Legal

Privacy Policy

Last updated: 24 June 2026 · Version: 0.2 (draft) · Related: Cookie Policy · Terms of Service

Draft, pending legal review. This is a working draft aligned to GDPR and the EU AI Act for a privacy-first elder-care product. A qualified data-protection lawyer must review and approve it before publication. Highlighted values are placeholders to be confirmed.

Controller: [legal entity], [registered address], Ireland.
Company / registration no.: [to confirm].
Data Protection Officer / privacy contact: [privacy@medtrix…] (interim: medtrix6@gmail.com).
Effective date: [to confirm].

For care-home customers, a Data Processing Agreement applies in addition to this policy.

1. Who we are

MedTrix provides AI-based elder-care monitoring. Two AI modules run on a single on-device unit: fall detection and medication-intake verification. This policy explains what personal data we process, why, the legal bases we rely on, and the rights you have. It applies to care homes, families, and the people being cared for.

2. Scope and who this covers

This policy applies to:

It covers several types of data subject:

3. Our role: controller or processor

Our role under GDPR depends on the deployment:

4. Privacy by design: on-device processing

MedTrix processes the camera feed on the device, locally. Raw video does not leave the building. The AI extracts only the information needed to confirm an event (a fall, a verified dose, a missed dose). Only confirmed events, related metadata, and short event clips (where enabled) are transmitted to authorised carers and family. Privacy mode lets the person being cared for pause monitoring.

5. The personal data we process

| Category | Examples | Source | Special category? |
|---|---|---|---|
| Account data | name, email, role, hashed password, timezone | caregiver/staff | No |
| Care-subject profile | name, date of birth, room/location, relationship | account holder / care home | Possibly |
| Event data | fall and medication events, timestamps, location, confidence, status | the device (on-device AI) | Yes (health) |
| Media | short event clips and thumbnails, where enabled | the device | Possibly (health) |
| Device / telemetry | device IDs, connectivity, heartbeats, model/app versions, diagnostics | the device | No |
| Usage and support | app interactions, logs, communications with us | apps / support | No |
| Website data | see the Cookie Policy | website | No |

We do not intentionally collect more than we need (data minimisation).

6. Special-category (health) data

Fall and medication events, and any event clips, can reveal information about a person's health, which is a special category under GDPR Article 9. We process such data only where an Article 9 condition applies, for example explicit consent, or processing necessary for the provision of health or social care under Union or Member State law, and we apply additional safeguards. [Confirm the exact Art. 9(2) condition(s) and supporting Irish law with counsel.]

7. Why we process data and our legal bases

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the monitoring service and deliver alerts | Performance of a contract / [to confirm] |
| Keep the service secure, reliable, and abuse-free | Legitimate interests |
| Meet care, safety, and legal obligations (e.g., HIQA) | Legal obligation |
| Optional product analytics and improvement | Consent |
| Health-related processing (see §6) | Art. 9 condition + an Art. 6 basis |
| Marketing communications (if any) | Consent |

Where we rely on legitimate interests, we balance them against your rights and can provide our assessment on request.

8. The AI we use (transparency)

MedTrix uses AI to detect falls and to verify medication intake. These outputs are assistive: they support human carers and are subject to human oversight. MedTrix does not use this processing to make solely automated decisions that produce legal or similarly significant effects on a person. We maintain logging and an audit trail consistent with the EU AI Act. Detection is monitoring, not a medical diagnosis or an emergency-response guarantee. [Confirm AI Act classification and obligations with counsel.]

9. How we share information

We do not sell personal data, and we do not use resident data to train models without an appropriate basis and safeguards. [Confirm training-data position.]

10. Sub-processors

We use vetted sub-processors under written contracts with appropriate data-protection terms. A current list is available at [link] and includes [hosting, infrastructure, analytics, comms]. We give notice of material changes so customers can object where applicable.

11. International transfers

Personal data is hosted in [region, ideally EU/EEA]. Where any transfer outside the EEA occurs, we rely on an appropriate safeguard (an adequacy decision or Standard Contractual Clauses) and additional measures as needed. [Confirm hosting region and transfer mechanism.]

12. How long we keep data

We keep personal data only as long as necessary for the purposes above and to meet applicable care record-keeping requirements, then delete or anonymise it.

| Data | Indicative retention |
|---|---|
| Account data | for the life of the account, then [to confirm] |
| Event data / records | [aligned to HIQA / care-record rules] |
| Event clips | minimised; [short period] |
| Diagnostics / logs | [to confirm] |
| Website / analytics | see Cookie Policy |

13. How we protect data

We protect data through on-device processing (raw video stays local), encryption in transit (TLS), access controls and least-privilege access, audit logging, and segregation of duties. ISO 27001 is planned. [Detail current technical and organisational measures; see the DPA Annex II.]

14. Your rights

Subject to GDPR, you have the rights of access, rectification, erasure, restriction, data portability, and objection, and the right to withdraw consent at any time (without affecting prior processing). To exercise a right, contact medtrix6@gmail.com. Where MedTrix acts as a processor for a care home, we will direct your request to that controller or assist it in responding. We respond within the statutory time limits (generally one month). You also have the right to complain to the Data Protection Commission (Ireland), 21 Fitzwilliam Square South, Dublin 2, D02 RD28 (dataprotection.ie), or your local supervisory authority.

15. Children and vulnerable adults

MedTrix is not directed at children. Many people being cared for are vulnerable adults; deployments must have a lawful basis and the consent of the person being cared for or their legal representative, with dignity-preserving controls (such as privacy mode and consent-led monitoring). [Confirm safeguarding approach with counsel.]

16. Cookies and similar technologies

Our website uses cookies and similar storage as described in the Cookie Policy. Non-essential cookies are used only with your consent.

17. Changes to this policy

We will post updates here and, where appropriate, notify you. Material changes will be highlighted with a new effective date.

18. Contact and complaints

Privacy contact: medtrix6@gmail.com (interim). Postal: [registered address]. You can complain to the Data Protection Commission (Ireland) at any time.