Privacy Policy

*How we handle your personal data

Medicue AS · Org.nr. 927 533 235 · Medicue UK Ltd · Co. no. 15977689 · Effective: 25 March 2026

About Medicue

Medicue (est. 2021) is a health technology company specialising in patient communication and patient participation across diagnostics, treatment and follow-up care. We bring together medical expertise and technological intelligence to optimise communication between patient and clinician, enabling more efficient consultations, faster and more precise diagnostics, improved patient safety and better patient experiences. Our platform also supports clinical research, internal quality improvement work at individual clinics, and broader professional governance and follow-up at an organisational level.

1. Who this policy applies to

This Privacy Policy explains how Medicue handles personal data when people visit our website, contact us, request a demo, use Medicue services through a clinic or healthcare provider, or otherwise interact with us. Depending on context, Medicue may act either as a data controller or as a data processor on behalf of a healthcare provider.

2. Data controllers and contact details

Norway
Medicue AS · Dampskipsbrygga 12A, 1607 Fredrikstad · Org.nr. 927 533 235

UK
Medicue UK Ltd · 47 Kings Road, Cowplain, Waterlooville, PO8 8UT · Co. no. 15977689

General enquiries and privacy requests:
hello@medicue.com · dpo@medicue.com

3. What personal data we process

Identity and contact:
Name, role, organisation, email address, telephone number

Business data:
Enquiries, meetings, support requests, contract information, onboarding records

Technical data:
IP address, device and browser information, login records, timestamps, audit logs, analytics

Patient data:
Health information entered into the platform by or on behalf of a healthcare provider

Communications:
Emails, web forms, support correspondence and feedback

4. Purposes and legal bases

Platform operation:
Legitimate interests; contract performance; legal obligation where applicable

Customer relations:
Contract performance; legitimate interests

Support and training:
Contract performance; legitimate interests

Enquiries and demos:
Legitimate interests; steps prior to contract

Security and audit:
Legitimate interests; legal obligation where applicable

Regulatory compliance:
Legal obligation

Analytics:
Legitimate interests; consent where required for cookies

Marketing:
Explicit consent — separate opt-in at sign-up; withdraw at any time via dpo@medicue.com

5. Special category data

Where Medicue is used by a healthcare provider, the platform may process health-related information. In those situations, the healthcare provider determines the purposes for which patient data is collected, and Medicue processes that data on the provider's documented instructions. If you are a patient, please contact your clinic first to exercise data rights.

6. How we share your data

We will not sell your personal data. We share data only as described below:

· Healthcare organisations and authorised users of the Medicue platform
· Microsoft Azure (EEA) — cloud hosting; all data stored within the European Economic Area
· Microsoft Application Insights — anonymised technical performance monitoring only
· Professional advisers, auditors, insurers and regulators where needed for lawful purposes
· Public authorities or law enforcement where required by law
· We do not share personal health data with advertising networks or social media platforms.

7. International transfers

Where personal data is transferred outside the EEA or UK, Medicue uses appropriate safeguards such as adequacy decisions or standard contractual clauses.

8. Retention

Customer and operational records are typically retained for up to 7 years after the relationship ends. Patient-related data is retained in line with the provider's instructions and applicable record-keeping obligations. Following a verified deletion request, personal data is permanently deleted within 30 days except where retention is required by law.

9. Security

Medicue uses AES-256 encryption at rest, TLS 1.2+ encryption in transit, role-based access controls, mandatory two-factor authentication for all clinician access, and ongoing security monitoring.

10. Cookies

Medicue uses cookies on its website and platform. Please read the separate Cookie Policy at www.medicue.com/cookies. A cookie consent banner allows you to accept or decline non-essential cookies at any time.

11. Your rights

Contact dpo@medicue.com to exercise any of the following rights. We respond within one calendar month at no charge.

Access:
Request a copy of personal data we hold about you

Rectification:
Ask us to correct inaccurate or incomplete data

Erasure:
Ask us to delete your personal data

Restrict processing:
Ask us to pause processing in certain circumstances

Data portability:
Request your data in a structured, machine-readable format

Object:
Object to processing based on legitimate interests or for direct marketing

Withdraw consent:
Withdraw consent at any time without affecting prior processing

Automated decisions:
Not to be subject to decisions based solely on automated processing

Complaints:
ICO (ico.org.uk) in the UK · Datatilsynet (datatilsynet.no) in Norway.

12. Changes to this policy

Medicue may update this Privacy Policy from time to time. The latest version will always be published at www.medicue.com/privacy with the effective date. We will notify you of material changes before they take effect.

Medicue AS · Org.nr. 927 533 235 · Dampskipsbrygga 12A, 1607 Fredrikstad, Norway
Medicue UK Ltd · Co. no. 15977689 · 47 Kings Road, Cowplain, Waterlooville, PO8 8UT, UK


www.medicue.com · hello@medicue.com · dpo@medicue.com · Effective: 25 March 2026

Table of Contents

About Medicue
1. Who this policy applies to
2. Data controllers and contact details
3. What personal data we process
4. Purposes and legal bases
5. Special category data
6. How we share your data
7. International transfers
8. Retention
9. Security
10. Cookies
11. Your rights
12. Changes to this policy