Skip to main content

Privacy Policy — Medzi App

Last updated: 14 July 2026

Versão em Português

1. Who we are

The Medzi mobile application (“the App”) is provided by Tiago Gouveia Cunha, Unipessoal Lda, based in Lisbon, Portugal (“Medzi”, “we”), a provider of clinic-management software. The App is a professional tool intended exclusively for healthcare professionals working at clinics that are Medzi customers, for use in their professional activity.

This policy applies specifically to the App. Data processing on the medzi.io website is governed by the general privacy policy.

For privacy matters, contact us at privacy@medzi.io.

2. Scope

This policy describes the processing of personal data carried out through the App. The App is not intended for patients or the general public: access requires a professional account provisioned by the clinic.

3. Data we process

3.1 User data (healthcare professional)

  • Identity and account: name, professional email address and user identifier, managed through the clinic’s authentication system.
  • Technical data: device identifier for push notifications and technical error logs, which may include device model and operating-system version.

3.2 Patient data displayed in the App

The App displays clinical and administrative patient data to the healthcare professional (agenda, patient record, treatments, notes). This data belongs to the clinic, which acts as data controller; Medzi acts as data processor under the service agreement and Article 28 GDPR. The App does not collect patient data from the device — it only displays it to authorised professionals.

4. Purposes and legal basis

  • Authentication and access control (performance of contract; legitimate interest in ensuring security);
  • Displaying the agenda and clinical information to the authorised professional (performance of the contract with the clinic);
  • Error diagnosis and improving the App’s stability (legitimate interest);
  • Notifications related to clinical activity (performance of contract).

We do not use the data for advertising, do not sell it, and do not carry out profiling.

5. Storage on the device

  • Session credentials (tokens) are stored in the system’s secure storage (Keychain/Keystore), protected by biometrics when enabled; biometric data never leaves the device and is not accessible to Medzi;
  • Recently viewed agenda data may be temporarily cached on the device for offline viewing;
  • On sign-out, tokens are removed from the device.

6. Sharing and sub-processors

Data travels between the App and Medzi’s servers over encrypted connections (TLS). We use infrastructure and monitoring sub-processors (hosting in the European Union; error monitoring). We do not transfer health data outside the European Economic Area.

7. Retention

Technical error logs are retained for limited periods. Clinical data is retained by the clinic in accordance with the legal obligations applicable to clinical documentation; the App does not set its own retention periods for that data.

8. Your rights

As a professional user, you may exercise your GDPR rights (access, rectification, erasure, restriction, objection and portability) by contacting privacy@medzi.io. Patients should exercise their rights with the clinic where they are treated, which is the controller of their data. You also have the right to lodge a complaint with the Portuguese supervisory authority, CNPD (www.cnpd.pt).

9. Security

We apply appropriate technical and organisational measures, including strong authentication, permission-based access control, encryption in transit, audit logging of clinical changes and environment segregation.

10. Changes

We may update this policy; the date of the last update is shown at the top. Significant changes will be communicated through the App or the clinic.