Legal
Privacy Policy
MedFlow is committed to protecting your personal and health information. This policy explains what we collect, how we use it, and your rights as a patient or healthcare provider.
Last updated: March 7, 2026 · Effective: March 7, 2026
Information We Collect
Account Information
When you register, we collect your name, email address, date of birth, and password. Doctors additionally provide their medical license number, state, specialty, and professional biography.
Health Information
During consultations and as you use the platform, we may collect health records, consultation notes, vital signs, prescriptions, medical documents, and information you choose to share with your care providers.
Usage Data
We collect device information, IP addresses, browser type, and pages visited to improve the platform and for security monitoring. This data is never linked to your health records.
Communications
Messages sent through MedFlow's secure messaging system are stored encrypted. We do not read, sell, or share the contents of your conversations.
How We Use Your Information
Providing Care
Your health information is used to facilitate consultations, generate prescriptions, and maintain your health record — accessible only to you and the licensed doctors you consult.
Platform Operations
We use account information to operate the platform, send appointment reminders, and provide customer support. We do not use your health data for advertising.
Safety & Compliance
We may process your information to comply with legal obligations, prevent fraud, and respond to lawful requests from public authorities where required.
Service Improvement
We use anonymised, aggregated data (never individually identifiable) to improve our platform features and user experience.
HIPAA & Protected Health Information
We are a HIPAA-Covered Entity
MedFlow operates as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Your Protected Health Information (PHI) is handled in strict accordance with HIPAA Privacy and Security Rules.
Business Associate Agreements
All third-party service providers with access to PHI have executed Business Associate Agreements (BAAs) with MedFlow, including our infrastructure and communications providers.
Minimum Necessary Standard
We apply the HIPAA minimum necessary standard — accessing, using, or disclosing only the minimum amount of PHI necessary to accomplish each function.
Data Security
Encryption
All health records are encrypted at rest using AES-256-GCM. All data in transit is protected by TLS 1.3. Messages are end-to-end encrypted — not even MedFlow staff can read them.
Access Controls
Access to your health information is restricted to you and the licensed providers you have consulted. Internal staff access is role-based, logged, and audited.
Audit Logging
All access to PHI is logged with timestamp, user ID, and action type. These logs are write-only, tamper-evident, and retained for a minimum of six years as required by HIPAA.
Breach Notification
In the event of a data breach involving your PHI, we will notify you within 60 days as required by HIPAA, or sooner where required by applicable state law.
Your Rights
Access & Portability
You have the right to request a copy of your personal data and health records at any time. We will provide them in a machine-readable format within 30 days.
Correction
If any personal information we hold is inaccurate, you may request a correction through your account profile or by contacting our privacy team.
Deletion
You may request deletion of your account and non-medical personal data. Note that health records may be retained for legal and medical record-keeping periods as required by state and federal law.
Opt-Out
You may opt out of non-essential communications (marketing emails, product updates) at any time via your notification settings. Appointment reminders cannot be disabled as they are a safety feature.
Third-Party Services
Infrastructure Partners
MedFlow uses Neon (PostgreSQL), Cloudflare R2 (document storage), and LiveKit (encrypted video). These partners process data only as directed by MedFlow under contractual data protection terms.
No Advertising Networks
We do not use advertising networks, tracking pixels, or third-party analytics that would expose your health information or browsing behaviour to advertisers.
No Data Sales
MedFlow does not sell, rent, or trade your personal information or health data to any third party, ever.
Contact Our Privacy Team
For privacy inquiries, data access requests, or HIPAA concerns, contact our Privacy Officer:
Email: privacy@medflow.health
Response time: Within 5 business days
HIPAA complaints: You may also file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights.