MedBrief AI — Privacy Policy

1. Data Controller

This Privacy Policy applies to the MedBrief AI mobile application ("App"), developed and operated by BMA Works (Istanbul, Turkey).

Support: support@bma.works
Privacy: privacy@bma.works

2. Personal Data We Collect

Data Category	Examples	Purpose
Identity data	First name, last name	Account creation
Contact data	Email address	Authentication and communication
Usage data	Briefing content, doctor name, hospital, specialty, visit notes	AI briefing generation
Technical data	Device ID, operating system, app version	Technical troubleshooting
Commercial data	Subscription status, purchase history	Payment and subscription management

3. Purposes and Legal Basis for Processing

Creating user accounts and authentication (performance of contract)
Generating AI-powered briefing summaries (performance of contract)
Subscription and payment management (performance of contract)
Technical troubleshooting and app improvement (legitimate interest)
Compliance with legal obligations (legal requirement)

4. Third-Party Data Sharing

Your personal data is shared with the service providers listed below solely for the purpose of operating the App. Your data is never sold to third parties.

4.1 Google Firebase

Firebase Authentication and Cloud Firestore are used for user authentication and data storage. Data is hosted on Google LLC servers (USA). Learn more →

4.2 OpenAI — AI Service

⚠️ Please read this carefully:
When you generate a briefing, the visit notes and doctor information you enter are transmitted to OpenAI LLC's API in order to produce an AI-generated summary. OpenAI does not use data submitted via the API for model training. Data is temporarily processed on OpenAI's servers (USA) only for the duration of the request. We advise against including sensitive personal medical information (e.g., patient names or national ID numbers) in your notes.

OpenAI API Data Usage Policy →

4.3 RevenueCat

RevenueCat Inc. is used for subscription management. Purchase history and device identifiers are processed on RevenueCat servers (USA). Learn more →

5. Data Retention

Account data: For the duration of your active account
Briefing content: Until you delete it or request account deletion
Technical logs: 90 days

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access — Request a copy of the personal data we hold about you
Correction — Request correction of inaccurate or incomplete data
Deletion — Request deletion of your personal data ("right to be forgotten")
Objection — Object to processing based on legitimate interests
Portability — Request your data in a portable format

Turkish residents additionally hold the rights specified under Article 11 of the Turkish Personal Data Protection Law (KVKK No. 6698).

To exercise any of these rights, contact us at privacy@bma.works. We will respond within 30 days.

7. Data Security

All data is transmitted using HTTPS/TLS encryption
Firebase security rules ensure each user can only access their own data
Unauthorized access attempts are blocked by Firebase's built-in protections

8. Children's Privacy

MedBrief AI is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

9. Changes to This Policy

We may update this policy from time to time. For significant changes, we will notify you within the App and update the "last updated" date above.

Questions about this Privacy Policy?

privacy@bma.works