Effective Date: April 8, 2026
Medera, Inc. (“Medera,” “we,” “us,” or “our”) is committed to protecting the privacy, confidentiality, and security of all personal information and Protected Health Information (“PHI”) entrusted to us. This Privacy Policy (“Policy”) describes the categories of information we collect, the purposes for which we process it, the safeguards we maintain, and the rights you may exercise with respect to your data.
This Policy applies to all users of Medera’s AI-powered behavioral health platform, including healthcare providers, their authorized staff, covered entities, business associates, and patients whose information is processed through our Services. By accessing or using our Services, you acknowledge that you have read and understood this Policy.
This Policy applies to all data collected and processed through Medera’s platform, websites, APIs, mobile applications, and any related services (collectively, the “Services”). This includes:
Where Medera processes PHI on behalf of a Covered Entity, the terms of the applicable Business Associate Agreement (“BAA”) shall control to the extent of any conflict with this Policy.
To deliver AI-powered clinical insights, generate evidence-based treatment recommendations, facilitate behavioral health assessments, and support clinical decision-making workflows. PHI is processed solely for the purpose of providing the contracted Services as described in the applicable BAA.
To maintain, monitor, and improve the reliability, performance, and security of our platform. Where we use data for model training or algorithmic improvement, we use only de-identified datasets that meet the HIPAA Safe Harbor or Expert Determination de-identification standard under 45 CFR § 164.514.
To meet regulatory obligations under HIPAA, state privacy laws, and other applicable statutes; to conduct internal and third-party audits; to detect, prevent, and respond to fraud, abuse, security incidents, and threats to patient safety.
To respond to support requests, deliver service notifications, provide onboarding materials, and communicate material changes to our Services or policies. We do not use PHI for marketing purposes under any circumstances.
We process personal data and PHI under the following legal bases, as applicable:
Processing required to fulfill our obligations under the Master Service Agreement, BAA, or other contractual arrangements with your organization.
Processing required to comply with HIPAA, state breach notification laws, and other applicable regulations.
Processing for fraud prevention, platform security, service improvement, and operational analytics, balanced against individual privacy rights.
Where required, explicit and informed consent for specific processing activities such as voice recording, optional analytics, and marketing communications.
Medera maintains a comprehensive, enterprise-grade security program designed to protect the confidentiality, integrity, and availability of all data processed through our platform. Our security controls are independently validated through annual SOC 2 Type II audits and HITRUST CSF certification.
AES-256-GCM encryption for all data at rest, with hardware security module (HSM)-backed key management and automated 90-day key rotation.
TLS 1.3 enforced for all data in transit. Certificate pinning implemented for mobile clients. Forward secrecy enabled on all endpoints.
Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication (MFA) required for all users. Just-in-time access provisioning for administrative functions.
Zero-trust network architecture with micro-segmentation. Web application firewall (WAF), DDoS protection, and intrusion detection/prevention systems (IDS/IPS).
PHI is tokenized at the application layer prior to storage. Row-level security (RLS) enforces tenant isolation. De-identification pipelines meet HIPAA Safe Harbor standards.
Continuous automated vulnerability scanning. Annual third-party penetration testing. Responsible disclosure program. Mean time to remediate critical vulnerabilities: under 24 hours.
Medera operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Our HIPAA compliance program includes:
We execute HIPAA-compliant BAAs with all Covered Entities prior to receiving PHI. Our standard BAA addresses permissible uses and disclosures, safeguard obligations, breach notification requirements, subcontractor flow-down provisions, and data return or destruction obligations upon termination.
Medera applies the HIPAA minimum necessary standard to all uses, disclosures, and requests for PHI. Our platform is designed to limit PHI exposure to only the data elements required for the specific authorized purpose.
Medera undergoes an annual SOC 2 Type II examination conducted by an independent, AICPA-accredited auditing firm. Our SOC 2 report covers the following Trust Services Criteria:
Controls to protect against unauthorized access, both physical and logical. Includes access management, network security, vulnerability management, and incident response.
Controls to ensure the platform meets contractual uptime commitments. Includes redundancy, failover, disaster recovery, and capacity monitoring.
Controls to protect confidential information including PHI, trade secrets, and proprietary data through classification, encryption, and access restrictions.
Controls governing the collection, use, retention, disclosure, and disposal of personal information in accordance with commitments and regulatory requirements.
The SOC 2 Type II report covers a twelve-month audit period and evaluates the operational effectiveness of controls over time. Enterprise customers may request a copy of our most recent SOC 2 Type II report under NDA by contacting hi@medera.info.
Medera does not sell, rent, or trade your personal information or PHI under any circumstances. We may share information only in the following limited circumstances:
All subprocessors that access, store, or process PHI on our behalf are subject to rigorous due diligence and contractual controls:
A complete list of current subprocessors is available upon request.
In the event of a breach of unsecured PHI, Medera will comply with HIPAA breach notification requirements and all applicable state breach notification laws. Our breach notification commitments include:
Medera retains personal information and PHI only for as long as necessary to fulfill the purposes described in this Policy and to comply with legal and regulatory obligations.
PHI and personal data are retained for the duration of the active service agreement with the Covered Entity.
Upon contract termination, PHI is returned or securely destroyed within thirty (30) calendar days, per the BAA. A certificate of destruction is provided upon request.
Access audit logs and security event records are retained for a minimum of six (6) years to satisfy HIPAA requirements.
Data subject to a litigation hold, regulatory investigation, or legal preservation obligation will be retained until the hold is released.
Secure deletion is performed using NIST SP 800-88-compliant data sanitization procedures. For encrypted data, cryptographic erasure (destruction of encryption keys) is employed as an equivalent method.
All PHI and primary personal data are processed and stored within the United States. Medera does not transfer PHI outside the United States without the prior written consent of the applicable Covered Entity.
Depending on your jurisdiction and the nature of the data, you may have some or all of the following rights. To exercise any right, contact us at hi@medera.info. We respond to all verified requests within thirty (30) calendar days, or the shorter timeline required by applicable law.
Request a copy of the personal data or PHI we hold about you, including the categories collected, purposes of processing, and recipients.
Request amendment of inaccurate or incomplete personal data or PHI, subject to applicable clinical record-keeping requirements.
Request deletion of personal data, subject to legal retention obligations, litigation holds, and HIPAA record-keeping requirements.
Receive your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller.
Request that we restrict or limit the processing of your personal data under certain circumstances defined by applicable law.
Object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
Exercise any of these rights without discriminatory treatment in the quality, level, or pricing of services provided to you.
In addition to HIPAA, Medera complies with applicable state privacy and data protection laws, including:
California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. These include the right to know what personal information is collected and sold/shared, the right to delete, the right to opt-out of sales and sharing, and the right to limit the use of sensitive personal information. Medera does not sell personal information. To exercise CCPA/CPRA rights, contact us at hi@medera.info.
We also comply with privacy laws enacted in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy legislation. Where state law provides rights in addition to those described above, we honor those rights for residents of the applicable state.
Medera maintains a comprehensive mapping of state-specific breach notification requirements and will comply with the notification timelines and content requirements of each applicable jurisdiction in addition to federal requirements.
Where the European Union General Data Protection Regulation (“GDPR”) or UK GDPR applies to our processing activities, Medera acts as a Data Processor on behalf of the Data Controller (typically the healthcare organization). Our GDPR commitments include:
Medera’s platform employs artificial intelligence and machine learning technologies to provide clinical decision support. Transparency regarding our AI practices is integral to our commitment to ethical, trustworthy healthcare technology.
AI models are trained exclusively on de-identified datasets that meet HIPAA Safe Harbor or Expert Determination standards. No identifiable PHI is used in model training, fine-tuning, or evaluation. Training data undergoes bias assessment and fairness auditing.
Medera’s AI generates clinical recommendations as decision-support tools only. No automated decisions with legal or similarly significant effects are made without human clinician review and approval. Healthcare providers retain full authority over all clinical decisions.
Our AI outputs include confidence scores and supporting evidence references. Model performance is monitored continuously for accuracy, bias, and drift. Board-certified clinicians review model outputs as part of our Clinical Oversight Program. Model cards and algorithmic impact assessments are maintained and available to enterprise customers upon request.
Medera’s Services are designed for use by licensed healthcare providers and authorized clinical staff. We do not knowingly collect personal information directly from children under the age of 13 (or the applicable age of consent in the relevant jurisdiction). Where PHI of minors is processed through our platform, it is collected and managed by the treating healthcare provider in accordance with applicable law, including parental consent requirements. If we become aware that we have inadvertently collected personal information from a child without appropriate authorization, we will promptly delete that information.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. Material changes will be communicated to Covered Entities and registered users via email notice at least thirty (30) calendar days prior to the effective date. Non-material changes may be posted directly on this page. The “Effective Date” at the top of this Policy indicates when it was last revised. Continued use of the Services after the effective date of a revised Policy constitutes acceptance of the updated terms.
If you have questions, concerns, or requests related to this Privacy Policy or our data protection practices, please contact us:
Email: hi@medera.info
Our Data Protection Officer and Privacy Team are available to address any questions about how we protect your information.