Privacy Policy

Effective Date: February 2026

Rymeda, Inc. ("Rymeda," "Company," "we," "us," or "our"), a Delaware corporation, is committed to protecting your privacy and the confidentiality of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard information when you access or use the Rymeda platform, applications, APIs, and related services (collectively, the "Services"). This policy applies to all Users of the Services, including Patients, Providers, Organizations, and visitors to our website. This Privacy Policy should be read in conjunction with our Terms of Service, HIPAA Notice of Privacy Practices, Cookie Policy, and, where applicable, our Business Associate Agreement and Data Processing Agreement.

1. Identity & Data Controller

The data controller responsible for your personal information is:

Rymeda, Inc.
Attn: Privacy Officer
Email: legal@rymeda.com

For purposes of the EU General Data Protection Regulation ("GDPR"), Rymeda, Inc. is the data controller for personal data processed through the Services. For purposes of HIPAA, Rymeda acts as a Business Associate when processing Protected Health Information (PHI) on behalf of Covered Entities, as governed by the Business Associate Agreement. Our Privacy Officer can be reached at legal@rymeda.com for any privacy-related inquiries, data subject requests, or complaints.

2. Data We Collect

We collect the following categories of personal information, organized by type. Each category is derived from specific data fields processed by the Rymeda platform:

2.1 Identity Data

  • Full name (first name, last name)
  • Email address
  • Phone number
  • Date of birth
  • Gender
  • Physical address (street, city, state, ZIP code)
  • Account credentials (password hashes — we never store plaintext passwords)

2.2 Profile Data

  • Avatar / profile photo
  • Bio / description
  • Location
  • Account role (user, social_provider, business_provider, admin)
  • Provider verification status
  • Organization membership and affiliation

2.3 Health & Patient Data

  • Date of birth, gender, blood type
  • Allergies (substance, reaction, severity)
  • Medical conditions and problem list (description, ICD-10 codes, onset date, status)
  • Medications (name, dosage, frequency, prescriber, start/end dates)
  • Emergency contact information (name, relationship, phone)
  • Insurance information (provider, policy number, group number)
  • Patient status (active, inactive, discharged)

2.4 Clinical Data (PHI)

  • SOAP notes (Subjective, Objective, Assessment, Plan)
  • Progress notes, intake notes, discharge summaries
  • Diagnoses and ICD-10 codes
  • Vital signs (temperature, blood pressure systolic/diastolic, heart rate, respiratory rate, oxygen saturation, weight, height)
  • Lab results (test name, values, reference ranges, ordering provider)
  • Treatment plans (goals, interventions, target dates, status)
  • Clinical note metadata (author, author role, note type, status: draft/ai_draft/signed/amended)
  • Care team relationships (provider-patient assignments, relationship type: primary/consulting/referred)

2.5 Biometric Data

  • Voice recordings of clinical encounters (formats: WebM, MP4, MPEG, WAV, OGG)
  • Voice transcriptions generated by OpenAI Whisper from recorded audio
  • Voiceprint characteristics inherent in audio recordings

Voice recordings are collected only with explicit, separate consent per California Penal Code §632. See Section 12 for our Biometric Data Notice. See our Patient Consent & Authorization Forms for the voice recording authorization.

2.6 Professional & Credential Data

  • National Provider Identifier (NPI)
  • State license number and license state
  • Drug Enforcement Administration (DEA) registration number
  • Credential type and specialty
  • Clinical role (Physician, NP, PA, RN, Therapist, Biller, Front Desk, Org Admin, Owner)
  • Verification status (unverified, pending, NPI validated, manual review, verified, reverification, suspended)
  • NPI/NPPES validation data (name match, state match, confidence score, taxonomy, active status)

2.7 Financial & Billing Data

  • Invoice records (line items, CPT codes, subtotal, tax, total, due date, payment status, payment method)
  • Insurance claims (payer, claim number, diagnosis codes, procedure codes, amount billed/allowed/paid, denial reason)
  • Subscription tier and billing cycle (monthly/annual)
  • Stripe payment tokens (we do not store full credit card numbers — payment processing is handled entirely by Stripe)
  • Organization tax identification number
  • Marketplace order data (items, subtotal, shipping, tax, total, shipping address, order status, tracking number)

2.8 Device & Technical Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Authentication session data (JWT tokens, session identifiers)
  • AWS Cognito authentication metadata

2.9 Usage & Analytics Data

  • Pages visited, features used, timestamps
  • Referral source
  • We use Plausible Analytics, a privacy-first, cookie-free analytics provider that does not collect personal data, does not use cookies, and does not track users across sites. See our Cookie Policy.

2.10 AI-Generated Data

  • AI-generated transcriptions from voice recordings
  • AI-generated SOAP note drafts
  • Suggested ICD-10 diagnostic codes and confidence scores
  • ORIS AI Assistant conversation logs (with guardrails: emergency detection, blocked content, off-topic filtering)
  • AI model version identifiers

2.11 Communication Data

  • Secure messages between providers, patients, and staff
  • Message threads and conversation metadata
  • Support and contact form submissions

2.12 Organization Data

  • Organization name, type, and description
  • Tax identification number
  • Business address
  • Staff roster (roles, invitations, status)
  • Subscribed modules and features
  • Vendor/marketplace profile (verification status, business type, rating, sales data)

3. Legal Basis for Processing

We process personal information under the following legal bases, as applicable under GDPR, CCPA/CPRA, and other privacy laws:

Data Category | Legal Basis
Identity & Profile Data | Contract performance (providing the Services)
Health & Patient Data | Explicit consent; Legal obligation (HIPAA, CMIA)
Clinical Data (PHI) | Legal obligation (HIPAA); BAA authorization; Explicit consent
Biometric Data (Voice) | Explicit separate consent (Cal. Penal Code §632)
Professional & Credential Data | Contract performance; Legal obligation (provider verification)
Financial & Billing Data | Contract performance; Legal obligation (tax, accounting)
Device & Technical Data | Legitimate interest (security, fraud prevention)
Usage & Analytics Data | Legitimate interest (service improvement)
AI-Generated Data | Explicit consent; Contract performance
Communication Data | Contract performance; Legitimate interest
Organization Data | Contract performance

Where we rely on consent, you may withdraw consent at any time by contacting legal@rymeda.com. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal. Where we rely on vital interests, this applies only in emergency situations where processing is necessary to protect the life of the data subject or another person.

4. Purpose Limitation

We process personal information only for the following specific, explicit, and legitimate purposes:

  • Healthcare delivery: Facilitating clinical documentation, care coordination, treatment planning, and provider-patient communication
  • Clinical documentation: AI-assisted transcription, SOAP note generation, diagnostic code suggestion, and clinical note management (draft, review, sign workflow)
  • Billing & payments: Invoice creation, insurance claims processing, payment collection via Stripe, aging reports, and financial record-keeping
  • Platform operations: Account management, scheduling, task management, staff management, and organization administration
  • Security & compliance: Authentication (AWS Cognito), access control (RBAC), immutable audit logging, trust and safety enforcement, fraud detection, and incident response
  • Regulatory compliance: Meeting obligations under HIPAA, CCPA/CPRA, CMIA, and other applicable healthcare and privacy laws
  • AI-assisted clinical support: ORIS AI clinical decision support, voice transcription, and automated clinical documentation with human-in-the-loop review
  • Provider verification: NPI/NPPES validation, license verification, credential monitoring, and re-verification
  • Analytics & improvement: Cookie-free analytics via Plausible to understand platform usage patterns (no personal data collected)
  • Communication: Sending transactional emails (account confirmations, security alerts, billing notifications) via SendGrid; secure in-platform messaging

We do not process personal information for purposes incompatible with those described above without providing additional notice and, where required, obtaining separate consent.

5. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are:

Data Category | Retention Period | Legal Basis
Clinical Data & PHI | 7–10 years from creation | HIPAA (45 CFR §164.530(j)); state medical records laws
Financial & Billing Data | 7 years | IRS requirements; state tax laws
Audit Logs | 6 years minimum | HIPAA (45 CFR §164.530(j)); immutable, append-only
Voice Recordings | Same as clinical data (7–10 years) | Part of clinical record; HIPAA
AI-Generated Content | Same as clinical data (7–10 years) | Linked to clinical documentation
Account & Profile Data | Duration of account + 30 days | Contract performance; 30-day export window
Analytics Data (Plausible) | 24 months | Aggregated, non-personal
Credential & Verification Data | Duration of provider status + 6 years | Regulatory compliance
De-identified & Aggregated Data | Indefinite | 45 CFR §164.514 (cannot identify individuals)

When data reaches the end of its retention period, it is securely deleted or de-identified in accordance with NIST SP 800-88 guidelines. Retention periods in the Business Associate Agreement and Data Processing Agreement govern where applicable.

6. Third-Party Processors & Data Sharing

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We engage the following third-party processors to provide the Services:

Processor | Purpose | Data Processed
Amazon Web Services (AWS) | Cloud infrastructure, storage (S3), authentication (Cognito), encryption (KMS) | All data categories; encrypted at rest (AES-256) and in transit (TLS 1.3)
MongoDB Atlas | Database hosting | All structured data; encrypted at rest
Stripe, Inc. | Payment processing, subscription billing, marketplace checkout | Financial data, billing information (Stripe handles card data; we never store full card numbers)
OpenAI | Voice transcription (Whisper), AI clinical note generation | Voice recordings, transcriptions, clinical text for AI processing
Google (Gemini) | AI clinical documentation processing | Clinical text for AI processing
ORIS | Clinical AI decision support assistant | Clinical queries, conversation context (with guardrails)
SendGrid (Twilio) | Transactional email delivery | Email addresses, email content (account confirmations, alerts, notifications)
Plausible Analytics | Privacy-first website analytics | Aggregated, non-personal usage data only (no cookies, no personal data)

All third-party processors are bound by data processing agreements that require them to process data only as instructed, implement appropriate security measures, and notify us of any security incidents. For a current list, see our Subprocessor List. AI processors (OpenAI, Google, ORIS) are contractually prohibited from using your data to train their models.

We may also disclose personal information: (a) as required by law, including in response to lawful requests by public authorities; (b) to protect the rights, property, or safety of Rymeda, our users, or others; (c) in connection with a merger, acquisition, or sale of assets, subject to the acquiring entity agreeing to the terms of this Policy; or (d) with your explicit consent.

7. International Data Transfers

All primary data storage is located in the United States, in the AWS US-East-1 (N. Virginia) region. If you access the Services from outside the United States, your data will be transferred to and processed in the United States.

For transfers of personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses as the primary transfer mechanism for personal data from the EEA
  • UK International Data Transfer Agreement (IDTA): For transfers from the United Kingdom
  • Supplementary measures: Including AES-256 encryption at rest, TLS 1.3 in transit, per-tenant AWS KMS encryption keys, and access controls that limit data access to authorized personnel only

You may request a copy of the applicable SCCs by contacting legal@rymeda.com.

8. Automated Decision-Making & AI Processing

In accordance with California AB 3030 (Cal. Health & Safety Code §1279.6) and GDPR Article 22, Rymeda discloses the following about automated processing:

8.1 AI-Assisted Clinical Suggestions

The Platform uses AI to generate clinical content including transcriptions, SOAP note drafts, suggested ICD-10 codes, and confidence scores. These outputs are suggestions only and do not constitute autonomous clinical decisions. All AI-generated content is labeled "AI_DRAFT — REQUIRES PROVIDER REVIEW" and requires review and electronic signature by a licensed provider (Physician, NP, or PA) before becoming part of the medical record. The signing action is irreversible.

8.2 Trust & Safety Automation

The Platform uses automated systems for trust and safety enforcement, including AI-assisted content moderation (with an 85% confidence threshold requiring human review below that threshold), automated rate limiting, and trust scoring. These systems may result in automated enforcement actions (warnings, muting, suspension). Users may contest automated decisions by contacting support@rymeda.com.

8.3 Human-in-the-Loop Guarantee

No solely automated decision that produces legal or similarly significant effects is made without human review. For clinical decisions, a licensed provider must always review and approve AI-generated content. For trust and safety actions that result in account suspension or termination, human review is available on request. You have the right to: (a) obtain an explanation of any automated decision; (b) request human review of any automated decision; and (c) contest the outcome.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.):

Right to Know (Cal. Civ. Code §1798.100)

You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes for collection, and the categories of third parties with whom we share it.

Right to Delete (Cal. Civ. Code §1798.105)

You may request deletion of your personal information, subject to legal retention requirements (e.g., HIPAA mandates 6+ year retention of PHI-related records).

Right to Correct (Cal. Civ. Code §1798.106)

You may request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale or Sharing (Cal. Civ. Code §1798.120)

We do not sell or share your personal information as defined under the CCPA/CPRA. We do not engage in cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code §1798.121)

You may request that we limit our use of sensitive personal information (which includes health data and biometric data) to purposes necessary to provide the Services.

Right to Non-Discrimination (Cal. Civ. Code §1798.125)

We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying services, charging different prices, or providing a different quality of service.

"Do Not Sell or Share My Personal Information": Rymeda does not sell personal information and does not share personal information for cross-context behavioral advertising. No opt-out mechanism is required because we do not engage in these practices.

Sensitive Personal Information: Under the CPRA, sensitive personal information includes health data, biometric data, and precise geolocation. We process sensitive personal information only as necessary to provide the Services and do not use it for advertising or profiling purposes.

How to submit a request: Contact legal@rymeda.com. We will verify your identity using a two-step verification process and respond within forty-five (45) days (extendable by an additional 45 days with notice).

HIPAA Exemption: PHI regulated under HIPAA is exempt from CCPA/CPRA (Cal. Civ. Code §1798.145(c)(1)(A)). Rights regarding PHI are governed by HIPAA and described in our HIPAA Notice of Privacy Practices.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you, including processing purposes, categories, recipients, retention periods, and the source of data not collected directly from you
  • Right to Rectification (Art. 16): Request correction of inaccurate personal data or completion of incomplete data
  • Right to Erasure (Art. 17): Request deletion of your personal data where the data is no longer necessary, you withdraw consent, or the data was unlawfully processed (subject to legal retention obligations)
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON) and transmit it to another controller
  • Right to Restrict Processing (Art. 18): Request restriction of processing while accuracy is contested, processing is unlawful, or data is needed for legal claims
  • Right to Object (Art. 21): Object to processing based on legitimate interest, including for direct marketing purposes (we will cease processing unless we demonstrate compelling legitimate grounds)
  • Rights Related to Automated Decisions (Art. 22): Not be subject to solely automated decision-making that produces legal or similarly significant effects (see Section 8 for our human-in-the-loop guarantees)

To exercise these rights, contact legal@rymeda.com. We will respond within thirty (30) days (extendable by two additional months for complex requests, with notice).

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. If you are in the UK, this is the Information Commissioner's Office (ICO). If you are in the EU, you may contact the supervisory authority in your member state of residence.

11. California Healthcare Privacy Disclosures

11.1 CMIA (Cal. Civ. Code §56 et seq.)

For California residents whose medical information is processed through the Platform, Rymeda complies with the Confidentiality of Medical Information Act: medical information is not disclosed without valid written authorization from the patient except as permitted under Cal. Civ. Code §56.10; authorizations comply with Cal. Civ. Code §56.11 requirements (specificity of information, purpose, recipients, expiration); patients may revoke authorization at any time (Cal. Civ. Code §56.16) with prospective effect; and breach notification is provided as required by Cal. Civ. Code §56.36.

11.2 Cal. Penal Code §632 (Recording Consent)

California is a two-party consent state for recording confidential communications. Rymeda does not record voice calls, video sessions, or clinical encounters without the explicit consent of all parties. Where the Platform's voice recording features are used, clear and conspicuous notice is provided before recording begins. Recording consent is obtained separately from all other consents and may be revoked on a per-encounter basis. See our Patient Consent & Authorization Forms for the voice recording authorization.

11.3 AB 3030 (AI Disclosure)

In accordance with California AB 3030 (Cal. Health & Safety Code §1279.6), Rymeda discloses that the Platform uses artificial intelligence and machine learning in healthcare-related features. AI-generated content is clearly labeled, intended to assist rather than replace licensed providers, and requires provider review before clinical use. Patients have the right to be informed when AI is used in their care and may request human-only review. See Section 8 for detailed AI processing disclosures and our Terms of Service Section 6 for AI-generated content terms.

11.4 Three-Consent Model

For California telehealth encounters that include recording, three separate consents are required and cannot be bundled: (1) Telehealth informed consent per Cal. BPC §2290.5; (2) Voice recording authorization per Cal. Penal Code §632; and (3) HIPAA authorization per 45 CFR §164.508. Each consent is obtained independently, may be revoked independently, and revocation of one does not affect the validity of the others.

12. Biometric Data Notice

In compliance with Illinois Biometric Information Privacy Act (740 ILCS 14 — "BIPA"), the California Consumer Privacy Act (sensitive personal information provisions), and other applicable biometric data laws, Rymeda provides the following notice:

What Biometric Data We Collect

When you or your provider use the Platform's voice recording feature, we collect audio recordings of clinical encounters that contain voiceprint characteristics (biometric identifiers). These recordings are processed by OpenAI Whisper to generate text transcriptions.

Purpose

Voice recordings are collected solely for the purpose of clinical documentation: transcription of clinical encounters, AI-assisted generation of SOAP notes, and creation of medical records. Voice recordings are not used for identification, authentication, or surveillance purposes.

Retention

Voice recordings are retained for the same period as clinical data (7–10 years), as they form part of the clinical record. Recordings are securely destroyed at the end of the retention period in accordance with NIST SP 800-88.

Consent

Voice recording requires explicit, informed, separate consent prior to each recording. Consent is obtained per encounter and may be withdrawn at any time. Refusal to consent does not affect the patient's ability to receive care — providers may document encounters using manual methods instead.

Revocation

To revoke consent for voice recording or request deletion of previously collected voice recordings (subject to clinical record retention requirements), contact legal@rymeda.com.

13. Children's Privacy

The Rymeda Platform is not directed at children under the age of thirteen (13). In compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§6501–6506), we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete it promptly.

Minors (13–17): Individuals between the ages of 13 and 17 may use the Platform only with verifiable parental or legal guardian consent. When a minor patient receives care through the Platform, the guardian's authorization is required as described in our Patient Consent & Authorization Forms.

California Minor Exceptions: Under California law, certain minors may consent to their own healthcare without parental involvement, including: minors 12+ for mental health treatment (Cal. Fam. Code §6924), minors 12+ for substance abuse treatment (Cal. Fam. Code §6929), and minors 12+ for sexual assault-related care (Cal. Fam. Code §6927). In these cases, the minor's own consent is sufficient.

14. Cookies & Tracking Technologies

Rymeda uses a minimal cookie approach:

  • Authentication session cookies: Essential cookies required for user authentication and session management (AWS Cognito session tokens). These are strictly necessary and cannot be disabled while using the Platform.
  • Plausible Analytics: We use Plausible, a privacy-first analytics service that does not use cookies, does not collect personal data, and does not track users across sites. All analytics data is aggregated and anonymous.
  • No third-party tracking: We do not use Google Analytics, Facebook Pixel, or any other third-party tracking cookies or advertising trackers.

For complete details, see our Cookie Policy.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. For material changes, we will:

  • Post the updated Privacy Policy on this page with a new effective date
  • Provide at least thirty (30) days' advance notice via email to registered users
  • Where required by law (e.g., for changes affecting sensitive personal information or biometric data processing), obtain your consent before the changes take effect

Your continued use of the Services after the effective date of any modification constitutes acceptance of the updated Privacy Policy. If you do not agree with a material change, you must discontinue use of the Services before the effective date. The prior version of this Privacy Policy is available upon request.

16. Contact Us

For privacy questions, data subject requests, complaints, or to exercise any of the rights described in this Policy, contact us through the following channels:

Rymeda, Inc.
Attn: Legal Team
legal@rymeda.com

For HIPAA-specific complaints, you may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at www.hhs.gov/ocr. Filing a complaint will not affect your ability to use the Services. For GDPR-related complaints, you may contact your local data protection supervisory authority.