Privacy Policy
Version 1.0 – 26th January 2026.
This Privacy Policy explains how MedCube AS ("MedCube", "we", "us") processes personal data when individuals use or interact with the MedCube Platform (the platform), related services, or websites.
-
Who This Policy Applies To:
This Privacy Policy applies to:
- users working for or on behalf of or associated with MedCube’s partners, including organisations using the MedCube platform for managing missions (Platform Customers) and organisations providing services through the platform (Network Providers), collectively referred to as “partner/s”, as defined in the General Terms & Conditions
- healthcare professionals and medical escorts using the platform
- patients and next of kin granted access to case-related information
- visitors to the MedCube website.
-
Who is Responsible for Your Data
MedCube AS
Organisation number: 933 336 883
Address: Kongleveien 27, 1804 Bodø, Norway
Email: privacy@medcube.care
In most cases, MedCube processes personal data on behalf of its partners, who act as data controllers. MedCube acts as a data processor under an applicable Data Processing Agreement (DPA).
For limited activities such as platform security, user administration, and website operation, MedCube may act as an independent data controller. MedCube may log IP addresses, user device metadata and audit logs for compliance and security purposes.
-
Personal Data We Process
MedCube processes health and medical information strictly for mission coordination and the safe delivery of medical transport services. The legal bases for this processing are:
- GDPR Article 9(2)(h): processing necessary for the provision and management of healthcare and related services
- GDPR Article 9(2)(c): processing necessary to protect the vital interests of the data subject in emergency situations where the individual is unable to provide consent.
Depending on your role and use of the platform, we may process:
- identification and contact details
- professional role and organisational affiliation
- mission, case, and logistics information
- communications within the platform
- health and medical information where required for mission execution
- location data, including real-time or near real-time geographic location data generated by mobile devices, where enabled, for the purpose of mission coordination, progress reporting, and operational safety
- technical and usage data such as login records and access logs.
-
How We Collect Personal Data
Personal data is collected when:
- your organisation registers you as a platform user
- you provide information directly in the platform
- data is shared via approved integrations
- you are invited as a patient or next of kin to access case information
- automatically when you use the MedCube platform or Website (e.g., cookies, error logs, analytics, device metadata).
-
Purposes of Processing
We process personal data to:
- provide, operate, and maintain the MedCube platform
- coordinate and execute medical transport and related services, including mission coordination, progress reporting, and operational safety using location data where enabled
- enable secure communication between stakeholders
- ensure platform security and integrity
- comply with legal and regulatory obligations
- train anonymised decision-support models
- perform quality assurance and maintain safety documentation.
MedCube does not use personal data for advertising or unrelated commercial purposes.
Location data is processed only to the extent necessary for the relevant mission-related purpose and is not used for general tracking or monitoring of user behaviour.
-
Anonymised Data, Analytics and Benchmarking
MedCube may generate anonymised and aggregated data sets from personal data processed through the platform for service improvement, safety analysis, benchmarking, and development of decision-support tools.
Anonymisation methods follow GDPR anonymisation recommendations.
Such anonymised data cannot identify individuals, partners, or specific missions and is no longer considered personal data under the GDPR.
-
Sharing of Personal Data
Personal data may be shared with:
- the partner organisation responsible for the relevant service or mission
- authorised healthcare professionals and service providers involved in the relevant case
- patients and, where enabled by the responsible partner, their designated next of kin, limited to information relevant to the specific case
- approved sub-processors providing infrastructure or support services.
An up-to-date list of sub-processors currently used by MedCube can be found here: https://medcube.care/sub-processors.
All sharing of personal data is subject to appropriate access controls and is limited to what is necessary for the relevant purpose.
All sub-processors are subject to contractual and technical safeguards consistent with GDPR. Partners providing personal data to MedCube may have their own privacy policies.
-
International Transfers
Personal data is primarily processed within the EU/EEA. Where transfers outside the EU/EEA occur, appropriate safeguards such as Standard Contractual Clauses are applied.
-
Data Retention
Personal data is retained only for as long as necessary to provide the services, comply with legal obligations, and maintain operational and safety records. Some records may need to be retained to preserve the integrity of mission and safety documentation.
Personal data related to operational logs are typically retained for a maximum of 1 month after completion of a mission.
Mission records containing personal data may be retained for up to fifteen (15) years depending on legal requirements. Retention may vary according to requirements of the individual partners, in their capacity as data controller.
-
Your Rights
Under the GDPR, you may have the right to access, rectify, restrict, object to processing, or request erasure of your personal data. Where MedCube acts as a processor, such requests are typically handled through the relevant partner organisation acting as controller.
Requests may be submitted to privacy@medcube.care.
-
Patients and Next of Kin
Patients and next of kin may be granted limited, case-specific access to the platform. Access is restricted to information relevant to the specific case and may be revoked once the case concludes.
-
Cookies and Website Use
The MedCube website uses cookies and similar technologies to ensure functionality and improve user experience. Further details are provided in our Cookie Policy, where applicable.
-
Changes to This Policy
This Privacy Policy may be updated from time to time.
Notification of updates will be displayed the first time you log into your account on the MedCube platform after such an update.
The most recent version will always be available on the MedCube website at https://medcube.care/privacypolicy.
-
Contact and Complaints
If you have questions or concerns about this Privacy Policy or our processing of personal data, please contact privacy@medcube.care. You also have the right to lodge a complaint with your local data protection authority.