Privacy Policy

Medrexo is provided by Medrexo Tech Ltd., a company registered in Ireland under company number 742950, with its registered office at Cartoncoragh, Drumraney, Athlone, Westmeath, Ireland.

This Privacy Policy is written for potential customers, customer tenants, tenant administrators, tenant users, and people who contact us through the Medrexo marketing site. It is intended to support transparency under the EU General Data Protection Regulation and Irish data protection law.

Tenant organizations may have their own privacy notices for patients and clinic users. Those tenant notices should explain how the tenant uses Medrexo as part of its own healthcare operations.

Medrexo Tech Ltd. is normally the data controller under GDPR for personal data we collect for account administration, demos, support, marketing, billing, security, and the commercial relationship with potential and customer tenants.

For patient, clinic, appointment, practitioner, communication, billing, and operational data that a tenant enters into Medrexo, the tenant is normally the controller under GDPR and Medrexo Tech Ltd. acts as processor on the tenant's instructions, unless otherwise agreed in writing.

Where GDPR requires a data processing agreement, our customer agreement or separate data processing terms will set out the subject matter, duration, nature, purpose, personal data categories, data subject categories, and processor obligations that apply to the processing.

Depending on how you interact with Medrexo, we may process the following categories of personal data:

• contact details such as names, work email addresses, phone numbers, clinic names, job titles, and organization details;
• tenant account, user, subscription, billing, and payment administration data;
• support, onboarding, demo request, and communication records;
• technical information such as IP address, device data, browser data, security logs, and usage records;
• interface preference data, such as the selected light, dark, or system appearance setting where you use the marketing site appearance control;
• tenant-controlled clinic data, which may include patient, practitioner, appointment, communication, billing, and operational records where the tenant uses Medrexo for those workflows.

We use personal data to operate Medrexo and to manage our relationship with potential and customer tenants. This includes using data to:

• respond to enquiries, demo requests, support requests, and account questions;
• provide, maintain, secure, and improve the Medrexo platform;
• set up tenant accounts, users, subscriptions, billing, and product access;
• remember interface preferences such as appearance settings;
• send service communications, product updates, and information about Medrexo where legally permitted;
• monitor security, prevent misuse, diagnose technical issues, and maintain audit records;
• comply with legal, tax, accounting, regulatory, and contractual obligations.

Where Medrexo Tech Ltd. is the controller, we rely on GDPR legal bases such as performance of a contract, steps taken before entering a contract, legitimate interests, compliance with legal obligations, and consent where required.

Where we act as processor for tenant-controlled data, the tenant is responsible for identifying and communicating the GDPR lawful basis that applies to its own processing activities.

Tenants are responsible for providing patients and other data subjects with appropriate privacy notices about how the tenant uses Medrexo in its own clinic operations.

If you are a patient of a clinic that uses Medrexo, you should usually contact that clinic directly to exercise privacy rights or ask questions about your patient record.

We may share personal data with trusted recipients where needed to run Medrexo and manage the service. These recipients may include:

• hosting, infrastructure, security, communication, analytics, support, and payment service providers;
• professional advisers, insurers, auditors, accountants, and legal advisers;
• public authorities, courts, regulators, or other parties where disclosure is required by law or needed to protect rights, security, or safety.

We aim to use service providers with appropriate data protection standards. Where personal data is transferred outside the European Economic Area, we use appropriate GDPR transfer safeguards where required by data protection law.

We retain personal data for as long as needed for the purposes described in this policy, including to provide the service, manage accounts, meet legal obligations, resolve disputes, enforce agreements, and maintain security records.

Tenant-controlled data retention may depend on the tenant's configuration, subscription, legal duties, and written agreement with Medrexo.

We use technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure.

No software service can guarantee absolute security. Tenants should also manage user access carefully, keep credentials secure, and configure permissions according to their internal policies.

Depending on the circumstances, GDPR may give you rights to access, correct, erase, restrict, object to, or receive a copy of personal data. You may also have the right to withdraw consent where processing is based on consent.

For tenant-controlled patient or clinic data, we may need to refer requests to the relevant tenant because the tenant controls the purposes and means of that processing.

If you have a privacy concern, please contact us first so we can try to resolve it. You may also have the right to complain to the Irish Data Protection Commission or another competent supervisory authority.

We may update this Privacy Policy as Medrexo, our processing activities, or legal requirements change. The last updated timestamp at the top of this page shows when this version was published.

Privacy questions can be sent to support@medrexo.com.