Privacy Policy
Last updated: August 20, 2025
This Privacy Policy explains how MD.ai, Inc. (“MD.ai,” “we,” “us,” or “our”) collects, uses, and protects information when you use our products, including MD.ai Annotator and MD.ai Reporting.
HIPAA & regulatory
If you are a Covered Entity or Business Associate, our processing of protected health information (“PHI”) occurs under a Business Associate Agreement (BAA) and in environments configured to help you meet applicable privacy and security requirements (e.g., HIPAA). Our software supports robust access controls, audit logging, and encryption to protect PHI.
The data we process
Depending on your configuration and contractual terms, MD.ai may process the following:
- Imaging data: DICOM and derived images/metadata used for storage, organization, labeling, annotation, and AI-assisted workflows.
- Clinical voice & reporting data: Audio recordings (where enabled), transcriptions, report templates, report content, and associated metadata used for drafting and finalizing clinical reports.
Your control & choices
- De-identification by default in shared environments. Outside HIPAA-covered deployments, you should upload only de-identified/anonymized data. In HIPAA-covered deployments under a BAA, PHI may be processed per your configuration.
- Access control. You control who can access your projects and data. You can grant or revoke access at any time.
- No selling. We do not sell or rent your data. We share it only as necessary to provide the services, comply with law, or as described in this policy and your agreement.
- Deletion. You can delete your data at any time. Deletion is initiated promptly; residual backups may persist for a limited period and then are purged.
- AI/Model use. We do not use customer data (including voice, transcripts, imaging, or reports) to train foundation models for other customers without your explicit permission.
How we use information
- Account & operations. We use basic account information (e.g., name, email, password or SSO) to secure your account and operate the services.
- Logs & telemetry. We temporarily associate operational logs (e.g., sign-ins, API calls) with your account to run, secure, and improve the services; then we aggregate or de-identify them.
- Product improvement. We may analyze aggregated or de-identified usage to improve performance, quality, and safety.
- Integrations. If you enable integrations (e.g., PACS/RIS, EHR, cloud storage), we process and exchange data as needed to provide those features per your configuration.
Security
Security informs how we design and run our systems. We:
- Enforce TLS for data in transit and encryption at rest (e.g., AES-256).
- Operate in data centers with appropriate security certifications (e.g., ISO 27001).
- Maintain detailed audit logs, conduct regular vulnerability management, and perform code/security reviews.
- Provide additional technical, administrative, and physical safeguards for HIPAA-covered environments and engage third-party assessments as appropriate.
Data location & transfers
We may process data in the United States and other locations where we or our subprocessors operate, consistent with your contractual and regional hosting choices. When personal data is transferred across borders, we use appropriate transfer mechanisms (e.g., standard contractual clauses) and honor applicable law and your agreement.
Subprocessors
We use vetted subprocessors (e.g., cloud providers, authentication services, model providers) to deliver the services. We require appropriate confidentiality, security, and privacy commitments from them.
Children
Our services are intended for professional use by healthcare organizations and their authorized users. We do not knowingly collect personal information directly from children under 13 (or the age required by local law). If we learn that such information was collected, we will delete it. We may process pediatric patient information on our customers’ behalf under a BAA; that processing is not directed to children and is not collected directly from them.
Contact
MD.ai, Inc.
199 Water St FL 34
New York, NY 10038
termsandprivacy@md.ai