
Medova — Informed Care platform in 15 languages

Travel health platform with a clinic marketplace, real-time WHO/CDC data, and an ML pipeline. From zero to production in 4 months — one developer with an AI-augmented workflow.
Client: Medova / EPKO internal project
Industry: Healthcare / HealthTech
Duration: 4 months (ongoing)

Challenge

A traveler types "Kenya vaccinations" into Google and lands on the CDC website. They read a list of 12 vaccinations, 3 of which are mandatory, 4 recommended, and the rest "depending on the region." They do not know which apply to their route. They do not know where to get vaccinated. They do not know the cost. They close the tab.

On the other side is a travel medicine clinic in Warsaw with open slots, every vaccine in stock, and a doctor who could answer each of those questions in 5 minutes. But that clinic does not exist in Google for "Kenya vaccinations." Its website is a business card with a phone number and a directions map.

This is the Care Gap — the chasm between credible medical information and booking an appointment. WHO and CDC data is public, clinics exist, patients are searching. But nothing connects them.

Medova was meant to close that gap: one place where a traveler learns what they need, why they need it, and where to get it — while the clinic gains a channel to reach a patient who has already made their decision.

What this meant technically

Simple on paper. In practice — a requirements list that would make most teams ask for 12 months and 6 people:

  • 15 languages from day one, including Arabic (RTL) and Japanese — because the travel health market is global, and SEO in one language means giving up 90% of organic traffic. Not "we'll add it later." From the first commit.
  • WHO and CDC medical data updated daily — not a static table, but a pipeline that queries 6 external sources daily, normalizes data, and updates recommendations per country × disease × vaccine. Stale data in travel medicine is not a bug — it is a health risk.
  • Marketplace with booking, payments, and clinic verification — not a directory with links. Full flow: clinic profile → doctor calendar → slot → payment → confirmation. With clinic identity verification before they appear in results.
  • Compliance from day one — GDPR, ISMS (ISO 27001), medical data. Not "we'll add a privacy policy before launch." Row-Level Security on every table, audit trail, encryption, data retention, consent — designed into the architecture, not bolted on after the fact.
  • Zero budget for enterprise infrastructure — a startup, not a corporation. The solution had to cost what Supabase + a dedicated server costs, not what AWS with a consultant costs.

And all of this was to be delivered by one developer.

Solution

Instead of planning architecture for a quarter, we had a working prototype in 6 weeks. Key decision upfront: we are not building "a platform that will someday support 15 languages." We are building a platform that supports 15 languages now — because every day without a Turkish, Indonesian, or Spanish version is organic traffic we will never recover.

Stack: deliberate trade-offs, not hype

Next.js 16 with App Router — because we needed SSR for SEO (Google needs to see translated content, not a spinner), while also building dynamic dashboards for clinics and admins. One framework for both use cases.

Supabase instead of a custom backend — PostgreSQL 15 with Auth, Storage, Edge Functions, and Row-Level Security in one package. The alternative was 3 months writing authentication and authorization boilerplate. Supabase gave us that in a week. Trade-off: less flexibility in edge cases. Acceptable at this stage.

Sanity v5 as blog CMS — document-level i18n, Portable Text, embedded Studio at /studio. Editors write content in one place, and the article appears in 15 language versions without developer involvement.

Coolify on Hetzner instead of Vercel/AWS — dedicated server, Docker standalone, zero vendor lock-in. Cost: a fraction of Vercel at comparable traffic. Cloudflare (free plan) in front — CDN, DDoS, SSL. The entire infrastructure for the price of one business lunch per month.

Routing: one of the harder problems

URL /pl/wiedza/choroby must lead to the same component as /en/knowledge/diseases and /de/wissen/krankheiten. But files on disk live under English paths.

We solved this with a proxy in the routing layer — not Next.js middleware, not redirects, not 15 copies of the same files. The proxy intercepts the request, recognizes the locale from the URL, translates the path to its English equivalent, and forwards it to the correct component. URL translations live in the database — a moderator adds a new language without redeploying.
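
The translation step described above, as an added example rather than Medova's proxy code: the `SEGMENTS` map stands in for the database table of URL translations and is built from the three URLs quoted above, and the slug rule for dynamic segments is an assumption. Unknown locales and unexpected segments resolve to null, so the caller answers 404 instead of forwarding the path.

```typescript
// Added example: locale-aware path translation that fails closed (not Medova's proxy code).
// SEGMENTS stands in for the database table of URL translations (constructed from the
// three URLs quoted in the text); the slug rule for dynamic segments is an assumption.
const SEGMENTS = new Map<string, Map<string, string>>([
  ["en", new Map([["knowledge", "knowledge"], ["diseases", "diseases"]])],
  ["pl", new Map([["wiedza", "knowledge"], ["choroby", "diseases"]])],
  ["de", new Map([["wissen", "knowledge"], ["krankheiten", "diseases"]])],
]);
const SLUG = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;

interface ResolvedRoute { locale: string; canonicalPath: string }

// Returns the English on-disk path for a localized URL, or null (treat as 404).
function resolveLocalizedPath(pathname: string): ResolvedRoute | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(pathname); // decode first so %2F and %2E cannot hide
  } catch {
    return null; // malformed percent-encoding
  }
  const parts = decoded.split("/").filter((p) => p !== "");
  const locale = parts[0];
  const table = locale === undefined ? undefined : SEGMENTS.get(locale);
  if (locale === undefined || table === undefined) return null; // unknown locale
  const canonical: string[] = [];
  for (const raw of parts.slice(1)) {
    const seg = raw.normalize("NFC").toLowerCase();
    const translated = table.get(seg);
    if (translated !== undefined) canonical.push(translated);
    else if (SLUG.test(seg)) canonical.push(seg); // dynamic slug, passed through unchanged
    else return null; // "..", dots, or anything outside the slug alphabet
  }
  return { locale, canonicalPath: "/" + canonical.join("/") };
}
```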

Security: 935 RLS policies

Each of the 160 database tables has Row-Level Security policies that define who can read, write, modify, and delete at the individual row level. A patient sees their own data. A clinic sees its patients. A moderator sees reports. An admin sees everything. Even if someone bypassed the frontend and hit the API directly, the database would refuse.

935 policies is not an accident. It is the result of a systematic approach: every new table = immediate question "who has access and why." We wrote audit tooling that detects tables without RLS before code reaches the repository.
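
One way such an audit can work, as an added example and not Medova's own tooling: it replays migration SQL in order and reports tables where RLS was never enabled (any policies on them are not enforced) and tables where RLS is on but no policy exists. Table names, policy names and the sample migrations are constructed.

```typescript
// Added example: static RLS audit over migration SQL, suitable for a pre-commit hook.
// Limitations: splits on ";" (function bodies are not parsed) and ignores DROP TABLE.
interface Finding { table: string; issue: "rls_disabled" | "no_policies" }

const IDENT = String.raw`((?:"?\w+"?\.)?"?\w+"?)`;
const CREATE_TABLE = new RegExp(String.raw`^create\s+table\s+(?:if\s+not\s+exists\s+)?${IDENT}`, "i");
const ALTER_RLS = new RegExp(String.raw`^alter\s+table\s+(?:if\s+exists\s+)?(?:only\s+)?${IDENT}\s+(enable|disable)\s+row\s+level\s+security`, "i");
const CREATE_POLICY = new RegExp(String.raw`^create\s+policy\s+(?:"[^"]+"|\w+)\s+on\s+${IDENT}`, "i");
// Unquote, lowercase, and default to the "public" schema so names compare equal.
function norm(raw: string): string {
  const name = raw.replace(/"/g, "").toLowerCase();
  return name.includes(".") ? name : `public.${name}`;
}

// Replays migrations in order and reports tables left without enforced policies.
function auditMigrations(migrations: string[]): Finding[] {
  const state = new Map<string, { rls: boolean; policies: number }>();
  for (const sql of migrations) {
    const clean = sql.replace(/\/\*[\s\S]*?\*\/|--.*$/gm, ""); // commented-out SQL must not count
    for (const stmt of clean.split(";").map((s) => s.trim())) {
      let m: RegExpMatchArray | null;
      if ((m = stmt.match(CREATE_TABLE))) state.set(norm(m[1]), { rls: false, policies: 0 });
      else if ((m = stmt.match(ALTER_RLS))) {
        const t = state.get(norm(m[1]));
        if (t) t.rls = m[2].toLowerCase() === "enable"; // a later DISABLE wins
      } else if ((m = stmt.match(CREATE_POLICY))) {
        const t = state.get(norm(m[1]));
        if (t) t.policies += 1;
      }
    }
  }
  const findings: Finding[] = [];
  state.forEach((t, table) => {
    if (!t.rls) findings.push({ table, issue: "rls_disabled" }); // policies, if any, are ignored
    else if (t.policies === 0) findings.push({ table, issue: "no_policies" }); // default deny: review
  });
  return findings;
}

// Constructed sample migrations (table and policy names are hypothetical).
const SAMPLE_MIGRATIONS: string[] = [
  `create table public.bookings (id uuid primary key, patient_id uuid);
   alter table public.bookings enable row level security;
   create policy "patient reads own bookings" on public.bookings for select using (auth.uid() = patient_id);`,
  `create table public.clinic_notes (id uuid primary key, body text);
   -- alter table public.clinic_notes enable row level security;
   create policy clinic_notes_read on public.clinic_notes for select using (true);`,
  `CREATE TABLE IF NOT EXISTS "audit_log" (id bigint primary key); ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;`,
];
```

A hook built on this would fail the commit whenever `auditMigrations` returns a non-empty list.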

Medical data pipeline

6 Edge Functions (Deno runtime) query external sources daily:

  • WHO — Global Health Observatory, Disease Outbreak News
  • CDC — travel notices, vaccination requirements
  • Climate data, travel costs, travel advisories

Data flows into PostgreSQL, where 16 scheduled jobs (pg_cron) normalize it, recalculate health scores, and update recommendations. On top — an ML pipeline in Python: XGBoost as a risk predictor per country × disease, Isolation Forest for anomaly detection (sudden spike in cases → alert for users).

We did not build AI for the sake of AI. We built an early warning system, because stale data in travel medicine is not an inconvenience — it is a real health risk.

CI/CD: three gates, zero cost

The biggest fear in solo development: "what if I break production at 2 AM?" The answer — a three-gate pipeline where heavy checks happen locally, for free:

Gate 1 — local (cost: $0): pre-commit checks secrets, formatting, and lint. Pre-push runs the full suite: strict lint, typecheck, 7,929 tests, production build, and bundle size check. If anything fails — the push does not go through.

Gate 2 — GitHub Actions: safety net. Lint + typecheck on every PR (catches cases where someone bypasses local hooks). On merge to main — automatic migration push to the production database.

Gate 3 — Coolify: detects a new commit on main, builds a Docker image, deploys the container with zero downtime. Rollback = one click in the dashboard.

AI-augmented development

Not "AI wrote the application." The developer made every architectural decision, designed the database schema, established conventions, and supervised every line of code. Claude Code acted as a pair programmer — accelerating implementation of repeatable patterns, generating tests, helping with refactoring.

The result: productivity comparable to a 3-4 person team. But responsibility for architecture, quality, and trade-offs — always on the human side. AI does not replace a senior. AI makes a senior deliver faster.

Results

Platform in production after 4 months. Not a prototype, not a demo — a working marketplace with booking, payments, a clinic panel, and an admin panel, handling organic traffic in 15 languages.

But the numbers tell the story better than any description.

Code scale

1,778 TypeScript files in strict mode means every type is explicit, every null is checked, every unused import is a compilation error. 904 migrations mean every database change is versioned, reproducible, and auditable — zero manual changes in production.

  • 541 React components
  • 105 API endpoints, 13 Edge Functions (Deno)
  • 665+ commits
  • 15 languages with full routing and translated URLs

Quality and security

7,929 tests are not the result of writing tests for the sake of tests. Each test exists because it protects a specific scenario — from health score calculations through clinic registration flows to edge cases in RTL translations. Plus mutation testing (Stryker), which verifies that tests actually catch bugs, not just inflate coverage.

935 RLS policies across 160 tables — a level of security that in a traditional approach would require a dedicated security engineer at half capacity. In our case, it is built into the database architecture.

  • 6 system roles: patient, clinic, moderator, admin, analytics_viewer, sales
  • ISMS (ISO 27001) phases 1-4 complete, certification readiness ~90%
  • 93 security controls, 10 documented risks, 4 incident playbooks
  • Full GDPR documentation with 72h breach notification procedure

Infrastructure

The entire infrastructure costs less per month than one hour of a senior developer's work. At comparable traffic on Vercel Pro — the bill would be 10-20x higher.

  • Hosting: Coolify + Hetzner dedicated — cost in the tens of euros/month
  • CDN: Cloudflare free plan — DDoS protection, edge caching, SSL for $0
  • CI/CD: local hooks + GitHub Actions — heavy tests locally = ~$0 for CI
  • Monitoring: SigNoz (OpenTelemetry) — full observability without a Datadog license

What this means for business

  • Marketplace in production — full flow from clinic search through booking to Stripe payment
  • B2B API in beta — documentation, keys, rate limiting, ready for integration partners
  • Founder's Program launched — first 50 clinics at zero commission
  • 4 pricing tiers — from free profile to Enterprise with API and dedicated account manager

Time to delivery

4 months from first commit to production. One developer with an AI-augmented workflow.

For comparison — a project of this scale (marketplace, 15 languages, compliance, ML pipeline, 6 external integrations) at a traditional software house is typically 6-9 months with a team of 4-6 people.

We do not claim AI replaces a team. We claim it changes the economics of software delivery — and we have 665 commits to prove it.

What we learned

This section matters to us as much as the metrics. A client looking for a technology partner wants to know we can talk about trade-offs, not just successes.

AI-augmented development works, but differently than marketing promises. Claude Code as a pair programmer does not replace experience. It lets one developer deliver output comparable to a 3-4 person team — but key architectural decisions, trade-offs, and code review are always human.

Supabase: great for MVP and fast start. But 935 RLS policies are technical debt you need to manage consciously. We could simplify, but at the cost of security. We kept them.

15 languages from day 1 is a harder decision than "we'll add it later." Routing, tests, content, SEO — everything is 15x more complex. But it gave us a search engine advantage you cannot retrofit.

Mutation testing (Stryker) alongside unit tests. Catches false-positive coverage where tests pass but do not test what they should. Extra CI cost, but worth it.

  • 1,778 TypeScript files: 541 React components, strict mode
  • 7,929 tests: 499 test files + mutation testing
  • 935 RLS policies: 160 tables, 6 roles, zero trust
  • 15 languages: including Arabic (RTL) and Japanese
  • 904 SQL migrations: infrastructure-as-code, zero manual changes
  • ~4 mo. to production: 1 developer + AI-augmented workflow

Technologies

Next.js 16, React 19, TypeScript, Supabase, PostgreSQL 15, Sanity v5, Stripe, Tailwind CSS, Cloudflare, Docker, Coolify, Hetzner, Python, XGBoost, OpenTelemetry, Deno, Upstash Redis, SigNoz

Planning a HealthTech product, marketplace, or multilingual platform? Let's talk about how we can help.
