Medfuel AI

Privacy Policy

Last updated: March 1, 2026

1. Introduction

Medfuel AI ("we," "us," or "our") operates the website medfuelai.com and provides AI-powered revenue cycle management services to healthcare organizations. We are committed to protecting the privacy and security of your personal information and any protected health information (PHI) entrusted to us.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our platform, or interact with our services. We maintain strict compliance with the Health Insurance Portability and Accountability Act (HIPAA) and all applicable federal and state privacy laws.

By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use our services.

2. Information We Collect

Information You Provide Directly

We collect information that you voluntarily provide to us when you interact with our website or services, including:

  • Contact information: Name, email address, phone number, and mailing address
  • Professional information: Organization name, job title, department, and role
  • Account information: Credentials you create to access our platform
  • Communication data: Information you provide when you contact us through forms, email, phone, or chat, including the content of your messages and any attachments
  • Feedback and survey responses: Information you provide in response to surveys, questionnaires, or feedback requests

Protected Health Information (PHI)

In the course of providing our revenue cycle management services, we may process protected health information on behalf of our healthcare clients. This PHI is handled strictly in accordance with HIPAA regulations and the terms of our Business Associate Agreements (BAAs). PHI may include patient demographic data, insurance information, diagnosis and procedure codes, billing records, and claims data. We process PHI solely as directed by our covered entity clients and in compliance with applicable law.

Usage Data

We automatically collect certain information when you visit, use, or navigate our website, including:

  • Log data: IP address, browser type and version, operating system, referring URLs, pages visited, date and time of access, and time spent on pages
  • Interaction data: Actions taken on our website, features used, links clicked, and search queries
  • Cookie data: Information collected through cookies, pixels, and similar tracking technologies (see Section 7 for details)

Device Information

We collect information about the device you use to access our website, including:

  • Device type, model, and manufacturer
  • Operating system and version
  • Screen resolution and display settings
  • Unique device identifiers
  • Network connection type and internet service provider

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and maintain our services: To deliver our AI-powered revenue cycle management platform, process your requests, and manage your account
  • Process revenue cycle data: To perform revenue cycle management services on behalf of our healthcare clients in accordance with executed Business Associate Agreements
  • Improve and optimize our services: To analyze usage patterns, diagnose technical issues, and develop new features and functionality
  • Communicate with you: To respond to your inquiries, send service-related notices, provide product updates, and share relevant information about our offerings
  • Analytics and research: To conduct data analysis, benchmarking, and research to improve our platform's performance and accuracy
  • Security and fraud prevention: To detect, investigate, and prevent unauthorized access, security incidents, and fraudulent activity
  • Legal compliance: To comply with applicable laws, regulations, legal processes, and governmental requests
  • Marketing (with consent): To send promotional communications about our products and services, which you can opt out of at any time

4. HIPAA Compliance

Medfuel AI operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) when processing protected health information on behalf of covered entity clients. We take our obligations under HIPAA seriously and have implemented comprehensive measures to ensure full compliance.

Business Associate Agreements

We enter into Business Associate Agreements (BAAs) with all covered entity clients before accessing or processing any PHI. These agreements define the permitted uses and disclosures of PHI, our obligations to safeguard information, and the responsibilities of each party under HIPAA.

Administrative Safeguards

  • Designated privacy and security officers responsible for HIPAA compliance
  • Comprehensive workforce training on HIPAA requirements and data handling procedures
  • Documented policies and procedures for all aspects of PHI management
  • Regular risk assessments to identify and address potential vulnerabilities
  • Workforce sanctions for policy violations

Physical Safeguards

  • Secure, access-controlled facilities for all infrastructure hosting PHI
  • Visitor access controls and monitoring at data center facilities
  • Secure workstation policies and device management protocols
  • Proper disposal procedures for hardware and media containing PHI

Technical Safeguards

  • End-to-end encryption of PHI in transit (TLS 1.3) and at rest (AES-256)
  • Unique user identification and multi-factor authentication
  • Role-based access controls enforcing the minimum necessary standard
  • Comprehensive audit logging of all PHI access and modifications
  • Automatic session management and timeout controls
  • Integrity controls to protect PHI from improper alteration or destruction

Breach Notification

In the event of a breach of unsecured PHI, Medfuel AI will notify affected covered entity clients without unreasonable delay and no later than 60 days following discovery, as required by the HIPAA Breach Notification Rule. We will cooperate fully with covered entities in investigating the breach, mitigating harm, and fulfilling notification obligations to affected individuals and the Department of Health and Human Services.

5. Data Security

We implement industry-leading security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security program includes:

  • SOC 2 Type II certification: Our security controls are independently audited and certified to meet the rigorous SOC 2 Type II standards for security, availability, processing integrity, confidentiality, and privacy
  • Encryption at rest: All stored data is encrypted using AES-256 encryption, the same standard used by government agencies and financial institutions
  • Encryption in transit: All data transmitted between your systems and ours is protected with TLS 1.3, the latest and most secure transport layer protocol
  • Role-based access controls (RBAC): Strict access controls ensure that personnel can only access the data necessary for their specific job functions
  • Regular security audits: We conduct periodic internal and third-party security assessments, vulnerability scans, and penetration testing to identify and remediate potential risks
  • US-based infrastructure: All data is processed and stored within secure, SOC 2-compliant data centers located in the United States
  • Intrusion detection and prevention: Continuous monitoring systems detect and respond to potential security threats in real time
  • Incident response plan: A documented and regularly tested incident response plan ensures rapid containment and remediation of any security events

While we strive to use commercially acceptable means to protect your information, no method of electronic transmission or storage is 100% secure. We continuously evaluate and improve our security measures to address emerging threats.

6. Data Sharing and Disclosure

We do not sell your personal information. We do not sell, rent, or trade your personal data or PHI to third parties for their marketing or any other purposes.

We may share your information only in the following limited circumstances:

  • Service providers: We engage trusted third-party vendors who assist us in operating our platform and delivering our services (such as cloud infrastructure providers, analytics services, and customer support tools). These vendors are bound by contractual obligations to protect your data, use it only for the purposes we specify, and comply with applicable privacy and security requirements. Where PHI is involved, we execute appropriate Business Associate Agreements or sub-business associate agreements with these providers.
  • Legal requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to comply with a subpoena, court order, or other legal obligation. We will notify you of such disclosures to the extent permitted by law.
  • With your consent: We may share your information with third parties when you have given us explicit consent to do so.
  • Business transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal information.
  • Protection of rights: We may disclose information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our Terms of Service.

A current list of our sub-processors is available upon request. Please contact us at info@medfuel.com for details.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website. Cookies are small data files placed on your device that help us understand how you use our site and improve our services.

Essential Cookies

These cookies are strictly necessary for the operation of our website. They enable core functionality such as navigation, session management, security features, and accessibility preferences. You cannot opt out of essential cookies as they are required for the site to function properly.

Analytics Cookies

We use analytics cookies to understand how visitors interact with our website, including which pages are visited most frequently, how visitors navigate the site, and where errors occur. This data helps us improve our website's performance and user experience. Analytics data is collected in aggregate and does not personally identify individual visitors. You may opt out of analytics cookies through your browser settings or through the cookie preference controls on our website.

No Third-Party Advertising Cookies

We do not use third-party advertising cookies on our website. We do not allow advertising networks to place cookies on our site, and we do not engage in behavioral advertising or cross-site tracking for advertising purposes.

Managing Cookie Preferences

Most web browsers allow you to manage cookie preferences through their settings. You can configure your browser to refuse all cookies, accept only certain cookies, or notify you when a cookie is being set. Please note that disabling essential cookies may impact the functionality of our website.

8. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

  • Right to access: You may request a copy of the personal information we hold about you, including the categories of data collected, the sources of that data, and the purposes for which it is used.
  • Right to correction: You may request that we correct any inaccurate or incomplete personal information we maintain about you.
  • Right to deletion: You may request that we delete your personal information, subject to certain exceptions required by law or legitimate business purposes.
  • Right to opt out of marketing: You may opt out of receiving promotional communications from us at any time by clicking the "unsubscribe" link in any marketing email or by contacting us directly. Please note that you may continue to receive transactional and service-related communications.
  • Right to data portability: You may request that we provide your personal information in a structured, commonly used, and machine-readable format so that it can be transferred to another service provider.
  • Right to restrict processing: You may request that we limit the processing of your personal information under certain circumstances.

California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information, including:

  • The right to know what personal information we collect, use, disclose, and sell
  • The right to delete personal information we have collected from you
  • The right to opt out of the sale or sharing of your personal information (note: we do not sell personal information)
  • The right to non-discrimination for exercising your privacy rights
  • The right to correct inaccurate personal information
  • The right to limit the use and disclosure of sensitive personal information

To exercise any of these rights, please contact us at info@medfuel.com. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before processing your request.

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. The retention period for your data depends on the type of information and the context in which it was collected:

  • Account information: Retained for the duration of your active relationship with us, plus a reasonable period thereafter to address any outstanding issues
  • PHI: Retained in accordance with the terms of our Business Associate Agreements and applicable HIPAA retention requirements (minimum six years for HIPAA-related documentation)
  • Usage data: Generally retained for up to 24 months for analytics purposes
  • Marketing preferences: Retained until you update your preferences or request deletion
  • Legal records: Retained as required by applicable laws and regulations

When your data is no longer required, we securely delete or anonymize it using industry-standard methods to prevent unauthorized recovery. Secure deletion procedures include cryptographic erasure, overwriting, and physical destruction of media where appropriate.

10. Children's Privacy

Our website and services are not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take immediate steps to delete that information from our records. If you believe we may have collected information from a child under 13, please contact us immediately at info@medfuel.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will notify you by posting the updated policy on this page with a revised "Last updated" date. For significant changes that materially affect your rights or our handling of your information, we will provide additional notice through email or a prominent notice on our website prior to the changes taking effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Your continued use of our website and services after any changes to this policy constitutes your acceptance of the updated terms.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: info@medfuel.com
  • Website: medfuelai.com

We take all privacy inquiries seriously and will respond to your request as promptly as possible, and in all cases within the timeframes required by applicable law.

Medfuel AI

Intelligent revenue cycle automation built for modern healthcare organizations.

info@medfuel.com (801) 683-5155

© 2026 Medfuel AI. All rights reserved.