Mediphant Logo

Guardian

Back to Home

Privacy Policy

Mediphant Guardian Platform

Last Updated: October 20, 2025

Version: 1.0

Introduction

This Privacy Policy describes how Mediphant Corporation ("Mediphant," "we," "our," or "us") collects, uses, discloses, and protects information in connection with the Mediphant Guardian platform (the "Service" or "Platform").

Mediphant Guardian is a HIPAA-compliant healthcare technology platform designed for healthcare organizations to securely receive, manage, and organize patient health information shared by individuals using the Mediphant consumer application.

This Privacy Policy applies to:

  • Healthcare organizations that use Mediphant Guardian ("Organizations" or "Customers")
  • Authorized Users (healthcare providers, staff, and other personnel authorized by the Organization)
  • Connected Patients (individuals who grant Organizations access to their health data through Mediphant)

Our Commitment: We are committed to protecting the privacy and security of all information processed through the Platform in accordance with HIPAA, state privacy laws, and other applicable regulations.

1. Definitions

"Authorized User" means healthcare providers, administrative staff, and other personnel authorized by an Organization to access and use the Service.

"Connected Patient" means an individual who has granted an Organization access to their health data through the Mediphant consumer application.

"Organization" or "Customer" means a healthcare organization, medical practice, or healthcare provider entity that has entered into the Terms of Service and BAA with Mediphant.

"Protected Health Information" or "PHI" has the meaning set forth in 45 CFR § 160.103 and means individually identifiable health information transmitted or maintained in any form or medium by Mediphant as a Business Associate.

2. Information We Collect

2.1 From Organizations and Authorized Users

Account and Registration Information:

  • Organization name, address, and contact information
  • Tax identification number (EIN or SSN) and NPI numbers
  • Professional license information
  • Authorized User names, email addresses, job titles, and roles
  • Login credentials (email and encrypted passwords)
  • Payment information (credit card details processed by our payment processor)

Organization-Created Data:

  • Files that may be shared with patients
  • Notes, annotations, and tags related to patient care
  • Communication preferences and settings
  • Custom workflows and configurations
  • Messages and communications within the Platform

Usage and Activity Data:

  • Login times and session duration
  • Features accessed and actions taken
  • Clickstream data and navigation patterns
  • Search queries within the Platform
  • Audit logs of PHI access (required by HIPAA)

Device and Technical Information:

  • IP addresses (may be anonymized for analytics)
  • Browser type and version
  • Operating system
  • Device identifiers
  • Crash logs and error reports

2.2 Information About Connected Patients

Patient Health Information: When a Connected Patient grants an Organization access through Mediphant, we process:

  • Medical records, lab results, and diagnostic reports
  • Medications, allergies, and medical history
  • Visit summaries and clinical notes
  • Health data uploaded by the patient to their Mediphant account
  • Any other health information the patient has shared via Mediphant

Important: Patient Health Information is owned by the patient and shared with Organizations based on the patient's consent. This information constitutes PHI under HIPAA.

Connection and Consent Data:

  • Date and time the patient granted access
  • Date and time the Organization accepted the connection
  • Consent preferences and permissions
  • Connection status (active, revoked, expired)

2.3 De-identified and Aggregated Information

We may create de-identified or aggregated information from the data we collect, in accordance with HIPAA standards. This information cannot reasonably be used to identify any individual or Organization.

3. How We Use Information

3.1 Primary Uses

We use information collected through the Service to:

  • Enable Organizations to receive and access Patient Health Information shared by Connected Patients
  • Facilitate secure storage and organization of health data
  • Enable communication between Organizations and patients
  • Process billing and payments
  • Provide customer support
  • Authenticate users and verify credentials
  • Detect and prevent unauthorized access
  • Monitor for security threats and vulnerabilities
  • Maintain audit logs of PHI access as required by HIPAA
  • Comply with legal and regulatory requirements
  • Analyze usage patterns to improve features and functionality

3.2 Uses We DO NOT Engage In

We do not:

  • Sell Personal Information, PHI, or Organization Data to third parties
  • Use PHI to train general-purpose AI models
  • Use Patient Health Information for marketing purposes without proper authorization
  • Share PHI with third parties except as permitted by the BAA and HIPAA
  • Use data in any manner inconsistent with the purposes described in this Privacy Policy

4. How We Share Information

4.1 Sharing Patient Data with Organizations

Patient Health Information is shared with Organizations only when:

  • The Connected Patient has granted the Organization access through the Mediphant consumer app, AND
  • The Organization has accepted the connection

Patients control which Organizations can access their data and may revoke access at any time through the Mediphant consumer app.

4.2 Service Providers and Subcontractors

We engage third-party service providers to help us deliver the Service. These providers have access only to the minimum information necessary to perform their functions.

Current service providers include:

  • Amazon Web Services (AWS): Cloud infrastructure and hosting services (HIPAA-compliant)
  • Payment Processors: Credit card processing (PCI-DSS compliant)
  • Customer Support Tools: To provide support to Organizations
  • Analytics and Monitoring Tools: For service improvement and security monitoring

All service providers that may access PHI have executed Business Associate Agreements with Mediphant and are subject to HIPAA requirements.

4.3 Legal Compliance and Protection

We may disclose information, including PHI, when we believe in good faith that disclosure is necessary to:

  • Comply with a court order, subpoena, search warrant, or other legal process
  • Comply with legal or regulatory requirements
  • Protect the rights, property, or safety of Mediphant, our users, or others
  • Prevent or investigate potential fraud, security issues, or technical problems
  • Enforce our Terms of Service or other agreements

5. Data Security

Mediphant implements comprehensive administrative, physical, and technical safeguards designed to protect information against unauthorized access, use, disclosure, alteration, and destruction. Our security program complies with the HIPAA Security Rule and industry best practices.

Administrative Safeguards:

  • Security management process with regular risk assessments and risk management
  • Workforce security policies and training programs
  • Information access management with role-based access controls
  • Security awareness and training for all personnel
  • Security incident procedures and response protocols
  • Contingency planning including data backup and disaster recovery

Physical Safeguards:

  • HIPAA-compliant data centers with physical access controls
  • Facility security plans and procedures
  • Workstation security policies
  • Device and media control procedures

Technical Safeguards:

  • Encryption: AES-256 encryption for all data at rest; TLS 1.2+ for all data in transit
  • Access Controls: Unique user identification, automatic logoff, and emergency access procedures
  • Audit Controls: Comprehensive logging of system activity and PHI access
  • Integrity Controls: Mechanisms to ensure data is not improperly altered or destroyed
  • Authentication: Multi-factor authentication (MFA) for administrative access
  • Transmission Security: End-to-end encryption for all data transfers

6. Data Retention

6.1 Organization Data

We retain Organization Data for as long as the Organization maintains an active account with Mediphant. Upon termination:

User-Generated Content:

  • Organization-created data (notes, annotations, files, tags) will be available for export for 30 days after termination
  • After 30 days, user-generated content files will be permanently deleted from our systems
  • Organizations may submit a written request to compliance@mediphant.ai during the 30-day period to request their data

Account Records and Compliance Data:

  • Account records, user profiles, metadata, connection records, and compliance-related data are retained indefinitely in a deactivated state for:
    • HIPAA compliance and audit trail requirements
    • Legal and regulatory obligations
    • Dispute resolution and fraud prevention
    • Business continuity and record-keeping purposes
  • Deactivated accounts are marked as inactive and cannot access the Service
  • This data may be available upon written request to compliance@mediphant.ai, subject to verification and legal requirements

Backup Copies:

  • Backup copies may persist for up to 90 days but will not be accessible through the Service

6.2 Patient Health Information

Important: Patient Health Information is owned by patients, not by Organizations or Mediphant.

  • While a patient-organization connection is active, Organizations can access Patient Health Information through the Service
  • When a connection is terminated, the Organization immediately loses access to Patient Health Information
  • Mediphant may continue to retain Patient Health Information on behalf of the patient after the connection terminates
  • Upon termination of an Organization's account, Patient Health Information is NOT provided to the Organization as part of any data export

6.3 Audit Logs and Compliance Records

We retain audit logs, access records, and other compliance documentation for at least 6 years from the date of creation or as required by applicable law, whichever is longer. This is required by HIPAA and supports our security and compliance obligations.

7. Your Rights and Choices

7.1 Rights of Organizations and Authorized Users

  • Access and Correction: Organizations may access and update their account information, organization profile, and settings at any time
  • Account Termination: Organizations may terminate their account at any time in accordance with the Terms of Service
  • Communication Preferences: Organizations may opt out of non-essential communications
  • Export of Data: Organizations may request an export of their Organization Data (exports do not include Patient Health Information)

7.2 Rights of Connected Patients

Connected Patients' rights are primarily exercised through the Mediphant consumer application. As required by HIPAA, patients have the following rights:

  • Right of Access: Individuals have the right to access their PHI maintained by Mediphant
  • Right to Amend: Individuals have the right to request amendments to their PHI
  • Right to an Accounting of Disclosures: Individuals have the right to receive an accounting of certain disclosures of their PHI
  • Right to Restrict Disclosures: Patients can control which Organizations have access to their data by managing connections
  • Right to Notification of Breach: If a breach of unsecured PHI affects a patient, we will notify them in accordance with HIPAA
  • Right to Complain: Individuals who believe their privacy rights have been violated may file a complaint

8. Cookies and Tracking Technologies

Mediphant Guardian uses cookies and similar tracking technologies to provide and improve the Service.

Essential Cookies: Session management and authentication, security and fraud prevention, load balancing and performance

Analytics and Performance Cookies: Understanding how Authorized Users interact with the Service, identifying bugs and performance issues, improving features and user experience

We use PostHog for product analytics, which helps us understand usage patterns and improve the Service.

We do not:

  • Use advertising or marketing tracking cookies
  • Allow third-party advertisers to place cookies on the Service
  • Track users across unrelated websites

9. Children's Privacy

Mediphant Guardian is designed for use by healthcare organizations and their staff, not by children. We do not knowingly collect information from individuals under 18 years of age through the Guardian platform.

10. State-Specific Privacy Rights

10.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions
  • Right to Correct: You have the right to request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information as defined by the CCPA
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

10.2 Virginia, Colorado, Connecticut, and Utah Residents

If you are a resident of Virginia, Colorado, Connecticut, or Utah, you may have similar rights to access, correct, delete, and opt out of the sale of your personal information. Contact us at compliance@mediphant.ai to exercise these rights.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will update the "Last Updated" date at the top of this Privacy Policy.

If we make material changes that affect how we use or disclose PHI or that significantly affect your privacy rights, we will notify Organizations via email and through the Service at least 30 days before the changes take effect.

12. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact:

Privacy Officer
Mediphant Corporation
539 W Commerce St. #7718
Dallas, TX 75208
Email: compliance@mediphant.ai

For HIPAA complaints, you may also contact:

U.S. Department of Health and Human Services
Office for Civil Rights
Online: https://www.hhs.gov/ocr/complaints/index.html
Phone: 1-800-368-1019

We will not retaliate against anyone for filing a HIPAA complaint.