Privacy Policy

Last updated: January 2026

1. Introduction

MiriConnect ("we", "our", or "us"), based in Copenhagen, Denmark, is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use MiriConnect, our mobile and web interface for accessing MIRI Timelapse incubator systems used in fertility and reproductive medicine clinics.

Key Privacy Principle: MiriConnect is a real-time streaming interface. Patient and medical data is streamed directly from your clinic's MIRI Timelapse machine to your device. We do not store, cache, or retain any patient medical data on our servers. Your clinic's infrastructure remains the sole repository of all medical information.

MiriConnect is designed exclusively for licensed healthcare professionals working at fertility clinics. By using our services, you acknowledge that you are a healthcare professional authorized to access patient data in the course of your professional duties.

This Privacy Policy complies with the General Data Protection Regulation (GDPR), the Danish Data Protection Act, and other applicable data protection laws.

2. Data Controller and Processor Relationships

Understanding the roles and responsibilities regarding your data:

  • Healthcare Clinics (Data Controllers for Medical Data): Your clinic is the sole data controller for all patient medical data. Since MiriConnect only streams this data and never stores it, your clinic retains complete control and responsibility for patient information at all times.
  • MiriConnect (Data Controller for Service Data Only): We are the data controller only for user account information, authentication credentials, and service-related data (such as login logs and preferences). We do not control or process patient medical data—we merely facilitate its secure transmission.
  • Cloud Service Providers (Sub-processors): We use reputable cloud infrastructure providers for user authentication, account management, and service delivery. These providers process user account data on our behalf under data processing agreements and never receive or process patient medical data.

We maintain Data Processing Agreements (DPAs) with all clinics and sub-processors to ensure appropriate data protection safeguards are in place. Note that because patient medical data is streamed directly and never stored by MiriConnect, our role regarding such data is limited to providing a secure transmission channel.

3. Information We Collect

We collect and process the following categories of personal data:

3.1 Authentication Data

  • Email addresses used for account identification and communication
  • Password hashes (securely stored by our authentication service provider)
  • Time-based One-Time Password (TOTP) secrets for multi-factor authentication
  • Authentication tokens for session management
  • Biometric authentication templates (stored exclusively on your device, never transmitted to our servers)

3.2 User Profile Data

  • Display name
  • User role (user, admin, or superadmin)
  • Clinic assignment information (clinic ID and identifier)
  • Multi-factor authentication enrollment status
  • Account status (active, inactive, or pending)
  • Last login timestamp
  • Account creation date

3.3 Usage Data

  • Application access logs for security monitoring
  • API request logs for troubleshooting and optimization
  • Session duration and timing information
  • Feature interaction patterns (anonymized for analytics)
  • Data refresh timestamps

3.4 Device Data

  • Device model and type
  • Operating system version (iOS or Android)
  • Device identifiers for security verification and fraud prevention

3.5 Notification Data

  • Push notification tokens for delivering alerts to your device
  • Notification preferences and settings
  • Message delivery and read status

4. Medical and Clinical Data

MiriConnect provides access to sensitive medical data as part of its core functionality. It is important to understand how this data is handled:

4.1 Data Accessed Through MiriConnect

When authorized users access patient records, the following categories of medical data may be retrieved from your clinic's MIRI Timelapse infrastructure:

  • Patient identifiers, codes, and names
  • Patient and spouse/partner birth dates
  • Diagnosis and medical history information
  • Contact information including email addresses
  • Treatment records (attending physicians, embryologists, clinical notes)
  • Timelapse data (incubator information, chamber IDs, cycle intervals)
  • Embryo data (IDs, positions, developmental states, annotations)
  • High-resolution embryo images and time-lapse frame data
  • Medication records and protocols
  • Oocyte quality assessments and maturity data
  • Culture types, media, and laboratory conditions
  • Insemination types and sperm source information
  • Treatment outcomes and results

4.2 How Medical Data Flows (Critical Information)

MiriConnect Never Stores Your Medical Data

MiriConnect operates as a pass-through streaming interface. When you access patient records, embryo images, or timelapse recordings through our app, this data is streamed in real-time directly from your clinic's MIRI Timelapse machine to your mobile device. Think of MiriConnect as a secure window into your clinic's system—not a separate database.

The data flow works as follows:

  • Source: All patient medical data originates from and remains stored on your clinic's MIRI Timelapse infrastructure
  • Streaming: When you request data (e.g., view an embryo image), it is streamed through our encrypted gateway directly to your device
  • No Storage: MiriConnect servers do not store, cache, log, or retain any patient medical data during or after transmission
  • No Local Storage: Your mobile device displays the streamed data but does not save it locally
  • Session End: When you close the app or navigate away, no medical data persists anywhere except on your clinic's original MIRI system

What our gateway does:

  • Authenticates your identity and verifies your authorization
  • Establishes an encrypted connection between your device and your clinic's system
  • Routes the data stream securely without inspecting or storing the medical content
  • Logs access events (who accessed, when) for security auditing—but not the medical data itself

5. Data Storage Locations

5.1 On-Device Storage (iOS)

  • Secure Enclave: Authentication tokens, app PIN codes, and MFA verification status (protected by iOS platform security)
  • App Preferences: Non-sensitive settings such as environment selection and biometric preferences
  • No patient medical data is stored locally on iOS devices

5.2 On-Device Storage (Android)

  • Hardware-Backed Security: Biometric credentials and cryptographic keys (protected by Android platform security)
  • App Preferences: Non-sensitive settings such as environment selection
  • Encrypted Storage: Sensitive configuration data (encrypted at rest)
  • No patient medical data is stored locally on Android devices

5.3 Cloud Storage

  • MiriConnect Cloud Services: User profiles, clinic information, user invitations, in-app messages, and administrative audit logs (stored with our cloud infrastructure providers)
  • Clinic MIRI Infrastructure: All patient medical data remains on your clinic's own systems, accessed securely through our gateway

6. How We Use Your Information

We process your personal data for the following purposes and legal bases:

6.1 Service Provision (Contract Performance)

  • Authenticating your identity and managing your account
  • Providing secure access to MIRI Timelapse systems
  • Facilitating communication between clinic staff
  • Enforcing subscription and licensing terms
  • Processing and rendering medical images and data for viewing

6.2 Security and Fraud Prevention (Legitimate Interest)

  • Detecting and preventing unauthorized access
  • Monitoring for suspicious activity and potential breaches
  • Maintaining audit logs for security investigations
  • Verifying device integrity and authentication status

6.3 Service Improvement (Legitimate Interest)

  • Analyzing usage patterns to improve user experience
  • Identifying and fixing technical issues
  • Developing new features and functionality
  • Optimizing application performance

6.4 Legal Compliance (Legal Obligation)

  • Complying with healthcare regulations and data protection laws
  • Responding to valid legal requests from authorities
  • Maintaining records as required by applicable regulations

7. Data Security Measures

We implement comprehensive security measures to protect your data:

7.1 Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest in our cloud infrastructure
  • Hardware-backed encryption on mobile devices

7.2 Authentication and Access Control

  • Secure authentication service with custom security claims
  • Mandatory TOTP-based multi-factor authentication for all users
  • Optional biometric authentication (Face ID, Touch ID, fingerprint)
  • App-level PIN codes for additional protection
  • Role-based access control (user, admin, superadmin)
  • Clinic-based data isolation ensuring users can only access their assigned clinic's data

7.3 Session Management

  • Automatic session expiration and token refresh
  • Automatic logout after periods of inactivity
  • Secure token storage using platform-specific secure enclaves

7.4 Infrastructure Security

  • Gateway-mediated backend access to clinic systems
  • Comprehensive audit logging for compliance and forensics
  • Regular security assessments and penetration testing
  • Continuous monitoring for vulnerabilities and threats

8. GDPR Rights

Under the General Data Protection Regulation, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of your personal data and information about how it is processed.
  • Right to Rectification: You can request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You can request deletion of your personal data, subject to legal retention requirements.
  • Right to Restrict Processing: You can request limitation of how your personal data is processed.
  • Right to Data Portability: You can request your data in a structured, machine-readable format.
  • Right to Object: You can object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.
  • Right to Lodge a Complaint: You can file a complaint with a supervisory authority (in Denmark: Datatilsynet).

To exercise any of these rights, please contact us at privacy@miriconnect.com. We will respond to your request within 30 days.

Note: For rights regarding patient medical data, please contact your clinic directly, as the clinic is the data controller for such information.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Information: Retained while your account is active and for 30 days after account deletion to allow for recovery.
  • Authentication Logs: Retained for 12 months for security monitoring and incident investigation.
  • Audit Logs: Retained for the period required by applicable healthcare regulations (typically 5-10 years depending on jurisdiction).
  • Usage Analytics: Aggregated and anonymized data may be retained indefinitely for service improvement.
  • Support Communications: Retained for 3 years after resolution for quality assurance and legal compliance.

When data is no longer needed, it is securely deleted or anonymized in accordance with our data destruction procedures.

10. Third-Party Services and Sub-processors

We use carefully selected third-party service providers to deliver MiriConnect. These providers are chosen based on their security practices, compliance certifications, and data protection standards.

10.1 Cloud Infrastructure Providers

  • Authentication Services: User identity management and secure login
  • Database Services: Storage for user profiles, clinic data, and messaging
  • Serverless Computing: Backend processing and business logic
  • Push Notification Services: Delivery of alerts and notifications to your device
  • Analytics Services: Anonymous usage analytics to improve our service (can be disabled)
  • Web Hosting: Hosting for our web applications and admin portal

Our cloud infrastructure providers process data in accordance with data processing agreements and maintain industry-standard compliance certifications (such as SOC 2, ISO 27001, and similar).

10.2 App Distribution Platforms

  • Apple (iOS): App Store for distribution and Apple Push Notification service for alerts
  • Google (Android): Google Play Store for distribution and push notification services

10.3 Sub-processor List

A detailed list of our current sub-processors, including their locations and processing activities, is available upon request. Please contact privacy@miriconnect.com to obtain this list. We will notify clinics of any changes to our sub-processors in accordance with our data processing agreements.

11. International Data Transfers

As MiriConnect is based in Copenhagen, Denmark, your data is primarily processed within the European Economic Area (EEA). However, some of our service providers may process data outside the EEA:

  • Cloud Infrastructure Providers: May process data in the United States and other countries where they operate data centers.
  • App Distribution Platforms: May process data in the United States for app store and notification services.

For transfers to countries outside the EEA that have not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all sub-processors
  • Supplementary technical and organizational measures where necessary
  • Regular assessment of the legal framework in recipient countries

12. Healthcare Data Regulations

MiriConnect is designed to comply with healthcare-specific data protection requirements:

  • GDPR Article 9: Special categories of data (health data) are processed under the exemption for healthcare provision and occupational medicine (Art. 9(2)(h)).
  • Professional Secrecy: We maintain appropriate confidentiality obligations equivalent to those binding healthcare professionals.
  • Audit Trails: Comprehensive logging of all data access for regulatory compliance.
  • Data Minimization: We only facilitate access to data necessary for treatment purposes.

Your clinic remains responsible for ensuring that its use of MiriConnect complies with all applicable healthcare regulations in your jurisdiction.

13. Cookies and Tracking Technologies

Our web application and landing pages may use the following technologies:

  • Essential Cookies: Required for authentication and security (session cookies, CSRF tokens).
  • Preference Cookies: Remember your settings and preferences (language, theme).
  • Analytics: Usage analytics for understanding usage patterns (can be disabled in app settings).

Our mobile applications do not use cookies but may use similar technologies such as local storage and device identifiers for the purposes described in this policy.

14. Automated Decision-Making

MiriConnect does not currently use automated decision-making or profiling that produces legal or similarly significant effects on individuals. Any analytics or AI-assisted features operate as follows:

  • Image analysis and embryo assessment tools provide recommendations only; all clinical decisions are made by qualified healthcare professionals.
  • Usage analytics are aggregated and do not affect individual user access or service provision.
  • Account security measures (such as suspicious activity detection) may restrict access temporarily, but human review is always available.

If we introduce automated decision-making features in the future, we will update this policy and provide appropriate information about the logic involved and the significance of such processing.

15. Children's Privacy

MiriConnect is designed exclusively for use by licensed healthcare professionals in fertility clinics. We do not knowingly collect personal information from children under 18 years of age. The service is not directed at children and requires professional healthcare credentials for access. If we become aware that we have collected personal data from a child without appropriate authorization, we will take steps to delete such information promptly.

16. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

  • We will notify the relevant supervisory authority (Datatilsynet in Denmark) within 72 hours of becoming aware of the breach.
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.
  • We will notify affected clinics immediately so they can fulfill their own notification obligations regarding patient data.
  • We maintain an incident response plan and conduct regular breach simulation exercises.

Notifications will include the nature of the breach, likely consequences, measures taken or proposed, and contact information for further inquiries.

17. Future Features and Updates

As MiriConnect evolves, we may introduce new features that involve additional data processing. These may include:

  • AI-assisted analysis tools and clinical decision support
  • Enhanced analytics and reporting capabilities
  • Integration with additional third-party laboratory and clinic systems
  • Collaboration features between clinics and healthcare networks
  • Research and quality improvement programs (with appropriate consent)

Before introducing features that materially affect how we process your data, we will update this Privacy Policy and, where required, seek your consent or that of your clinic.

18. Contact Information

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:

Privacy Inquiries

Email: privacy@miriconnect.com

Address: Copenhagen, Denmark

We aim to respond to all privacy inquiries within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) or your local supervisory authority.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • We will update the "Last updated" date at the top of this page.
  • For material changes, we will provide notice through the application or via email before the changes take effect.
  • We encourage you to review this Privacy Policy periodically.
  • Your continued use of MiriConnect after changes become effective constitutes acceptance of the revised policy.

Previous versions of this Privacy Policy are available upon request.

20. Governing Law

This Privacy Policy is governed by the laws of Denmark and the European Union, including the General Data Protection Regulation (GDPR). Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the Danish courts, without prejudice to your right to bring proceedings in your country of residence if you are a consumer in the EEA.