1. Who We Are
This Privacy Policy applies to Medicin.io LLC, a Delaware limited liability company ("Medicin," "we," "our," or "us") and the Medicin™ platform accessible at medicin.io and associated applications.
Medicin is a technology infrastructure platform. We are not a healthcare provider, medical practice, or clinical entity. We connect users to independent, licensed healthcare providers ("Providers") who operate under their own professional licenses and insurance.
2. What Information We Collect
We collect only information necessary to operate the platform. Specifically:
Information you provide:
- Identity: Your name, email address, and phone number
- Location: The US state you are in at the time of the consultation (to route you to a provider licensed in your state)
- Minimal intake: Patient age, relationship to the person seeking care (self / child / family), preferred pharmacy (if any), and a short description of your concern written by you
- Payment: Card payment details — processed and stored entirely by Stripe. Medicin never receives or stores your full card number, CVV, or expiration
Information we generate:
- Session identifier, timestamps, and call duration
- Platform access logs (IP address, browser, device type)
- The identifier of the Provider your session was routed to
What we deliberately do NOT collect or store:
- Your Social Security Number
- Your full date of birth (we capture age, not DOB, for intake; DOB is optional)
- Insurance policy numbers or insurer identifiers
- Medical history, diagnoses, prescriptions, or clinical notes from your call (these remain in the Provider's own records system)
- Recordings or transcripts of your consultation
- Biometric information of any kind
3. Why We Collect It
Every category of data above is collected for one or more of the following purposes:
- To facilitate a connection between you and a licensed, independent provider
- To comply with state licensing laws (routing based on your state)
- To process your platform fee payment
- To send you confirmation messages, receipts, and status updates
- To investigate fraud, abuse, or security incidents
- To comply with legal obligations when properly compelled
We do not sell your information. We do not rent it. We do not use it for advertising.
4. Who Sees Your Information
Your Provider: The independent healthcare provider matched to your session sees your name, phone number, state, age, relationship context, and your written description of your concern. They use this to provide you with clinical care.
Our service providers (subprocessors): We use a small number of trusted third parties to operate the platform. Each has signed a Business Associate Agreement (BAA) where applicable, or otherwise a Data Processing Addendum:
- Google Cloud Platform / Firebase — hosts our application and database (HIPAA-eligible)
- Twilio, Inc. — handles encrypted voice and SMS routing (HIPAA-eligible)
- Stripe, Inc. — processes payments (PCI-DSS Level 1)
- Resend — sends transactional emails (receipts, notifications)
These subprocessors are contractually prohibited from using your data for their own purposes.
Legal compliance: We may disclose information if compelled by valid legal process (subpoena, court order, warrant) or if we believe in good faith that disclosure is necessary to prevent imminent harm, fraud, or violation of our Terms of Service. When lawfully permitted, we will notify you of such requests.
Business transfers: If Medicin is acquired, merges, or sells its assets, your information may transfer to the successor entity, subject to the protections of this Privacy Policy.
5. How We Handle Protected Health Information (PHI)
When you use Medicin, certain information you provide may constitute Protected Health Information under HIPAA. Medicin operates as a Business Associate under HIPAA with respect to the Providers on our platform.
Our data architecture is designed around a minimization principle: we capture the least amount of PHI necessary to facilitate your connection. Clinical observations, diagnoses, treatment plans, and prescriptions are recorded by your Provider in their own independent records system — not on Medicin servers.
The written "concern" you submit in the intake form is routed to your Provider and stored on our platform to generate a receipt and administrative record. It is encrypted at rest and in transit.
For a detailed discussion of PHI handling, see our HIPAA Business Associate Agreement.
6. How Long We Keep Your Data
- Session records (name, phone, state, age, concern text, timestamps): 6 years, to comply with HIPAA's minimum retention requirements for Business Associates
- Payment records: 7 years, for tax and accounting compliance
- Platform access logs: 12 months, then automatically deleted
- Account information (if you're a Provider): for the life of your account plus 6 years after closure
- Anonymized aggregate analytics: indefinitely
You may request earlier deletion by contacting us (see Section 13). We will honor such requests except where we are legally required to retain specific records.
7. Your Rights
Regardless of where you live in the United States, you have the right to:
- Access the personal information we hold about you
- Correct information you believe is inaccurate
- Delete your information (subject to legal retention requirements)
- Opt out of non-essential communications
- Receive a copy of your data in a portable format
- Object to our processing of your data under certain circumstances
To exercise any of these rights, email us at privacy@medicin.io. We verify identity before fulfilling requests. We will respond within 30 days.
8. How We Protect Your Data
- Encryption in transit: All data exchanged with Medicin uses TLS 1.2 or higher
- Encryption at rest: AES-256 encryption via Google Cloud Platform managed keys
- Access controls: Role-based access with multi-factor authentication for our personnel
- Audit logs: Every access to user data is logged with timestamp and actor
- Phone number masking: Patient and provider phone numbers are never exchanged directly — calls route through Medicin's bridge
- No persistent recording: We do not record or transcribe consultations
- Regular security review: Infrastructure security is reviewed quarterly
No system is perfectly secure. If we discover a data breach affecting your information, we will notify you within 60 days as required by HIPAA and applicable state laws.
9. Cookies and Tracking
Medicin uses a minimal set of cookies and browser storage, limited to:
- Session cookies to maintain your authenticated state and active session
- Firebase client-side storage to enable real-time communication with our database
We do not use third-party advertising cookies, social media tracking pixels, or behavioral retargeting. We do not sell cookie data.
10. Children's Privacy
Medicin is not directed to children under 13, and we do not knowingly collect information from children under 13. A parent or legal guardian may use the Medicin platform on behalf of a minor; in such cases, the parent or guardian is the account holder and is responsible for the information provided.
If we learn that we have collected information from a child under 13 without parental consent, we will delete it promptly. Parents may contact us at privacy@medicin.io with concerns.
11. State-Specific Rights
California residents (CCPA / CPRA): In addition to the rights listed in Section 7, you have the right to know what categories of personal information we collect, the right to opt out of "sale" or "sharing" of personal information (we do neither), and the right to non-discrimination for exercising your privacy rights. You may designate an authorized agent to submit requests on your behalf.
Virginia residents (VCDPA): You have the right to access, correct, delete, and obtain a copy of your personal information. You may also appeal our response to your privacy request.
Colorado residents (CPA): You have the same rights as Virginia residents and may opt out of profiling that produces legal or similarly significant effects.
To exercise any state-specific right, email privacy@medicin.io and identify the state where you reside.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Email account holders with a summary of material changes
- Provide a 30-day notice before changes affecting existing data practices take effect
13. Contact Us
For any privacy-related question, concern, or request:
- Email: privacy@medicin.io
- Subject line suggestion: "Privacy Request" for data rights, "Security Concern" for suspected incidents
- Mail: Medicin.io LLC, [Delaware registered agent address], Delaware
We respond to privacy requests within 30 days. For urgent security issues, use the subject line "URGENT SECURITY" for expedited handling.