MyPHI

Health Data Privacy Notice

Effective Date: March 1, 2026

This notice describes how MyPHI, Inc. handles your health-related information, your rights regarding that information, and how to contact us with questions or requests.

1. Who We Are and This Notice's Purpose

MyPHI, Inc. (“MyPHI”) operates a mobile application that helps users record and understand their medical appointments. Unlike hospitals, clinics, or insurance companies, MyPHI is not a HIPAA Covered Entity (as that term is defined under the Health Insurance Portability and Accountability Act of 1996). We do not provide healthcare services and we are not a healthcare provider's vendor or contractor.

What we are is a consumer health technology company that takes the privacy of your health-related information seriously. This Notice explains:

  • What health-related information we collect and how we use it
  • Your rights regarding your health-related information
  • The federal and state laws that govern how we handle your information
  • How to contact us with requests or concerns

2. The Health Information We Handle

When you use the MyPHI Platform, we process the following categories of health-related information:

  • Audio recordings of your conversations with healthcare providers (only when you initiate recording)
  • AI-generated transcripts of those conversations
  • Plain-language summaries and key takeaways derived from your recordings
  • Follow-up action items identified from your visit
  • Any health-related information you share with Care Circle members

30-Day Deletion Policy: Raw audio recordings and full AI-generated transcripts are automatically and permanently deleted 30 days from the date of recording. No exceptions. Only summaries and action items are retained beyond 30 days. For complete visit records, contact your healthcare provider directly.

3. Applicable Law — Why This Matters

Because MyPHI is a consumer app chosen and controlled by you (the patient), HIPAA's framework — which regulates how healthcare providers and their vendors handle your records — does not directly govern MyPHI's operations. Instead, we are primarily governed by:

3.1 The FTC Health Breach Notification Rule

The Federal Trade Commission's Health Breach Notification Rule (as updated in 2024) applies to consumer-facing health technology companies like MyPHI. Under this Rule, we are required to notify you, the FTC, and in some cases the media, in the event of a breach of your health-related information. We are committed to full compliance with this Rule.

3.2 State Health Data Privacy Laws

Several U.S. states have enacted laws specifically governing consumer health data. As a U.S.-only service, we monitor and comply with applicable state requirements, including:

  • Washington My Health My Data Act (applies to consumer health data of Washington residents)
  • Nevada and other states with emerging health data protections
  • State consumer privacy laws (CCPA/CPRA for California residents, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and others) to the extent they cover health-related personal information

3.3 General Consumer Protection Law

The FTC Act's prohibition on unfair and deceptive trade practices governs all our health data commitments. Our privacy promises in this Notice and throughout our policies are legally binding consumer commitments.

4. How We Use Your Health-Related Information

We use your health-related information exclusively to provide the Services to you:

  • Processing your audio recordings to generate transcripts, summaries, and action items
  • Enabling Care Circle sharing features you authorize
  • Providing customer support related to your account and recordings
  • Improving our AI models using de-identified, aggregated data only (never your identifiable recordings)

We DO NOT:

  • Sell your health-related information to any third party
  • Use your health-related information for advertising or marketing purposes
  • Share your health-related information with employers, insurers, or healthcare providers without your explicit authorization
  • Use your health data to train external AI models that are shared with or accessible to other parties

5. How We Share Your Health-Related Information

5.1 With Your Authorization

We share visit summaries with Care Circle members you designate. You control all sharing settings and may revoke access at any time through the App.

5.2 Technology Service Providers

We engage technology vendors (cloud hosting, AI processing, customer support) who may process your information on our behalf as part of delivering the Services. These vendors are:

  • Subject to contractual restrictions limiting their use of your information to providing services to us
  • Prohibited from using your health information for their own purposes
  • Required to implement appropriate security measures

5.3 Legal Requirements

We may disclose your information when required by law, court order, or government request, or to protect rights or safety, or to prevent fraud.

5.4 Business Transfers

In the event of a merger, acquisition, or sale, your information may be transferred. We will notify you before any such transfer subjects your health information to materially different privacy terms.

6. Your Rights Regarding Your Health-Related Information

6.1 Right to Access

You may request a copy of the health-related information we hold about you. Requests can be submitted through our Data Deletion and Privacy Request Form or by emailing privacy@myphi.com. We will respond within 30 days.

6.2 Right to Correct

You may request correction of inaccurate information we maintain about you. We will accommodate reasonable correction requests and will respond within 30 days.

6.3 Right to Delete

You may request deletion of your health-related information and account. Submit a request at myphi.com/data-request or email privacy@myphi.com. We will complete verified deletion requests within 30 days and confirm in writing. We will retain only information we are legally required to keep.

6.4 Right to Opt Out of Future Data Uses

You may contact us to restrict how we use your information. We will honor all reasonable restriction requests that do not impair our ability to provide the Services.

6.5 Right Not to Be Discriminated Against

We will not deny you Services, charge different prices, or provide a different level of service because you exercised any of the rights described in this Notice.

6.6 Washington My Health My Data Act Rights

If you are a Washington State resident, you have additional rights under the My Health My Data Act, including the right to confirm whether we collect your consumer health data, the right to withdraw consent to our collection of consumer health data, and the right to have your consumer health data deleted. To exercise these rights, contact us at privacy@myphi.com.

7. Security Measures

We implement administrative, technical, and physical safeguards designed to protect your health-related information from unauthorized access, use, disclosure, or destruction:

  • Encryption of all data in transit (TLS) and at rest (AES-256)
  • Strict access controls and multi-factor authentication
  • Regular security assessments and penetration testing
  • Employee training on health data privacy and handling
  • Vendor security assessments and contractual security requirements

8. Breach Notification

In the event of a breach of your health-related information, we will notify you promptly in accordance with the FTC Health Breach Notification Rule and any applicable state breach notification laws. Notification will include:

  • A description of what happened
  • The types of information involved
  • Steps you can take to protect yourself
  • What we are doing in response
  • How to contact us for more information

We will provide notification without unreasonable delay and in no event later than 60 days after discovering the breach, consistent with applicable law.

9. Note for Users Who Are Also Patients with HIPAA-Regulated Providers

Even though MyPHI is not a HIPAA Covered Entity, your healthcare provider IS a HIPAA Covered Entity. This means:

  • Your right to access, amend, and receive an accounting of disclosures of your medical records is protected by HIPAA as against your healthcare provider
  • To obtain a complete record of your medical visit, request your records from your healthcare provider using your HIPAA patient rights
  • MyPHI's 30-day deletion policy means it is not a substitute for the records your healthcare provider is required to maintain

If you have questions about your rights regarding records maintained by your healthcare provider, the U.S. Department of Health and Human Services Office for Civil Rights can assist at www.hhs.gov/ocr.

10. Contact Our Privacy Team

For questions, requests, or concerns regarding this Notice or your health-related information:

Privacy Team Email: privacy@myphi.com

Data Request Form: myphi.com/data-request

You may also submit a complaint to the Federal Trade Commission at www.ftc.gov/complaint if you believe we have mishandled your health-related information.

MyPHI, Inc.

Email: legal@myphi.com

Website: myphi.com

This Notice is effective as of March 1, 2026. MyPHI reserves the right to update this Notice. Material updates will be communicated via in-app notification or email.