Privacy Policy
Last updated: 1/27/2026
1. Introduction
MD Record AI ("we," "our," or "us") is committed to protecting your privacy and maintaining the highest standards of data protection in healthcare technology. This Privacy Policy explains in detail how we collect, use, disclose, process, and safeguard your information when you visit our website at mdrecord.ai and use our AI-powered medical scribe application.
We recognize the sensitive nature of healthcare information and the critical importance of maintaining confidentiality, security, and compliance with all applicable laws and regulations. This includes strict adherence to:
- In the United States: The Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule, Security Rule, and Breach Notification Rule.
- In Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation such as the Personal Health Information Protection Act (PHIPA) in Ontario.
- General Data Protection: Industry best practices for data security, encryption, and privacy protection.
By using MD Record AI, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by its terms.
2. Information We Collect
We collect various types of information to provide and improve our services to you:
2.1 Account Information
When you create an account, we collect:
- Full name and professional credentials (MD, DO, NP, PA, etc.)
- Email address and phone number
- Billing information and payment details (processed securely through Stripe)
- Professional license numbers and verification information
- Practice or institution affiliation
- Specialty and practice type
2.2 Protected Health Information (PHI)
In the course of providing our medical scribe services, we process Protected Health Information, including:
- Audio recordings of patient-provider encounters
- Transcripts of medical consultations
- Clinical notes and documentation generated by our AI
- Patient demographic information (when included in recordings)
- Medical history, diagnoses, and treatment information
- Any other health-related data captured during recordings
Important: All PHI is processed strictly in accordance with our Business Associate Agreement (BAA) for US healthcare providers and relevant Information Manager Agreements for Canadian healthcare providers. We are contractually and legally obligated to protect this information according to HIPAA and PIPEDA/PHIPA requirements.
2.3 Usage and Technical Data
We automatically collect certain information about your use of our platform:
- Device information (type, operating system, browser)
- IP address and general location information
- Log data (access times, pages viewed, clicks)
- Feature usage patterns and preferences
- Performance data and error reports
- Session duration and frequency of use
2.4 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience:
- Essential Cookies: Required for basic platform functionality and security
- Analytics Cookies: Help us understand how you use our service to improve it
- Preference Cookies: Remember your settings and customizations
You can control cookie settings through your browser, though disabling certain cookies may affect platform functionality.
3. How We Use Your Information
We use the collected information for the following specific purposes:
3.1 Service Provision
- To provide, maintain, and improve our AI medical scribe services
- To process audio recordings and generate accurate medical documentation
- To customize templates and workflows based on your specialty
- To enable real-time transcription and note generation
3.2 Account Management
- To create and manage your account
- To process subscription payments and billing
- To provide customer support and respond to inquiries
- To verify your professional credentials
3.3 Communication
- To send service updates, security alerts, and important notices
- To provide technical support and training materials
- To notify you of new features and improvements
- To send marketing communications (with your consent, which you can withdraw at any time)
3.4 Legal Compliance and Security
- To ensure compliance with HIPAA, PIPEDA, PHIPA, and other applicable regulations
- To detect, prevent, and address fraud and security issues
- To conduct security audits and maintain system integrity
- To comply with legal obligations and respond to lawful requests
Our AI Training Policy
We do NOT use your patient data or Protected Health Information (PHI) to train our general AI models. All patient data is isolated, encrypted, and used solely for generating your specific clinical documentation. Your data remains yours and is never shared with third parties for AI training purposes.
4. Data Security and Protection
We implement comprehensive, industry-leading security measures to protect your personal and patient information:
4.1 Encryption
- In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 or higher
- At Rest: All stored data, including PHI, is encrypted using AES-256 encryption
- End-to-End: Audio recordings are encrypted from the moment of capture
4.2 Access Controls
- Multi-factor authentication (MFA) available for all accounts
- Role-based access control (RBAC) for team features
- Strict employee access policies with regular audits
- Automated session timeout for inactive users
4.3 Infrastructure Security
- Secure cloud infrastructure with industry-leading providers
- Regular security assessments and penetration testing
- 24/7 monitoring for suspicious activity and threats
- Disaster recovery and business continuity plans
- Regular security updates and patch management
4.4 Compliance Certifications
- HIPAA compliant infrastructure and practices
- Regular third-party security audits
- Compliance with PIPEDA and PHIPA requirements
While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We continuously work to enhance our security posture and protect your information.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information or PHI to third parties. We may share information only in the following limited circumstances:
5.1 Service Providers
We work with trusted third-party service providers who assist in operating our platform:
- Cloud infrastructure providers (for secure hosting)
- Payment processors (Stripe), who never receive PHI
- Customer support platforms
- Analytics services (using anonymized data only)
All service providers are contractually obligated to maintain confidentiality and comply with HIPAA, PIPEDA, and PHIPA requirements where applicable. They may only use your information to perform services on our behalf.
5.2 Legal Requirements
We may disclose information when required by law or to:
- Comply with legal process, court orders, or government requests
- Enforce our Terms of Service
- Protect our rights, property, or safety
- Prevent fraud or security threats
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and prominent notice on our website of any change in ownership or use of your information.
5.4 With Your Consent
We may share information in other circumstances with your explicit consent, such as when you authorize integration with third-party EHR systems.
6. Data Retention
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
6.1 Account Data
Your account information is retained for the duration of your active subscription and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements.
6.2 PHI and Medical Records
Protected Health Information is retained according to:
- HIPAA requirements (minimum 6 years from creation or last use)
- Applicable state and provincial record retention laws
- Your specific retention preferences (where permitted by law)
6.3 Deletion Requests
You may request deletion of your data at any time, subject to legal and regulatory requirements. Upon account deletion:
- Your account and profile information will be permanently deleted within 30 days
- PHI may be retained longer if required by law or legitimate business purposes
- Anonymized, aggregated data may be retained for analytics
- Backup copies will be deleted according to our backup retention schedule
7. Your Rights and Choices
Depending on your location and applicable laws, you have certain rights regarding your personal data:
7.1 United States (HIPAA)
Under HIPAA, you have the right to:
- Access: Request a copy of your Protected Health Information
- Amendment: Request corrections to your PHI
- Accounting: Receive an accounting of disclosures of your PHI
- Restriction: Request restrictions on certain uses and disclosures
- Confidential Communication: Request to receive communications by alternative means
7.2 Canada (PIPEDA/PHIPA)
Under Canadian privacy laws, you have the right to:
- Access: Access your personal information held by us
- Correction: Challenge the accuracy and completeness of your information
- Withdrawal: Withdraw consent for certain uses (subject to legal requirements)
- Complaint: File a complaint with the Privacy Commissioner of Canada
7.3 Additional Rights
Regardless of location, you can:
- Update your account information at any time
- Opt out of marketing communications (via email preferences or unsubscribe links)
- Export your data in a portable format
- Delete your account and associated data
- Disable cookies through your browser settings
To exercise any of these rights, please contact us at support@mdrecord.ai. We will respond to your request within 30 days.
8. International Data Transfers
MD Record AI operates globally. Your information may be transferred to, stored, and processed in countries other than your country of residence, including the United States. These countries may have data protection laws that differ from your jurisdiction.
When we transfer data internationally, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by relevant authorities
- Adequacy decisions for certain jurisdictions
- Encryption and security measures during transfer
- Compliance with applicable cross-border data transfer regulations
9. Children's Privacy
MD Record AI is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately, and we will take steps to delete such information.
10. Third-Party Links
Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify you via email to your registered email address
- Display a prominent notice on our platform
- For significant changes affecting PHI, obtain your consent where required
We encourage you to review this Privacy Policy periodically. Your continued use of MD Record AI after any changes indicates your acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: support@mdrecord.ai
Privacy Officer Contact: privacy@mdrecord.ai
Response Time: We aim to respond to all privacy inquiries within 2 business days
Regulatory Contacts
If you have concerns about our privacy practices, you may also contact:
- US (HIPAA): Department of Health and Human Services Office for Civil Rights
- Canada (PIPEDA): Office of the Privacy Commissioner of Canada
- Ontario (PHIPA): Information and Privacy Commissioner of Ontario
Your Privacy Matters
At MD Record AI, protecting your privacy and the confidentiality of patient information is our top priority. We are committed to maintaining the trust you place in us by handling your data with the highest standards of security and ethical responsibility.