Data Retention Policy - MediAgent
Last updated: November 2025
1. Purpose
This Policy explains how long MediAgent Solutions, S.L. retains data processed through the MediAgent App, how and when such data is deleted, and how MediAgent complies with the storage-limitation principle set out in Article 5(1)(e) of the GDPR.
The processing and temporary storage of summaries are based on the legal ground of provision of healthcare under Article 9(2)(h) GDPR, ensuring continuity of care when transcription is used for medical documentation.
2. Scope
This Policy applies to all personal and operational data handled by MediAgent Solutions, S.L., including information related to doctors, consultation content, metadata, and supporting technical services.
3. Retention Overview
MediAgent applies strict data-retention limits across all environments to comply with the GDPR storage-limitation principle (Article 5(1)(e)).
The table below summarises the maximum retention periods and deletion methods applied to each data category.
All retention periods run from the moment a session ends or a user request is completed.
All data is processed and stored primarily within the European Union on secure, GDPR-compliant cloud infrastructure managed by authorised sub-processors.
Where certain processing activities, including audio file processing, transcription, summarisation, or related logging, require temporary data transfer outside the EU (for example, to OpenAI Ireland Ltd. and its U.S. affiliate), such transfers are performed under a signed Data Processing Agreement (DPA) and are protected by the European Commission’s Standard Contractual Clauses (SCCs) and other equivalent safeguards ensuring an adequate level of data protection.
4. Roles & Responsibilities
MediAgent Solutions, S.L. acts as Data Controller for doctors’ account data and as Data Processor for patient-related data.
OpenAI Ireland Ltd acts as a Sub-processor under a signed Data Processing Agreement (DPA).
Only authorised MediAgent or infrastructure personnel may access retained data, and all such individuals are bound by confidentiality and non-disclosure agreements.
MediAgent keeps internal records of processing activities and deletion logs in accordance with Article 30 GDPR.
5. Security Measures
Encryption in transit (HTTPS/TLS) and at rest.
Strict access-control procedures and monitoring.
All personal data is processed and stored primarily within the European Union on secure, encrypted, GDPR-compliant cloud infrastructure. Where limited data transfers are necessary (e.g., for AI processing or logging through OpenAI Ireland Ltd. or its U.S. affiliate), such transfers are protected by the European Commission’s Standard Contractual Clauses (SCCs) and equivalent safeguards.
In the event of a personal-data breach, MediAgent will notify the Agencia Española de Protección de Datos (AEPD – https://www.aepd.es) within 72 hours of becoming aware of the breach, where required by law.
Regular security and retention reviews are conducted to verify compliance with this Policy.
6. User-Initiated Deletion
Doctors may delete data directly within the App https://www.mediagent.es/en-account-deletion or submit a request to admin@mediagent.es.
Available options include:
Partial deletion – specific sessions or data types.
Full account deletion – complete removal of personal data.
When submitting a request, users are encouraged to specify clearly which information they wish to delete, so that the request can be processed efficiently.
User account deletions are processed within 30 days in all cases.
If a deletion request is submitted via the account-deletion link provided on the MediAgent website, the user receives a confirmation of completion once the process is finalised.
When the deletion is initiated directly from the app, the process is handled automatically, and the user is informed only through a short in-app notification at the time of deletion.
Automatic system deletions (such as the removal of expired audio files or summaries) occur without individual notifications.
6.1 Account Deactivation After Free Access
When a user’s free access or trial period ends and no subscription is activated, MediAgent may deactivate or delete the account.
Data will be retained and deleted according to this Policy — normally within 30 days of deactivation, except where legal retention is required (e.g., for security or audit purposes).
7. Data Processing Agreement (DPA)
MediAgent maintains a signed Data Processing Agreement with OpenAI Ireland Ltd, ensuring that:
Data are used solely for transcription and summarisation purposes.
OpenAI retains data for no longer than 30 days before deletion.
Transfers outside the EU are protected by Standard Contractual Clauses (SCCs) and strong technical and organisational safeguards.
Some limited technical logs may also be processed by OpenAI LLC (United States) under the same DPA, with protections ensured by the EU Standard Contractual Clauses (SCCs) to guarantee GDPR-level safeguards.
This DPA guarantees GDPR-level protection for all data transiting between MediAgent and OpenAI.
8. Review & Updates
This Policy is reviewed annually or whenever a significant technical or legal change occurs.
Updated versions are published on https://www.mediagent.es/en-legal-and-compliance and within the App.
9. Contact for Retention Queries
Questions regarding data-retention schedules or deletion procedures can be addressed to:
admin@mediagent.es
Legal Compliance Summary
This Data Retention Policy satisfies GDPR Articles 5(1)(e), 13(2)(a), 30(1)(f), 32, and 33, ensuring transparent retention periods, secure deletion mechanisms, and clear user rights.


