
MEDVROOM PRIVACY POLICY

Effective Date: June 26, 2026

At MedVroom (“MedVroom,” “we,” “us,” or “our”), we are committed to protecting your privacy while providing a seamless marketplace for connecting patients with independent healthcare providers. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile applications, and services (collectively, the “Platform”).

By using MedVroom, you consent to the practices described in this Policy. This Policy is incorporated into and subject to our Terms of Service (Patient) and Provider Agreement.

1. INFORMATION WE COLLECT

We collect the following categories of information:

Personal Information

  • Name, email address, phone number, date of birth, and mailing address
  • Account credentials and profile information

Health-Related Information

  • Appointment details (date, time, specialty, reason for visit – limited to short descriptions)
  • Provider interaction history
  • Limited intake information voluntarily provided

Technical and Usage Data

  • IP address, device information, browser type, operating system
  • Usage data, cookies, and similar tracking technologies (see our Cookie Policy)

Automatically Collected Data

  • Location data (ZIP code or city-level for provider matching)
  • Referral sources and interaction logs

We do not require or store detailed medical history, symptoms, clinical notes, or full medical records on our core platform.

2. HIPAA STATUS & ROLE CLARIFICATION

MedVroom is not a healthcare provider or covered entity. Depending on the services, we may act as a Business Associate under HIPAA when we create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of our healthcare provider customers (Covered Entities).

Where we act as a Business Associate:

  • We only process PHI as permitted by our signed Business Associate Agreement (BAA) with the Provider and in accordance with HIPAA, the HITECH Act, and applicable regulations (including 2026 updates).
  • We enter into BAAs with Providers as required.
  • We implement administrative, physical, and technical safeguards to protect PHI.

For more information, see our Business Associate Agreement.

3. HOW WE USE INFORMATION

We use the information we collect to:

  • Facilitate appointment booking and provider matching
  • Operate, maintain, and improve the Platform
  • Communicate with you (reminders, confirmations, support)
  • Process payments (via third-party processors)
  • Ensure safety, security, fraud prevention, and compliance with our Acceptable Use Policy
  • Moderate and enforce rules regarding user-generated content and reviews
  • Generate de-identified or aggregated analytics
  • Comply with legal obligations

We may review user content for compliance with our Acceptable Use Policy as part of platform moderation and safety efforts.

4. DATA SHARING & DISCLOSURE

All service providers and subcontractors are bound by our Data Processing Addendum (or equivalent contractual safeguards) and, where applicable, Business Associate Agreements.

We may share information with:

  • Healthcare Providers you book with
  • Service providers (hosting, analytics, messaging, payment processors like Stripe) under strict contracts
  • As required by law, court order, or government request

We do not sell your personal information or PHI. We do not share PHI except as permitted under our BAAs and HIPAA.

5. DE-IDENTIFIED AND AGGREGATED DATA

We may use and disclose de-identified or aggregated data (that cannot reasonably identify you) for analytics, research, product improvement, and industry insights. Such data is no longer subject to HIPAA or most state privacy laws.

6. DATA SECURITY

We implement industry-standard safeguards including:

  • Encryption in transit (TLS) and at rest (AES-256)
  • Role-based access controls and audit logging
  • Regular security assessments and monitoring
  • Breach response protocols

No system is 100% secure. In the event of a breach involving PHI or personal data, we will notify affected individuals and regulators as required by law.

7. DATA RETENTION

We retain information only as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. PHI is retained in accordance with our BAAs and applicable retention schedules.

8. YOUR PRIVACY RIGHTS

State Privacy Rights (including California, Washington, Virginia, Colorado, Connecticut, and others):

Depending on your state of residence, you may have rights to:

  • Access, correct, or delete your personal information
  • Opt out of certain processing or sharing
  • Limit use of sensitive/consumer health data
  • Receive a copy of your data in portable format

Washington My Health My Data Act & Consumer Health Data: We treat consumer health data with heightened protections and honor all applicable rights under this law and similar state laws.

To exercise your rights, contact us at privacy@medvroom.com. We will respond within the time required by law (typically 30–45 days).

9. COOKIES & TRACKING TECHNOLOGIES

We use cookies and similar technologies as described in our Cookie Policy. We comply with all applicable state cookie and tracking laws.

We do not currently respond to “Do Not Track” browser signals but honor opt-out and consent preferences where required.

10. CHILDREN’S PRIVACY

MedVroom is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it.

11. BREACH NOTIFICATION

In the event of a security incident or breach, we will:

  • Investigate promptly
  • Notify affected Providers and individuals as required by HIPAA and state law
  • Take appropriate remedial actions

12. CHANGES TO THIS PRIVACY POLICY

We may update this Policy from time to time. We will notify you of material changes by posting the new Policy with an updated effective date and, where required, by additional notice (email or in-app). Continued use after changes constitutes acceptance.

13. CONTACT US

For questions, requests, or concerns about this Privacy Policy or your data:

Email: support@medvroom.com