Compliance & Data Assurance

Legal Basis & Consent

• GDPR (UK/EU): MYQER acts as a data controller for user accounts. Explicit consent is required before collecting or processing any health-related data.
• Withdrawal: You can toggle visibility off or delete your account at any time. When deleted, your data is erased from active systems and scheduled for secure removal from backups.

Standards & Frameworks

• HIPAA-aligned safeguards (note: MYQER is not a HIPAA-covered entity).
• Alignment with UK NHS DTAC and ISO 27001 information-security management practices is in progress, with milestones published in our roadmap below.

Data Location & Transfers

• Primary hosting in London, United Kingdom using Render and Supabase.
• If data is processed outside the UK/EU, transfers occur only under the UK IDTA or EU SCCs with approved sub-processors.

Data Retention

• Account data is retained only while the account remains active.
• When an account is deleted, all personal data is purged within 30 days, including from encrypted backups.

Your Rights

• Access, correct, or erase your data.
• Request a copy for portability.
• Withdraw consent at any time.

Requests can be made at hello@myqer.com.

Security & Governance

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Role-based and row-level access controls within Supabase.
• Regular internal security reviews and supplier due-diligence.
• Incident-response playbook and breach-notification template prepared for deployment.

Clinical & Safety Readiness

• MYQER is a non-diagnostic emergency triage platform. It assists situational awareness but does not replace clinical assessment.
• A formal Clinical Safety Case and DTAC submission will accompany the next development phase.