1. Introduction
Mediyn, Inc. (“Mediyn,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal information and Protected Health Information (PHI) entrusted to us by clinicians, their practices, and the patients they serve.
This Privacy Policy describes how Mediyn collects, uses, discloses, retains, and safeguards information when you use our website at mediyn.com, our web application at mediyn.ai, our mobile applications, and any related services (collectively, the “Services”). It also describes your rights and choices with respect to your information.
Mediyn provides an AI-powered clinical documentation platform designed specifically for mental health professionals. Because our Services process clinical information, we are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing regulations. This Privacy Policy should be read alongside the Business Associate Agreement (BAA) we execute with each covered entity customer, available at mediyn.com/baa.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
2. Information We Collect
2.1 Personal Information
When you create an account, subscribe to a plan, or contact us, we may collect the following personal information:
- Full name, email address, phone number, and professional credentials (e.g., LCSW, PhD, PsyD, LMFT)
- National Provider Identifier (NPI) and state licensure information
- Practice name, address, and organizational affiliation
- Billing information, including payment card details (processed by our PCI-compliant payment processor; Mediyn does not store full card numbers)
- Professional profile information you choose to provide, such as specialties, treatment modalities, and practice demographics
2.2 Clinical and Protected Health Information (PHI)
In the course of providing the Services, Mediyn processes clinical information that may constitute PHI under HIPAA. This includes:
- Session recordings: Audio captured during therapy sessions is processed entirely on the clinician's device. Raw audio is never uploaded to Mediyn servers.
- De-identified transcripts: Transcripts generated on-device from session recordings after PHI has been redacted by our on-device de-identification engine.
- Clinical notes: AI-generated progress notes, treatment plans, intake assessments, and other clinical documentation created from de-identified session data.
- Assessments and worksheets: Standardized assessments (e.g., PHQ-9, GAD-7) and therapeutic worksheets generated or managed through the platform.
- Patient demographic information: Names, contact information, dates of birth, insurance details, and other identifying information entered by clinicians into the platform.
2.3 Usage Data
We automatically collect certain information about how you interact with the Services, including:
- Device information (device type, operating system, browser type and version, screen resolution)
- IP address, approximate geographic location (city/region level), and internet service provider
- Feature usage patterns, page views, session duration, and navigation paths
- Error logs and performance data to diagnose and resolve technical issues
- Referring URLs, search terms used to find our site, and marketing attribution data
2.4 Cookies and Similar Technologies
We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, analyze site usage, and support our marketing efforts. You can manage cookie preferences through your browser settings. Disabling certain cookies may limit the functionality of the Services. We do not use cookies to track PHI. For more information, see our Cookie Policy.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and operate the Services: To create and manage your account, authenticate your identity, and deliver the clinical documentation, practice management, and AI-powered features you subscribe to.
- Generate AI clinical documentation: To process de-identified transcript data through our AI models and produce clinical notes, treatment plans, assessments, worksheets, and other documentation.
- Process payments: To bill for subscriptions, process transactions, send invoices, and manage your billing account.
- Communicate with you: To send service-related notifications, respond to support requests, provide product updates, and deliver information you have requested.
- Improve and develop the Services: To analyze usage patterns (using de-identified and aggregated data only), conduct research, identify trends, and develop new features and improvements.
- Ensure security and prevent fraud: To monitor for suspicious activity, enforce our terms of service, protect against unauthorized access, and maintain the integrity of the platform.
- Comply with legal obligations: To meet our obligations under HIPAA, state privacy laws, tax regulations, and other applicable legal requirements.
4. On-Device Processing and De-Identification
Mediyn employs a patent-pending on-device processing architecture specifically designed to minimize the exposure of Protected Health Information. This architecture is a core differentiator of our platform and central to how we protect patient privacy.
4.1 How It Works
The on-device processing pipeline operates as follows:
- On-device transcription: When a clinician records a therapy session, the audio is transcribed locally on the clinician's device. The raw audio file never leaves the device and is not transmitted to Mediyn servers.
- On-device PHI redaction: Before any transcript data is transmitted, our de-identification engine runs locally on the device to detect and redact Protected Health Information, including patient names, dates of birth, addresses, phone numbers, Social Security numbers, and the other identifier categories enumerated in the HIPAA Safe Harbor de-identification standard (45 CFR 164.514(b)(2)).
- De-identified data transmission: Only the de-identified transcript — with PHI replaced by standardized tokens — is transmitted to Mediyn servers over TLS 1.3 encrypted connections for AI processing.
- AI documentation generation: Our AI models process the de-identified transcript to generate clinical notes, treatment plans, and other documentation.
- On-device token re-mapping: The generated documentation is returned to the clinician's device, where the standardized tokens are re-mapped to the original identifiers using the mapping held locally on that device. The re-identified clinical document exists only on the clinician's device and in the encrypted platform database; it is never present in unencrypted form on Mediyn's AI processing servers.
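The pipeline described in 4.1, as an added illustration that is not Mediyn's code and does not describe its actual de-identification engine: a device-side redactor that replaces identifiers with per-session random tokens and keeps the only copy of the token map, a pre-transmission check that refuses to send a transcript in which a known identifier survived, a stand-in for the server-side step that sees only tokens, and the re-mapping on return. The patient record, transcript, regular expressions and function names are all constructed for this example.

```python
import re
import secrets
import string

# Constructed example data: the demographic fields a clinician enters into the
# patient record (Section 2.2) and a fictional transcript. Not real patient data.
PATIENT_RECORD = {"name": "Jane Doe", "dob": "03/14/1985", "phone": "(415) 555-0134"}
TRANSCRIPT = (
    "Clinician: How have things been since 02/10/2024, Jane? "
    "Patient: Better. Jane Doe speaking for the record, born 03/14/1985. "
    "My new number is 415-555-0199; my SSN on the form was 123-45-6789."
)

# Regex detectors for a few HIPAA Safe Harbor identifier types found in free text.
# Illustrative only: a real engine covers all 18 categories and is not regex-only.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def _bounded(value):
    # Match the literal value only as a whole word, so "Doe" does not hit "Does".
    return r"(?<!\w)" + re.escape(value) + r"(?!\w)"


class DeviceRedactor:
    """Runs on the clinician's device; it alone holds the token map (hypothetical class)."""

    def __init__(self, record):
        self.forward = {}  # identifier value -> token
        self.reverse = {}  # token -> identifier value
        # Identifiers the device already knows from the patient record: full name,
        # each name part, date of birth, phone. Longest first so "Jane Doe" is
        # tokenized before "Jane" or "Doe".
        known = [(record["name"], "NAME")]
        known += [(part, "NAME") for part in record["name"].split()]
        known += [(record["dob"], "DATE"), (record["phone"], "PHONE")]
        self.known = sorted(known, key=lambda kv: -len(kv[0]))

    def _token(self, value, kind):
        # Per-session random letters: the token carries no information about the
        # value, differs between sessions, and cannot collide with the digit patterns.
        if value not in self.forward:
            tag = "".join(secrets.choice(string.ascii_lowercase) for _ in range(6))
            tok = f"[{kind}_{tag}]"
            self.forward[value] = tok
            self.reverse[tok] = value
        return self.forward[value]

    def redact(self, text):
        for value, kind in self.known:  # dictionary pass (most reliable)
            text = re.sub(_bounded(value), lambda m, v=value, k=kind: self._token(v, k), text)
        for kind, pat in PATTERNS.items():  # pattern pass for identifiers not on file
            text = pat.sub(lambda m, k=kind: self._token(m.group(0), k), text)
        return text

    def residual_identifiers(self, outbound):
        """Pre-transmission check: known identifier values still present verbatim."""
        return [v for v, _ in self.known if re.search(_bounded(v), outbound)]

    def reidentify(self, text):
        for tok, value in self.reverse.items():
            text = text.replace(tok, value)
        return text


def server_generate_note(deidentified_transcript):
    """Stand-in for the server-side AI step: it only ever sees tokens and returns
    a fixed template that references the patient by token, not by name."""
    m = re.search(r"\[NAME_[a-z]+\]", deidentified_transcript)
    subject = m.group(0) if m else "the client"
    return f"Progress note for {subject}: client reports improvement; follow-up scheduled."


def run_pipeline(record, transcript):
    """Returns (payload sent to server, note as returned, note after on-device re-mapping)."""
    device = DeviceRedactor(record)
    outbound = device.redact(transcript)
    residual = device.residual_identifiers(outbound)
    if residual:
        raise ValueError(f"refusing to transmit, identifiers still present: {residual}")
    note_with_tokens = server_generate_note(outbound)  # only tokenized text crosses the wire
    return outbound, note_with_tokens, device.reidentify(note_with_tokens)


if __name__ == "__main__":
    sent, returned, final = run_pipeline(PATIENT_RECORD, TRANSCRIPT)
    print("to server  :", sent)
    print("from server:", returned)
    print("on device  :", final)
```

The residual_identifiers check can only catch values the device already knows from the patient record. A nickname, a family member's name, or an address that appears only in speech is not on that list and would be transmitted if the pattern pass misses it, which is why the coverage of the on-device engine, not the secrecy of the token map, determines what actually reaches the server.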
4.2 Why This Matters
This architecture means that Mediyn's AI processing servers never receive identifiable patient information; the token mapping needed to re-identify a transcript is created and held only on the clinician's device. Even in the event of a breach of the AI processing infrastructure, the de-identified data held there cannot be linked back to individual patients without that device-side token mapping. Re-identified clinical documents and the patient demographic information described in Section 2.2 are stored in the encrypted platform database, which is protected by the safeguards described in Section 8.
For a comprehensive technical overview of our security architecture, visit our Security & Trust Center.
5. How We Share Your Information
We do not sell your personal information or Protected Health Information. We have never sold personal information or PHI, and we will never do so. We share information only in the following limited circumstances:
5.1 Business Associates
We may share PHI with subcontractors and service providers who perform functions on our behalf and require access to PHI to provide those functions. All such parties are bound by Business Associate Agreements (BAAs) that impose obligations at least as stringent as those required by HIPAA. These business associates include our cloud infrastructure providers, data backup services, and select technology partners.
5.2 Service Providers
We engage service providers who process personal information (but not PHI) on our behalf for purposes such as payment processing, email delivery, analytics, customer support tooling, and marketing. These providers are contractually prohibited from using your information for any purpose other than providing services to Mediyn.
5.3 Legal Requirements
We may disclose information if required to do so by law, regulation, subpoena, court order, or other governmental request. Where permitted by law, we will notify you before making such a disclosure. We will resist overbroad or otherwise improper requests for information.
5.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar corporate transaction, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information. Any successor entity will be bound by the terms of this Privacy Policy and applicable BAAs.
5.5 With Your Consent
We may share information with third parties when you have given us explicit consent to do so. For example, you may choose to connect Mediyn with third-party EHR systems or billing platforms, in which case data sharing is governed by your instructions and the third party's privacy practices.
6. HIPAA Compliance
6.1 Our Role
When Mediyn processes PHI on behalf of a covered entity (such as a licensed therapist or mental health practice), Mediyn acts as a Business Associate as defined under HIPAA. We execute a Business Associate Agreement with every customer whose use of the Services involves PHI. A copy of our standard BAA is available at mediyn.com/baa.
6.2 Our Obligations
As a Business Associate, Mediyn is obligated under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule to:
- Use and disclose PHI only as permitted or required by the BAA and applicable law
- Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI)
- Report any security incidents or breaches of unsecured PHI to the covered entity without unreasonable delay
- Ensure that any subcontractors who access PHI agree to the same restrictions and conditions through downstream BAAs
- Make PHI available to the covered entity as needed to satisfy patient rights requests
- Maintain records of disclosures and make them available as required by HIPAA
6.3 Patient Rights
Under HIPAA, patients whose PHI is processed through Mediyn have certain rights. These rights are exercised through the covered entity (the clinician or practice), and Mediyn will cooperate with covered entities to fulfill these requests:
- Right of access: Patients may request access to their PHI maintained in a designated record set.
- Right to amendment: Patients may request that their PHI be amended if they believe it is inaccurate or incomplete.
- Right to an accounting of disclosures: Patients may request a list of certain disclosures of their PHI made by or on behalf of the covered entity.
- Right to request restrictions: Patients may request restrictions on certain uses and disclosures of their PHI.
- Right to confidential communications: Patients may request that communications regarding their PHI be made by alternative means or at alternative locations.
- Right to breach notification: Patients are entitled to notification if their unsecured PHI is subject to a breach, as defined under the HIPAA Breach Notification Rule.
7. Data Retention and Deletion
7.1 Clinical Data
Clinical documentation and PHI are retained in accordance with applicable state medical-record retention laws and HIPAA documentation requirements. At a minimum, clinical records are retained for six (6) years from the date of creation or the date when the record was last in effect, whichever is later; this is the period HIPAA requires for compliance documentation (45 CFR 164.316(b)(2)), and many states require longer retention for clinical records themselves. Mediyn will honor the longer of the federal or state requirement.
7.2 Account Data
Personal information associated with your account is retained for as long as your account is active or as needed to provide the Services. If you close your account, we will retain your personal information for a reasonable period to fulfill legal obligations, resolve disputes, and enforce our agreements.
7.3 Deletion Requests
You may request deletion of your personal information by contacting us at privacy@mediyn.com. We will process your request in accordance with applicable law. Please note that certain information may need to be retained to comply with legal retention requirements (including HIPAA record retention requirements), even after a deletion request. We will inform you if any such exceptions apply.
7.4 Data Export
Clinicians may export their clinical data from Mediyn at any time through the platform's built-in export functionality. Exported data is provided in standard, interoperable formats to facilitate transfer to other systems. We believe your data belongs to you, and we will never hold it hostage.
8. Security Measures
We implement comprehensive administrative, technical, and physical safeguards to protect your information. Key security measures include:
- Encryption at rest: All data stored on Mediyn's infrastructure is encrypted using AES-256.
- Encryption in transit: All data transmitted between your device and Mediyn's servers is protected using TLS 1.3.
- Role-based access controls (RBAC): Access to data within the platform is governed by role-based permissions, ensuring that users can only access the information necessary for their role.
- Multi-factor authentication (MFA): MFA is available and can be enforced at the organization level to protect against unauthorized account access.
- Automatic session timeouts: Sessions are automatically terminated after configurable periods of inactivity to prevent unauthorized access to unattended devices.
- Immutable audit trails: Every action taken within the platform is logged in an immutable audit trail that cannot be modified or deleted by any user, including administrators.
- SOC 2 compliance: Mediyn undergoes regular SOC 2 Type II examinations, in which an independent auditor attests to the design and operating effectiveness of our security controls over the audit period.
- Penetration testing: We conduct regular third-party penetration testing to identify and remediate potential vulnerabilities.
- Incident response: We maintain a documented incident response plan and conduct regular tabletop exercises to ensure readiness.
For a detailed overview of our security practices and architecture, visit our Security & Trust Center.
9. Children's Privacy
Mediyn's Services are designed for use by licensed mental health professionals and are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.
We recognize that therapists may treat minor patients. In such cases, the clinician (as the covered entity) is responsible for obtaining appropriate consents and authorizations in accordance with HIPAA, state law, and their professional obligations. Mediyn processes PHI related to minor patients in the same manner as all other PHI, subject to the terms of the BAA and this Privacy Policy. Our on-device processing architecture provides the same privacy protections for all patients regardless of age.
10. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information. Please note that PHI processed in accordance with HIPAA is exempt from the CCPA/CPRA. The following rights apply to personal information that is not otherwise exempt:
- Right to know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
- Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
- Right to opt-out of sale: Mediyn does not sell personal information. We have never sold personal information and have no plans to do so. Because we do not sell personal information, there is no need to opt out.
- Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you.
- Right to limit use of sensitive personal information: To the extent we process sensitive personal information (as defined under the CPRA), you have the right to limit our use and disclosure of such information to purposes that are necessary to provide the Services.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise any of these rights, please contact us at privacy@mediyn.com or submit a request through our contact page. We will verify your identity before processing your request and respond within 45 days as required by law.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Sending a notification to the email address associated with your account
- Displaying a prominent notice within the Mediyn application
- Updating the “Last Updated” date at the top of this page
Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Services and contact us to discuss your options, including account deletion and data export.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
- Email: privacy@mediyn.com
- Mail: Mediyn, Inc., Attn: Privacy Officer, 1234 Innovation Drive, Suite 500, San Francisco, CA 94105
- Contact form: mediyn.com/contact
For HIPAA-related inquiries, including requests related to patient rights or breach notifications, please contact us at privacy@mediyn.com with “HIPAA Inquiry” in the subject line. We will respond to all privacy-related inquiries within thirty (30) business days.