This Privacy Policy explains how UploMD, Inc. ("UploMD," "we," "us")
collects, uses, shares, and protects information when you use the UploMD applications,
websites, and services (the "Service"). UploMD is a patient-controlled platform: you
decide what records to store and who can see them. Please read this alongside our
Terms of Use.
Your records are yours. We do not sell your personal or health
information, and we do not use it for advertising. We use it to operate the Service
for you and to carry out the actions you ask us to take (like requesting records or
sharing them with people you choose).
1. Information We Collect
Account information — name, date of birth, email, phone, password, and profile photo.
Health information — the medical records, documents, images, and imaging studies (including DICOM) that you upload or that we obtain from facilities at your request; and the summary health profile associated with your account.
Records-request details — the facilities you add, the authorizations/releases you sign, and the status of requests we send on your behalf.
Payment information — handled by our payment processor (Stripe). We do not store full card numbers; we receive limited billing details and subscription status.
Usage and device information — app/device type, log data, and basic analytics needed to operate and secure the Service.
Communications — messages you send us and notifications we send you.
2. How We Collect It
We collect information you provide directly, information we obtain from healthcare
facilities and providers at your direction and with your authorization, and
information generated automatically as you use the Service.
3. How We Use Information
To provide, maintain, and improve the Service;
To request, receive, organize, and display your medical records;
To generate AI-assisted summaries and answer your questions about your records;
To enable sharing with people you authorize and to record who accessed your chart;
To process subscriptions and payments;
To communicate with you (service notices, request status, security alerts); and
To protect the Service, prevent fraud, and comply with law.
4. AI Processing
To power features like document summarization, the summary profile, and "Ask my
Records," we send relevant record content to AI service providers acting as our
processors under contract. These providers process the content to return results to you
and are not permitted to use your content to train their models or for their own
purposes. AI output may be inaccurate; see our Terms.
5. How We Share Information
We share information only as needed to run the Service or as you direct:
People you authorize — members of your inner circle, recipients of a share link, and (if you opt in) verified emergency responders. You control these and can revoke access.
Facilities you ask us to contact — to request your records, we transmit your authorization and request details to the facility by fax, email, or secure link.
Service providers (subprocessors) — vendors that host and operate the Service under contracts that require them to protect your information. These may include cloud hosting and medical-imaging storage (Google Cloud / Firebase), AI providers, fax and telephony providers, email delivery, and payment processing (Stripe).
Legal and safety — when required by law or to protect rights, safety, and the integrity of the Service.
Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.
We do not sell your information and do not share it for cross-context
behavioral advertising.
6. How We Protect Information
We use technical and organizational safeguards including encryption in transit and at
rest, access controls, and audit logging of chart access. No system is perfectly secure,
and we cannot guarantee absolute security, but we work to protect your information and
to notify you of incidents as required by law.
7. Data Retention and Deletion
We keep your information for as long as your account is active or as needed to provide
the Service and meet legal obligations. You can delete individual records or your entire
account. When you delete records, we remove them from your active account and from the
AI summary contributions derived from them; some information may persist in backups or
logs for a limited period, and we may retain limited records as required by law.
8. Your Rights and Choices
You can access, export, correct, and delete your information through the Service or by
contacting us. Depending on where you live, you may have additional rights:
California (CCPA/CPRA and the Confidentiality of Medical Information Act): rights to know, access, correct, delete, and limit certain uses of your information, and the right not to be discriminated against for exercising them. We do not sell or share personal information as those terms are defined under California law.
You may use an authorized agent to exercise rights on your behalf, subject to verification.
To exercise any right, contact support@uplomd.com.
We will verify your identity before acting on a request.
9. About Health Information and HIPAA
UploMD operates as a consumer, patient-directed personal health record. We obtain and
disclose your health information based on your instructions and the authorizations you
sign. UploMD is generally not your healthcare provider or health plan. Records held by
your providers remain subject to those providers' own obligations (including HIPAA).
10. Children's Privacy
The Service is intended for adults (18+) and is not directed to children. We do not
knowingly collect information from children under 13. If you believe a child has provided
us information, contact us and we will delete it.
11. Data Location
We operate in the United States, and your information is processed and stored there.
12. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will
notify you through the Service or by email and update the effective date above.
13. Contact Us
For privacy questions or to exercise your rights, contact
support@uplomd.com
.