Privacy Policy

1. Introduction

Mediyn, Inc. (“Mediyn,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal information and Protected Health Information (PHI) entrusted to us by clinicians, their practices, and the patients they serve.

This Privacy Policy describes how Mediyn collects, uses, discloses, retains, and safeguards information when you use our website at mediyn.com, our web application, our iOS application, and any related services (collectively, the “Services”). It also describes your rights and choices with respect to your information.

Mediyn provides an AI-powered clinical documentation and practice-management platform designed specifically for mental health professionals. Because our Services process clinical information, we are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and its implementing regulations. Where applicable, we also operate in a manner consistent with 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records), the California Medical Information Act (CMIA), the Washington My Health My Data Act, and analogous state health-privacy laws. This Privacy Policy should be read alongside the Business Associate Agreement (BAA) we execute with each covered-entity customer, available at mediyn.com/baa.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2. Our Privacy Architecture

Mediyn employs a patent-pending on-device processing architecture specifically designed to minimize the exposure of Protected Health Information. This architecture is a core differentiator of our platform and central to how we protect patient privacy. The guarantees below are enforced by the software itself, not by policy alone.

2.1 How It Works

1. On-device transcription. When a clinician records a therapy session, the audio is transcribed locally on the clinician's device. The raw audio file never leaves the device and is not transmitted to Mediyn servers.
2. On-device PHI redaction. Before any transcript data is transmitted, our de-identification engine runs locally on the device to detect and redact PHI, including patient names, dates of birth, addresses, phone numbers, Social Security numbers, and the other identifiers defined under the HIPAA Safe Harbor method. Clinicians can select Standard or Strict redaction modes, and every redaction event is logged.
3. De-identified data transmission. Only the de-identified transcript — with PHI replaced by standardized tokens — is transmitted to Mediyn's AI-processing tier over TLS 1.3.
4. AI documentation generation. Our AI models process the de-identified transcript to generate clinical notes, treatment plans, assessments, and other documentation. The processing tier does not persist transcripts or outputs beyond the duration required to return a response.
5. On-device token re-mapping. The generated documentation is returned to the clinician's device, where standardized tokens are re-mapped to the original identifiers locally.
6. Encrypted storage. The finished clinical document — which at this stage contains the patient identifiers the clinician intentionally chose to include — is stored in Mediyn's application database, encrypted at rest with AES-256 using keys managed in a Hardware Security Module (HSM). The AI-processing tier and the application-storage tier are separate environments; the AI-processing tier never sees identified PHI.

2.2 Why This Matters

Even in the unlikely event of a compromise of the AI-processing tier, the data there cannot be linked back to individual patients without access to the clinician's device-side token mapping. This is a meaningfully stronger posture than products that send raw session audio to a cloud transcription service.

For a comprehensive technical overview of our security architecture, visit our Security & Trust Center.

3. Information We Collect

3.1 Clinician and Practice Information

When a clinician or practice creates an account, subscribes to a plan, or contacts us, we may collect:

• Full name, email address, phone number, and professional credentials (e.g., LCSW, PhD, PsyD, LMFT)
• National Provider Identifier (NPI) and state licensure information
• Practice name, address, and organizational affiliation
• Billing information, including payment card details (processed by our PCI-compliant payment processor; Mediyn does not store full card numbers)
• Professional profile information you choose to provide, such as specialties, treatment modalities, and practice demographics

3.2 Clinical and Protected Health Information (PHI)

In the course of providing the Services, Mediyn processes clinical information that may constitute PHI under HIPAA. This includes:

• Session recordings. Audio captured during therapy sessions is processed entirely on the clinician's device. Raw audio is never uploaded to Mediyn servers.
• De-identified transcripts. Transcripts generated on-device, with PHI redacted, before transmission to our AI-processing tier.
• Clinical notes. AI-generated progress notes, treatment plans, intake assessments, and other clinical documentation created from de-identified session data.
• Telehealth session data. When clinicians conduct video sessions through Mediyn's built-in telehealth feature, audio is processed using the same on-device transcription and de-identification pipeline described in Section 2. Video streams are encrypted in transit and are not recorded or stored by Mediyn unless the clinician explicitly enables session recording, in which case recordings are encrypted at rest and subject to the same retention and deletion policies as all other clinical data.
• Assessments and worksheets. Standardized assessments (e.g., PHQ-9, GAD-7) and therapeutic worksheets assigned, completed, and scored through the platform, including patient responses and automatically calculated severity scores.
• Patient demographic and clinical-profile information. Names, contact information, dates of birth, addresses, insurance details, emergency contacts, guardian information (for minor patients), pronouns, and risk flags entered by clinicians or patients into the platform.

3.3 Patient Portal Data

Patients who are granted access to the Mediyn patient portal by their clinician may interact with the Services directly. In that context, we process:

• Profile information patients add or update (contact details, emergency contacts, insurance, pronouns, and similar fields permitted by the clinician).
• Secure messages patients send to their clinician. Patient-initiated messaging is limited to the text-message channel within a therapist-initiated conversation; patients cannot upload attachments.
• Worksheet and assessment responses patients submit, including draft responses saved in progress.
• Invoice and payment information, including amounts due, invoice status (pending, paid, payment failed, voided), and payment-method details handled by our PCI-compliant processor.
• Notification preferences and the resulting in-app, email, or SMS notifications.
• Authentication events, including login timestamps, device identifiers for trusted-device management, and multi-factor authentication activity.

Patients cannot create or cancel sessions, initiate new conversations, upload files, purchase session packages, or modify invoices through the patient portal. Those actions are reserved to the clinician or practice staff.

3.4 Usage Data

We automatically collect certain information about how you interact with the Services, including:

• Device information (device type, operating system, browser type and version, screen resolution)
• IP address, approximate geographic location (city/region level), and internet service provider
• Feature-usage patterns, page views, session duration, and navigation paths
• Error logs and performance data used to diagnose and resolve technical issues
• Referring URLs, search terms used to find our site, and marketing-attribution data

Where technically feasible, usage data is separated from PHI and stored in a distinct analytics environment.

3.5 Cookies and Similar Technologies

We use strictly necessary cookies and local storage to maintain your session, remember your preferences, and support security controls such as trusted-device recognition. We use a limited set of analytics cookies on our marketing website (mediyn.com) to understand traffic. We do not use cookies to track PHI, and we do not use third-party advertising or cross-site tracking cookies inside the Mediyn application. You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may limit the functionality of the Services.

4. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and operate the Services: to create and manage your account, authenticate your identity, and deliver the clinical documentation, practice management, billing, telehealth, assessment, and patient-portal features you subscribe to.
• Generate AI clinical documentation: to process de-identified transcript data through our AI pipeline and produce clinical notes, treatment plans, assessments, worksheets, and related documentation.
• Process payments and billing: to issue invoices, process transactions, manage subscriptions, and generate Good Faith Estimates and related disclosures required by the No Surprises Act for self-pay patients.
• Communicate with you: to send service-related notifications, respond to support requests, provide product updates, and deliver information you have requested.
• Improve and secure the Services: to analyze aggregated, de-identified usage patterns, monitor for suspicious activity, detect and respond to security incidents, prevent fraud, and enforce our terms of service.
• Comply with legal obligations: to meet our obligations under HIPAA, 42 CFR Part 2 (where applicable), state privacy and health-information laws, tax regulations, and other applicable legal requirements.

5. AI and Model Training

Because Mediyn is an AI-powered platform, we want to be explicit about how patient data does and does not interact with AI systems.

• We do not sell patient data. Not identified. Not de-identified. Not in any form.
• We do not use patient data to train general-purpose AI models. Session recordings, transcripts, clinical notes, messages, worksheet responses, and assessment responses are never used as training data for any public or foundation model.
• Our third-party language-model providers operate under zero-retention agreements. De-identified transcripts transmitted to these providers for inference are not logged, retained, or used by them to train their models. These providers are bound by Business Associate Agreements and contractual prohibitions on secondary use.
• Our own model improvement uses aggregate, de-identified signals only. For example, we may measure how often a generated note is edited in a given section, in aggregate, to improve prompt templates. We do not use patient content (transcripts, notes, messages) as training data, and we do not retain individual patient records for model-improvement purposes.
• You can disable AI features. Clinicians can turn off AI-assisted documentation entirely at the account level, in which case no transcript data is transmitted to our AI-processing tier.

6. How We Share Your Information

We do not sell your personal information or PHI. We have never sold personal information or PHI and we will never do so. We share information only in the following limited circumstances.

6.1 Sub-processors and Business Associates

We engage a small, vetted set of sub-processors to help us operate the Services. Sub-processors that access PHI are bound by Business Associate Agreements imposing obligations at least as stringent as those required by HIPAA. The categories of sub-processors we currently use are:

• Cloud infrastructure and data storage — the underlying compute, storage, and network services that host the Mediyn application.
• AI language-model providers — large language model inference providers that receive only de-identified transcript data, under zero-retention BAAs.
• Payment processing — Stripe, Inc., which processes payment-card details and subscription billing. Stripe processes payment-card information as an independent data controller for payment transactions and as our service provider for subscription management; Stripe's privacy policy governs its handling of payment data.
• Email and SMS delivery — transactional email and SMS notification providers.
• Error monitoring and operational observability — services that help us detect, diagnose, and resolve technical issues; configured to exclude PHI from captured data.
• Telehealth media transport — the real-time audio and video infrastructure that carries encrypted telehealth streams. Media passes through this infrastructure in encrypted form and is not recorded by the provider.

A current list of named sub-processors, including the specific vendor in each category and the data they process, is available on request by emailing privacy@mediyn.com. We will provide reasonable advance notice of material changes to our sub-processor list to customers with active BAAs.

6.2 Legal Requirements

We may disclose information if required to do so by law, regulation, subpoena, court order, or other governmental request. Where permitted by law, we will notify the affected customer before making such a disclosure. We will resist overbroad or otherwise improper requests for information.

6.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar corporate transaction, your information may be transferred as part of that transaction. We will notify affected customers of any such transfer and any choices they may have regarding their information. Any successor entity will be bound by the terms of this Privacy Policy and applicable BAAs.

6.4 With Your Consent

We may share information with third parties when you have given us explicit consent to do so. For example, you may choose to connect Mediyn to a third-party EHR or billing system, in which case data sharing is governed by your instructions and the third party's privacy practices.

7. HIPAA Compliance and Related Health-Privacy Laws

7.1 Our Role Under HIPAA

When Mediyn processes PHI on behalf of a covered entity (such as a licensed therapist or mental-health practice), Mediyn acts as a Business Associate as defined under HIPAA. We execute a Business Associate Agreement with every customer whose use of the Services involves PHI, at no additional cost. A copy of our standard BAA is available at mediyn.com/baa.

7.2 Our Obligations

As a Business Associate, Mediyn is obligated under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule to:

• Use and disclose PHI only as permitted or required by the BAA and applicable law
• Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI)
• Detect and report security incidents and breaches of unsecured PHI to the covered entity without unreasonable delay, and in any event within the timeframes required by the HIPAA Breach Notification Rule (notification to covered entities no later than 60 days from discovery, and typically far sooner in practice)
• Ensure that any subcontractors who access PHI agree to the same restrictions and conditions through downstream BAAs
• Make PHI available to the covered entity as needed to satisfy patient rights requests
• Maintain records of disclosures and make them available as required by HIPAA

7.3 Patient Rights Under HIPAA

Patients whose PHI is processed through Mediyn have certain rights under HIPAA. These rights are exercised through the covered entity (the clinician or practice), and Mediyn will cooperate with covered entities to fulfill these requests:

• Right of access — patients may request access to their PHI maintained in a designated record set.
• Right to amendment — patients may request that their PHI be amended if they believe it is inaccurate or incomplete.
• Right to an accounting of disclosures — patients may request a list of certain disclosures of their PHI made by or on behalf of the covered entity.
• Right to request restrictions — patients may request restrictions on certain uses and disclosures of their PHI.
• Right to confidential communications — patients may request that communications regarding their PHI be made by alternative means or at alternative locations.
• Right to breach notification — patients are entitled to notification if their unsecured PHI is subject to a breach, as defined under the HIPAA Breach Notification Rule.

7.4 42 CFR Part 2 (Substance Use Disorder Records)

Where a customer's practice qualifies as a Part 2 program, Mediyn treats records identifying patients as having a substance use disorder under the stricter confidentiality requirements of 42 CFR Part 2 and executes the applicable Qualified Service Organization Agreement in addition to the BAA. Part 2 records are not disclosed, used for any AI training or model improvement, or subject to disclosure exceptions permitted under HIPAA that are not also permitted under Part 2.

7.5 No Surprises Act — Good Faith Estimates

For self-pay and uninsured patients, federal law requires clinicians to provide a Good Faith Estimate (GFE) of expected charges. Mediyn provides tooling to generate, deliver, and retain GFEs and associated acknowledgments as part of the clinical and billing record. GFE records are retained in accordance with federal retention requirements.

7.6 State Health-Privacy Laws

Depending on the clinician's and patient's state of residence, additional laws may apply, including the California Medical Information Act (CMIA), the Washington My Health My Data Act, New York's mental-health confidentiality provisions, and similar state statutes. Where these laws provide rights or protections that exceed HIPAA, Mediyn will honor the more protective standard.

8. Data Retention and Deletion

8.1 Clinical Data

Clinical documentation and PHI are retained in accordance with HIPAA requirements and applicable state laws. At a minimum, clinical records are retained for six (6) years from the date of creation or the date when the record was last in effect, whichever is later. Some states require longer retention periods, and Mediyn will honor the longer of the federal or state requirement.

8.2 Audit Logs

Immutable audit logs of actions taken within the platform are retained for seven (7) years to support HIPAA audit obligations and forensic review.

8.3 Account Data

Personal information associated with your account is retained for as long as your account is active or as needed to provide the Services. If you close your account, we will retain your personal information for up to ninety (90) days to allow for data export, after which it will be deleted except as needed to fulfill legal obligations, resolve disputes, and enforce our agreements, for which we may retain limited records for up to three (3) years following account closure.

8.4 Deletion Requests

You may request deletion of your personal information by contacting us at privacy@mediyn.com. We will process your request in accordance with applicable law. Certain information may need to be retained to comply with legal retention requirements (including HIPAA and state record-retention requirements), even after a deletion request. We will inform you if any such exceptions apply.

8.5 Data Export

Clinicians may export their clinical data from Mediyn at any time through the platform's built-in export functionality. Exported data is provided in standard, interoperable formats to facilitate transfer to other systems. We believe your data belongs to you, and we will never hold it hostage.

9. Security Measures

We implement comprehensive administrative, technical, and physical safeguards to protect your information. Key security measures include:

• Encryption at rest: all data stored on Mediyn's infrastructure is encrypted using AES-256, with keys managed in a Hardware Security Module (HSM) and rotated on a configurable schedule.
• Encryption in transit: all data transmitted between your device and Mediyn's servers is protected using TLS 1.3.
• Role-based access controls and PHI masking: access to data within the platform is governed by role-based permissions, enforced server-side, with re-authentication required to unmask sensitive fields. Every unmasking event is logged.
• Multi-factor authentication (MFA): MFA is available and can be enforced at the organization level to protect against unauthorized account access.
• Automatic session timeouts and device management: sessions are automatically terminated after configurable periods of inactivity, and trusted-device management limits access to recognized hardware with remote-revocation capability.
• Immutable audit trails: every action taken within the platform is logged in an immutable audit trail that cannot be modified or deleted by any user, including administrators.
• Malware scanning: every uploaded file is quarantined and scanned before it becomes accessible.
• Incident response: we target detection of qualifying security incidents within one (1) hour and notification of affected covered entities within twenty-four (24) hours of confirmation, which is materially faster than the HIPAA Breach Notification Rule requires.
• SOC 2 compliance: Mediyn undergoes regular SOC 2 Type II audits to verify that our security controls meet or exceed industry standards.
• Penetration testing and responsible disclosure: we conduct regular third-party penetration testing and operate a bug-bounty program for responsible vulnerability disclosure.

For a detailed overview of our security practices and architecture, visit our Security & Trust Center.

10. Your State Privacy Rights

Depending on where you live, you may have additional rights with respect to your personal information. Note that PHI processed pursuant to HIPAA is generally exempt from state consumer privacy laws — your HIPAA rights, described in Section 7.3, continue to apply to that information.

10.1 California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides you with the following rights over your non-PHI personal information:

• Right to know the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete personal information we have collected from you, subject to certain exceptions.
• Right to correct inaccurate personal information we maintain about you.
• Right to opt out of sale or sharing. Mediyn does not sell personal information and does not share personal information for cross-context behavioral advertising. Because we do not engage in either, there is nothing to opt out of.
• Right to limit use of sensitive personal information to purposes necessary to provide the Services.
• Right to non-discrimination for exercising any of your CCPA/CPRA rights.

10.2 Washington Residents (My Health My Data Act)

Washington residents have rights with respect to “consumer health data” as defined under the My Health My Data Act, including the right to confirm whether we collect such data, to access it, to have it deleted, and to withdraw consent for collection or sharing. Mediyn does not sell consumer health data. To exercise these rights, contact us as described below.

10.3 Other States

Residents of other states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, and Oregon) may have rights to access, correct, delete, or port their personal information, and to opt out of certain processing activities. We honor these rights where applicable.

To exercise any of these rights, please contact us at privacy@mediyn.com or submit a request through our contact page. We will verify your identity before processing your request and will respond within the timeframes required by applicable law (typically 45 days).

11. International Data Transfers

Mediyn's Services are hosted in the United States. If you access the Services from outside the United States, information we collect will be transferred to, stored, and processed in the United States and other jurisdictions where our sub-processors operate. By using the Services, you consent to such transfer and processing. Where required by applicable law, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to protect personal information transferred across borders.

12. Children's Privacy

Mediyn's Services are designed for use by licensed mental health professionals and are not directed at children under the age of 13. We do not knowingly collect personal information directly from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information promptly.

We recognize that therapists commonly treat minor patients. In those cases, the clinician (as the covered entity) is responsible for obtaining appropriate consents and authorizations in accordance with HIPAA, state law, and their professional obligations. Mediyn processes PHI related to minor patients in the same manner as all other PHI, subject to the terms of the BAA and this Privacy Policy. Our on-device processing architecture provides the same privacy protections for all patients regardless of age.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

• Sending a notification to the email address associated with your account
• Displaying a prominent notice within the Mediyn application
• Updating the “Last Updated” date at the top of this page

Your continued use of the Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of the Services and contact us to discuss your options, including account deletion and data export.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

• Email: privacy@mediyn.com
• Contact form: mediyn.com/contact

For HIPAA-related inquiries, including requests related to patient rights, breach notifications, or sub-processor lists, please email privacy@mediyn.com with “HIPAA Inquiry” in the subject line. We will respond to all privacy-related inquiries within thirty (30) business days.