Privacy Policy
How we collect, use, disclose, and protect information when you use medcomply.ai.
SECTION 1 — INTRODUCTION
medcomply.ai ("medcomply.ai," "we," "us," or "our") is operated by medcomply.ai, a New Jersey limited liability company. We are committed to protecting your privacy and handling your personal information responsibly.
This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit medcomply.ai, create an account, use our compliance tools, or interact with our services (collectively, the "Services").
Please read this policy carefully. By using our Services you agree to the practices described here.
Important note: medcomply.ai is a HIPAA compliance guidance platform. We provide information and tools to help organizations understand and implement HIPAA requirements. medcomply.ai itself does not store, process, or transmit Protected Health Information (PHI), as defined under HIPAA, on behalf of covered entities or business associates. Use of our platform therefore does not require a Business Associate Agreement with medcomply.ai. If you believe your use of our Services may involve PHI, please contact us at hello@medcomply.ai before proceeding.
SECTION 2 — INFORMATION WE COLLECT
2.1 Information you provide directly
Account registration: When you create an account we collect your name, email address, organization name, organization type, and job title. If you sign in via Google or Microsoft OAuth, we receive your name and email address from those providers.
Profile information: You may optionally provide additional information including your role, organization size, and compliance program details.
Tool usage: When you use our compliance tools — including the Risk Assessment Tool, BAA Generator, and Breach Notification Checker — we collect the information you enter to generate results and documents. This may include organization details, incident descriptions, and compliance responses. We do not collect actual patient data or PHI through these tools.
Training: When you complete HIPAA training modules we collect your answers, scores, completion dates, and any employee details you provide for certificate generation (name, title, organization).
Communications: When you contact us via email or our contact form we collect your name, email address, and the content of your message.
Newsletter: When you subscribe to the Compliance Brief we collect your email address and any optional information you provide (name, organization type).
Payments: When you subscribe to a paid plan, payment information is processed by Stripe, Inc. We do not store full credit card numbers. We receive and store transaction IDs, subscription status, and billing history from Stripe.
2.2 Information collected automatically
Usage data: We automatically collect information about how you interact with our Services, including pages visited, features used, time spent, and navigation paths.
Device information: We collect device type, operating system, browser type and version, and IP address.
Analytics: We use Plausible Analytics, a privacy-first analytics service that does not use cookies and does not collect personally identifiable information. Plausible processes data in the EU under GDPR-compliant terms.
Log data: Our servers automatically record information including IP addresses, browser type, referring URLs, and error logs. Log data is retained for 90 days.
2.3 Information from third parties
Authentication providers: If you sign in via Google or Microsoft, we receive your name, email address, and profile picture from those providers subject to your privacy settings with them.
Stripe: We receive subscription status, payment history, and customer identifiers from Stripe to manage your account.
SECTION 3 — HOW WE USE YOUR INFORMATION
We use the information we collect to:
Provide and operate the Services — including processing your account registration, delivering compliance tools, generating documents, administering training, and sending the Compliance Brief newsletter.
Personalize your experience — including remembering your preferences, showing relevant compliance content, and tailoring the AI assistant's responses to your organization type.
Process payments — including managing subscriptions, processing charges through Stripe, and sending billing communications.
Communicate with you — including sending service emails (account confirmations, password resets, subscription receipts), the weekly Compliance Brief (if subscribed), and product updates. You may unsubscribe from marketing emails at any time.
Improve our Services — including analyzing usage patterns, debugging errors, and developing new features.
Comply with legal obligations — including responding to lawful requests from government authorities and enforcing our Terms of Service.
Protect our Services — including detecting fraud, abuse, and security incidents.
We do not sell your personal information to third parties. We do not use your information to serve you advertisements from third-party advertisers.
SECTION 4 — HOW WE SHARE YOUR INFORMATION
4.1 Service providers
We share information with third-party service providers that help us operate the Services:
Supabase — database and authentication infrastructure. Data processed in the US.
Stripe — payment processing. Stripe's privacy policy governs their handling of payment information.
Resend — transactional and newsletter email delivery.
Anthropic / OpenAI — AI model providers that power our compliance AI assistant. Queries submitted through the AI assistant are processed by these providers subject to their terms. Do not submit actual patient PHI through the AI assistant.
Vercel — hosting and content delivery infrastructure.
Plausible Analytics — privacy-first website analytics.
All service providers are contractually required to protect your information and use it only for the purposes we specify.
4.2 Business transfers
If medcomply.ai is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
4.3 Legal requirements
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
4.4 With your consent
We may share your information for other purposes with your explicit consent.
SECTION 5 — DATA RETENTION
We retain your information for as long as your account is active or as needed to provide the Services.
Account data: Retained for the duration of your account. If you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required by law or legitimate business purposes.
Training certificates: Retained for 6 years from issuance to support HIPAA documentation requirements. You may request earlier deletion subject to applicable law.
Generated documents: BAAs, risk assessment reports, and breach assessment reports are retained in your account until you delete them or close your account.
Newsletter subscriber data: Retained until you unsubscribe. Unsubscribed records are retained in suppressed status for 12 months to prevent re-subscription in error, then deleted.
Payment records: Retained for 7 years as required by applicable tax and financial regulations.
Log data: Retained for 90 days.
SECTION 6 — DATA SECURITY
We implement appropriate technical and organizational measures to protect your information against unauthorized access, disclosure, alteration, and destruction.
These measures include:
Encryption of data in transit using TLS 1.2 or higher.
Encryption of sensitive data at rest.
Access controls limiting employee access to personal information on a need-to-know basis.
Regular security assessments.
Incident response procedures.
No method of transmission over the internet or method of electronic storage is 100% secure. While we implement commercially reasonable security measures, we cannot guarantee absolute security.
If you believe your account has been compromised, please contact us immediately at hello@medcomply.ai.
SECTION 7 — YOUR RIGHTS AND CHOICES
7.1 Account information
You may review and update your account information at any time by logging into your dashboard at medcomply.ai/dashboard.
7.2 Email communications
You may unsubscribe from the Compliance Brief newsletter at any time using the unsubscribe link in any email. You cannot opt out of transactional emails (such as account confirmations and subscription receipts) while your account is active.
7.3 Account deletion
You may delete your account by contacting us at hello@medcomply.ai. We will process deletion requests within 30 days subject to applicable retention requirements.
7.4 Data access and portability
You may request a copy of the personal information we hold about you by contacting us at hello@medcomply.ai. We will respond within 30 days.
7.5 California residents
If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to request access to the personal information we collect, the right to request deletion, and the right to correct inaccurate personal information.
We do not sell personal information or share personal information for cross-context behavioral advertising. To submit a request, contact hello@medcomply.ai with the subject line "Privacy Request." We may need to verify your identity before responding.
SECTION 8 — CHILDREN’S PRIVACY
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, contact hello@medcomply.ai so we can take appropriate steps.
SECTION 9 — CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page when we make changes. Your continued use of the Services after a change becomes effective means you accept the updated policy.
SECTION 10 — CONTACT US
If you have questions about this Privacy Policy or our privacy practices, contact us at hello@medcomply.ai.
Questions?
Contact us at hello@medcomply.ai. If you prefer, you can also reach us via our contact page.