Privacy Policy
Last updated: February 24, 2026 · Version 2.0
1. Introduction
NowMedical, Inc. (“NowMedical,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our healthcare platform, including our website, mobile applications, telehealth services, AI-powered health tools, and related services (collectively, the “Platform”).
This policy is designed to satisfy the requirements of multiple international data protection frameworks, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK-GDPR), Brazil's Lei Geral de Proteção de Dados (LGPD), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's Personal Health Information Protection Act (PHIPA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Washington's My Health My Data Act (MHMDA), Nevada's Consumer Health Data Privacy Law, China's Personal Information Protection Law (PIPL), India's Digital Personal Data Protection Act 2023 (DPDP Act), South Africa's Protection of Personal Information Act (POPIA), Singapore's and Thailand's Personal Data Protection Acts (PDPA), Saudi Arabia's Personal Data Protection Law and Law of Practicing Healthcare Professions, and Australia's Privacy Act and Australian Privacy Principles (APP).
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.
2. Data Controller
NowMedical, Inc. is the data controller responsible for your personal data. For purposes of GDPR and UK-GDPR, our EU representative and Data Protection Officer (DPO) can be contacted as follows:
NowMedical, Inc.
Attn: Data Protection Officer
Email: dpo@nowmedical.com
Privacy Office Email: privacy@nowmedical.com
Phone: 1-800-NOW-MED1
For EU/EEA inquiries, you may also contact our EU representative at: eu-representative@nowmedical.com
3. Information We Collect
We collect the following categories of information depending on how you interact with our Platform:
a) Account Information
- Full name, email address, phone number, and date of birth
- Mailing and billing addresses
- Profile photo (optional)
- Login credentials (passwords are hashed and never stored in plain text)
- Identity verification documents (for provider accounts)
b) Health Information (Protected Health Information / PHI)
- Medical history, current conditions, allergies, and medications
- Symptoms reported through our platform or AI symptom checker
- Prescriptions, lab results, and diagnostic reports
- Clinical notes and appointment records
- Telehealth visit recordings (when consent is provided)
- Mental health assessments and treatment plans
c) Financial Information
- Insurance provider, plan type, and member ID
- Payment method details (last 4 digits of card; full card numbers are processed by Stripe and never stored on our servers)
- Billing history and transaction records
- Insurance claims and Explanation of Benefits (EOB) data
d) Usage Data
- Pages visited, features used, and actions taken on the Platform
- Device type, operating system, browser type, and screen resolution
- IP address and approximate geographic location
- Referring URLs and search queries
- Session duration and click patterns
e) Communication Data
- Secure messages exchanged between patients and providers
- Appointment notes and follow-up instructions
- Customer support correspondence
- Feedback, reviews, and survey responses
f) AI Interaction Data
- Symptom checker conversations and inputs
- Health chatbot interaction history
- AI-generated health summaries and triage recommendations
- Feedback provided on AI-generated content (thumbs up/down, corrections)
4. How We Use Your Information
We use your information for the following purposes, with the corresponding legal basis under GDPR Article 6:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Provide healthcare services, including appointment booking, telehealth visits, and secure messaging | Performance of a contract (Art. 6(1)(b)) |
| Process appointments, payments, insurance claims, and refunds | Performance of a contract (Art. 6(1)(b)) |
| Operate AI-powered health tools (symptom checker, chatbot, clinical documentation) | Explicit consent (Art. 6(1)(a) / Art. 9(2)(a)) |
| Improve our services, conduct analytics, and develop new features | Legitimate interest (Art. 6(1)(f)) |
| Send appointment reminders, health notifications, and service updates | Consent (Art. 6(1)(a)) / Contract (Art. 6(1)(b)) |
| Comply with healthcare regulations, tax laws, and legal obligations | Legal obligation (Art. 6(1)(c)) |
| Protect the safety of patients in emergencies or imminent danger | Vital interest (Art. 6(1)(d)) |
| Prevent fraud, enforce terms, and maintain Platform security | Legitimate interest (Art. 6(1)(f)) |
5. Legal Bases for Processing (GDPR-Specific)
Under the GDPR and UK-GDPR, we must have a valid legal basis for processing your personal data. The legal bases we rely upon include:
- Consent (Art. 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose. For special categories of data (including health data), we rely on explicit consent under Art. 9(2)(a) or the provision of healthcare under Art. 9(2)(h). You may withdraw consent at any time.
- Contract (Art. 6(1)(b)): Processing necessary for the performance of a contract with you, such as providing healthcare marketplace services, processing appointments, and handling payments.
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with a legal obligation, such as HIPAA record retention requirements, tax reporting, and responding to lawful government requests.
- Vital Interests (Art. 6(1)(d)): Processing necessary to protect the vital interests of the data subject or another natural person, such as in medical emergencies.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, provided they are not overridden by your rights. This includes improving our services, preventing fraud, and ensuring Platform security. We conduct legitimate interest assessments (LIAs) and document them for each processing activity relying on this basis.
6. Data Sharing
We do not sell your personal information or Protected Health Information. We may share your data with the following categories of recipients and only for the purposes described:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Healthcare Providers | Treatment, diagnosis, care coordination, and referrals you have authorized | HIPAA BAA, access controls |
| Stripe, Inc. | Payment processing, billing, and fraud prevention | PCI DSS Level 1, SCCs |
| Supabase / AWS | Cloud infrastructure, database hosting, and data storage | BAA, SOC 2, encryption at rest |
| OpenAI / Anthropic | AI-assisted clinical documentation and health insights (data is anonymized and de-identified before transmission) | BAA, zero data retention, API-only |
| Daily.co | Video telehealth visit infrastructure | BAA, SOC 2, end-to-end encryption |
| Twilio / SendGrid | SMS notifications, email communications, and appointment reminders | BAA, SCCs, TLS encryption |
| Law Enforcement / Government | When required by valid legal process, court order, or to prevent imminent harm | Legal review, minimum disclosure |
7. International Data Transfers
NowMedical is headquartered in the United States, and your data may be transferred to and processed in the United States or other countries where our service providers operate. We ensure that cross-border transfers comply with applicable data protection laws through the following mechanisms:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (June 2021 version) for transfers of personal data from the EU/EEA to countries without adequacy decisions.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or UK Addendum to the EU SCCs as approved by the ICO.
- Adequacy Decisions: Where the European Commission or other relevant authority has determined that a country provides an adequate level of data protection, we rely on that adequacy decision.
- Binding Corporate Rules: We are in the process of adopting Binding Corporate Rules for intra-group transfers.
- Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) for all cross-border data transfers and implement supplementary measures including encryption, pseudonymization, and access controls where necessary.
- LGPD (Brazil): Transfers to countries without adequate protection are made pursuant to standard contractual clauses approved by the ANPD or with the data subject's specific and highlighted consent.
8. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy or as required by law. Our retention periods are as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| Medical records and PHI | 10 years from last encounter | HIPAA, state medical record retention laws |
| Financial and billing records | 7 years | Tax and accounting regulations |
| Account data | Duration of account + 30 days | Contract performance, account recovery window |
| AI conversation logs | 90 days | Service improvement, then auto-deleted |
| Analytics and usage data | 26 months | Legitimate interest in service improvement |
| Audit logs | 6 years | HIPAA audit requirements, legal compliance |
| Marketing consent records | Duration of consent + 3 years | GDPR accountability, proof of consent |
When data is no longer needed, it is securely deleted or anonymized using industry-standard methods. De-identified or aggregated data may be retained indefinitely for research and analytics purposes.
9. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data. We are committed to honoring these rights regardless of where you reside to the fullest extent practicable.
GDPR Rights (EU/EEA and UK Residents)
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data where there is no legal basis for continued processing.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON, FHIR R4).
- Right to Restrict Processing (Art. 18): Request that we limit the processing of your data in certain circumstances.
- Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI tools always include human oversight.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
HIPAA Rights (United States)
- Right to Access PHI: Inspect and obtain a copy of your Protected Health Information maintained by us.
- Right to Request Amendments: Request amendments to your PHI if you believe it is inaccurate or incomplete.
- Right to an Accounting of Disclosures: Receive a list of certain disclosures we have made of your PHI.
- Right to Request Restrictions: Request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations.
- Right to Confidential Communications: Request that we communicate with you by alternative means or at alternative locations.
- Right to a Paper Copy: Obtain a paper copy of our Notice of Privacy Practices.
- Right to File a Complaint: File a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
CCPA/CPRA Rights (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of personal information we have collected from you.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell personal information. You may opt out of sharing for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Direct us to limit the use of sensitive personal information to certain purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
LGPD Rights (Brazil Residents)
- Confirmation of Processing: Confirm whether we process your personal data.
- Access: Access your personal data held by us.
- Correction: Correct incomplete, inaccurate, or outdated data.
- Anonymization, Blocking, or Deletion: Request anonymization, blocking, or deletion of unnecessary or excessive data.
- Portability: Transfer your data to another service provider.
- Deletion: Delete personal data processed with your consent.
- Consent Information: Obtain information about public and private entities with which we share your data, and about the possibility and consequences of denying consent.
- Revocation of Consent: Revoke your consent at any time.
PIPEDA Rights (Canada Residents)
- Right of Access: Access your personal information held by us and be informed of its use and disclosure.
- Right to Correction: Challenge the accuracy and completeness of your information and have it amended.
- Right to Complaints: File a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe we have not complied with PIPEDA.
- Right to Withdraw Consent: Withdraw consent for the collection, use, or disclosure of your information, subject to legal or contractual restrictions.
How to Exercise Your Rights
You can exercise any of the rights listed above through our self-service Privacy & Data Rights Center, or by contacting us directly:
- Visit nowmedical.com/privacy-center
- Email: privacy@nowmedical.com
- Phone: 1-800-NOW-MED1
We will respond to your request within 30 days (or the shorter period required by your applicable law). We may need to verify your identity before processing your request.
11. Children's Privacy
NowMedical complies with the Children's Online Privacy Protection Act (COPPA) and similar laws worldwide. Our Platform is not directed at children under the age of 13.
- We do not knowingly collect personal information from children under 13 without verified parental consent.
- Users must be at least 13 years of age to create an account. Users between 13 and 18 must have parental or guardian consent.
- Healthcare services for minors (under 18) require a parent or legal guardian to create and manage the account.
- If we discover that we have collected information from a child under 13 without proper consent, we will promptly delete that information.
- Parents or guardians may contact us at privacy@nowmedical.com to review, correct, or delete their child's information.
In the EU/EEA, the minimum age for consent to data processing may vary by member state (between 13 and 16 years). We comply with the age requirement applicable in the relevant jurisdiction.
12. HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
NowMedical, as a Business Associate to healthcare providers on our Platform, is required by HIPAA to maintain the privacy of your Protected Health Information (PHI) and to provide you with this notice of our legal duties and privacy practices.
Uses and Disclosures of PHI
We may use and disclose your PHI for:
- Treatment: To facilitate the provision of healthcare services, including sharing information with your providers, specialists, pharmacists, and other healthcare professionals involved in your care.
- Payment: To process claims, verify insurance eligibility, obtain prior authorizations, and handle billing and payment activities.
- Healthcare Operations: For quality assessment, credentialing, auditing, and other activities necessary to run our healthcare operations.
- As Required by Law: When required by federal, state, or local law, including public health reporting, abuse or neglect reporting, and judicial proceedings.
- To Avert a Serious Threat: When necessary to prevent a serious and imminent threat to your health or safety or the health or safety of others.
Your HIPAA Rights
See Section 9 above for a full description of your rights under HIPAA. You will not be retaliated against for exercising any of these rights.
Breach Notification
We are required by law to notify you of any breach of your unsecured PHI. In the event of a breach, we will notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule.
Filing a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us at privacy@nowmedical.com or with the U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/ocr/privacy/hipaa/complaints.
13. Security Measures
We implement comprehensive technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. Our security program includes:
Encryption
- AES-256-GCM encryption for all data at rest
- TLS 1.3 encryption for all data in transit
- End-to-end encryption for telehealth video sessions
- Field-level encryption for sensitive PHI fields in our database
Access Controls
- Role-based access controls (RBAC) applying the principle of least privilege
- Multi-factor authentication (MFA) for all provider and administrative accounts
- Session timeout and automatic logout after inactivity
- IP allowlisting for administrative access
Monitoring and Testing
- Comprehensive audit logging of all PHI access with tamper detection
- Real-time intrusion detection and prevention systems
- Annual third-party penetration testing
- Continuous vulnerability scanning
- 24/7 security monitoring and incident response
Certifications and Compliance
- SOC 2 Type II certified
- HIPAA compliant with annual risk assessments
- Information security management aligned with ISO 27001
- Regular employee security awareness training
- Business continuity and disaster recovery plans tested annually
While we implement robust security measures, no method of electronic storage or transmission is 100% secure. If you become aware of any security incident, please contact us immediately at security@nowmedical.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or regulatory obligations. When we make material changes, we will:
- Post the updated policy on this page with a new “Last updated” date and version number.
- Notify you by email (for registered users) at least 30 days before material changes take effect.
- Display a prominent notice on the Platform informing you of the change.
- Where required by law, obtain your consent to material changes in how we process your data.
We encourage you to review this policy periodically. Your continued use of the Platform after any changes constitutes acceptance of the updated policy.
15. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:
Data Protection Officer (DPO)
Email: dpo@nowmedical.com
Privacy Office
Email: privacy@nowmedical.com
Phone: 1-800-NOW-MED1
Mailing Address
NowMedical, Inc.
Attn: Privacy Office
1209 Orange Street
Wilmington, DE 19801
United States
16. Region-Specific Addenda
The following addenda supplement this Privacy Policy with region-specific information required by local law. In the event of a conflict between the main policy and a region-specific addendum, the addendum shall prevail for residents of that region.
Addendum A: European Union / European Economic Area (GDPR)
- Applicable Law: Regulation (EU) 2016/679 (General Data Protection Regulation).
- Data Protection Authority: You have the right to lodge a complaint with your local supervisory authority. A list of supervisory authorities is available at the European Data Protection Board website (edpb.europa.eu).
- Data Processing Agreement: Healthcare providers and business partners may request our Data Processing Agreement, which includes Standard Contractual Clauses.
- EU Representative: Our EU representative can be contacted at eu-representative@nowmedical.com.
- Data Protection Impact Assessments: We conduct DPIAs for any processing activities that are likely to result in a high risk to individuals.
Addendum B: United Kingdom (UK-GDPR)
- Applicable Law: UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018.
- Supervisory Authority: The Information Commissioner's Office (ICO). You may lodge a complaint at ico.org.uk or by calling 0303 123 1113.
- International Transfers: Transfers from the UK are protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
- UK Representative: Our UK representative can be contacted at uk-representative@nowmedical.com.
Addendum C: Brazil (LGPD)
- Applicable Law: Lei Geral de Proteção de Dados (Law No. 13,709/2018).
- Data Protection Authority: Autoridade Nacional de Proteção de Dados (ANPD). You may lodge a complaint at gov.br/anpd.
- Encarregado (DPO): Our Data Protection Officer for LGPD purposes can be contacted at dpo@nowmedical.com.
- Legal Bases: We process personal data based on the legal bases provided in Art. 7 and Art. 11 of the LGPD, including consent, contract performance, legal obligation, protection of life, and legitimate interest.
- International Transfers: Transfers outside Brazil comply with Chapter V of the LGPD, including standard contractual clauses or specific consent.
Addendum D: California (CCPA/CPRA)
- Applicable Law: California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act.
- Categories of Information Collected: Identifiers, personal information under Cal. Civ. Code § 1798.80(e), protected classifications, commercial information, internet activity, geolocation data, sensory data (telehealth audio/video), professional information, and sensitive personal information (health data).
- Sale of Personal Information: NowMedical does not sell personal information as defined under the CCPA/CPRA.
- Sharing for Cross-Context Behavioral Advertising: We may share certain identifiers with advertising partners. You can opt out via our Privacy Center.
- Authorized Agent: You may designate an authorized agent to submit requests on your behalf by providing written authorization to privacy@nowmedical.com.
- Financial Incentives: We do not offer financial incentives in exchange for the collection or sale of personal information.
- HIPAA Exemption: Protected Health Information (PHI) governed by HIPAA is exempt from the CCPA/CPRA. The HIPAA provisions of this policy govern PHI.
Addendum E: Canada (PIPEDA)
- Applicable Law: Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
- Accountability: NowMedical's Data Protection Officer is accountable for our compliance with PIPEDA and can be contacted at dpo@nowmedical.com.
- Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us.
- Complaints: If you are not satisfied with our response to a complaint, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
- Transfers: Personal information may be transferred to jurisdictions outside Canada. We ensure comparable levels of protection through contractual obligations.
Addendum F: Australia (APP)
- Applicable Law: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
- Sensitive Information: Health information is classified as sensitive information under the APPs. We only collect sensitive information with your consent or where otherwise permitted by law.
- Cross-Border Disclosure: Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient complies with the APPs or is subject to a substantially similar regime (APP 8).
- Access and Correction: You may request access to and correction of your personal information under APPs 12 and 13.
- Complaints: If you are not satisfied with our handling of your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
- Direct Marketing: You may opt out of direct marketing at any time by contacting us or using the unsubscribe link in our communications (APP 7).
Addendum G: South Africa (POPIA)
- Applicable Law: Protection of Personal Information Act (POPIA), Act 4 of 2013.
- Information Officer: Our Information Officer can be contacted at dpo@nowmedical.com.
- Complaints: You may lodge a complaint with the Information Regulator at justice.gov.za/inforeg.
- Special Personal Information: Health information is classified as special personal information under POPIA. We process this information only with your consent or as permitted under Section 27 of POPIA.
Addendum H: Singapore & Thailand (PDPA)
- Singapore: We comply with the Personal Data Protection Act 2012 (PDPA). Complaints may be directed to the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
- Thailand: We comply with the Personal Data Protection Act B.E. 2562 (2019) (PDPA). Complaints may be directed to the Office of the Personal Data Protection Committee.
- Consent: We obtain consent before collecting, using, or disclosing personal data unless an exemption applies under the relevant PDPA.
- Data Protection Officer: Our DPO can be contacted at dpo@nowmedical.com for inquiries under either jurisdiction.
Addendum I: China (PIPL)
- Applicable Law: Personal Information Protection Law (PIPL), Data Security Law (DSL), and the Cybersecurity Law of the People's Republic of China.
- Sensitive Personal Information: Health and medical data is classified as sensitive personal information under PIPL Article 28. We process it only with your separate, explicit consent and for a specific, reasonable purpose.
- Cross-Border Transfer: Transfers of personal information outside China comply with the Measures for the Security Assessment of Cross-Border Data Transfer, including security assessments, standard contracts, or certification as applicable.
- Data Localization: Where required, personal information of individuals in China is stored on servers located within the People's Republic of China.
- Individual Rights: You have the right to know, decide, restrict, refuse, access, copy, correct, delete, and request explanation of automated decision-making under PIPL Articles 44-49.
- Complaints: You may file complaints with the Cyberspace Administration of China (CAC) or relevant local authorities.
Addendum J: India (DPDP Act 2023)
- Applicable Law: Digital Personal Data Protection Act, 2023 (DPDP Act) and Information Technology Act, 2000.
- Consent: We process personal data based on valid consent obtained through a clear, plain-language notice (Section 6). You may withdraw consent at any time.
- Data Fiduciary Obligations: As a Significant Data Fiduciary (if designated), we appoint a Data Protection Officer and conduct periodic data audits.
- Children's Data: We obtain verifiable parental consent before processing personal data of individuals under 18 years of age (Section 9).
- Grievance Redressal: Our Grievance Officer can be contacted at dpo@nowmedical.com. If unresolved, you may approach the Data Protection Board of India.
- Cross-Border Transfer: Personal data may be transferred outside India except to countries notified by the Central Government as restricted.
Addendum K: Saudi Arabia (PDPL & Healthcare Professions Law)
- Applicable Law: Personal Data Protection Law (Royal Decree M/19) and the Law of Practicing Healthcare Professions.
- Health Data: Health and medical information is classified as sensitive data under the PDPL. We process it only with explicit consent and in compliance with the Saudi Data and Artificial Intelligence Authority (SDAIA) regulations.
- Healthcare Compliance: We comply with the Saudi Health Council requirements and the Law of Practicing Healthcare Professions regarding patient data confidentiality and electronic health records.
- Data Residency: Where required, personal data of Saudi residents may be stored within the Kingdom or transferred in accordance with PDPL cross-border transfer requirements.
- Complaints: You may lodge complaints with the Saudi Data and Artificial Intelligence Authority (SDAIA) or the Ministry of Health.
Addendum L: Ontario, Canada (PHIPA)
- Applicable Law: Personal Health Information Protection Act, 2004 (PHIPA) — Ontario's health-specific privacy legislation.
- Health Information Custodians: Healthcare providers using NowMedical in Ontario are Health Information Custodians (HICs) under PHIPA. We act as their agent or electronic service provider.
- Circle of Care: We facilitate the sharing of personal health information within the circle of care as defined by PHIPA, with implied consent for treatment purposes.
- Complaints: You may file a complaint with the Information and Privacy Commissioner of Ontario (IPC) at ipc.on.ca.
Addendum M: US State Health Data Laws (Washington MHMDA & Nevada)
- Washington My Health My Data Act (MHMDA): For Washington state residents, we obtain consent before collecting or sharing consumer health data, provide a clear health data privacy policy, honor deletion requests within 30 days, and do not sell or offer consumer health data without valid authorization. Geofencing restrictions around healthcare facilities are respected.
- Nevada Consumer Health Data Privacy Law (SB 370): For Nevada residents, we comply with restrictions on the sale of consumer health data, honor opt-out requests for data sharing, and provide clear notice of health data practices.
- Private Right of Action: Both laws provide individuals with a private right of action. We maintain compliance programs to prevent violations and respond promptly to any data subject requests.