Privacy Policy

Last updated: May 2026

1. Who We Are

MedCite is operated by Nordjysk Speciallægeklinik ApS, Denmark. We are the data controller for personal data processed through the Service.

2. Data We Collect

We collect the following categories of data:

  • Query text — the clinical questions you enter into the Service
  • Account data — if you create an account: name, email, professional credentials
  • Technical logs — IP address (anonymised), browser type, device type, access timestamps
  • Feedback data — ratings, comments, and citation quality feedback you submit
  • Usage analytics — pages accessed, features used, search patterns (anonymised, no cookies)
  • Generated outputs — evidence summaries and citations produced in response to your queries

3. Patient Data and Health Information

Users should not submit directly identifiable patient information into MedCite. The Service is not designed to process patient data and does not provide the safeguards required for handling special-category health data under GDPR Article 9. If you believe you have inadvertently submitted patient data, contact us immediately and we will assist with deletion.

4. Legal Basis for Processing

We process your data under the following GDPR legal bases:

  • Contract (Article 6(1)(b)) — processing necessary to provide the Service you request
  • Legitimate interests (Article 6(1)(f)) — improving Service quality, security, and abuse prevention
  • Consent (Article 6(1)(a)) — where you voluntarily provide feedback or contact us

We do not intentionally process special-category health data. If you submit clinical queries that could constitute health data, processing is based on your explicit consent by using the Service.

5. AI Processing

Your queries are processed by AI models to generate evidence summaries. Queries are transmitted to Mistral AI (France) for synthesis and to biomedical literature databases for retrieval. Search queries are anonymised before transmission to literature databases. We do not use your queries or generated outputs to train AI models.

6. Third-Party Processors

We engage the following third-party processors:

  • Mistral AI — AI model provider (Paris, France). Data Processing Agreement in place. 30-day rolling retention. EU data residency.
  • Neon — Serverless PostgreSQL database (EU region). Application data and cached results.
  • Upstash Redis — Caching and rate limiting (EU region).
  • Europe PMC — Biomedical literature search. Queries are anonymised.
  • Qdrant — Vector search for semantic retrieval (EU region).
  • DeepL — Translation support for multilingual queries.

We use PostHog (EU-hosted) and Umami (open-source, EU-hosted) for product and website analytics. Both operate in cookie-less mode with anonymised data only. Analytics help us improve reliability, answer quality, and user experience. We do not sell your data. You can opt out at any time via the privacy settings page or by contacting privacy@medcite.eu.

7. Data Retention

Query logs and generated outputs are retained for up to 90 days for quality monitoring and dispute resolution. Account data is retained until you request deletion. Technical logs are retained for up to 30 days.

8. Caching

We may cache answers to frequently asked questions to improve performance. Cached results do not contain query text or user identifiers. Queries containing personal data are excluded from caching.

9. Security

We implement encryption in transit (TLS), access controls, and data minimisation. Only authorised personnel have access to query logs for quality improvement purposes.

10. International Transfers

All primary processors operate within the European Economic Area. If any subprocessor is located outside the EEA, we ensure appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.

11. Your Rights

  • Access — Request a copy of the personal data we hold about you
  • Correction — Request correction of inaccurate personal data
  • Deletion — Request deletion of your personal data
  • Restriction — Request restriction of processing
  • Portability — Request transfer of your data in a machine-readable format
  • Objection — Object to processing based on legitimate interests
  • Withdrawal — Withdraw consent at any time where processing is consent-based
  • Complaint — Lodge a complaint with your local supervisory authority

12. Cookies & Analytics

  • Essential cookies — Required for the website to function (e.g., language preferences)
  • Analytics — We use Umami and PostHog in cookie-less, privacy-compliant mode (no cookies, no localStorage, anonymised data only)

13. Model Training

We do not use your queries, feedback, or generated outputs to train AI models. Your input is used only to provide the Service and to improve retrieval quality through internal evaluation.

14. Contact Us

Nordjysk Speciallægeklinik ApS

For privacy, GDPR, and data protection inquiries, please contact:

privacy@medcite.eu
