Privacy Policy
Effective: March 23, 2026
Our Core Principle
Patient data stays where it belongs: on your infrastructure. MedAgent is designed from the ground up for healthcare data privacy. In the Self-Hosted and Enterprise deployments the software runs entirely on servers you control, so we never see, store, or process your patient data. For Cloud SaaS customers, clinical data is held encrypted in a dedicated tenant, as described under Data Collection by Deployment Type below.
Data Collection by Deployment Type
| Data Type | Self-Hosted (Free) | Cloud SaaS ($49) | Enterprise ($500) |
| --- | --- | --- | --- |
| Patient data (PHI) | Your servers only | Your cloud tenant (encrypted) | Your servers only |
| Account info | None | Email, name, org | Email, name, org |
| Usage analytics | None | Anonymous metrics | None (optional) |
| AI model data | Local Ollama | Dedicated Ollama | Local Ollama |
| Payment info | None | Via Stripe (PCI-DSS) | Invoice |
Self-Hosted Users
We collect zero data from self-hosted installations. The software runs entirely on your infrastructure. We have no telemetry, no phone-home, no usage tracking. Your patient data never touches our servers.
Cloud SaaS Users
For Cloud SaaS customers, we collect:
- Account data: Email, organization name, billing info (processed by Stripe)
- Clinical data: Stored AES-256 encrypted in your dedicated tenant. Database row-level security policies restrict every query to your organization's rows, so one organization's data is never visible to another.
- Usage metrics: Anonymous aggregate metrics (query count, document count) for service improvement. No PHI in metrics.
Data Security
- Encryption at rest: AES-256 for all stored data
- Encryption in transit: TLS 1.3 for all connections
- Column-level encryption for direct-identifier PHI fields (patient name, date of birth), in addition to encryption at rest
- Tamper-evident audit logs: each entry carries the SHA-256 hash of the previous entry, so modifying or removing an earlier entry breaks the chain and is detected on verification
- Role-based access control with department-level scoping
- No PHI in application logs
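The following is an added illustration of how a SHA-256 hash-chained audit log detects tampering; it is example code written for this page, not MedAgent's implementation. The record layout, the `GENESIS` sentinel, the function names and the sample events are all assumptions made for the illustration. It also shows the one thing a bare chain does not catch (silently dropping the newest entries) and the out-of-band head-hash check that closes that gap.

```python
"""Tamper-evident audit log as a SHA-256 hash chain.

Added example for this page; it is not MedAgent's own code. The record layout,
the GENESIS sentinel and the function names are assumptions made for the
illustration. Records carry opaque references rather than PHI, in keeping with
the page's "No PHI in application logs" rule.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def canonical(record: Dict) -> bytes:
    """Deterministic JSON serialisation so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, record: Dict) -> str:
    """hash = SHA-256(previous entry's hash || canonical record)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(record))
    return h.hexdigest()


def append(log: List[Dict], record: Dict) -> Dict:
    """Append a record, linking it to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev_hash": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify(log: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS.

    Returns (True, None) if every link is intact, otherwise (False, index of the
    first entry that fails). If expected_head is given (a head hash published or
    signed out of band), a log whose newest entries were silently dropped is
    reported as failing at index len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log() -> List[Dict]:
    """Constructed sample events (not real data); patient_ref is an opaque ID, not PHI."""
    log: List[Dict] = []
    append(log, {"ts": "2026-03-23T10:00:00Z", "actor": "clinician-17", "action": "read", "patient_ref": "p-1001"})
    append(log, {"ts": "2026-03-23T10:05:00Z", "actor": "clinician-17", "action": "update", "patient_ref": "p-1001"})
    append(log, {"ts": "2026-03-23T10:07:00Z", "actor": "clinician-42", "action": "read", "patient_ref": "p-2002"})
    return log


def tamper_demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Show what the chain does and does not detect."""
    log = build_sample_log()
    head = log[-1]["hash"]  # in production, anchor this value outside the log store

    modified = copy.deepcopy(log)
    modified[1]["record"]["actor"] = "clinician-99"  # edit without re-hashing

    deleted = copy.deepcopy(log)
    del deleted[1]  # remove a middle entry

    truncated = log[:-1]  # drop the newest entry

    return {
        "intact": verify(log),
        "modified": verify(modified),
        "deleted": verify(deleted),
        "truncated_chain_only": verify(truncated),  # not detected by the chain alone
        "truncated_vs_head": verify(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:22s} {result}")
```

Two caveats a reviewer would raise against any hash-chain log: an attacker who can rewrite the whole log store can simply recompute every hash, and dropping entries from the tail leaves a chain that still verifies. Both are addressed the same way, by periodically signing or exporting the current head hash to storage the application cannot modify (write-once bucket, HSM-signed checkpoint, or a separate log collector) and verifying against it, which is what the `expected_head` check above models.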
AI & LLM Privacy
- All LLM processing runs on Ollama (local or dedicated instance)
- No patient data sent to external AI providers (OpenAI, Google, etc.)
- No customer data used for model training or fine-tuning
- Embeddings stored in your database, not shared across tenants
Data Retention
- Clinical data: Retained until you delete it or close your account
- Audit logs: Retained per the tenant's compliance configuration (HIPAA: 6 years; GDPR: varies by purpose and member state)
- Account data: Deleted within 30 days of account closure
- Backups: Encrypted and retained for 90 days for disaster recovery; data you delete may remain in those backups until they expire
Your Rights
Depending on your jurisdiction, you have the right to:
- Access and export all your data at any time
- Request deletion of your data (Right to Erasure / GDPR Article 17)
- Data portability in standard formats
- Withdraw consent for optional data processing
Third-Party Services
| Service | Purpose | Data Shared |
| --- | --- | --- |
| Stripe | Payment processing | Billing info only (PCI-DSS compliant) |
| Cloudflare | CDN & DDoS protection | IP address, request metadata |
We do not sell, share, or transfer patient data to any third party.
Compliance
MedAgent supports region-aware compliance for HIPAA (US), GDPR (EU), APPI (Japan), PIPA (Korea), and Vietnamese data protection laws. Compliance is configurable per tenant.
Changes
We will notify you of material changes via email at least 30 days in advance.
Contact
Data Protection Officer: privacy@medagent.dev