Privacy Policy

Last updated: February 2026

1. Introduction

Rymeda, Inc. ("Rymeda," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services. This policy applies in conjunction with our Terms of Service, Cookie Policy, and, where applicable, our Business Associate Agreement and Data Processing Agreement.

2. Information We Collect

Information you provide directly: name, email address, phone number, organization name, professional credentials, and billing information when you create an account, request a demo, or contact us.

Information collected automatically: IP address, browser type, device information, operating system, pages visited, timestamps, and referral source. We use Plausible Analytics, a privacy-first analytics provider that does not use cookies or collect personal data. See our Cookie Policy for details.

Protected Health Information (PHI): When our platform is used by healthcare providers (Covered Entities), we may process PHI as a Business Associate under HIPAA (42 USC §1320d et seq.; 45 CFR Parts 160 and 164). PHI processing is governed by the Business Associate Agreement.

Medical information: For California residents, medical information is additionally protected under the Confidentiality of Medical Information Act ("CMIA"), Cal. Civ. Code §56 et seq.

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve our platform and services.
  • Process transactions and send related information, including confirmations and invoices.
  • Communicate with you about updates, security alerts, and support messages.
  • Power AI-driven features, including clinical workflow automation and analytics (see Section 9 for AI disclosures).
  • Ensure platform security, detect fraud, and prevent abuse in accordance with our Acceptable Use Policy.
  • Comply with legal obligations, including HIPAA (45 CFR Part 164), CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), and other applicable laws.
  • Generate de-identified, aggregated analytics to improve our services (in compliance with 45 CFR §164.514).

4. Data Sharing and Disclosure

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We may disclose information in the following circumstances:

  • Service Providers / Subprocessors: We share data with third-party service providers who assist in operating our platform, subject to contractual protections. See our Subprocessor List and Data Processing Agreement.
  • Legal Requirements: We may disclose information as required by law, including in response to lawful requests by public authorities.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction.
  • With Consent: We may share information with your explicit consent.

5. Data Retention

We retain personal data according to the following schedule:

  • PHI and healthcare data: Minimum six (6) years from creation or last effective date, in accordance with 45 CFR §164.530(j) and the BAA.
  • General personal data: Up to three (3) years after last account activity, unless earlier deletion is requested.
  • Account data after deletion request: Deleted within thirty (30) days, except where retention is required by law.
  • Anonymized and aggregated data: May be retained indefinitely as it cannot identify individuals.

These retention periods are consistent with the Data Processing Agreement.

6. Data Security

We implement industry-leading security measures to protect your data, including AES-256 encryption at rest, TLS 1.3 for data in transit, role-based and attribute-based access controls, tenant data isolation, automated PHI redaction, and immutable audit trails. Healthcare data is handled in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). For complete details, see our Security page and the Service Level Agreement.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Right to access your personal information.
  • Right to correct inaccurate personal information.
  • Right to delete your personal information.
  • Right to data portability.
  • Right to opt out of marketing communications at any time.

To exercise these rights, contact privacy@rymeda.com. We will respond within the timeframes required by applicable law. California residents have additional rights described in Section 8. For PHI, rights are governed by HIPAA (45 CFR §164.524, §164.526) and the BAA.

8. California Privacy Rights (CCPA/CPRA)

California residents have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq.):

  • Right to Know (Cal. Civ. Code §1798.100): You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete (Cal. Civ. Code §1798.105): You may request deletion of your personal information, subject to legal retention requirements.
  • Right to Correct (Cal. Civ. Code §1798.106): You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing (Cal. Civ. Code §1798.120): We do not sell or share your personal information as defined under the CCPA/CPRA.
  • Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code §1798.121): You may request that we limit our use of sensitive personal information.
  • Right to Non-Discrimination (Cal. Civ. Code §1798.125): We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a request, contact privacy@rymeda.com. We will verify your identity and respond within forty-five (45) days. Note: PHI regulated under HIPAA is exempt from CCPA/CPRA (Cal. Civ. Code §1798.145(c)(1)(A)).

9. AI Disclosure (AB 3030)

In accordance with California AB 3030 (Cal. Health & Safety Code §1279.6), Rymeda discloses the following regarding AI-powered features on the platform:

  • Rymeda uses artificial intelligence and machine learning technologies to power clinical workflow automation, analytics, and decision-support features.
  • AI-generated outputs, including summaries, suggestions, and analytics, are intended to assist — not replace — licensed healthcare professionals in clinical decision-making.
  • All AI-generated content that could be used in a clinical context is clearly labeled as AI-generated.
  • Healthcare providers retain full responsibility for clinical decisions and must exercise independent professional judgment when using AI-assisted features.
  • Patients have the right to be informed when AI technology is used in their care and may request human review of any AI-assisted determination.

See also the AI-related provisions in our Acceptable Use Policy and Terms of Service.

10. CMIA Compliance (California Medical Information)

For California residents whose medical information is processed through the platform, Rymeda complies with the Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.):

  • Medical information is not disclosed without valid written authorization from the patient, except as permitted under Cal. Civ. Code §56.10.
  • Authorizations comply with the requirements of Cal. Civ. Code §56.11, including specificity of information, purpose, recipients, and expiration.
  • Patients may revoke authorization at any time (Cal. Civ. Code §56.16), and revocation applies prospectively.
  • In the event of a breach of medical information, we provide notification as required by Cal. Civ. Code §56.36.

11. Recording Consent (Cal. Penal Code §632)

California is a two-party consent state for recording confidential communications (Cal. Penal Code §632). Rymeda adheres to the following:

  • Rymeda does not record voice calls, video sessions, or other confidential communications without the explicit consent of all parties involved.
  • Where platform features involve recording or transcription capabilities, clear and conspicuous notice is provided to all participants before recording begins.
  • Consent to recording is obtained separately from other consents and may be revoked at any time.
  • Recorded communications are stored with the same security protections as other personal data, as described in Section 6.

12. Consent Framework (Three-Consent Model)

For healthcare data processed through the Rymeda platform in California, we implement a three-consent model to ensure comprehensive authorization:

  • HIPAA Authorization: Written authorization for uses and disclosures of PHI not otherwise permitted by the HIPAA Privacy Rule (45 CFR §164.508).
  • CMIA Consent: Authorization for disclosure of medical information as required by Cal. Civ. Code §56.11, including specific identification of the information, purpose, recipients, and expiration.
  • Platform Consent: Informed consent for platform-specific data processing, including AI-assisted features, analytics, and data sharing with subprocessors listed in our Subprocessor List.

Each consent is obtained independently and may be revoked independently without affecting the validity of the other consents. The Business Associate Agreement governs the relationship between Covered Entity and Rymeda for PHI processing.

13. Breach Notification

In the event of a data breach, Rymeda will notify affected individuals and authorities in accordance with applicable law:

  • HIPAA: Notification within sixty (60) days of discovery, per 45 CFR §164.404 and the BAA.
  • CCPA/SB 446: Notification without unreasonable delay, per Cal. Civ. Code §1798.82. Notification to the California Attorney General when more than 500 California residents are affected.
  • CMIA: Notification as required by Cal. Civ. Code §56.36 for breaches involving medical information.

See also the breach notification provisions in our BAA and DPA.

14. Children's Privacy

The Rymeda platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated revision date and, for material changes, by sending a notification to the email address associated with your account. Your continued use of the platform after changes constitutes acceptance of the updated policy.

16. Governing Law

This Privacy Policy is governed by the laws of the State of California, without regard to conflict of laws principles. Where PHI is involved, federal HIPAA regulations apply. The CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.) applies to all processing of personal data of California residents. The CMIA (Cal. Civ. Code §56 et seq.) applies to medical information of California residents.

17. Contact Us

For privacy questions, data subject requests, or concerns: