Legal

Privacy Policy

Your medical identity deserves the highest level of protection. This policy explains how MedXShield collects, uses, stores, and safeguards your personal and health information.

Effective Date: March 24, 2026 · Last Updated: March 24, 2026

1. Information We Collect

Personal Information

When you create a MedXShield account, we collect your full name, email address, phone number, date of birth, and government-issued identification for identity verification purposes.

Health & Claims Data

With your explicit consent, we retrieve health-related data through authorized third-party integrations:

  • Flexpa — Adjudicated claims, Explanations of Benefits (EOBs), insurance coverage details, and pharmacy data via CMS-mandated Patient Access APIs from 400+ payer endpoints.
  • Health Gorilla — Clinical encounters, lab results, medications, and procedure history via the national TEFCA network for Individual Access Services (IAS).

All health data is normalized to the FHIR R4 standard and stored in a HIPAA-compliant environment.

Device & Usage Data

We automatically collect device type, operating system, browser version, IP address, and usage analytics to improve service performance and security monitoring.

2. How We Use Your Information

We use the information we collect to:

  • Monitor your medical claims and health records for signs of identity theft, billing errors, and unauthorized transactions
  • Deliver real-time alerts categorized by severity (Critical, High, Medium) through push notifications, SMS, and email
  • Translate complex medical billing codes into plain language so you can understand and act on flagged records
  • Verify your identity during onboarding through government ID verification and passive liveness detection
  • Process subscription billing and manage your account
  • Improve our anomaly detection models and fraud prevention capabilities
  • Comply with legal and regulatory obligations, including HIPAA

3. HIPAA Compliance

MedXShield is designed from the ground up to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the FTC Health Breach Notification Rule.

Business Associate Agreements

We maintain BAAs with all third-party service providers that access, process, or store Protected Health Information (PHI).

PHI Protection

All PHI is tokenized before being passed to AI analysis layers. Raw PHI is never exposed to large language models or stored outside of HIPAA-compliant infrastructure.

Encryption

PHI is encrypted at rest using AES-256 and in transit using TLS 1.3. Sensitive fields such as payer OAuth tokens receive additional field-level encryption via Google Cloud KMS.

Minimum Necessary Standard

We apply the HIPAA minimum necessary standard to all data access — our systems only retrieve and process the specific data elements required for fraud detection and monitoring.

4. Data Sharing & Third Parties

We never sell your personal information or health data. Period.

We share data only with the following categories of service providers, each bound by BAAs and strict data processing agreements:

Flexpa

Claims & coverage data aggregation via payer Patient Access APIs

Health Gorilla

Clinical & EHR data retrieval via the TEFCA network

Stripe

Subscription billing and payment processing (no health data shared)

Stripe Identity

Identity verification (KYC) during onboarding

Google Cloud Platform

Infrastructure hosting, data storage, and processing within a HIPAA-compliant environment

We may also disclose information when required by law, court order, or government regulation, or to protect the rights, safety, or property of MedXShield and its users.

5. Your Rights

You have the following rights regarding your personal and health information:

Right to Access

Request a copy of all personal and health data we hold about you.

Right to Correction

Request corrections to inaccurate or incomplete personal information.

Right to Deletion

Request deletion of your account and associated data, subject to legal retention requirements.

Right to Data Portability

Receive your data in a structured, machine-readable FHIR R4 format.

Right to Opt-Out

Opt out of non-essential data processing and marketing communications at any time.

Right to File a Complaint

File a complaint with the HHS Office for Civil Rights if you believe your privacy rights have been violated.

To exercise any of these rights, contact our Privacy Team. We will respond within 30 days.

6. Data Security

We employ enterprise-grade security measures to protect your data:

Encryption

AES-256 at rest, TLS 1.3 in transit, KMS field-level encryption for sensitive tokens

VPC Service Controls

All health data processing occurs within a Google Cloud VPC security perimeter

Cloud Armor WAF

Web application firewall with OWASP CRS protection on all API endpoints

Access Controls

Role-based access control, multi-factor authentication, and audit logging on all data access

7. Data Retention & Deletion

We retain your data only as long as necessary to provide our services and comply with legal obligations:

Data Type | Retention Period
Account information | Duration of account + 30 days
Health & claims data (FHIR) | Duration of account + 90 days
Alert & dispute records | 7 years (regulatory requirement)
Billing records | 7 years (tax/audit requirement)
Audit logs | 3 years
Identity verification data | Duration of account

When you request account deletion, we initiate our automated deletion pipeline. Personal data and health records are purged within the retention windows above. A confirmation is sent once deletion is complete.

8. Children's Privacy

MedXShield is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a person under 18, we will promptly delete that information and terminate the associated account.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated policy on this page with a revised effective date
  • Notify you via email or in-app notification at least 30 days before changes take effect
  • Obtain renewed consent where required by applicable law

10. Contact Information

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, contact us:

Mailing Address

MedXShield, a division of STL Innovation, Inc.
Address on file — contact privacy@medxshield.com

HIPAA Privacy Officer

For HIPAA-related inquiries, contact our HIPAA Privacy Officer