MedifyAI Privacy Policy

Learn how MedifyAI collects, uses, and safeguards your information across our AI-powered healthcare platform.

Privacy Policy

Last Updated: November 7, 2025

MedifyAI, Inc. (“MedifyAI”, “we”, “us”, or “our”) is committed to protecting the privacy, security, and integrity of personal information, including sensitive health information, entrusted to us by healthcare providers, administrators, researchers, and patients.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you:

  • Use the MedifyAI platform, applications, and APIs (including our agentic AI assistant “Dock”);
  • Access our websites, dashboards, portals, or related online services; or
  • Interact with us in connection with our products and services.

This Privacy Policy is designed for a healthcare-grade, AI-driven SaaS platform operating primarily in the United States, with protections aligned with applicable U.S. federal and state laws (including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the HITECH Act), and, where applicable, international data protection laws such as the GDPR and UK GDPR.

By using our services, you acknowledge that you have read and understood this Privacy Policy. Where required by law, we will seek your explicit consent.

Note: This Privacy Policy is provided for informational and operational purposes. It does not constitute legal advice. MedifyAI customers should review it with their own counsel and adapt it to their specific regulatory status (e.g., Covered Entity, Business Associate, controller/processor).


1. Scope & Relationship to HIPAA and Other Laws

1.1 HIPAA Context

When MedifyAI provides services to healthcare providers, health plans, or other Covered Entities that involve Protected Health Information (“PHI”), we act as a Business Associate under HIPAA and the HITECH Act. In those cases:

  • Our use and disclosure of PHI are governed by:
    • This Privacy Policy;
    • The applicable Business Associate Agreement (BAA); and
    • HIPAA/HITECH and related regulations.
  • If there is any conflict between this Privacy Policy and a BAA, the BAA will control with respect to PHI.

1.2 Non-HIPAA / Direct-to-Consumer / Visitors

For individuals who use MedifyAI directly (e.g., as patients or users accessing tools offered directly by MedifyAI) or who visit our public websites, this Privacy Policy governs the handling of their personal information under applicable privacy laws.

1.3 International Users

If you access MedifyAI from outside the United States, your information may be processed in the U.S. or other jurisdictions. Where required, we implement appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers.


2. Definitions

For purposes of this Privacy Policy:

  • “PHI”: Protected Health Information as defined by HIPAA, when applicable.
  • “Personal Information” / “Personal Data”: Information that identifies, relates to, or can reasonably be linked to an identifiable individual.
  • “De-Identified Data”: Data that does not identify an individual and cannot reasonably be used to identify an individual, consistent with HIPAA de-identification standards where applicable.
  • “Platform”: MedifyAI’s applications, interfaces, APIs, tools, AI agents (including Dock), documentation, and related services.
  • “Customer”: The organization (e.g., provider group, health system, research institution, payer, or enterprise) that has contracted with MedifyAI.
  • “User”: Any individual interacting with the Platform, including clinicians, staff, researchers, patients, administrators, or visitors.

3. Information We Collect

Depending on how you interact with MedifyAI, we may collect the following categories of information.

3.1 Information Processed as PHI (When Applicable)

When acting as a Business Associate or similar role, we may process PHI provided or made accessible by Customers, such as:

  • Patient identifiers (e.g., name, date of birth, medical record number, contact details);
  • Demographic details as permitted by the Customer;
  • Clinical notes, encounter summaries, diagnoses, medications, allergies, lab results, imaging reports;
  • Claims, billing, scheduling, and care coordination data;
  • Other information designated as PHI under HIPAA in connection with the services.

3.2 Other Personal Information

Outside of PHI contexts, we may collect:

  • Account & Profile Data: Name, email, role, organization, credentials, authentication details.
  • Contact & Support Data: Messages, support tickets, feedback, and communication preferences.
  • Usage & Device Data: IP address, browser type, device identifiers, access times, pages viewed, product interactions, logs, and diagnostic data.
  • Payment & Billing Data: Limited billing details (handled directly or via compliant payment processors).
  • Recruiting, Sales & Events Data: Information provided in demos, webinars, evaluations, surveys, or partnerships.

3.3 Automatically Collected Data (Cookies & Similar Technologies)

We use cookies and similar technologies to:

  • Maintain secure sessions and authentication;
  • Enable core platform features;
  • Gather analytics to improve performance and reliability.

For PHI-related workflows, we design our implementation to avoid using non-essential third-party tracking technologies in a manner that would create unauthorized disclosures of PHI or conflict with HIPAA or other applicable rules.


4. How We Collect Information

We collect information:

  1. Directly from Customers and Users
    • Account registration, profile setup, forms, or communications.
  2. Through Integrations & Data Feeds
    • EHR/EMR systems, FHIR APIs, practice management systems, claims systems, research databases, or other integrated systems as configured by the Customer.
  3. Automatically via the Platform
    • Logs, telemetry, security events, performance monitoring, and activity tracking.
  4. From Third Parties
    • Identity providers, analytics tools, referral partners, or service providers, in compliance with agreements and laws.

5. How We Use Information

We use PHI and other personal information solely for legitimate and authorized purposes, including:

5.1 Service Delivery & Core Functionality

  • Operating our agentic AI tools (including Dock) to assist clinicians, staff, patients, and researchers with:
    • Documentation support, summarization, chart review support;
    • Care coordination and workflow automation;
    • Secure messaging and task routing;
    • Research workflow and data analysis support (as authorized).

5.2 Configuration & Customization

  • Implementing Customer-specific workflows, permissions, templates, and integrations.

5.3 Security, Compliance & Fraud Prevention

  • Monitoring, detecting, and preventing security incidents and abuse;
  • Meeting audit, logging, risk management, and incident response obligations under HIPAA, HITECH, and security regulations.

5.4 Improvement of Our Services

  • Using de-identified and/or aggregated data to:
    • Improve AI models, algorithms, and product features;
    • Enhance system accuracy, reliability, and usability.
  • When dealing with PHI, any use for model training or analytics beyond what is necessary to perform contracted services will:
    • Be governed by the BAA and applicable law; and
    • Rely on de-identification or explicit contractual authorization.

5.5 Legal & Regulatory Obligations

  • Complying with applicable laws, regulations, court orders, and law enforcement requests.

5.6 Communications & Support

  • Sending service notifications, security alerts, and operational updates;
  • Providing customer support and responding to inquiries.

5.7 Marketing (Non-PHI)

  • Using non-PHI contact details to provide product updates, newsletters, and event invitations, with clear opt-out mechanisms.

We do not use or disclose PHI for third-party advertising or sell PHI. Where applicable state or international laws define “sale” of personal information, we do not “sell” personal information without required notices and consents.


6. AI, Automation, and Human Oversight

MedifyAI provides advanced AI and agentic automation capabilities. To maintain safety and trust:

  • Our AI systems operate within parameters set by Customers and subject to access controls.
  • AI-generated outputs (e.g., summaries, recommendations, workflows) are intended to support, not replace, professional judgment and established clinical or administrative decision-making.
  • Customers are responsible for ensuring appropriate review, validation, and governance within their environments.
  • We log and monitor AI interactions for security, quality assurance, and compliance purposes, consistent with our agreements.

7. How We Share Information

We may share information under strict controls and only as described below:

7.1 With Customers (Your Organization)

  • Information (including PHI) is shared back with the Customer and authorized users consistent with their configuration and access controls.

7.2 With Service Providers & Subprocessors

  • Infrastructure providers, secure cloud hosting, logging/monitoring, email delivery, and other subprocessors that support our services.
  • All such parties are bound by contractual obligations (including HIPAA-compliant BAAs when applicable) to protect the information and use it only for specified purposes.

7.3 With Integration Partners

  • EHR vendors, health information exchanges, and other systems as configured by the Customer.

7.4 For Legal, Security, and Enforcement

  • To comply with law, regulation, subpoena, or legal process;
  • To protect the rights, property, or safety of MedifyAI, our Customers, users, or the public, consistent with applicable legal standards.

7.5 Business Transfers

  • In connection with a merger, acquisition, restructuring, or sale of assets, subject to confidentiality and continuity of protections.

We do not disclose PHI to third parties for their independent marketing or data monetization purposes.


8. Data Security

We implement administrative, technical, and physical safeguards designed to protect PHI and personal information against loss, misuse, and unauthorized access, disclosure, alteration, or destruction, consistent with the HIPAA Security Rule and industry best practices.

These measures include (without limitation):

  • Encryption of data in transit and at rest (where appropriate);
  • Role-based access controls and least-privilege principles;
  • Strong authentication and logging of access and actions;
  • Network segmentation, firewalls, and intrusion detection measures;
  • Secure software development lifecycle, code review, and vulnerability management;
  • Business continuity and disaster recovery planning;
  • Workforce training, confidentiality agreements, and background checks as appropriate.

No system is perfectly secure; however, we continuously enhance our security posture and may update controls based on evolving threats, regulatory changes, and independent assessments.


9. Data Retention

We retain PHI and personal information:

  • For as long as necessary to provide the services to our Customers;
  • As required by law, regulation, or contractual obligations; and
  • In accordance with documented retention schedules and BAAs.

Upon termination of services or at a Customer’s written request, we will return or securely delete PHI as specified in the applicable agreement and law, subject to any legal retention requirements. De-identified or aggregated data may be retained for legitimate business and research purposes.


10. Individual Rights

Your rights may vary depending on your relationship to MedifyAI and applicable laws.

10.1 HIPAA Rights (When PHI Is Involved)

In many cases, MedifyAI processes PHI on behalf of a Covered Entity. Individuals typically must exercise their HIPAA rights (access, amendment, accounting of disclosures, restrictions, confidential communications, etc.) through their provider or health plan, not directly with MedifyAI. We support our Customers in fulfilling these requests as required by our BAAs and HIPAA.

10.2 Other Privacy Rights

Where applicable law (e.g., GDPR, UK GDPR, certain U.S. state privacy laws) grants you rights, you may have the right to:

  • Access and obtain a copy of your personal information;
  • Request correction of inaccurate information;
  • Request deletion (subject to legal/contractual limits);
  • Object to or restrict certain processing;
  • Data portability;
  • Withdraw consent, where processing is based on consent;
  • Lodge a complaint with a supervisory authority.

We will respond to rights requests in accordance with applicable laws and our role (controller vs. processor). Where we act as a processor/Business Associate, we will refer or support your request via the relevant Customer.


11. Your Choices & Controls

You may:

  • Update your account information through your organizational or platform settings (where available);
  • Manage certain notification preferences (e.g., marketing emails) using unsubscribe links or by contacting us;
  • Configure privacy and security settings in collaboration with your organization (for enterprise Customers).

If you disable cookies or certain technologies, parts of our services may not function properly.


12. Third-Party Services & Links

Our Platform may reference or integrate with third-party services, websites, or applications. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing information or enabling integrations.


13. Children’s Privacy

MedifyAI does not target its public-facing services to children under 13 years of age. Any processing of minors’ health information occurs solely in collaboration with authorized healthcare organizations and in compliance with applicable laws and parental/guardian consent requirements.

If we learn that we have collected personal information directly from a child under 13 outside those regulated channels, we will take reasonable steps to delete it.


14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our services or business operations;
  • Changes in applicable laws and regulations (including HIPAA/HITECH and state privacy laws); or
  • Security or compliance best practices.

When we make material changes, we will:

  • Update the “Last Updated” date; and
  • Provide additional notice as required (e.g., via email, dashboard notice, or in-app banner).

Your continued use of our services after an update signifies your acceptance of the revised Privacy Policy, where permitted by law.


15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

MedifyAI, Inc.
Attn: Privacy & Security Office
Email: legal@medifyai.com