Privacy Policy

Last updated: 2025-08-18

Controller: Tzepeloglou Christos (trading as “Medora”). Registered address: Lagkada 38, Thessaloniki, 54632, Greece. Contact: medora.ai.dev@gmail.com. EU establishment: Greece. DPO: not appointed at this time.

1) Roles

For account, billing, website and marketing data, Medora acts as a data controller. For Customer Content (text, images, files you submit in a workspace), Medora acts as a data processor on your documented instructions under our Data Processing Addendum.

We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you. If this changes, we will provide the information required by GDPR Articles 13–15 and 22.

2) Legal Bases (Art. 6) and Special‑category (Art. 9)

We process: (i) account/workspace data to perform a contract; (ii) service improvement and security logs under our legitimate interests; (iii) marketing with your consent; and (iv) compliance with legal obligations.

Where Customer Content includes health or biometric data, we process it (i) as a processor on your instructions where you (or your organization) have a valid Art. 9 condition, or (ii) as a controller with your explicit consent when you submit such content to us outside an organization workspace. We do not require special‑category data to provide the Service.

3) Research‑only use

The Service is provided for information and research purposes only. It is not intended or permitted for clinical decision‑making, diagnosis, or treatment. All outputs must be independently verified by a qualified professional before any real‑world use.

4) Model/data usage

We do not use Customer Content (prompts, images, chat history) to train or fine‑tune our models unless you opt in. We may process limited telemetry for abuse prevention and service integrity. Where third‑party endpoints are used, we disclose any retention they perform for abuse monitoring in our Subprocessors page.

5) International transfers

We transfer personal data outside the EEA where necessary. When we do, we rely on the European Commission’s adequacy decision for the EU‑US Data Privacy Framework and/or the 2021 Standard Contractual Clauses. Copies are available on request.

6) Rights

You have the rights of access, rectification, erasure, restriction, portability, and objection; the right to withdraw consent at any time; and the right to lodge a complaint with a supervisory authority. Contact medora.ai.dev@gmail.com. We respond within one month (extendable by two months for complex requests). You may contact the Hellenic DPA.

7) Breach notices

If a personal data breach occurs, we will notify the competent authority within 72 hours where required and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

8) Cookies & tracking

We use strictly necessary cookies and, with your consent, analytics cookies. You can accept or reject non‑essential cookies at any time with equal prominence and granular controls. See our Cookie Policy.

9) Subprocessors

We use vetted subprocessors to deliver the Service and enter into Art. 28 GDPR agreements with each. Current core subprocessors include: Supabase (database, auth, storage) and Vercel (hosting, CDN, logs). We minimize data shared and use appropriate transfer tools (DPF and/or 2021 SCCs). We will provide prior notice for material changes.

10) U.S. privacy addenda (if applicable)

California CPRA: rights to correct, limit use of sensitive personal information, and opt out of sale/share. WA/NV Consumer Health Data: consents and rights as required. COPPA: not directed to under‑13s; if we learn of children’s data without verifiable parental consent, we will delete it.

Contact

Privacy inquiries: medora.ai.dev@gmail.com.