RULES FOR PROCESSING AND PROTECTING PERSONAL DATA IN CONNECTION WITH THE USE OF THE MEDDI MD APP

(hereinafter referred to as the "Rules")

MEDDI hub a.s., Na Florenci 2116/15, Nové Město, 110 00 Prague 1, ID No.: 062 30 458, registered at the Municipal Court in Prague, insert B 25071, email: info@meddihub.com (hereinafter referred to as "Operator" or "Data Controller"), is the Operator of the MEDDI MD application, available via the Internet server www.meddimd.com or as a downloadable mobile app on Google Play and the App Store (hereinafter referred to as "Applications"). The app is an online platform for the provision of health and health-related services that enables mutual electronic communication between Health Service Providers or Providers of therapeutic services on the one hand and registered users, i.e. recipients of services, on the other hand (hereinafter referred to as "Beneficiaries of services"). The subject of these communications is usually professional consultations and expert opinions concerning the health of Service Recipients, and these interactions involve encrypted secure transmission of data and other information.

These Rules govern all treatment of Users' personal data when using the Application, unless the specific entities have agreed otherwise. These Rules supplement the MEDDI MD Application Terms and Conditions, which are available in the Application or on the website www.meddi.com (hereinafter referred to as "OP"). Terms in these Rules beginning with capital letters shall have the same meaning as assigned to them in the OP, unless these Rules expressly provide otherwise.

The controller has appointed a data protection officer. The contact details of the data protection officer are:

  • Name of the delegate: Daniela Ševčíková
  • Email: daniela.sevcikova@meddi.com
  1. Who processes your personal data
    (data controller)

    The personal data of Users are processed by the Operator (identification data are listed above).
  2. How we obtain this personal data
    (sources of personal data)

    The Operator processes the personal data it obtains from Users (Data Subjects) on the one hand when setting up a User account in the Application (i.e. when registering in the Application) and on the other hand during the User's subsequent use of the Application. The Data Subject under these Rules cannot be a legal entity.

  3. What personal data is processed
    (categories of personal data)

    These Rules apply exclusively to the handling of data of Users who are natural persons. Operator, as Data Controller, processes:

    1. identification (in particular name, surname and residential or registered office address) and contact (in particular e-mail address, telephone number) personal data of Users, to the extent specified in the registration form when setting up (registration) and administration of individual User accounts in the Application,
    2. other personal data of Users that the Data Controller obtains when the User uses the Application, e.g. as part of Offers or Inquiries.

    Based on the User's consent given in the Application, location data of the device used may be processed in order to offer more relevant Offers and Requests.

    In the event that the User discloses any personal data of third parties in the Application, the User is obliged to do so only when complying with the conditions set out in the relevant legislation, including in particular, where applicable, obtaining consent to the processing of personal data from such entities.

    In the event that the User discloses any personal data in the Application that is not required of the User by the Operator, he/she does so entirely voluntarily. Due to privacy and technical the User is obliged to search for such personal data and notify the User of its disclosure, or to destroy the personal data.

    The Operator monitors and stores records of Users' activity and interactions with content placed on the Application in order to store, manage and archive them for further use by the User in the Application, in particular to satisfy Offers and Demands, including the conclusion of the relevant contract between the User and Service Recipient through the Application. Furthermore, records of User activity are stored for the purpose of improving the efficiency of the search for Service Recipients, customising the content of the Application and tracking the preferences of Users within a selected region. In this way, data on the frequency of visits to the Application, searches for passwords and displayed Offers and Inquiries and actions performed within the User's account.

  4. How we use personal data
    (purposes of processing personal data)

    1. Processing for the purpose of conclusion and performance of the Contract

      The data controller will process

      • Personal data specified in point III.a) for the creation of a User account (registration) and subsequent administration of the User's account in the Application,
      • The personal data referred to in point III.b) for the purpose of storage, management and archiving in case of further use at the User's request in the Application,
      • Personal data referred to in III.a) and III.b) for the purpose of fulfilling other contractual obligations of the Controller towards Users or Providers arising from the Contract, in particular the IP.

      The Operator uses personal data for the purpose of fulfilling its contractual obligations towards Users and Service Recipients, as regulated in particular in the OP. The personal data is thus used for the purpose of enabling viewing of the content of the Application, managing the User account, placing Offers and Requests, and interaction between the User and the Operator and between Users and Service Recipients to satisfy their Offers and/or Requests. At the same time, personal data is processed for the purpose of user support and, where applicable, other purposes regulated in the OP. The processing of personal data for these purposes is carried out by the Operator by the Provider only to the extent strictly necessary.

      Providers are provided with personal data provided by the User to the extent necessary for the negotiation and performance of the contract between Users and Providers through or with the assistance of the Application only after the personal data is disclosed by the User, or after the User authorizes the interaction with another User.

    2. Processing for marketing purposes

      The Operator uses the User's contacts for marketing and sending commercial communications only if the User gives the Operator his/her express consent to use the contact details for marketing purposes. The User gives his/her consent during registration or through his/her User account. The User confirms this consent via his/her e-mail.

      As part of marketing activities, the Operator contacts the User in connection with information about news regarding the Application and its features.

      In this case, the Operator uses the telephone number and/or e-mail address of the Users for communication, which the User fills in the Application for this purpose or sends messages directly via the Application.

      The provision of data for these purposes is entirely voluntary. You can revoke your consent to the processing of personal data for marketing purposes at any time, or change your preferences regarding the communications you receive, by clicking on the link at the bottom of each email message and selecting the appropriate settings or by a request sent to the Operator's email address.

  5. On what basis we process personal data
    (legal titles for processing personal data)

    The Operator processes personal data in the operation of the Application under the following titles:

    • Conclusion and performance of the Contract - Users' personal data are processed to the extent necessary for the possibility of concluding, performing and, where applicable, enforcing claims arising from the Contract concluded with the Operator;
    • Consent - The Operator is entitled to process personal data if you have given it your express consent to process them for a specific purpose, for the duration of the validity of such consent, or until such consent is withdrawn; processing of personal data on the basis of consent occurs in particular when personal data are processed for the purposes of marketing activities;
    • Legitimate interests of the Operator - personal data may also be processed in cases where certain processing is a legitimate interest of the Operator and at the same time such processing does not adversely affect the User's rights and freedoms to privacy; the processing of personal data may take place in particular for the purpose of ensuring the protection and security of Users.
  6. Who we provide your personal data to
    (recipients of personal data)

    At the Operator, personal data are processed only by employees (who are in an employment or similar contractual relationship with the Operator) and by persons cooperating with the Operator on the basis of civil law contracts.

    The Operator transfers personal data to other controllers or processors only if this is necessary for the fulfilment of the individual purposes of the processing, in accordance with the relevant legal basis for the processing of personal data. In particular, the Operator transfers personal data to external legal, economic and accounting consultants, external entities providing server, cloud or IT services to the Data Controller, entities operating payment instruments, e.g. GOPAY, etc. Personal data may also be transferred on the basis of legislation to the relevant public authorities.

    The Operator does not transfer the processed personal data to a third country or an international organisation.

  7. Period of processing of personal data

    Personal data, in particular basic personal data obtained during registration and data on the process of processing the Offer, are processed for a period of 6 months after the expiry of the registration, in particular for the purpose of processing complaints. If the applicable legal regulations stipulate a longer period in a specific case, the personal data are processed for this period (for example, personal data on invoices are processed for 5 years).

  8. Automated individual decision-making, including profiling

    The processing of personal data will not involve automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR.

  9. Cookies

    The Operator does not store data, or access data stored, in Users' end devices in an automated manner, even with regard to the storage of technical files.

  10. How personal data is secured

    The handling of personal data is carried out in full compliance with the applicable data protection legislation. The Operator places great emphasis on the technical and organisational security of the processed data when processing personal data. The Operator has put in place and maintains the necessary appropriate technical and organisational measures, internal controls and processes to ensure information security in accordance with best commercial practice, corresponding to the potential risk to the User. The Operator shall take into account the state of technological development in order to protect the User's personal data against accidental loss, destruction, alteration, unauthorised disclosure or access. These measures may include, but are not limited to, measures to ensure physical security, the adoption of reasonable steps to ensure accountability, and training of employees who have access to User Data, regular backups, data recovery and incident management procedures, software protection of equipment on which personal data are stored, and other measures.

    In order to ensure compliance with the Rules, an internal data protection policy has been adopted, and organizational and technical security measures have been implemented at the Operator to protect the personal data processed.

    All personal data is stored on electronic storage. Access to the storage is also password protected, and communication with the database is encrypted. Within the Operator, only those who have an immediate need to handle personal data have access to it.

    Within the framework of these measures, all employees of the Operator and persons cooperating with the Operator on the basis of civil law contracts are bound by the obligation of confidentiality. The same level of protection in the processing of personal data is also required from our processors.

  11. What rights the user has in relation to the processing and protection of personal data

    You can apply to the Operator in connection with the processing of your personal data under the following conditions set out in Articles 15 to 22 of the GDPR:

    • Right to withdraw consent to the processing of personal data

      You may withdraw your voluntary consent to the processing of personal data at any time free of charge. Withdrawal of consent does not affect the processing of personal data that the Operator processes on a legal basis other than consent, i.e. in particular if the processing is necessary for the performance of a contract, a legal obligation or for other reasons specified in applicable law.

    • Right of access to personal data processed

      As part of your right of access to personal data, you can obtain the following information: whether your personal data are being processed by the Operator, for what purpose and what personal data are being processed, whether the personal data are transferred to other recipients, for how long personal data are processed and information about your rights in relation to the personal data processed. At the same time, you have the possibility of obtaining a copy of the personal data processed.

    • Right to rectification of personal data processed

      As part of the right to rectification of personal data processed, you have the right to request rectification or completion of your incorrectly or incompletely processed personal data. We take reasonable measures to keep your personal data accurate and up to date. You can always contact us to ask whether we are still processing your personal data.

    • Right to erasure of personal data processed

      If you contact us with such a request, we will delete all your personal data that we hold without undue delay, unless we no longer need your personal data to perform our contractual or legal obligations or to protect our legitimate interests as described above. You are always entitled to request deletion of the personal data processed if the Operator's legal basis for processing it is your prior consent.

    • Right to restriction of processing of personal data

      You are entitled to ask the Operator to limit the scope of processing of your personal data in the following cases: (i) you contest the accuracy of the personal data processed - the processing may be limited until decision, (ii) the processing is unlawful, but you only request the restriction of processing, not complete erasure, (iii) the controller no longer needs the personal data for the establishment, exercise or defence of legal claims or (iv) you have objected to the processing of personal data and this request has not yet been dealt with by the Operator.

    • Right to portability of processed personal data

      You are entitled to request the Operator to transfer your processed personal data in a structured, commonly used and machine-readable format for the purpose of subsequent transmission to another controller. Alternatively, you have the right to request, in technically feasible cases, that they be transmitted directly to another administrator. This right may only be exercised on condition that such a request does not adversely affect the rights and freedoms of other persons and is technically feasible.

    • Right to object to the processing of personal data

      You have the right to object in cases where your personal data is processed by the Operator on the basis of the legal title "legitimate interests of the controller" pursuant to Article 6(1)(f) GDPR. The Operator is not entitled to further process your personal data after the objection has been lodged, unless it proves compelling legitimate grounds for further processing which override your interests, rights and freedoms, or demonstrates the necessity of further processing for the establishment, exercise or defence of legal claims. In the case of personal data processed for direct marketing purposes, you may object at any time and the Operator will no longer process the personal data for this purpose.

      You are entitled to exercise the above rights with the Operator in the following ways:

      • a request in written documentary form (with an officially certified signature) delivered to the Operator's address; or
      • a request in written electronic form (e-mail with a recognised e-signature) delivered to the following e-mail address of the Operator; or
      • a request in written electronic form (data message) delivered to the Operator's data box; or
      • requests in written electronic form from the email address that is listed in your user profile.

      According to the legislation (Article 12 of the GDPR), the Operator is obliged to clearly identify the applicant when dealing with the request. In the event that you submit a request in a form other than that required above, you will be asked by the Operator to unambiguously identify yourself by providing proof of identity or by resubmitting the application using one of the methods required above. This is a precautionary security measure to prevent unauthorised persons from accessing your personal data.

    • Complaint against the processing of personal data

      If you believe that the processing of your personal data by the Operator has violated the rules for the protection of personal data set out in the legislation (GDPR), you have the right to object to such processing file a complaint with the Office for Personal Data Protection, located at Pplk. Sochora 27, 170 00 Prague 7, website of the Office: www.uoou.cz.

  12. Update of the rules on processing and protection of personal data

    We may modify or update these Rules from time to time. Any changes to these Rules will become effective upon their posting on the Application.

These Rules are valid and effective from 29.3.2024

MEDDI hub a.s.