BORRADOR — Estos documentos se proporcionan con fines informativos durante nuestra beta y no han sido revisados por asesoría jurídica. No constituyen un acuerdo vinculante. Por favor, revísalos con un abogado cualificado antes de basarte en ellos.

Privacy Policy

Medna, LLC ("Medna," "we," "us," or "our")

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Medna web application and related services (the "Service"). Medna is a documentation tool for licensed mental-health professionals in the United States.

1. Who this policy covers

Medna is a business-to-business service used by therapists, clinicians, and the organizations they work for ("Customers"). This policy describes our practices as a service provider to those Customers. Where we process protected health information ("PHI") on a Customer's behalf, we act as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"), and our handling of PHI is governed by the Business Associate Agreement ("BAA") between us and the Customer.

2. Information we collect

  • Account information you provide at sign-up and onboarding: name, email address, professional license type, license state and number, NPI number, and organization details.
  • Clinical content you enter to generate documentation: session notes, transcripts, questionnaire responses, group and client records, and the progress notes we generate from them. This may include PHI.
  • Usage and technical data: log data, device and browser information, and audit records of actions taken in the Service (sign-in, record access, report generation, export, and deletion).

3. How we use information

  • To provide, maintain, and secure the Service.
  • To generate clinical documentation at your direction.
  • To maintain audit logs required for security and HIPAA compliance.
  • To communicate with you about the Service.
  • To comply with our legal obligations.

We do not sell personal information or PHI. We do not use your clinical content to train third-party foundation models.

4. Third-party processors (subprocessors)

We rely on a limited set of vendors to operate the Service, each engaged under appropriate data-protection terms (and a BAA where PHI is involved):

  • Supabase — database, authentication, and file storage (hosted in the United States).
  • Vercel — application hosting.
  • Anthropic — AI generation of clinical documentation.
  • Voyage AI — text embeddings for our knowledge base.
  • OpenAI — audio transcription (used only where audio features are enabled).

Clinical content is de-identified before it is sent to AI providers wherever technically feasible, and our agreements restrict these providers from retaining or using your data for their own purposes.

5. Data security

We use administrative, technical, and physical safeguards designed to protect your information, including encryption in transit and at rest, row-level access controls, automatic session timeout after 15 minutes of inactivity, immutable audit logging, and private storage with time-limited signed URLs for files.

6. Data retention and your rights

We retain account and clinical records for as long as your account is active and as required by law (HIPAA generally requires retention of certain records for six years). You may access, export, or request deletion of your data through the Service or by contacting us. Records are soft-deleted and removed on a defined schedule, subject to legal retention requirements.

7. Beta program

During our beta program, the Service must be used with fictitious or fully de-identified data only, unless a signed BAA is in place. Do not enter real patient information until you have confirmed that a BAA covers your use.

8. Children's privacy

The Service is intended for use by licensed professionals and is not directed to individuals under 18. We do not knowingly collect personal information directly from children.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated through the Service or by email. The "last updated" date below reflects the current version.

10. Contact

Questions about this policy may be sent to privacy@medna.io.

Última actualización: June 8, 2026