Last updated: 27 May 2026
Controller contact: EOSIA Health, startup undergoing registration (trade register and tax IDs pending), Pavilion 23, Saad Dahlab University Blida 1, Route de Soumâa, BP 270, Ouled Yaïch, 09100 Blida, Algeria
Privacy contact: privacy@myqcmdz.com
Data Protection Officer / personal data contact: dpo@myqcmdz.com
This Privacy Policy explains how EOSIA Health operates MyQCM Aljazayr and related services, including MyQCM student learning, teacher spaces, EOSIA Campus, EOSIA Scribe, PHAROS, Curator, adaptive QCM/QROC, smart articles, AI explanations, live sessions, progress analytics, subscriptions, activation cards, support, and website cookie/local-storage features.
This Policy is designed to be transparent and protective, but it must be aligned with the final technical implementation and with signed contracts before publication.
1. Who we are
For ordinary student, visitor, teacher, beta, support, and direct-subscription use, EOSIA Health is generally the controller of personal data processed through MyQCM Aljazayr because EOSIA Health determines the main purposes and means of the processing.
For institutional deployments, such as EOSIA Campus used by a faculty, university, training provider, hospital training department, or other institution, roles may differ. Depending on the contract and configuration:
- EOSIA Health may act as controller for platform security, billing, product analytics, service administration, and direct user relationship;
- the institution may act as controller for official academic records, institutional access decisions, class membership, teacher assignments, and formal educational decisions;
- EOSIA Health may act as processor or sub-processor for specific institutional data handled only on the institution’s documented instructions;
- some activities may involve joint or independent controllership and should be described in the institutional contract.
Where a separate institutional agreement or data processing agreement applies, that agreement may provide additional information and protections.
2. Key definitions
Personal data means information relating to an identified or identifiable person.
Processing includes collection, recording, storage, organization, consultation, use, disclosure, transfer, deletion, or any similar operation.
Learning data means educational interaction data such as answers, scores, attempts, progress, weaknesses, knowledge components, revision history, and recommendations.
User content means files, notes, scans, images, text, questions, comments, documents, prompts, answers, generated content, and other materials uploaded or submitted by a user.
AI features means AI-assisted tools used for educational explanation, structuring, summarization, classification, tagging, generation, recommendation, or support.
Institutional administrator means a person authorized by an institution to manage users, roles, modules, cohorts, dashboards, or content.
3. Data we may collect
The data we process depends on your role, account type, settings, and the services you use.
3.1 Account and identity data
We may process name, first name, username, email address, phone number, account identifier, password hash, authentication method, role, account status, language, organization, and other information required to create or manage an account.
3.2 Educational profile data
We may process university, faculty, school, cohort, year, specialty, modules, teacher group, institution, learning goals, preferred language, exam preparation context, and learning preferences.
3.3 Authentication and security data
We may process login logs, timestamps, IP-derived security signals, device/browser identifiers, access tokens, refresh tokens, session metadata, failed-login events, password reset events, abuse-prevention signals, audit logs, and security incident records.
3.4 Learning and progress data
We may process QCM/QROC attempts, answers, scores, time spent, mistakes, progress, mastery state, weak concepts, knowledge components, revision schedule, training seasons, recommended next steps, goals, achievements, badges, streaks, dashboards, and educational analytics.
3.5 AI and personalization data
We may process prompts, uploaded educational documents, extracted text, generated explanations, summaries, tags, difficulty estimates, semantic classifications, recommended revisions, and feedback on AI outputs.
3.6 User content
We may process notes, Scribe scans, images, PDFs, typed text, imported courses, teacher materials, questions, answers, articles, comments, and documents submitted to PHAROS, Curator, Scribe, or other content tools.
3.7 Teacher, contributor, and institutional data
We may process roles, invitations, module assignments, content reviews, publication status, moderation actions, correction history, aggregated class analytics, institutional dashboard activity, and permissions.
3.8 Payment, activation, and subscription data
We may process plan type, subscription status, activation-card information, order references, invoice references, limited payment metadata, discount codes, transaction status, renewal status, refund requests, and support records related to payment. We should not store full card data unless expressly disclosed and legally/technically secured through a compliant payment provider.
3.9 Support, beta, and communication data
We may process messages, demo requests, beta applications, bug reports, screenshots sent by you, customer support history, email preferences, and service notifications.
3.10 Website and cookie/local-storage data
We may process cookie consent choices, language preference, local interface preferences, browser storage keys, technical logs, and analytics where configured and lawful. More information appears in the Cookie Policy.
4. Data we do not want you to upload
MyQCM is an educational platform. It is not designed to collect real patient medical data.
You must not upload or submit real patient information, medical records, identifiable clinical images, names, phone numbers, national identifiers, hospital identifiers, biometric data, or any information that can identify a patient, unless all of the following conditions are met:
- a separate written agreement authorizes this use;
- a valid legal basis and all required authorizations exist;
- the data is minimized and, where possible, anonymized or strongly de-identified;
- the institution and users have complied with medical secrecy, confidentiality, and applicable data-protection law;
- EOSIA Health has confirmed the required safeguards in writing.
If you accidentally upload real patient data or other sensitive information, you must delete it where possible and contact us immediately at privacy@myqcmdz.com or security@myqcmdz.com.
5. Why we process personal data
We process personal data for the following purposes:
- create, secure, authenticate, and manage accounts;
- provide QCM, QROC, articles, notes, live sessions, dashboards, reminders, and learning features;
- personalize learning pathways, revision schedules, and recommendations;
- operate teacher, contributor, and institutional workflows;
- structure, generate, review, and improve educational content through PHAROS, Curator, Scribe, and AI tools;
- provide support, onboarding, beta testing, and demonstrations;
- manage subscriptions, activation cards, payments, refunds, invoicing, and access rights;
- send service messages, invitations, alerts, security notices, and necessary account communications;
- detect, prevent, and investigate abuse, fraud, account sharing, scraping, attacks, and security incidents;
- maintain audit trails and comply with legal, accounting, tax, regulatory, and contractual obligations;
- measure performance, reliability, stability, and quality of the platform;
- improve the service, user experience, educational quality, and system safety;
- manage cookies and similar technologies according to the Cookie Policy;
- protect the rights, property, safety, and legitimate interests of EOSIA Health, users, teachers, institutions, and third parties.
6. Legal bases
Depending on the applicable law and context, processing may rely on one or more of the following legal bases.
| Processing activity | Typical legal basis |
|---|---|
| Account creation, login, access to learning features | Performance of the service contract or user request |
| Institutional access and class/module membership | Institutional contract, performance of educational service, legitimate interest, or institution’s lawful basis |
| Learning progress, recommendations, dashboards | Performance of the service, legitimate interest in providing adaptive learning, and safeguards for users |
| Optional AI processing of uploaded documents | Performance of requested feature; consent or additional safeguards where sensitive data may be involved |
| Payment, activation cards, invoices | Performance of contract and legal/accounting obligations |
| Security logs, abuse prevention, fraud detection | Legitimate interest, legal obligations, and protection of service integrity |
| Service notifications | Performance of service or legitimate interest |
| Marketing communications | Consent or legitimate interest where permitted; opt-out rights apply |
| Non-essential cookies or trackers | Consent, unless legally exempt |
| Legal claims and regulatory requests | Legal obligation and legitimate interest |
| Product analytics | Legitimate interest or consent depending on the tool, configuration, jurisdiction, and cookie rules |
When Algerian personal-data law applies, EOSIA Health will seek to comply with Law No. 18-07 as amended and supplemented, including obligations relating to information, consent where required, rights, security, records, transfers, and the national authority. When GDPR applies, EOSIA Health will seek to comply with GDPR principles, including lawfulness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
7. AI, personalization, and automated processing
MyQCM may use AI and algorithmic systems to:
- explain educational content;
- structure documents;
- identify knowledge components;
- classify difficulty;
- generate educational drafts;
- suggest revision priorities;
- summarize notes;
- detect weak concepts;
- recommend exercises;
- support teachers in reviewing or organizing content.
AI outputs are provided to support learning. They are not medical advice, diagnosis, prescription, treatment guidance, legal advice, or an official academic decision by themselves.
EOSIA Health seeks to apply the following safeguards:
- important educational or institutional decisions should remain subject to human oversight;
- teachers and institutions remain responsible for validating content they publish or use officially;
- users should verify important medical or scientific information through reliable sources, teachers, or official references;
- AI outputs may be incorrect, incomplete, outdated, biased, or unsuitable for a given context;
- users may report problematic outputs;
- where automated processing materially affects access, progress, or institutional treatment, users should be able to request information and human review where required by law.
MyQCM does not intend to make solely automated decisions producing legal effects or similarly significant effects on users without appropriate legal basis, information, and safeguards.
8. Institutional dashboards and teacher access
Where you use MyQCM through a faculty, school, teacher, or institution, authorized administrators and teachers may access limited educational information, such as enrollment status, module progress, scores, attempts, completion, activity, weak topics, and aggregated analytics.
Institutions and teachers must use these data only for legitimate educational purposes, within their authorized scope, and in accordance with applicable law and institutional rules. They should not use platform analytics alone for disciplinary measures, exclusion, official grading, or other high-impact decisions without appropriate human assessment and procedural fairness.
9. Sources of personal data
We may collect data directly from you, from your device/browser, from your use of the service, from teachers or institutions that invite or enroll you, from payment or activation providers, from support communications, and from technical service providers necessary to operate the platform.
10. Sharing personal data
We do not sell users’ personal data.
We may share personal data only where necessary and lawful with:
- authorized EOSIA Health personnel and contractors under confidentiality duties;
- teachers, module leads, institution administrators, and authorized institutional users within their scope;
- hosting, cloud, storage, database, email, notification, analytics, monitoring, customer support, payment, and security providers;
- AI infrastructure or model providers where AI features are enabled and where contractual and technical safeguards are in place;
- professional advisers such as lawyers, accountants, auditors, and insurers;
- public authorities, regulators, courts, or law enforcement where legally required or necessary to protect rights and safety;
- successors or partners in a merger, acquisition, restructuring, investment, or transfer of business, subject to confidentiality and lawful processing.
Where providers act as processors or sub-processors, EOSIA Health should contractually require confidentiality, security, limited processing, assistance with rights, incident notification, and deletion/return of data at the end of the service.
11. International transfers
The service may use infrastructure and providers in Algeria, the European Union, or other countries. International transfers may occur when data is hosted, accessed, supported, processed by AI systems, or handled by service providers outside your country.
Where Algerian law applies, transfers of personal data outside Algeria must be assessed and, where required, authorized or safeguarded in accordance with the applicable Algerian personal-data framework and ANPDP requirements.
Where GDPR applies, transfers from the European Economic Area to third countries should rely on an adequacy decision, Standard Contractual Clauses, additional safeguards, or another lawful transfer mechanism.
EOSIA Health should maintain a transfer map identifying providers, countries, categories of data, safeguards, and whether authorization or additional assessment is required.
12. Retention
We retain personal data only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law.
Indicative retention logic, to be validated before publication:
| Data category | Indicative retention criteria |
|---|---|
| Account data | While the account is active, then limited archiving for legal, security, and accounting purposes |
| Learning data | While needed for learning continuity, progress history, institutional reporting, and service improvement; deletion or anonymization after account closure where feasible |
| User content | Until deleted by the user, account closure, end of institutional contract, or retention need; backups may persist for a limited technical period |
| Payment and invoice data | According to accounting, tax, and legal retention requirements |
| Security logs | Limited period proportionate to security needs, unless needed for investigation or legal claims |
| Cookie consent records | Proportionate period to prove and manage consent choices |
| Support records | As long as needed to resolve requests and keep evidence of service communications |
| Marketing preferences | Until withdrawal/opt-out plus a limited suppression period to avoid recontact |
| Aggregated/anonymized analytics | May be retained longer where individuals are no longer identifiable |
Before publication, EOSIA Health should replace this table with exact retention periods and deletion/anonymization triggers.
13. Security
EOSIA Health should implement appropriate technical and organizational measures based on the risks, nature, scope, context, and purposes of processing, including where relevant:
- HTTPS/TLS encryption in transit;
- password hashing and secure authentication;
- access controls based on roles and least privilege;
- separation of student, teacher, institution, and administrator scopes;
- audit logs for sensitive actions;
- encryption or strong protection for sensitive stored data where feasible;
- backups and recovery procedures;
- secure development and vulnerability management;
- input validation and abuse prevention;
- monitoring and incident response;
- confidentiality obligations for personnel and contractors;
- minimization of data sent to AI providers;
- contractual safeguards with processors;
- deletion or anonymization procedures.
No online service can guarantee absolute security. Users must keep credentials confidential, use strong passwords, avoid sharing accounts, and report suspected unauthorized access.
14. Personal data breaches
If EOSIA Health becomes aware of a personal-data breach, it should investigate, contain, document, and assess the incident. Where required by applicable law, EOSIA Health will notify the competent authority and affected persons.
Under the Algerian framework as amended by Law No. 25-11, the controller must notify the national authority of a personal-data breach within the applicable legal period where required, and document breaches and remedial actions. Where the breach is likely to create a high risk for natural persons, affected persons should be informed in clear and simple language unless an exception applies.
Processors must notify EOSIA Health without undue delay after becoming aware of a breach affecting data processed for EOSIA Health.
15. Your rights
Depending on the applicable legal framework, you may have the right to:
- receive information about the processing of your personal data;
- access your personal data;
- correct inaccurate or incomplete data;
- request deletion where legally possible;
- restrict certain processing;
- object to certain processing;
- withdraw consent where processing is based on consent;
- request portability where GDPR applies and conditions are met;
- obtain information about automated processing that affects you;
- request human review where required by law;
- lodge a complaint with a competent data-protection authority.
To exercise rights, contact: privacy@myqcmdz.com or dpo@myqcmdz.com.
We may need to verify your identity before responding. We may refuse or limit requests where allowed by law, for example if the request is manifestly unfounded, excessive, affects the rights of others, or conflicts with legal retention obligations.
16. Children and minors
MyQCM is designed mainly for higher-education medical students, teachers, and institutions. It is not designed for young children.
If minors use the service, EOSIA Health and the relevant institution should implement an appropriate consent, parental/guardian authorization, supervision, and safeguarding framework consistent with applicable law.
17. Communications
We may send service communications necessary to operate the platform, such as account messages, security alerts, teacher invitations, institutional notifications, progress reminders, and administrative notices.
Marketing or promotional messages will be sent only where permitted by law. You may unsubscribe or change preferences where applicable, but you may continue to receive necessary service messages.
18. Cookies and similar technologies
We use cookies, localStorage, sessionStorage, tokens, and similar technologies as described in the Cookie Policy. Non-essential cookies or trackers should not be activated unless a valid exemption applies or consent has been obtained.
19. Changes to this Policy
We may update this Policy to reflect changes in the service, law, providers, security practices, or institutional requirements. The updated version should display the effective date. Material changes should be communicated through a reasonable channel, such as the website, application, account area, or email.
20. Contact
EOSIA Health / MyQCM Aljazayr
Legal entity: EOSIA Health — startup undergoing registration (trade register and tax IDs pending)
Registered address: Pavilion 23, Saad Dahlab University Blida 1, Route de Soumâa, BP 270, Ouled Yaïch, 09100 Blida, Algeria
Operational address: Ouled Yaïch, Blida, Algeria
Privacy: privacy@myqcmdz.com
DPO/personal-data contact: dpo@myqcmdz.com
Security: security@myqcmdz.com
General contact: contact@myqcmdz.com
21. Publication checklist
Before publishing this Policy, complete the following:
- official legal identity and address;
- DPO or privacy contact;
- exact provider/sub-processor list;
- exact hosting countries and transfer safeguards;
- exact retention periods;
- exact cookie inventory;
- institutional role allocation;
- breach response procedure;
- records of processing;
- DPIA where required;
- lawyer approval.