Privacy Policy
Medzr ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store and share your personal data when you use the Medzr platform ("the Platform"), and sets out your rights under applicable data protection law. Medzr operates in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the Irish Data Protection Act 2018. By using the Platform, you agree to the collection and use of your personal data as described in this Policy.
-
Who We Are - Data Controller
Medzr is the data controller responsible for your personal data collected through the Platform. If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:
Email: support@medzr.com
-
What Personal Data We Collect
We collect personal data in the following categories:
Registration and Account Data: When you create a Medzr account, we collect: Full name, Email address, Password (stored in encrypted form), Profession or healthcare discipline, Profile information you choose to provide.
Transaction Data: When you buy or sell on Medzr, we collect: Details of items listed, purchased or sold, Transaction amounts and dates, Delivery addresses provided for shipping, Communications between buyers and sellers through the Platform inbox, Transaction status and history.
Payment Data: Payments on Medzr are processed by Stripe. Medzr does not store your full payment card details. Stripe collects and processes payment data directly in accordance with their own privacy policy. We receive limited transaction confirmation data from Stripe, including payment status and amounts. Sellers who receive payouts through Stripe Connect must provide bank account details directly to Stripe. Medzr does not store full bank account numbers.
Tax and Identity Data (DAC7 Compliance): Where a seller meets the DAC7 reporting thresholds (30 or more completed sales or €2,000 or more in sales within a calendar year), we are legally required to collect and verify: Full legal name, Date of birth, Residential address, PPS number or equivalent tax identification number, Bank account details for payout verification. This data is collected solely for the purpose of complying with our legal obligations under the EU DAC7 Directive (Council Directive 2021/514/EU) and is processed only as required by law.
Communications Data: When you contact us at support@medzr.com or communicate through the Platform, we collect the content of those communications and your contact details.
Technical and Usage Data: When you use the Platform, we automatically collect certain technical data including: IP address, Browser type and version, Device type and operating system, Pages visited and time spent on the Platform, Referring website or source. This data is collected through Sharetribe (our marketplace platform provider) and is used to operate, maintain and improve the Platform.
-
How We Use Your Personal Data
We use your personal data for the following purposes and on the following legal bases:
To provide and operate the Platform. Legal basis: Performance of a contract (Article 6(1)(b) GDPR). We use your account data, transaction data and communications data to: Create and manage your account; Facilitate transactions between buyers and sellers; Process payments and payouts through Stripe; Enable communication between buyers and sellers; Provide customer support.
To comply with legal obligations. Legal basis: Legal obligation (Article 6(1)(c) GDPR). We use your data to: Comply with the EU DAC7 Directive and report seller information to Irish Revenue where required; Comply with anti-money laundering regulations; Respond to lawful requests from regulatory or law enforcement authorities; Comply with Irish and EU consumer protection law.
To protect the Platform and our users. Legal basis: Legitimate interests (Article 6(1)(f) GDPR). We use your data to: Detect and prevent fraud, abuse and prohibited listings; Enforce our Terms and Conditions; Ensure the security and integrity of the Platform.
To communicate with you. Legal basis: Performance of a contract / Legitimate interests. We use your email address to send you: Transaction notifications (order confirmations, delivery updates, payment confirmations); Responses to your support queries; Important updates to the Platform, our Terms or this Privacy Policy.
To improve the Platform. Legal basis: Legitimate interests (Article 6(1)(f) GDPR). We use anonymised technical and usage data to understand how the Platform is used and to improve its functionality and user experience.
-
Who We Share Your Data With
We do not sell your personal data.
We share your data only in the following circumstances:
Other users of the Platform: When you complete a transaction, certain information is shared with the other party as necessary to complete the transaction - for example, a buyer's delivery address is shared with the seller for shipping purposes. Please be mindful of the information you share in your listings and inbox messages.
Sharetribe: The Platform is built on Sharetribe's marketplace technology. Sharetribe processes certain personal data on our behalf as a data processor in order to operate the Platform. Sharetribe is bound by a data processing agreement and may not use your data for any other purpose.
Stripe: Payment processing is handled by Stripe. When you make or receive a payment, your payment data is processed by Stripe directly. Stripe operates as an independent data controller for payment data. Please refer to Stripe's own Privacy Policy at stripe.com/ie/privacy for details of how they process your data.
Irish Revenue and EU Tax Authorities: Where required under the EU DAC7 Directive, we are legally obliged to share seller information with Irish Revenue. Revenue may in turn share this information with tax authorities in other EU member states where relevant. This sharing occurs only where sellers meet the DAC7 reporting thresholds and only to the extent required by law.
An Post and postal carrier: Where sellers use postal services, delivery address information is necessarily shared with the postal carrier to facilitate delivery. This is at the seller's discretion.
Legal and regulatory authorities: We may share your data with law enforcement, regulatory authorities or courts where we are legally required to do so, or where we reasonably believe it is necessary to protect the rights, property or safety of Medzr, our users or the public.
-
International Data Transfers
Medzr is based in Ireland and your data is primarily processed within the European Economic Area (EEA). Where any of our service providers process data outside the EEA, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, in accordance with GDPR requirements. Sharetribe is based in Finland (EEA). Stripe operates globally - please refer to their privacy policy for details of their international transfer mechanisms.
-
How Long We Keep Your Data
We retain your personal data for as long as necessary to provide the Platform and fulfil the purposes set out in this Policy, and in any case for the minimum periods required by law:
Account data: retained for the duration of your account and for 6 years after account closure, in line with Irish statutory limitation periods.
Transaction data: retained for 7 years in accordance with Irish Revenue requirements for financial records.
DAC7 tax data: retained for 10 years as required under the DAC7 Directive.
Support communications: retained for 2 years from the date of the communication.
Technical and usage data: retained in anonymised form for up to 2 years.
When your data is no longer required, we securely delete or anonymise it.
-
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights in relation to your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you. We will respond to such requests within one month.
Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
Right to erasure ("right to be forgotten"): You have the right to request that we delete your personal data in certain circumstances, for example where the data is no longer necessary for the purposes for which it was collected. This right is subject to our legal obligations to retain certain data - for example, we cannot delete transaction or DAC7 data during the legally required retention periods.
Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while you contest its accuracy.
Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller where processing is based on consent or contract.
Right to object: You have the right to object to the processing of your personal data where processing is based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Rights in relation to automated decision-making: Medzr does not make solely automated decisions that produce legal or similarly significant effects about you.
To exercise any of the above rights, please contact us at support@medzr.com. We will respond within one month of receiving your request. We may need to verify your identity before processing your request.
-
Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction or alteration. These measures include: Encrypted storage of passwords; Secure HTTPS connections across the Platform; Access controls limiting who within Medzr can access personal data; Use of reputable third-party processors (Sharetribe, Stripe) with their own security certifications.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Commission (DPC) within 72 hours and, where required, notify affected users without undue delay.
-
Children's Privacy
The Platform is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a person under 18 has provided us with personal data, please contact us at support@medzr.com and we will take steps to delete it.
-
Links to Third-Party Sites
The Platform may contain links to third-party websites. This Privacy Policy applies only to Medzr. We are not responsible for the privacy practices of any third-party sites and encourage you to read their privacy policies before providing any personal data.
-
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or through a prominent notice on the Platform before the changes take effect. The date at the top of this Policy indicates when it was last updated. Continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.
-
How to Complain
If you have a concern about how we handle your personal data, please contact us in the first instance at support@medzr.com. We will endeavour to resolve your concern promptly. If you are not satisfied with our response, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC):
Data Protection Commission
Website: dataprotection.ie
Email: info@dataprotection.ie
Phone: +353 57 868 4800
-
Contact Us
For any questions, requests or concerns relating to this Privacy Policy or your personal data, please contact:
Medzr Data Controller
Email: support@medzr.com