event of a reorganization or transfer of ownership of the Meddox application and
website, we have the right to transfer the user's personal data to an involved third party
that will protect it at least to the same extent as we do in this Privacy Policy.
The Meddox app is not subject to the Medical Products Act.

10
USER RIGHTS

The user has the right to:


● Information on what his personal data is used for.
● Access to personal data - the user has the possibility to access his personal data in the
user profile at any time.
● The right to correction - the user can correct his personal data in the user profile at any
time.
● The right to deletion - the user can delete his profile from the Meddox application at any
time.
● The right to limit processing - the user has the right to demand that his data be used
exclusively for the purpose for which he gave his consent.
● The right to complain - the user can send a complaint at any time to
complaint@meddox.com.
● Rights related to automatic decision-making - the user has the right to clarification of his
rights in case of automated decision-making or profiling.
● Responsibility and management - the user has the right to be informed about the
responsibilities and management of his personal data.
● Breach reporting - the user has the right to be notified in case of any breach of personal
data privacy.

The user can change, correct or delete data in his user profile at any time. Likewise, the
user has the right to have the entered personal data forgotten by the Company, that is, to
delete the profile. If the user wants to delete his profile, he must do so in the application
settings by clicking on Delete profile or send an e-mail with a request to the e-mail address
complaint@meddox.com, after which he will receive a notification about the deletion of his
data. Once a profile has been deleted, it is not possible to restore it or access its data.

Changing the e-mail for user registration is possible with a written request that must be
sent to the e-mail info@meddox.com. Upon receipt of the request, you will receive further
instructions on the possibility of changing your e-mail.
If you would like to learn more or exercise any of the above rights, please feel free to
contact our Personal Data Protection Officer at complaint@meddox.com
If you believe that your rights have been violated, you have the right to file a complaint with
the supervisory authority. With regard to the headquarters and place of decision-making,
the competent supervisory body is located in the Republic of Croatia (Personal Data
Protection Agency).

11
BASIS OF DATA PROCESSING

When selecting cookie categories in the pop-up window that appears on the website, the
user gives consent. Exceptionally, consent is not a legal basis in the case of necessary
cookies, without which it is not possible to operate the website, especially in the manner
expected by our users or Data Subjects.
When registering in the application, users accept the Terms and Conditions of use of the
application and this Privacy Policy. The Cookies Policy is part of the Privacy Policy.
In addition to the above, the legal basis for data processing is processing in accordance with
Article 9, paragraph 2, item j. Regulation, that is, processing for the purposes of the
legitimate interest of the Data Controller or a third party, in accordance with Article 6,
paragraph 1, point f. Regulation.
We may also process your personal data if this is necessary to comply with a legal obligation
to which we are subject.
In the event that additional consent is required for the processing of personal data, the
Data Controller will require such consent.

12
STORAGE OF PERSONAL DATA

Your personal information that is collected will be stored in a secure environment and is
protected from any unauthorized access, disclosure, use, alteration or destruction by any
organization or individual.
Data collected for the purposes specified in this Privacy Policy is stored only for as long as is
necessary for the specified purposes. Your personal data will not be kept in a form that

allows your identification for longer than Meddox reasonably considers necessary to fulfill
the purpose for which the data was collected and processed. Meddox will store certain
personal data for the period determined by law or regulation that obliges Meddox to store
data (for example, data from your request to exercise the right to deletion will be kept for 5
years from the resolution of the request).
Meddox stores personal information until the user or application administrator deletes the
account.
Personal data may be processed until the end of judicial, administrative or extrajudicial
proceedings, including the deadline for submitting legal remedies.

13
PRIVACY POLICY CHANGES

The company, as a Data Controller, reserves the right to change the Privacy Policy. With the
date of change, the modified Privacy Policy comes into force. The new Privacy Policy will be
published on the official website of Meddox.com
Zagreb, 20.02.2023.