Legal

Privacy Policy

Effective date: 1 March 2026 · Controller: Roadlink UAE FzCo · medilab24

1. Preamble

This Privacy Policy applies to all domains and subdomains through which the medilab24 platform is officially accessible, including any associated applications and network services. The current version of this document is published in the footer of the website, is available in multiple languages, and is effective from the date stated above until revoked.

By accessing the platform or using any of its services, the user acknowledges and accepts the terms set out in this document. The Operator reserves the right to amend this Policy unilaterally. Amendments are not retroactive and take effect upon publication.

2. Data Controller

Roadlink UAE FzCo
Building A1, Dubai Digital Park
Dubai Silicon Oasis, Dubai, United Arab Emirates
Premises number: 58309-001

Contact: via the contact form at medilab24.com/contact

3. Data Processors and Transfer Partners

Partner	Activity	Location	Safeguards
Cloudflare, Inc.	CDN and web security	USA	EU–US Data Privacy Framework
OpenAI, L.L.C.	AI-based lab result analysis	USA	EU–US Data Privacy Framework
Anthropic, PBC	AI-based lab result analysis	USA	EU–US Data Privacy Framework
Google LLC (Gemini)	AI-based lab result analysis	USA / Ireland	EU–US Data Privacy Framework
Payment processor	Payment processing	USA / Ireland	EU–US Data Privacy Framework

Data transfers to the USA are made on the basis of the EU–US Data Privacy Framework. Where this framework does not apply, Standard Contractual Clauses (SCCs) are used as the transfer mechanism.

4. Definitions

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council — the General Data Protection Regulation.
Personal data: any information relating to an identified or identifiable natural person.
Health data: personal data relating to the physical or mental health of a natural person, including data which reveal information about the person's health status (GDPR Art. 4(15)).
Processing: any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, erasure or destruction.
Data subject's consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of their personal data.
Data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
User / Partner: visitors, users, and partners accessing the medilab24 platform.
Operator / Company: Roadlink UAE FzCo, operating the medilab24 platform.

5. Data We Process

5.1 Automatically collected data

When accessing the platform, certain parameters are recorded automatically, including: login and session timestamps, browser type, screen resolution, language, operating system, device type, and IP address.

5.2 Data provided by the user

The following categories of data are processed in connection with the use of the platform:

Category	Purpose	Legal basis	Retention
Contact data (email, phone)	Service delivery, results delivery	Art. 6(1)(b) GDPR – contract	8 years (accounting obligation)
Billing data (name, address, amount)	Invoice issuance, tax compliance	Art. 6(1)(c) GDPR – legal obligation	8 years (accounting obligation)
Payment data (card reference, transaction ID)	Payment processing	Art. 6(1)(b) GDPR – contract	8 years (accounting obligation)
Health data (lab result file, supplementary health information)	AI-based lab result analysis	Art. 9(2)(a) GDPR – explicit consent	Partner-selected retention (48 hours – 7 days), then permanently deleted
Analysis result (PDF)	Delivery of analysis to partner	Art. 6(1)(b) GDPR – contract	Partner-selected retention (48 hours – 7 days), then permanently deleted
IP address, browser, session data	Security, quality assurance	Art. 6(1)(f) GDPR – legitimate interest	1 year
Support communications	Customer support, legal compliance	Art. 6(1)(b) and (f) GDPR	8 years (accounting obligation)
Payment processor risk assessment	Fraud prevention (by payment processor)	Art. 6(1)(f) GDPR – legitimate interest	Per payment processor's policy

6. Retention Periods

Health data (uploaded lab result files and analysis PDFs) are automatically and permanently deleted upon expiry of the retention period selected by the partner at the time of submission (minimum 48 hours, maximum 7 days). The retention period cannot be extended after submission.

Other personal data is deleted within 48 hours of a verified deletion request, except where retention is required by accounting or legal obligations. Deletion requests may be submitted via the contact form. The Operator may request additional verification before processing a deletion request.

7. Health Data

Uploaded lab results constitute special category data within the meaning of GDPR Art. 9. Such data is processed exclusively on the basis of the data subject's explicit consent (Art. 9(2)(a) GDPR), given by actively checking the mandatory consent checkbox during the submission process.

The Operator processes health data solely for the purpose of delivering the requested analysis service. Health data is not shared with third parties other than the data processors listed in Section 3, who are necessary for the technical operation of the service.

When lab result data is transmitted to AI processors (OpenAI, Anthropic, Google Gemini), only the content of the lab result is transmitted. No personally identifying information (name, email address, phone number) is passed to AI processors.

Consent may be withdrawn at any time via the contact form. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

8. Automated Processing

The platform uses artificial intelligence to analyse uploaded lab results. This constitutes automated data processing. However, the output is purely informational and does not produce any legal effect or similarly significant consequence for the data subject (GDPR Art. 22). The analysis does not constitute a medical diagnosis and does not replace professional medical examination.

The payment processor applies its own automated risk-scoring system (fraud prevention). This is the payment processor's proprietary system; Roadlink UAE FzCo does not make decisions based on this scoring.

9. Cookies

The platform uses cookies to ensure functionality and improve the user experience. Cookies are small text files stored by the browser on the user's device.

9.1 Strictly necessary cookies

These cookies are required for the basic operation of the platform and may be used without consent.

Cookie name	Type	Expiry	Purpose
XSRF-TOKEN	Essential	2 hours	CSRF security protection
medilab24_session	Essential	2 hours	Session identifier
cookie_consent_*	Essential	1 year	Stores consent preferences
__cf_bm	Essential	30 minutes	Cloudflare bot management

9.2 Consent management

The platform displays a cookie consent banner. Consent is managed across three categories: Essential, Analytics and Marketing. Analytics and marketing cookies may be enabled or disabled at any time via the cookie settings menu. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).

10. International Data Transfers

Transfers of personal data to the United States (Cloudflare, OpenAI, Anthropic, Google, payment processor) are made on the basis of the EU–US Data Privacy Framework. Where this framework is not applicable, Standard Contractual Clauses (SCCs) are used as the applicable transfer safeguard in accordance with GDPR Art. 46(2)(c).

11. Your Rights

As a data subject under the GDPR, you have the following rights, which may be exercised by submitting a request via the contact form:

Right to information: You may request information about what data we hold about you, the legal basis, purpose, source and retention period. We will respond within 30 days.
Right to rectification: You may request correction of inaccurate data. We will act within 30 days.
Right to erasure: You may request deletion of your data. Health data is automatically deleted upon expiry of the chosen retention period. Other data is deleted within 48 hours of a verified request.
Right to restriction: You may request restriction of processing for as long as the reason you specify requires the data to be retained.
Right to object: You may object to processing based on legitimate interest. We will review the objection within 15 days and notify you of our decision.
Right to data portability: You have the right to receive personal data you have provided to us in a structured, machine-readable format.
Right to withdraw consent: Consent to the processing of health data may be withdrawn at any time via the contact form. Withdrawal does not affect prior processing.

12. Contact and Complaints

All data protection enquiries and requests may be submitted via the contact form at medilab24.com/contact.

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with the supervisory authority in your country of residence, place of work, or the place of the alleged infringement (GDPR Art. 77). A list of EU supervisory authorities is available at edpb.europa.eu.

The applicable legal framework includes: Regulation (EU) 2016/679 (GDPR); Directive 2002/58/EC (ePrivacy); and applicable national data protection legislation of the EU member state where the data subject is located.

Last updated: 1 March 2026