Privacy Policy

Medzora — Last updated:

This Privacy Policy describes how Medzora (“Medzora”, “we”, “us”) collects, uses, stores, shares, and protects information in connection with the Medzora platform, available at https://web.medzora.ae/ and related properties (the “Service”). Medzora provides AI-assisted content drafting, compliance review, scheduling, and social publishing tools for licensed medical professionals and the clinics that employ them.

By accessing or using the Service, you agree to this Policy. If you do not agree, please do not use the Service.

1. Who this Policy covers

• Registered users — licensed clinicians and their clinic staff who sign in to manage content and connect social accounts.
• Clinic administrators — users who manage clinic-level settings, seats, and reporting.
• Visitors — anyone browsing our public pages (marketing, FAQ, news, blog) without signing in.

2. Information we collect

2.1 Information you provide

• Account data: name, email, password (hashed), professional role, medical license reference, clinic affiliation, language preference.
• Content you submit: article drafts, captions, media uploads, workflow notes, schedule metadata, analytics annotations.
• Support correspondence: messages, screenshots, and attachments you send to our team.

2.2 Information from connected platforms

When you choose to connect a third-party platform (for example TikTok, Meta/Facebook, Instagram, Threads, YouTube, or Google), we receive data from that platform strictly to operate the features you enable:

• OAuth tokens — access and refresh tokens scoped to the permissions you grant. Tokens are stored encrypted at rest and are never shared with other Medzora users.
• Profile identifiers — platform user ID, display name, avatar URL, and basic account metadata used to label the connected account in the UI.
• Content you post through us — videos, images, captions, hashtags, and scheduling metadata submitted via our publishing tools.
• Analytics and insights — aggregate views, engagement, follower counts, and similar metrics returned by the platform’s APIs for accounts you own.

2.3 TikTok-specific disclosure (Developer Data and Commercial Tools)

If you connect a TikTok account, Medzora uses TikTok’s Developer Data and Commercial Tools (“DDCTs”) — specifically Login Kit, the Content Posting API, and the Display API — in accordance with TikTok’s Developer Terms of Service, the Developer Data and Commercial Tools policies, and TikTok’s Community Guidelines.

Data we collect from TikTok through DDCTs. We request only the OAuth scopes necessary for features you enable. Typical scopes include:

• user.info.basic — your TikTok open ID, union ID, display name, avatar URL, and profile link, used to label the connected account in the UI.
• video.list — metadata about videos you own (title, description, create time, cover image, view/like/comment/share counts) used for analytics and content management.
• video.upload and video.publish — upload and publish videos you submit through Medzora’s scheduler.

How we use TikTok DDCT data. Strictly to operate the features you enable: to authenticate you, to render your TikTok account in the UI, to publish or schedule content you submit, and to display analytics for your own account. We do not use TikTok data to build profiles of end users, to serve advertising, or to train foundation AI models.

How we share TikTok DDCT data. We do not sell or rent TikTok data. We share TikTok data only with (i) cloud infrastructure sub-processors (hosting, storage, error monitoring) under contractual confidentiality and security obligations, and (ii) the clinic administrators linked to your account, who can see content and analytics you manage on behalf of the clinic.

How we store and protect TikTok DDCT data. OAuth tokens are encrypted at rest; transport uses TLS; access is restricted on a need-to-know basis and audit-logged.

How to disconnect and delete TikTok data. You can disconnect TikTok at any time from Settings → Integrations. Disconnection immediately revokes the stored OAuth token, and all cached TikTok data associated with your connection is deleted within 30 days. You can also revoke Medzora’s access at any time from your TikTok account’s “Manage app permissions” page. Full account deletion (see Section 13 below) also purges any residual TikTok data.

2.4 Technical data we collect automatically

• IP address, approximate location derived from IP, user-agent, device/browser type, operating system.
• Product usage events (page views, feature interactions, error logs) used for debugging, product analytics, and abuse prevention.
• Cookies and similar technologies used to keep you signed in and to remember preferences.

3. How we use information

• Provide, maintain, secure, and improve the Service.
• Authenticate you, manage sessions, and prevent unauthorized access.
• Generate AI-assisted drafts and compliance suggestions using models we run or license (inputs are not used to train third-party foundation models unless you explicitly opt in to such a feature).
• Publish, schedule, or sync content to connected platforms when you direct us to do so.
• Produce analytics and reports for your account and your clinic.
• Communicate with you about your account, security, or changes to the Service.
• Comply with applicable law and respond to valid legal requests.

4. Legal bases (where GDPR applies)

• Contract — to provide the Service you requested.
• Legitimate interests — to secure, improve, and troubleshoot the Service, provided those interests are not overridden by your rights.
• Consent — for optional integrations, marketing email, or any feature that explicitly requests it.
• Legal obligation — to meet regulatory, tax, or law-enforcement requirements.

5. Sharing and disclosure

We do not sell your personal information. We share data only in these cases:

• Service providers / sub-processors — cloud hosting, object storage, email, error monitoring, and AI inference providers that operate the Service on our behalf under contractual confidentiality and security obligations.
• Third-party platforms — when you direct us to publish or sync content (for example to TikTok, Meta, YouTube), data flows to that platform under its own privacy policy.
• Your clinic — if your account is provisioned under a clinic, designated clinic administrators can see content, schedules, and analytics tied to their clinic.
• Legal / safety — if required by law, subpoena, or to protect the rights, property, or safety of Medzora, our users, or others.
• Business transfer — in connection with a merger, acquisition, or asset sale, subject to this Policy.

6. International transfers

Medzora is operated from the United Arab Emirates. Data may be processed in jurisdictions where our sub-processors operate. Where required, we rely on appropriate safeguards such as standard contractual clauses.

7. Data retention

We retain personal data only for as long as necessary to provide the Service, meet legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

• Account profile (name, email, role, license reference): for the life of the account, plus up to 12 months after deletion for audit, tax, and abuse-prevention purposes, unless a longer period is required by law.
• User-generated content (drafts, captions, media, schedules): for the life of the account; deleted items are purged within 30 days.
• Third-party platform OAuth tokens and cached data (including TikTok DDCT data): retained only while the connection is active; deleted within 30 days of disconnection or account deletion.
• TikTok analytics and video metadata fetched via DDCTs: cached for up to 24 hours for performance; refreshed or purged on disconnection.
• Operational and security logs: typically retained for up to 90 days.
• Encrypted backups: retained on a rolling basis and fully purged within 35 days.
• Support correspondence: retained for up to 24 months after the ticket is closed.

8. Data deletion process

You can delete your data in three ways:

1. Self-service disconnection — from Settings → Integrations you can disconnect any connected platform (TikTok, Meta, Google, etc.). The associated OAuth token is revoked immediately and all cached platform data is deleted within 30 days.
2. Account deletion request — email privacy@medzora.ae from your account email, or use the form on our Data Deletion page. We verify the request, confirm by email within 7 days, and complete deletion within 30 days. Third-party tokens are revoked immediately on receipt of a verified request.
3. Clinic-initiated deletion — authorized clinic administrators can request deletion of clinic-owned accounts and content through the same channel, subject to any retention required by applicable medical-records law.

After deletion, residual copies in encrypted backups are purged within 35 days under our backup rotation. We retain minimal records required by law (for example tax invoices and evidence of prior policy acceptance) for the period required, in an access-restricted archive.

You can also revoke Medzora’s access to TikTok at any time directly in TikTok → Settings → Privacy → Manage app permissions, which immediately invalidates our stored token.

9. Security

We use industry-standard controls, including TLS for data in transit, encryption at rest for sensitive fields (including OAuth tokens), access controls and audit logs, regular dependency patching, and principle-of-least-privilege for staff access. No system is perfectly secure; we cannot guarantee absolute security.

10. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete personal data, and to object to or restrict certain processing. To exercise these rights, email us at the address below. We respond within 30 days. You can also delete your account at any time; see Section 8 or our data deletion page.

11. Children

The Service is intended for licensed medical professionals and authorized clinic staff only. It is not directed to children under 16, and we do not knowingly collect personal data from children.

12. Cookies

We use strictly necessary cookies for authentication and session management, and limited analytics cookies for product improvement. You can control cookies through your browser settings; disabling authentication cookies will prevent you from using signed-in features.

13. Changes

We may update this Policy to reflect product, legal, or operational changes. Material changes will be notified in-product or by email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.