Privacy Policy

ReasonMD ("we," "us," or "our") is committed to protecting the privacy and security of your personal information and Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our clinical decision support platform (the "Service").

This Privacy Policy should be read in conjunction with our Terms of Service and, for applicable users, our Business Associate Agreement (BAA).

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Professional credentials and specialty
• Password (encrypted)
• Practice or organization affiliation (if applicable)

1.2 Protected Health Information (PHI)

As a healthcare provider using the Service, you may input PHI into the system, including but not limited to:

• Patient symptoms and medical history
• Clinical observations and findings
• Diagnostic information
• Treatment plans
• SOAP notes and clinical documentation

Important: We treat all clinical information you input as PHI and protect it in accordance with HIPAA regulations. We are a HIPAA-covered entity and Business Associate.

1.3 Usage Information

We automatically collect information about how you use the Service:

• Log data (IP address, browser type, device information)
• Pages visited and features used
• Time and date of access
• Number of SOAP notes generated
• Error logs and diagnostic information

1.4 Payment Information

Payment information is processed by our third-party payment processor (Stripe). We do not store your full credit card information on our servers. We only retain the last 4 digits, expiration date, and billing address for reference.

1.5 Communications

If you contact us via email, chat, or phone, we collect the contents of your message and any information you choose to provide.

2. How We Use Your Information

2.1 To Provide the Service

• Generate AI-assisted clinical decision support content
• Create and store your SOAP notes and clinical documentation
• Provide voice-to-text transcription services
• Export your data in various formats (PDF, DOCX, FHIR, HL7)
• Maintain and improve Service functionality

2.2 For Communication

• Send you account-related notifications
• Respond to your inquiries and support requests
• Send important Service updates and security alerts
• Provide educational content and feature updates (with your consent)

2.3 For Billing and Payment

• Process subscription payments
• Send billing statements and receipts
• Manage your subscription and payment issues

2.4 For Security and Compliance

• Monitor for security threats and fraudulent activity
• Enforce our Terms of Service
• Comply with legal obligations and law enforcement requests
• Maintain audit logs as required by HIPAA

2.5 For Service Improvement (Aggregated Data Only)

We may analyze aggregated, de-identified usage data to improve the Service. This data cannot be used to identify you or your patients.

3. How We Share Your Information

We do not sell, rent, or trade your personal information or PHI. We only share information in the following limited circumstances:

3.1 With Your Consent

We will share your information when you explicitly authorize us to do so, such as when exporting notes to your EMR system.

3.2 Service Providers (Business Associates)

We share information with trusted third-party service providers who assist us in operating the Service:

• Cloud hosting: Google Cloud Platform (BAA in place)
• AI services: OpenAI and Google Gemini (BAA in place for processing PHI)
• Speech-to-text: Google Cloud Speech-to-Text (BAA in place)
• Payment processing: Stripe (does not have access to PHI)
• Email service: SendGrid (for account notifications only, no PHI)

All service providers that may access PHI have signed Business Associate Agreements and are required to maintain HIPAA compliance.

3.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal process (subpoena, court order)
• Law enforcement requests
• National security requirements
• Protection of our rights, property, or safety
• Public health or safety emergencies

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4. HIPAA Compliance

4.1 Business Associate Relationship

ReasonMD acts as a Business Associate under HIPAA. We have implemented administrative, physical, and technical safeguards to protect PHI in accordance with HIPAA Security and Privacy Rules.

4.2 Business Associate Agreement (BAA)

For Professional and Enterprise customers, we provide a Business Associate Agreement that outlines our HIPAA obligations. The BAA is available upon request and is incorporated into your subscription agreement.

4.3 HIPAA Safeguards

We maintain the following safeguards:

Administrative Safeguards:

• Designated Privacy and Security Officers
• Regular risk assessments
• Employee training on HIPAA compliance
• Incident response procedures
• Business Associate Agreements with all subcontractors

Physical Safeguards:

• Data hosted in HIPAA-compliant facilities (Google Cloud Platform)
• Physical access controls to data centers
• Workstation security policies

Technical Safeguards:

• AES-256 encryption at rest
• TLS 1.3 encryption in transit
• Unique user authentication
• Automatic session timeouts
• Comprehensive audit logging
• Regular security updates and patching

4.4 Breach Notification

In the event of a breach of unsecured PHI, we will notify you within 60 days as required by HIPAA. We maintain breach notification procedures and incident response plans.

4.5 Minimum Necessary

We limit access to PHI to the minimum necessary to accomplish the intended purpose. Only authorized personnel have access to PHI, and access is logged and monitored.

5. Data Security

5.1 Security Measures

We implement industry-leading security practices:

• Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
• Authentication: Multi-factor authentication available
• Access controls: Role-based access with principle of least privilege
• Monitoring: 24/7 security monitoring and intrusion detection
• Backups: Daily encrypted backups with 30-day retention
• Auditing: Comprehensive audit logs of all data access

5.2 Infrastructure Security

Our infrastructure is hosted on Google Cloud Platform, which maintains:

• SOC 2 Type II certification
• HIPAA compliance
• ISO 27001 certification
• Physical security at data centers
• Redundancy and disaster recovery

5.3 Your Responsibilities

You are responsible for:

• Maintaining the confidentiality of your account credentials
• Using strong, unique passwords
• Enabling multi-factor authentication
• Logging out of shared devices
• Reporting any security concerns immediately

6. Your Rights and Choices

6.1 Access and Correction

You have the right to:

• Access your personal information and PHI
• Correct inaccurate information
• Export your data in machine-readable formats
• Request a copy of your data

6.2 Deletion

You may request deletion of your account and data at any time. Upon deletion request:

• We will delete your account within 30 days
• All PHI will be securely destroyed
• Backups will be deleted according to our retention schedule
• Some information may be retained for legal compliance (e.g., billing records, audit logs) as required by law

6.3 Data Portability

You can export your SOAP notes and clinical data at any time in PDF, DOCX, FHIR, or HL7 formats through the Service interface.

6.4 Marketing Communications

You can opt out of marketing emails at any time by clicking the "unsubscribe" link in emails or updating your account preferences. Note that you cannot opt out of transactional emails (e.g., billing, security alerts).

6.5 HIPAA Rights

As a healthcare provider, your patients have HIPAA rights regarding PHI you create using our Service:

• Right to access
• Right to request amendments
• Right to an accounting of disclosures
• Right to request restrictions

You are responsible for responding to patient requests. We will assist you in fulfilling these obligations as your Business Associate.

7. Data Retention

7.1 Retention Periods

• Active accounts: Data retained for the duration of your subscription
• Canceled accounts: Data retained for 30 days to allow for re-activation, then deleted
• Audit logs: Retained for 6 years as required by HIPAA
• Billing records: Retained for 7 years as required by law
• De-identified data: May be retained indefinitely for analytics and research

7.2 Secure Deletion

When data is deleted, we use secure deletion methods that prevent recovery. Backups are deleted according to our retention schedule.

8. Cookies and Tracking Technologies

8.1 Types of Cookies

We use the following types of cookies:

• Essential cookies: Required for Service functionality (authentication, security)
• Analytics cookies: Help us understand how you use the Service (Google Analytics)
• Preference cookies: Remember your settings and preferences

8.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

8.3 Analytics

We use Google Analytics to understand Service usage. Google Analytics does not have access to PHI. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

9. International Users and GDPR

9.1 Data Transfers

Our Service is hosted in the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the United States.

9.2 GDPR Compliance

For users in the European Economic Area (EEA), we comply with the General Data Protection Regulation (GDPR). You have additional rights under GDPR:

• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

9.3 Legal Basis for Processing

We process personal data under the following legal bases:

• Contract performance: To provide the Service you've subscribed to
• Legitimate interests: To improve and secure the Service
• Consent: For marketing communications (where required)
• Legal obligation: To comply with applicable laws

10. Children's Privacy

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date
• Sending you an email notification (for material changes)

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy, HIPAA compliance, or wish to exercise your privacy rights, please contact us:

HIPAA Complaints

If you believe your HIPAA rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights: