Privacy Policy of MedAscend

Welcome to the privacy policy of MedAscend. This Privacy Policy describes how Medical Ascend Limited (“MedAscend,” “we,” “us,” or “our”) collects, uses, stores, and protects personal data processed through the MedAscend platform.

MedAscend complies with the UK GDPR, the Data Protection Act 2018, and applicable higher-education data governance standards.

Latest Update: 17 January 2026



1. Summary

MedAscend processes personal and performance data on behalf of educational institutions for the purpose of delivering clinical communication training.

Institutions act as Data Controllers. MedAscend acts as a Data Processor.

We do not sell, trade, or misuse personal data.

We do not store raw passwords.

We do not use personal or performance data for AI model training.

We do not share identifiable data with third parties unless legally required or authorised by the institution.

All data is stored exclusively within UK and EU regions.


2. Data We Collect Automatically

When you access the platform, we automatically collect certain technical and usage data, including:

  • IP address
  • Browser type and device information
  • Session activity (timestamps, navigation events)
  • System performance data
  • Essential cookies required for authentication and security

We do not use tracking cookies, advertising cookies, or third-party marketing cookies.


3. Data You Provide to Us

When you create or access an account via your institution, we collect:

  • Name
  • Email address
  • Year group or cohort
  • Consultation transcripts
  • Performance metrics and feedback
  • User-submitted text within the platform

We do not collect:

  • Real patient data
  • Health records
  • Special category data unless explicitly required by the institution

4. Data Controller and Data Processor

Data Controller:
Your university or educational institution

Data Processor:
Medical Ascend Limited


5. Categories of Personal Data Processed

Essential Account Data

  • Name
  • Email address
  • Institution affiliation
  • Year group

Performance Data

  • Consultation transcripts
  • AI-generated feedback
  • Scores and analytics
  • Scenario interaction history

Technical and Security Data

  • IP address
  • Device metadata
  • Authentication logs (Microsoft Entra ID)

All data is processed under strict access controls and encryption.


6. How and Where Data Is Processed

Processing Methods

Data is processed using:

  • Encrypted databases (Cloudflare D1 EU)
  • Encrypted object storage (Cloudflare R2 EU)
  • Secure serverless compute (Cloudflare Workers)
  • Microsoft Entra ID authentication
  • Google Vertex AI Gemini (EU inference region only)
  • Langfuse EU for pseudonymised debugging and observability

Student identifiers are pseudonymised before being sent to Vertex AI.

Data Residency

All personal and performance data is stored exclusively within UK and EU regions:

  • Cloudflare R2 (WEUR)
  • Cloudflare D1 (WEUR)
  • Langfuse (EU)
  • Google Vertex AI (EU inference region)

No identifiable data is transferred outside the UK or EU.


7. Retention Time

Retention periods are determined by the institution.

By default:

  • Data is retained for the duration of the course or institutional contract.
  • Upon contract termination, data is securely deleted or anonymised unless otherwise instructed.

8. Purposes of Processing

We process data strictly for:

  • Providing educational services
  • Delivering personalised feedback
  • Supporting academic evaluation
  • Platform security and performance
  • Debugging and quality assurance
  • Contractual obligations
  • Conducting educational and pedagogical research using anonymised or pseudonymised performance data, where authorised by the Data Controller.

We do not use personal data for advertising or unrelated commercial purposes.


9. Legal Basis for Processing

We process data under the following legal bases:

  • Performance of a contract
  • Legitimate interests
  • Compliance with legal obligations
  • Institutional consent where applicable

Where pseudonymised data is used for research purposes, processing is based on the Data Controller’s lawful basis under Article 6(1)(e) or 6(1)(f), as applicable, and carried out by MedAscend under Article 28 instructions.


10. Data Sharing & Disclosure

Sharing with Institutions

As a Data Processor, MedAscend shares the following only with the relevant institution:

  • Student performance data
  • Consultation transcripts
  • Engagement analytics

Sub-Processors

We use vetted sub-processors, including:

  • Cloudflare (EU infrastructure)
  • Google Vertex AI (EU inference only)
  • Microsoft Entra ID
  • Langfuse (EU)

All sub-processors are UK GDPR compliant and reviewed regularly.

Legal Requirements

Data may be disclosed if required by law or regulatory authority.


11. Use of Anonymised and Pseudonymised Data

MedAscend may, where expressly authorised by the relevant Data Controller, use pseudonymised performance data for the purposes of:

  • Platform analytics
  • Educational research
  • Pedagogical validation
  • Assessment methodology evaluation
  • Product improvement
  • Marketing materials
  • Grant applications

Such data:

  • Shall not include direct identifiers (name, email, student ID)
  • Shall not be used to make decisions about individual users
  • Shall not be re-identified
  • Shall be processed only under documented controller instructions

MedAscend shall remain a Data Processor for all such processing.


12. Demo Accounts and Trial Access

MedAscend may create temporary demo accounts for evaluation purposes.

Demo accounts:

  • Require minimal personal data
  • Operate in a controlled environment
  • Do not contain real student data
  • Are automatically disabled after evaluation
  • Have all data deleted within 30 days unless extended

Demo data is not used for AI training, marketing, or reporting unless fully anonymised.


13. International Data Transfers

We do not transfer identifiable data outside the UK or EU.

If required, appropriate safeguards such as SCCs, UK Addendum, and encryption will be applied.


14. Security Measures

We implement industry-standard security controls, including:

  • TLS 1.2+ encryption
  • AES-256 encrypted storage
  • Role-based access control
  • Microsoft SSO
  • Multi-factor authentication
  • Encrypted audit logs
  • Regular security reviews

15. Your Rights Under UK GDPR

You have the right to:

  • Access your data
  • Correct inaccuracies
  • Request deletion
  • Restrict processing
  • Object to processing
  • Request data portability

Requests are handled via your institution.


16. How to Exercise Your Rights

To exercise your rights, contact your institution or email:

📧 hello@medascend.ai


17. Cookies & Tracking Technologies

We use only essential and security-related cookies.

We do not use advertising or behavioural tracking cookies.

Blocking essential cookies may limit platform functionality.


18. Changes to This Privacy Policy

We may update this policy periodically. Significant changes will be communicated via email or platform notifications.


19. Contact Information

Medical Ascend Limited
7E Abbotsford Street
Dundee
DD2 1DE

📧 Email: hello@medascend.ai

You may lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your rights have been violated.