EUDAMate← Back to site

Legal

Privacy Policy

Last updated: May 2026

1. Who we are

EUDAMate is operated by Ege Can Gecer, trading as EUDAMate (“we”, “us”, “our”). We are the data controller for personal data processed through eudamate.eu.

Contact: ege@eudamate.eu

2. What data we collect

We collect only what is necessary to provide the service:

  • Email address: provided when you request a readiness report or create an account. Used to send your report and product communications you opt into.
  • Uploaded files: spreadsheets you upload for EUDAMED data preparation. These contain device data, not personal data about individuals. Files are processed immediately and permanently deleted from our servers after analysis.
  • Account data: name, email, and password hash if you register. Stored in Supabase.
  • Payment data: handled entirely by Stripe. We do not store card numbers or full payment details. We receive a transaction reference and billing email.
  • Server logs: IP address, browser type, pages visited, timestamps. Retained for up to 30 days for security and debugging purposes.

3. How we use your data

  • To run the readiness analysis and return your report
  • To manage your account and project history
  • To process payments and issue invoices
  • To send transactional emails (report delivery, account confirmation)
  • To improve the service and fix errors

We do not sell your data, share it with third parties for marketing, or use it for automated profiling.

4. Legal basis (GDPR Article 6)

  • Contract performance: processing necessary to deliver the readiness report and paid data preparation service you requested.
  • Legitimate interests: server logs and security monitoring.
  • Consent: marketing emails, if you opt in.

5. Data processors

We use the following sub-processors, each bound by data processing agreements:

  • Supabase: database and authentication (EU region)
  • Railway: backend API hosting
  • Vercel: frontend hosting and CDN
  • Stripe: payment processing
  • Anthropic: AI processing for column mapping and EMDN classification. Uploaded file content may be sent to Anthropic's API for this purpose. Anthropic does not use API inputs to train models.
  • Resend: transactional email delivery

6. Data retention

  • Uploaded files: deleted immediately after analysis. Never stored beyond the processing request.
  • Account data: retained while your account is active. Deleted within 30 days of account deletion request.
  • Project data (field decisions, review history): retained for the life of your account to support audit trails required by MDR/IVDR QMS obligations.
  • Payment records: retained for 7 years per EU accounting requirements.
  • Server logs: 30 days.

7. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your national data protection authority

To exercise any of these rights, email ege@eudamate.eu. We respond within 30 days.

8. Cookies

We use only essential session cookies required to keep you logged in. We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on this site.

9. Changes to this policy

We will notify registered users by email of material changes to this policy at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.