Privacy Policy
Effective Date: March 1, 2026
This Privacy Policy describes how MyPHI, Inc. (“MyPHI,” “we,” “our,” or “us”) collects, uses, shares, and protects information about you when you use our website at https://myphi.com and our MyPHI mobile application (collectively, the “Services”). The Services are available to United States residents only.
Note Regarding Health Data: Because MyPHI processes audio recordings of your medical visits, some information may constitute sensitive health data. Our Health Data Privacy Notice explains in detail how we handle your health-related information and your rights. That Notice is incorporated into this Privacy Policy by reference.
1. Scope
This Policy applies to all information collected through our Services. It does not apply to third-party websites, applications, or services, even if linked from our Services.
2. Information We Collect
2.1 Information You Provide
- Account registration information (name, email address, password)
- Payment information (processed by our third-party payment processor; we do not store full payment card numbers)
- Audio recordings of your medical appointments (only when you initiate recording)
- Information shared with Care Circle members
- Communications you send to us (support requests, feedback)
- Parent or guardian information when recording on behalf of a minor or dependent
2.2 Information Collected Automatically
- Device identifiers (device type, operating system, unique device ID)
- Log data (IP address, browser type, pages visited, timestamps)
- Usage data (features used, session duration, in-app interactions)
- Cookie and tracking data
2.3 Information Derived from Recordings
- AI-generated transcripts of your medical appointments
- Plain-language summaries and key takeaways
- Follow-up action items and next steps
Data Retention: Raw audio recordings and full transcripts are automatically and permanently deleted 30 days from the date of recording. After 30 days, only your summaries and action items remain. If you need a complete record of a visit, you should request that directly from your healthcare provider.
3. How We Use Your Information
- To provide, operate, and maintain the Services
- To generate visit summaries, key takeaways, and action plans
- To enable Care Circle sharing features
- To process payments and manage your subscription
- To send transactional communications (receipts, account notifications)
- To respond to support requests
- To improve the Services using aggregate, de-identified data only
- To detect and prevent fraud and unauthorized access
- To comply with applicable legal obligations
We do NOT sell your personal information or health data. We do NOT use your health data for advertising or marketing purposes.
4. How We Share Your Information
4.1 With Your Authorization
Visit summaries are shared with the Care Circle members you designate through your App settings. You control who has access and may revoke access at any time.
4.2 Service Providers
We share information with trusted third-party service providers who assist us in operating the Services, including cloud hosting providers, AI processing services, payment processors, and customer support platforms. All service providers are contractually required to use your information only as directed by us and to maintain appropriate security measures.
4.3 Legal Requirements
We may disclose your information as required by law, regulation, or legal process, or when we believe disclosure is necessary to protect rights or safety or to prevent fraud.
4.4 Business Transfers
If MyPHI is involved in a merger, acquisition, reorganization, or sale of all or substantially all of its assets, your personal information may be transferred to the acquiring entity as part of that transaction. We will notify you of any such transfer via email or prominent notice on our Website, and the acquiring entity will be required to honor the privacy commitments described in this Policy. If the acquiring entity intends to use your personal information in a manner materially different from this Policy, we will provide you with notice and, where required by applicable law, the opportunity to opt out.
5. Children's Privacy
The Services are intended exclusively for adults. You must be at least 18 years of age to create an account or use the Platform. We do not direct our Services to, and do not knowingly collect personal information directly from, individuals under the age of 18.
If we learn or have reason to believe that we have directly collected personal information from an individual under 18 without appropriate authorization, we will delete that information as promptly as practicable. If you believe we may have inadvertently collected information from someone under 18, please contact us immediately at privacy@myphi.com.
Note regarding COPPA: The Children's Online Privacy Protection Act (COPPA) imposes specific requirements on operators of websites and online services directed to children under 13. Because our Services are directed exclusively to adults aged 18 and older, COPPA's requirements do not apply to our direct collection of information. However, we take any inadvertent collection of information from minors seriously and will respond promptly to any reports.
6. Minors and Dependent Individuals — Adult-Managed Accounts
While minors under 18 may not hold their own accounts, an adult parent, legal guardian, or authorized legal representative (age 18 or older) may use their own account to record and manage health visit information on behalf of a minor child or dependent adult individual in their care. When a parent or guardian uses the Platform in this capacity:
- The adult account holder is solely responsible for all recordings, data, and activity associated with the minor or dependent
- The adult account holder represents they have full legal authority to record and manage health information for the minor or dependent
- All 30-day automatic deletion terms apply equally to recordings involving minors or dependents
- Care Circle sharing of a minor's visit information is subject to the same authorization controls as all other sharing
- The adult account holder is responsible for ensuring that use of the Platform on behalf of a minor complies with all applicable recording consent laws
7. Your Privacy Rights
Depending on your state of residence, you may have rights regarding your personal information, including:
- Right to access and obtain a copy of your personal information
- Right to request correction of inaccurate information
- Right to request deletion of your personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- California (CCPA/CPRA): Right to know, right to delete, right to correct, right to limit use of sensitive personal information, right to non-discrimination
- Virginia, Colorado, Connecticut, and other applicable state residents: Similar rights may apply
To exercise any of these rights, use our Data Deletion and Privacy Request Form or contact us at privacy@myphi.com. We will respond within the timeframe required by applicable law.
8. Data Security
We implement administrative, technical, and physical safeguards to protect your information, including:
- Encryption of data in transit (TLS) and at rest (AES-256)
- Access controls and authentication requirements
- Regular security assessments
- Employee training on privacy and data handling
No method of transmission or storage is completely secure. If you suspect a security issue, contact us at security@myphi.com immediately.
9. Data Retention
- Raw audio recordings: Automatically and permanently deleted 30 days from date of recording
- AI-generated transcripts: Automatically and permanently deleted 30 days from date of recording
- Visit summaries and action items: Retained for the life of your account
- Account information: Retained for the life of your account plus the period required by applicable law following account closure
- Payment records: Retained as required by applicable law
For complete visit records beyond 30 days, you must request those records directly from your healthcare provider. MyPHI is not a records repository and does not provide long-term medical record storage.
10. Cookies
We use cookies and similar tracking technologies on our Website. For full details, see our Cookie Policy.
11. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by posting an updated version with a revised effective date and, where appropriate, by email notification. Continued use of the Services after changes are posted constitutes acceptance.
12. Contact Us
Questions or requests regarding this Privacy Policy:
Privacy Team: privacy@myphi.com
Data Request Form: myphi.com/data-request
MyPHI, Inc.
Email: legal@myphi.com
Website: myphi.com
