Privacy Notice – MEG (Medical EGuides Ltd)

Last updated: October 2025

At MEG, we build software that helps healthcare professionals work safely and efficiently. Protecting personal data is central to how we do business.

Who We Are

Medical EGuides Ltd (“MEG”, “we”, “our”, “us”) provides digital tools and platforms used by healthcare organisations worldwide.
We are registered in Ireland (Reg. No. 581747) with offices in Dublin, the UK, the UAE and Australia.
We are regulated by the Data Protection Commission (DPC - Ireland) as our lead supervisory authority.

Our Role Under Data Protection Laws

Depending on the context, MEG may act as:

  • Data Processor – when processing information on behalf of our healthcare organisation customers (the data controllers).

  • Data Controller – for our own employees, contractors, suppliers, and business operations.

  • Joint Controller or Data Owner – in limited cases defined by contract.

When you use MEG software as part of your healthcare organisation’s system, that organisation controls your personal data. You should contact them directly to exercise your data protection rights. MEG supports all such requests promptly and securely on their behalf where needed.

Purposes and Legal Basis for Processing

We process personal data for:

  • Delivering and supporting our software and services (Contractual necessity)

  • Managing customer accounts, billing, and support (Contractual necessity)

  • Meeting legal, regulatory, and compliance obligations (Legal obligation)

  • Improving and securing our systems (Legitimate interest)

  • Managing our employees and contractors (Legal obligation and contract)

We never use customer data for marketing, profiling, or any unrelated purpose.

Information We Collect

We may process:

  • Contact details (name, email, phone number, role, organisation)

  • Technical data (device type, browser, IP address, usage logs)

  • Account credentials (as configured by the customer)

  • Limited location data when users opt in (e.g. to display local indexes)

  • Employee and supplier data for HR and contractual purposes

Website and Cookies

When you visit megit.com:

  • We use cookies to enable website functionality, analyse usage, and improve user experience.

    • Session cookies expire when you close your browser.

    • Persistent cookies help remember preferences and track visits for analytics.

  • We use Google Analytics and similar tools to understand traffic trends in an aggregated, anonymised way.

  • You can manage or disable cookies through your browser settings.

Links on our site may lead to other websites; MEG is not responsible for their privacy practices.

Where Data Is Stored

All healthcare data processed on behalf of our customers is hosted on Microsoft Azure, in secure data centres located within the local region of the healthcare organisation we serve.
If data is transferred outside the EEA or UK, we use EU Standard Contractual Clauses, Adequacy Decisions, and equivalent safeguards to protect it.

Security & Certifications

We maintain independent certifications to ensure the highest standards of data protection and cybersecurity:

  • ISO 27001:2022 – Information Security Management

  • ISO 27017 & ISO 27018 – Cloud security and data protection in the cloud

  • Cyber Essentials – UK Government-endorsed cybersecurity framework

  • NHS Data Security and Protection Toolkit – For organisations handling NHS data

  • SOC 2 Type II – Independent attestation of internal controls

  • HIPAA compliant – Meeting U.S. healthcare privacy and security requirements

These certifications guide our policies, staff training, encryption, and system design.
You can rely on these certifications as guarantors of the highest security standards, and in most cases they mean we already meet or exceed your healthcare organisation’s own security and compliance requirements.

Data Sharing

We only share data with:

  • Trusted service providers (e.g. Microsoft Azure, analytics or support platforms) who act under written data-processing agreements; and

  • Regulatory or legal authorities when required by law.

We do not sell or commercially share personal data.

Data Retention

We retain personal data only for as long as:

  • It is necessary to fulfil our contractual or legal obligations; or

  • The customer instructs us to delete it.

Data is securely deleted or anonymised after this period. Backup data is overwritten within 14 days of deletion.

Your Rights

Under GDPR and other applicable privacy laws, you (or your organisation) have the right to:

  • Access a copy of your personal data

  • Correct inaccurate or incomplete data

  • Request deletion or restriction of processing

  • Object to processing or withdraw consent (where applicable)

  • Request portability of your data

  • Lodge a complaint with your local Data Protection Authority or the Irish Data Protection Commission

When MEG acts as processor, these rights must be exercised through your healthcare organisation.

Security Measures

We protect data using:

  • Encryption in transit and at rest

  • Multi-factor authentication

  • Role-based access control (least privilege)

  • Continuous monitoring and regular audits

  • Annual external penetration tests

In the unlikely event of a data breach, MEG will notify affected customers and relevant authorities within 72 hours, where required by law.

Employee and Business Data

For our employees, contractors, and suppliers, MEG acts as data controller.
We process only what is required for employment, payroll, compliance, or business operations, and we retain data only as long as legally necessary.

Updates to This Notice

We may update this Privacy Notice periodically to reflect changes in laws, technology, or our services. The latest version will always be available at megit.com/privacy-policy.

Contact Us

If you have questions or requests related to data protection or this notice, contact:

📧 dataprotection@megit.com (Data Protection Officer)
📍 The Digital Depot, Thomas Street, Dublin D08 TCV4, Ireland
☎️ +353 87 706 43 22