Privacy Policy
Your Privacy at a Glance
At Medisage, we are committed to protecting your personal and health information with industry-leading security measures and HIPAA-aligned practices. This policy explains how we collect, use, and safeguard your data.
1. Information We Collect
Personal Information
- Account Details: Name, email address, phone number
- Profile Information: Age, gender, emergency contacts
- Authentication Data: Encrypted passwords, login credentials
Health Information (PHI)
- Medical Records: Uploaded documents, reports, prescriptions
- Health Parameters: Blood pressure, glucose levels, weight, BMI
- Blood Test Results: 22 analyzed parameters with educational trend data
- Medication Data: Prescriptions, dosages, schedules, adherence
- Family Health Data: Multi-profile health information for dependents
Technical Information
- Device Data: Device ID, operating system, app version
- Usage Analytics: Feature usage, session duration, interaction patterns
- Performance Data: Crash logs, error reports, performance metrics
- Location Data: Optional location services for emergency features
2. Purpose of Collection
Health Record Management
Store, organize, and provide secure access to your medical documents and health data for personal health management.
AI-Powered Educational Insights
Generate educational health summaries and reference information using advanced AI analysis for learning purposes only.
Medication Reminders
Provide timely medication reminders and track adherence to support your health management routine.
Family Collaboration
Enable secure sharing with family members and caregivers according to your permission settings.
Educational Health Analytics
Track health trends, generate educational reports, and provide data visualization for better health understanding and learning.
Service Improvement
Analyze usage patterns and feedback to enhance app functionality and user experience.
3. Consent and Legal Basis
5. Data Retention
Retention Periods
Data Deletion Process
You have the right to request deletion of your personal data at any time. Here's how:
📱 Through the App
- Go to Settings → Account → Delete Account
- Confirm your identity with password
- Review what will be deleted
- Submit deletion request
📧 By Email
Send a deletion request to: privacy@medisage.com
Include:
- Your full name and email address
- Subject line: "Data Deletion Request"
- Verification of identity: send the request from the email address registered to your account
⏱️ Deletion Timeline & Exceptions
Standard Deletion Process:
- Immediate: Account access disabled
- Within 30 days: Personal data permanently deleted from active systems
- Confirmation: Email confirmation sent upon completion
What Remains After Deletion (And For How Long):
- Legal Hold Data: Data subject to legal proceedings (until legal hold expires)
- Encrypted Backups: Anonymized data in encrypted backups (up to 90 days for complete removal)
- Security Audit Logs: Access logs without PHI (3 years for compliance)
- Legal Compliance Records: Consent records and deletion requests (7 years as required by law)
- Aggregated Analytics: Anonymized, non-identifiable usage statistics (indefinitely)
- Third-Party AI Data: Data processed by AI providers subject to their retention policies
📋 Complete Retention Matrix:
Data Type | Standard Retention | After a Deletion Request |
Active PHI | Account lifetime + 1 year | Deleted within 30 days of request |
Encrypted Backups | 90 days rolling | 90 days max after deletion request |
Audit Logs | 3 years | Remains for compliance (no PHI) |
Legal Records | 7 years | Required by law (consent, deletion proof) |
AI Provider Data | Varies by provider | Subject to third-party policies |
📞 Privacy Rights Contact
For all privacy-related requests and questions:
- Email: privacy@medisage.com
- Response time: Initial response within 72 hours (see Section 11 for fulfillment timelines)
- Subject line format: "Privacy Request - [Your Request Type]"
6. Your Rights
Right to Access
Request a copy of all personal data we hold about you, including health records and usage information.
Right to Rectification
Correct any inaccurate or incomplete personal information in your account or health records.
Right to Erasure
Request deletion of your personal data when it's no longer necessary for the original purpose.
Right to Restrict
Limit how we process your data while maintaining your account and essential health services.
Right to Portability
Export your health data in a machine-readable format to transfer to another service provider.
Right to Object
Object to processing for direct marketing or legitimate interests while maintaining core health services.
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@medisage.com (see the Privacy Rights Contact details in Section 5), or use the in-app options under Settings → Account.
7. Security Measures
Data Encryption
- In Transit: TLS 1.3 encryption for all data transmission
- At Rest: AES-256 encryption for stored data
- Databases: Encrypted PostgreSQL with Row Level Security
- Backups: Encrypted automated backups with secure key management
Access Control
- Authentication: Multi-factor authentication (MFA) support
- Authorization: Role-based access control (RBAC)
- Session Management: Secure JWT tokens with expiration
- Monitoring: Continuous security monitoring and audit logs
Infrastructure Security
- Cloud Provider: SOC 2 compliant hosting infrastructure
- Network Security: Firewalls, DDoS protection, intrusion detection
- API Security: Rate limiting, input validation, CORS protection
- Compliance: HIPAA-ready security controls and procedures
Data Protection
- Isolation: User data isolation and cross-tenant security
- Validation: Input sanitization and SQL injection prevention
- Monitoring: Real-time threat detection and response
- Incident Response: 24/7 security incident response team
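As an illustration of the database isolation and Row Level Security controls listed above, here is an added example (not Medisage's own schema or code) of a PostgreSQL policy that makes each user's records visible and writable only to a session authenticated as that user. The table name health_records, the application role medisage_app and the session setting app.current_user_id are assumptions for the example; the application is assumed to connect as medisage_app and set the user id once per request.

```sql
-- Added example, not the Medisage schema: per-user row isolation with RLS.
-- Assumed names: health_records, medisage_app, app.current_user_id.

CREATE TABLE health_records (
    id          bigserial PRIMARY KEY,
    owner_id    uuid        NOT NULL,
    document    text        NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Turn RLS on. FORCE makes policies apply to the table owner as well;
-- superusers and roles with BYPASSRLS still ignore policies, so the
-- application must never connect as one of those.
ALTER TABLE health_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE health_records FORCE ROW LEVEL SECURITY;

-- Visible (USING) and writable (WITH CHECK) only when owner_id equals the
-- user id set on the session. current_setting(name, true) returns NULL
-- instead of raising when the setting is absent, so a session that never
-- set a user id matches no rows at all rather than every row.
CREATE POLICY owner_only ON health_records
    USING      (owner_id = current_setting('app.current_user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Unprivileged application role: ordinary table grants, no BYPASSRLS.
CREATE ROLE medisage_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON health_records TO medisage_app;
GRANT USAGE, SELECT ON SEQUENCE health_records_id_seq TO medisage_app;

-- Per request (connected as medisage_app). SET LOCAL scopes the setting to
-- this transaction, so a pooled connection cannot leak the id to the next request.
BEGIN;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO health_records (owner_id, document)
VALUES ('11111111-1111-1111-1111-111111111111', 'lipid panel, 2024-01');
-- An unscoped query still returns only this user's rows.
SELECT id, document FROM health_records;
COMMIT;

-- Writing a row for a different owner is rejected by WITH CHECK and the
-- transaction is rolled back (ERROR: new row violates row-level security policy).
BEGIN;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO health_records (owner_id, document)
VALUES ('22222222-2222-2222-2222-222222222222', 'not mine');
ROLLBACK;

-- A session that never set a user id sees nothing (NULL never equals owner_id).
SELECT count(*) FROM health_records;
```

The policy is only as strong as the setting that feeds it: the application must derive app.current_user_id from the verified session (for example the subject of the validated JWT), never from a request parameter, and the connecting role must not be a superuser or carry BYPASSRLS. RLS is a defense in depth behind application-level authorization, not a replacement for it.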
8. Children's Privacy
Age Requirements
Medisage requires users to be at least 18 years old or have verified parental consent. We take special care to protect children's privacy:
- Under 13: Requires explicit parental consent and supervision
- 13-17 years: Requires parental consent for account creation
- 18+ years: Can create accounts independently
Parental Controls
For minors using Medisage:
- Parents have full access to their child's health data
- Enhanced privacy controls for sensitive health information
- Limited data sharing capabilities
- Additional security measures for account protection
9. International Data Transfers
Cross-Border Data Processing
Your data may be processed in countries other than your residence for:
- Cloud storage and backup services
- AI processing and analysis
- Technical support and maintenance
- Security monitoring and threat detection
Transfer Safeguards
We ensure adequate protection through:
- Adequacy Decisions: Transfers to countries with adequate protection
- Standard Contractual Clauses: EU-approved data transfer agreements
- Binding Corporate Rules: Internal policies for international transfers
- Encryption: All data encrypted during international transfers
10. Policy Changes
How We Notify You
We will notify you of significant privacy policy changes through:
- In-App Notifications: Prominent notices in the mobile app
- Email Alerts: Direct email to your registered address
- Website Banner: Visible notice on our website
- Push Notifications: Mobile push notifications for major changes
Implementation Timeline
- Minor Changes: Effective immediately upon posting
- Material Changes: 30-day notice period before implementation
- Your Options: Review, accept, or discontinue service
- Continued Use: Constitutes acceptance of updated policy
11. Contact Information
Postal Address
Medisage Privacy Department
[Your Business Address]
[City, State ZIP Code]
[Country]
Our Response Commitment
- Privacy Rights Requests: Response within 30 days
- General Inquiries: Response within 5 business days
- Security Issues: Acknowledgment within 24 hours
- Data Breaches: Notification within 72 hours (if required)