Consumer Health Data Privacy Policy
MD Aid, Inc. · Effective date: June 10, 2026 · Version 1.1
This policy explains how MD Aid handles consumer health data when you use the MD Aid assistant as an independent, general health-education tool — that is, in Privacy-First mode, where MD Aid operates independently and is not a hospital's or clinic's HIPAA business associate. It is separate from our general Privacy Policy and is provided under the Washington My Health My Data Act (RCW 19.373) and comparable laws.
When this policy does not apply: if you are a patient of a clinic using MD Aid in Standard mode, what you share is Protected Health Information governed by HIPAA, that clinic's Notice of Privacy Practices, and our Business Associate Agreement — not this policy. Health information already regulated by HIPAA is exempt from the My Health My Data Act.
1. Consumer health data we collect, and why
- Questions and messages you send — to generate a relevant, educational answer.
- Information derived from your messages (a short, general summary) — only to serve your request.
- Contact details, only if you provide them (name, email, or phone) — to pass a follow-up request to the clinic you choose, at your direction.
- Limited technical data (a temporary in-browser session id and IP address) — to operate and secure the service. On the patient assistant we do not set advertising or cross-session tracking cookies, and we do not use product-analytics services.
We collect only what is reasonably necessary to provide the assistant you asked to use.
2. Sources
We collect consumer health data directly from you. We do not buy it or obtain it from data brokers.
3. How we use it
To provide the assistant and answer your questions; to review answer quality in de-identified form; to secure the service, prevent abuse, and comply with law; and to pass along a follow-up request only if you ask us to. We do not use your consumer health data to train any AI model, and we do not use it for advertising.
4. How we share it — and how we don't
We share consumer health data only with service providers (processors) under contracts requiring them to protect it and use it only for us:
- Amazon Web Services (incl. AWS Bedrock) — hosting, storage, database, key management, AI inference, email, within the United States.
- Deepgram — speech-to-text, only where audio is used.
- Sentry — error monitoring, with personal data filtered out.
We do not use product-analytics services on the patient assistant. We do not sell your consumer health data and do not share it for targeted or cross-context behavioral advertising. We will not share it for any other purpose without your separate authorization.
5. We collect with your consent
Before you use the assistant, we ask for your consent to collect and process your questions so we can answer them. Consent is voluntary, specific to this purpose, not bundled with other terms, and never inferred from inaction. You may decline (we then cannot provide the assistant) and may withdraw consent at any time (Section 7).
6. Retention and security
We keep consumer health data only as long as needed, then delete or de-identify it. On the patient assistant, full chat transcripts are deleted about a day after a conversation ends (with a short outer limit while summary processing completes); after that, only summaries with identifying details removed and aggregate statistics are retained. If you have an account, those summaries remain visible in your conversation history. We protect it with encryption in transit and at rest — including application-layer KMS envelope encryption of your messages and other sensitive fields — access controls and least privilege, tenant isolation, audit logging, and U.S.-only storage and processing.
7. Your rights
Subject to law, you may access your consumer health data and the list of third parties we shared it with, delete it, withdraw consent, and appeal a refusal. To exercise these, contact privacy@md-aid.com. We respond within the timeframes required by law (under the My Health My Data Act, within 45 days, extendable once by 45 days with notice) and will not discriminate against you for exercising them. If we deny a request, you may appeal by replying to our response; if the appeal is denied, you may contact the Washington State Attorney General.
8. No geofencing
We do not use a geofence around any health-care facility to identify, track, or message consumers, or to collect consumer health data.
9. Other states
This policy is written to meet the Washington My Health My Data Act and to address comparable protections in other states, including Nevada (SB 370), Connecticut, California (CMIA and the CCPA/CPRA treatment of sensitive personal information), and Texas (the Texas Data Privacy and Security Act's consent requirements for sensitive health data, and the Texas Medical Records Privacy Act). Where a state grants broader rights, those rights apply.
10. Contact
MD Aid, Inc. · privacy requests: privacy@md-aid.com · legal notices: legal@md-aid.com. Email is our official contact method. We will post any material change here with an updated version and, where required, obtain fresh consent.