GDPR Statement
Effective Date: February 2026
Document Version: 1.0
1. Overview
Rymeda, Inc. (“Rymeda,” “we,” “us”) is a Delaware corporation headquartered in California that operates a HIPAA-compliant healthcare SaaS platform providing electronic health records (EHR), telehealth, clinical AI (ORIS), voice-to-note transcription, secure messaging, and a healthcare marketplace. Although Rymeda is a US-based entity, we are committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) whenever it applies to our processing activities.
This statement describes how Rymeda aligns its data protection practices with GDPR requirements, the rights available to data subjects in the European Economic Area (EEA) and United Kingdom, and the safeguards we maintain for international data transfers. This statement supplements our Privacy Policy and Data Processing Agreement.
2. Scope & Applicability
The GDPR applies to Rymeda's processing activities when:
- We process personal data of individuals located in the EU/EEA in connection with offering our platform services to them (Article 3(2)(a)).
- We monitor the behavior of individuals within the EU/EEA, such as through analytics or usage tracking (Article 3(2)(b)).
- A customer (controller) established in the EU/EEA engages Rymeda as a data processor under our Data Processing Agreement (Article 28).
Where Rymeda acts as a processor on behalf of a healthcare organization (controller), the controller determines the purposes and means of processing, and Rymeda processes personal data solely on documented instructions. Where Rymeda acts as a controller — for example, when managing provider accounts or website visitors — we comply directly with all applicable GDPR obligations.
3. Legal Basis for Processing
Rymeda relies on the following legal bases under GDPR Article 6 (and Article 9 for special categories of data) depending on the processing activity:
| Legal Basis | GDPR Article | Platform Use |
|---|---|---|
| Consent | Art. 6(1)(a), Art. 9(2)(a) | Voice recording for transcription, AI-generated clinical notes (ORIS), telehealth session recording, marketing communications |
| Contract Performance | Art. 6(1)(b) | Account creation, EHR service delivery, telehealth appointments, billing and invoicing, marketplace transactions |
| Legitimate Interest | Art. 6(1)(f) | Platform security, fraud detection, service improvement, cookie-free analytics (Plausible), secure messaging delivery |
| Legal Obligation | Art. 6(1)(c) | HIPAA compliance, clinical record retention, audit logging, tax and financial reporting, breach notification |
| Vital Interests | Art. 6(1)(d), Art. 9(2)(c) | Emergency clinical situations where processing is necessary to protect a patient's life or health |
Special Category Data: Health data, biometric data (voice recordings), and AI-derived clinical data are processed under Article 9(2)(a) (explicit consent), Article 9(2)(h) (healthcare provision), or Article 9(2)(c) (vital interests) as applicable. All AI-generated clinical content requires clinician review and signature before becoming part of the medical record.
4. Data Subject Rights (Articles 15–22)
Rymeda supports and facilitates the exercise of all GDPR data subject rights. Requests may be submitted to legal@rymeda.com and will be fulfilled within 30 days.
| Right | Article | Implementation |
|---|---|---|
| Right of Access | Art. 15 | Full data export in machine-readable JSON including profile, posts, comments, messages, login history, sessions, bookings, community memberships, and provider data |
| Right to Rectification | Art. 16 | Update personal data via platform settings or upon written request; changes are logged in the immutable audit trail |
| Right to Erasure | Art. 17 | Profile anonymization (email replaced with deleted_{id}@deleted.rymeda.com, name set to “Deleted User”), soft-deletion of posts and comments (content replaced with “[Deleted]”), session invalidation, and audit log anonymization |
| Right to Restriction | Art. 18 | Processing restricted upon request while accuracy disputes or objections are resolved; restricted data is marked and active processing ceases |
| Right to Data Portability | Art. 20 | Structured JSON export of all user data, downloadable via authenticated API endpoint with a 7-day expiration window |
| Right to Object | Art. 21 | Cease processing based on legitimate interest upon request; immediate opt-out from non-essential communications |
| Automated Decision-Making | Art. 22 | All AI-generated clinical content (ORIS suggestions, transcriptions, SOAP notes, ICD-10 codes) requires human clinician review and provider signature — no solely automated decisions with legal or significant effect |
Erasure & Retention: The right to erasure is subject to legal retention obligations. Clinical records governed by HIPAA (45 CFR §164.530(j)) must be retained for six years. Where erasure conflicts with retention requirements, data is anonymized rather than deleted, and processing is restricted to the retention purpose only. Audit logs may be preserved in anonymized form (actor email replaced with the anonymized address) to maintain system integrity.
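The erasure flow in the table and the retention carve-out above, written out as an added Python illustration (not Rymeda's code): the profile is anonymized, authored content is soft-deleted, sessions are revoked, the audit trail keeps its rows with only the actor identity rewritten, and clinical records still inside the six-year window are restricted rather than deleted. The in-memory store, the six-years-from-creation rule and all sample rows are assumptions constructed for the example.

```python
"""GDPR erasure with retention-aware anonymization (added illustration, not Rymeda's code).
Profile anonymized, posts soft-deleted, sessions revoked, audit actor rewritten, and
clinical records inside the six-year retention window restricted rather than deleted."""
from datetime import date, timedelta

RETENTION = timedelta(days=6 * 365)  # assumed: six years counted from record creation

def anonymized_email(user_id: int) -> str:
    return f"deleted_{user_id}@deleted.rymeda.com"

def erase_user(store: dict, user_id: int, today: date) -> dict:
    """`store` is a constructed in-memory stand-in for one tenant's data store."""
    user = store["users"][user_id]
    old_email = user["email"]
    user.update(email=anonymized_email(user_id), name="Deleted User")
    # soft-delete authored content: rows stay so threads and foreign keys remain valid
    for p in store["posts"] + store["comments"]:
        if p["author_id"] == user_id:
            p["content"] = "[Deleted]"
    # invalidate every session belonging to the subject
    for s in store["sessions"]:
        if s["user_id"] == user_id:
            s["revoked"] = True
    # audit trail stays intact; only the actor identity is replaced
    for a in store["audit"]:
        if a["actor_email"] == old_email:
            a["actor_email"] = user["email"]
    # clinical records: delete only once past retention, otherwise mark restricted
    kept = 0
    for r in list(store["clinical"]):
        if r["patient_id"] != user_id:
            continue
        if today - r["created"] > RETENTION:
            store["clinical"].remove(r)
        else:
            r["restricted"] = True
            kept += 1
    return {"email": user["email"], "retained_clinical": kept}

def sample_store() -> dict:
    """Constructed sample data: one user with content, sessions, audit rows and two records."""
    return {
        "users": {7: {"email": "dr.x@example.org", "name": "Dr X"}},
        "posts": [{"author_id": 7, "content": "hello"}, {"author_id": 8, "content": "keep"}],
        "comments": [{"author_id": 7, "content": "reply"}],
        "sessions": [{"user_id": 7, "revoked": False}],
        "audit": [{"actor_email": "dr.x@example.org", "action": "login"}],
        "clinical": [{"patient_id": 7, "created": date(2025, 1, 1)},
                     {"patient_id": 7, "created": date(2015, 1, 1)}],
    }
```

Running `erase_user(sample_store(), 7, date(2026, 2, 1))` leaves the 2025 record restricted and removes the 2015 one, while the other author's post is untouched.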
5. Data Protection Principles (Article 5)
Rymeda adheres to the core data protection principles set out in GDPR Article 5:
Lawfulness, Fairness & Transparency
We process personal data only with a valid legal basis, provide clear privacy notices, and maintain an AI Transparency policy disclosing how clinical AI systems operate.
Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes — healthcare delivery, platform operation, billing, and compliance — and not further processed in a manner incompatible with those purposes.
Data Minimization
We collect only the personal data necessary for each processing purpose. Our PHI redaction pipeline strips identifiable health information before data reaches external AI processing layers. Website analytics use Plausible (cookie-free, no PII).
Accuracy
We provide tools for data subjects and controllers to keep personal data accurate and up to date, including NPI/NPPES validation for provider credentials and patient self-service profile management.
Storage Limitation
Personal data is retained only as long as necessary for its processing purpose or as required by law. Our Data Retention Policy documents specific retention periods for each data category.
Integrity & Confidentiality
We implement AES-256 encryption at rest (per-tenant AWS KMS keys), TLS 1.3 in transit, role-based access controls with a 9-role clinical permission matrix, immutable audit logging, tenant isolation, and VPC network security.
Accountability
Rymeda maintains records of processing activities (Article 30), conducts Data Protection Impact Assessments, undergoes annual SOC 2 Type II audits, and designates a Data Protection Officer contactable at legal@rymeda.com.
6. International Data Transfers
Rymeda's infrastructure is hosted in AWS US-East-1 (Northern Virginia). When personal data is transferred from the EEA, UK, or Switzerland to the United States, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): Module Two (Controller to Processor) per EU Commission Implementing Decision (EU) 2021/914, incorporated into our DPA. UK International Data Transfer Addendum and Swiss FADP modifications apply where relevant.
- HIPAA Safeguards: As a HIPAA-compliant platform, we maintain security standards that meet or exceed GDPR Article 32 requirements, including Business Associate Agreements with all subprocessors handling PHI.
- Encryption: AES-256 encryption at rest with per-tenant AWS KMS keys and TLS 1.3 for all data in transit, ensuring data remains protected regardless of jurisdiction.
- Transfer Impact Assessment: We have conducted a TIA confirming that our supplementary measures — including tenant isolation, per-tenant encryption keys, and strict access controls — provide an essentially equivalent level of protection for transferred personal data.
7. Data Protection Impact Assessments
Rymeda conducts Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 whenever processing is likely to result in a high risk to the rights and freedoms of individuals. We conduct DPIAs for:
- AI processing of clinical data: ORIS clinical AI, AI-generated SOAP notes, and suggested ICD-10 codes with confidence scoring
- Voice transcription: Recording and transcribing clinical encounters using OpenAI Whisper, involving biometric (voice) data
- Telehealth services: Real-time audio/video consultations involving health data
- New feature launches: Any new processing activity involving health data, biometric data, or large-scale profiling
Each DPIA includes: (a) a systematic description of processing operations and purposes; (b) an assessment of necessity and proportionality; (c) an evaluation of risks to data subjects; and (d) documented mitigation measures. We cooperate with controllers who must conduct their own DPIAs, providing technical documentation and processing details upon request.
8. Data Processor Obligations
When acting as a data processor under GDPR Article 28, Rymeda:
- Processes personal data only on documented instructions from the controller
- Ensures all personnel processing data are bound by confidentiality obligations
- Implements appropriate technical and organizational security measures (Article 32)
- Engages sub-processors only with prior authorization and equivalent contractual protections
- Assists with data subject rights, breach notification, DPIAs, and prior consultation
- Returns or deletes all personal data upon termination, subject to legal retention
- Makes available all information necessary to demonstrate compliance and supports audits
A complete list of our sub-processors — including their purpose, data processed, and location — is maintained on the Subprocessor List page. All sub-processors handling health data are covered by Business Associate Agreements. Controllers receive 30 days' advance notice of sub-processor changes with a 15-day objection window.
9. Breach Notification
72-Hour Notification (Article 33): In the event of a personal data breach, Rymeda notifies the affected controller without undue delay and no later than 72 hours after becoming aware of the breach, providing the nature of the breach, approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we assist controllers in fulfilling their obligation to notify data subjects under Article 34. Breach notifications include: (a) the categories of data affected; (b) contact details of our Data Protection Officer; (c) a description of likely consequences; and (d) remediation measures.
For breaches involving Protected Health Information, HIPAA breach notification requirements under 45 CFR §§164.404–164.410 apply concurrently. See our Breach Notification Policy for full details.
10. Data Protection Officer
Rymeda has designated a Data Protection Officer (DPO) who can be reached for any GDPR-related inquiries, data subject requests, or complaints:
Data Protection Officer (legal@rymeda.com): data subject requests, GDPR inquiries, DPIAs, privacy complaints
11. Supervisory Authority
Data subjects in the EU/EEA have the right to lodge a complaint with their local supervisory authority (data protection authority) if they believe their personal data is being processed in violation of the GDPR (Article 77). A list of EU supervisory authorities is available from the European Data Protection Board.
UK data subjects may contact the Information Commissioner's Office (ICO). Swiss data subjects may contact the Federal Data Protection and Information Commissioner (FDPIC).
We encourage data subjects to contact us at legal@rymeda.com before filing a complaint so that we may attempt to resolve the concern directly.
12. Related Policies
- Data Processing Agreement: Article 28 processor obligations and SCCs
- Privacy Policy: Data collection, use, and disclosure practices
- Subprocessor List: Current third-party data processors
- Data Retention Policy: Retention periods and deletion schedules
- Patient Consent Policy: Consent management for healthcare data
- State Compliance: US state privacy law compliance