Data Protection Addendum

Last Updated: December 7, 2025

1. Introduction and Scope

This Data Protection Addendum (DPA) supplements our Privacy Policy and provides detailed information about our data protection practices, specifically addressing requirements under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

This DPA applies to all personal data processed by MedZone Ltd in connection with providing our UCAT preparation platform services to users in the UK, European Economic Area (EEA), and other jurisdictions with equivalent data protection requirements.

2. Definitions

For purposes of this DPA:

  • Controller: MedZone Ltd, the entity that determines the purposes and means of processing personal data
  • Data Subject: Individual users of the MedZone platform
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion
  • Processor: Third-party service providers who process data on behalf of MedZone
  • Sub-processor: Any processor engaged by another processor

3. Data Controller Information

Entity Name: MedZone Ltd
Registered Address: London, United Kingdom
Data Protection Officer: dpo@medzone.co
Privacy Contact: privacy@medzone.co
UK ICO Registration: [Registration Number]

4. Lawful Basis for Processing

4.1 Contract Performance

We process personal data necessary to provide our services under the Terms of Service:

  • Account creation and management
  • Delivering practice questions and mock exams
  • Tracking progress and generating performance reports
  • Providing AI Tutor assistance

4.2 Legitimate Interests

We process data based on legitimate interests, balanced against user rights:

  • Platform security and fraud prevention
  • Service improvement and feature development
  • System performance and error monitoring
  • Business analytics and reporting

4.3 Consent

We obtain explicit consent for:

  • Marketing communications
  • Non-essential cookies
  • Parent-child account linking
  • Processing data of users under 18

4.4 Legal Obligations

We process data to comply with legal requirements such as tax obligations, financial record-keeping, and responding to law enforcement requests.

5. Categories of Personal Data

5.1 Identity Data

Name, email address, account password (encrypted)

5.2 Profile Data

School year, UCAT test date, previous test experience, study preferences

5.3 Performance Data

Question attempts, answers, scores, time taken, skill mastery metrics

5.4 Usage Data

Login times, features accessed, session duration, device/browser information

5.5 Payment Data

Transaction history, subscription status (card details held by Stripe, not MedZone)

5.6 Communication Data

Support tickets, feedback, AI Tutor conversations

6. Data Processors and Sub-processors

We engage the following processors who have access to personal data:

Supabase (Database & Authentication)

Location: United States

Purpose: Database hosting, user authentication

Safeguards: Standard Contractual Clauses, ISO 27001 certified

Stripe (Payment Processing)

Location: United States

Purpose: Payment processing, subscription management

Safeguards: Standard Contractual Clauses, PCI DSS Level 1

AI Service Providers

Location: Varies

Purpose: AI Tutor functionality

Safeguards: Data minimization, anonymization where possible

Email Service Provider

Location: European Union

Purpose: Transactional and notification emails

Safeguards: GDPR compliant, EU-based infrastructure

All processors are bound by data processing agreements ensuring GDPR compliance. We conduct due diligence before engaging any processor and monitor their security practices regularly.

7. International Data Transfers

Some personal data may be transferred outside the UK/EEA to our processors. We ensure appropriate safeguards through:

7.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): Approved by the UK ICO and EU Commission
  • Adequacy Decisions: Transfers to countries deemed adequate by UK/EU authorities
  • Binding Corporate Rules: Where applicable for multi-national processors

7.2 Additional Safeguards

  • Encryption in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Data minimization practices

8. Data Subject Rights

You have the following rights under GDPR, which you can exercise at any time:

Right to Access (Art. 15 GDPR)

Request a copy of your personal data and information about how it's processed.
Timeline: 30 days

Right to Rectification (Art. 16 GDPR)

Correct inaccurate or incomplete personal data.
Timeline: 30 days

Right to Erasure (Art. 17 GDPR)

Request deletion of your personal data ("right to be forgotten").
Timeline: 30 days

Right to Restrict Processing (Art. 18 GDPR)

Limit how we process your data in certain circumstances.
Timeline: 30 days

Right to Data Portability (Art. 20 GDPR)

Receive your data in a structured, machine-readable format.
Timeline: 30 days

Right to Object (Art. 21 GDPR)

Object to processing based on legitimate interests or for direct marketing.
Timeline: Immediate for marketing; 30 days for other objections

Right to Withdraw Consent (Art. 7(3) GDPR)

Withdraw consent for processing at any time without affecting prior processing.
Timeline: Immediate

Right to Lodge a Complaint (Art. 77 GDPR)

File a complaint with your local data protection authority (UK ICO or relevant EU DPA).

To exercise any of these rights, contact us at privacy@medzone.co with:

  • Your full name and account email address
  • Specific right you wish to exercise
  • Any relevant details or documentation

9. Data Retention

Data Type                  | Retention Period           | Legal Basis
---------------------------|----------------------------|---------------------
Account data               | Active account + 90 days   | Contract
Practice/performance data  | Active account lifetime    | Contract
Payment records            | 7 years                    | Legal obligation
Support communications     | 3 years after resolution   | Legitimate interest
Marketing consents         | Until withdrawn            | Consent
Security logs              | 12 months                  | Legitimate interest

After retention periods expire, data is securely deleted or anonymized beyond recovery.

10. Security Measures

We implement technical and organizational measures pursuant to Article 32 GDPR:

10.1 Technical Measures

  • End-to-end encryption for data in transit (TLS 1.3)
  • Encryption at rest for all stored data (AES-256)
  • Secure authentication with password hashing (bcrypt)
  • Regular automated backups with encryption
  • Intrusion detection and prevention systems
  • Automated security updates and patching

10.2 Organizational Measures

  • Role-based access controls with principle of least privilege
  • Mandatory data protection training for staff
  • Regular security audits and penetration testing
  • Incident response and breach notification procedures
  • Data protection impact assessments for new features
  • Vendor security assessments and monitoring

11. Data Breach Notification

In the event of a personal data breach:

  • We will notify the ICO within 72 hours of becoming aware, as required by Article 33 GDPR
  • Affected users will be notified without undue delay if the breach poses high risk to their rights and freedoms (Article 34 GDPR)
  • Notifications will include: nature of breach, likely consequences, measures taken, and contact details
  • We maintain a breach register documenting all incidents and responses

12. Children's Data

Special protections apply for users under 18 (UK) or 16 (most EU countries):

  • Parental consent obtained before processing (Article 8 GDPR)
  • Enhanced security measures for children's accounts
  • Limited data retention periods
  • Transparent information provided in age-appropriate language
  • Regular reviews of processing activities involving children

See our Parental Consent Statement for full details.

13. Automated Decision-Making

We use automated processing for:

  • Adaptive question selection: Choosing appropriate difficulty levels based on performance
  • Progress tracking: Calculating skill mastery and readiness scores
  • AI Tutor responses: Generating personalized explanations and guidance

These processes do not constitute "solely automated decision-making" under Article 22 GDPR as they do not produce legal effects or similarly significantly affect you. However, you may request human review of any automated assessment by contacting support.

14. Updates to This DPA

We may update this DPA to reflect changes in data protection law, our processing activities, or best practices. Significant changes will be communicated via email with 30 days' notice. Continued use after changes take effect constitutes acceptance.

15. Contact Information

Data Protection Officer
Email: dpo@medzone.co

Privacy Inquiries
Email: privacy@medzone.co

Postal Address
MedZone Ltd
London, United Kingdom

Supervisory Authority
UK Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113

This Data Protection Addendum supplements and forms part of our Privacy Policy and Terms & Conditions.