MediWing

Privacy Policy

Last Updated: January 3, 2026

Your privacy matters to us. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your personal data.

In short: We only collect what's necessary to provide our service, we protect your data with industry-standard security, and you have full control over your information.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address (required for login and notifications)
  • Name (to personalize your experience)
  • Password (stored only as an industry-standard bcrypt hash, never in plaintext)

Medical Documents

When you upload documents, we store:

  • Document files (PDFs, images of lab results, medical reports)
  • Extracted text from documents
  • AI-generated interpretations and analysis
  • Upload timestamps

Payment Information

We use Stripe to process payments. We do NOT store your credit card details. Stripe collects:

  • Credit/debit card information (stored securely by Stripe, not us)
  • Billing address
  • Transaction history

Usage Data

To improve our service, we collect:

  • Number of uploads and analyses
  • Document types processed
  • Feature usage patterns
  • Error logs (to fix bugs)

Technical Data

Standard web data collected automatically:

  • IP address (for security and rate limiting)
  • Browser type and version
  • Device information
  • Access times

2. How We Use Your Information

We use your data to:

  • Provide our service: Process documents, generate AI interpretations
  • Improve accuracy: Refine our AI models (with anonymized data)
  • Communicate with you: Send account notifications, analysis results, support responses
  • Process payments: Handle subscriptions and billing (via Stripe)
  • Ensure security: Prevent fraud, abuse, and unauthorized access
  • Comply with laws: Meet legal obligations (GDPR, CCPA, etc.)

We NEVER sell your personal information to third parties.

3. Third-Party Services We Use

🤖 Anthropic (Claude AI)

Purpose: Powers AI interpretations of medical documents

Data Shared: Extracted text from your documents (anonymized when possible)

Privacy: Anthropic Privacy Policy

💳 Stripe

Purpose: Secure payment processing

Data Shared: Payment information, billing address

Note: We never see or store your credit card details

Privacy: Stripe Privacy Policy

🗄️ Supabase

Purpose: Database and file storage

Data Shared: Account info, documents, analysis results

Security: Encrypted at rest and in transit

Privacy: Supabase Privacy Policy

📧 Email Service (Production)

Purpose: Send verification emails, password resets, notifications

Data Shared: Email address, name

Provider: Resend, SendGrid, or AWS SES (TBD in production)

4. How We Protect Your Data

We implement industry-standard security measures:

  • Encryption: All data encrypted in transit (HTTPS/TLS) and at rest
  • Password Security: Passwords hashed with bcrypt (cost factor 12)
  • Access Control: Role-based permissions; you can only access your own data
  • Rate Limiting: Protection against brute force attacks
  • Regular Backups: Automated backups to prevent data loss
  • Security Headers: CSP, HSTS, and other protections
  • Monitoring: 24/7 security monitoring and alerts

Important: No security system is 100% foolproof. While we do our best to protect your data, we cannot guarantee absolute security. Use strong, unique passwords and enable two-factor authentication when available.

5. Your Rights & Choices

✓ Access Your Data

You can view all your documents and analysis results in your dashboard anytime.

✓ Download Your Data

Request a complete export of your data by contacting privacy@mediwing.com. We'll provide it in a portable format within 30 days.

✓ Delete Your Data

You can permanently delete your account and all associated data through Settings → Delete Account. This action is irreversible and complies with GDPR "Right to be Forgotten."

✓ Correct Your Data

Update your name or email in account settings. Contact support for other corrections.

✓ Opt Out of Communications

Unsubscribe from marketing emails via the link in any email. Note: We'll still send essential account notifications (password resets, security alerts).

6. How Long We Keep Your Data

We retain your data only as long as necessary:

  • Active accounts: Data kept while your account is active
  • Deleted accounts: Permanently deleted within 30 days
  • Legal requirements: Some data retained for tax/legal compliance (typically 7 years)
  • Anonymized analytics: May be retained indefinitely for service improvement

7. HIPAA Notice

MediWing is NOT a HIPAA-covered entity.

We are not a healthcare provider, health plan, or healthcare clearinghouse. Therefore, we do not operate under HIPAA (Health Insurance Portability and Accountability Act) regulations.

When you upload medical documents to MediWing, you are voluntarily sharing your health information with us for educational purposes. While we implement strong security measures, we do not provide HIPAA-compliant services.

If you require HIPAA-compliant medical services, please use your healthcare provider's patient portal instead.

8. Children's Privacy

MediWing is not intended for children under 18. We do not knowingly collect information from minors.

If you're under 18, please ask a parent or guardian to create an account for you.

If we discover we've collected data from a child under 18, we'll delete it immediately. Contact us at privacy@mediwing.com if you believe this has occurred.

9. International Users

MediWing is based in the United States. Your data may be transferred to and processed in the US or other countries where our service providers operate.

For EU/UK users: We comply with GDPR requirements, including lawful data transfer mechanisms.

For California users: We comply with CCPA (California Consumer Privacy Act). You have additional rights under CCPA; contact us for details.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We'll notify you of significant changes via email or in-app notification at least 30 days before they take effect.

The "Last Updated" date at the top shows when changes were made.

Continued use after changes indicates acceptance of the new policy.

11. Contact Us About Privacy

Questions, concerns, or requests about your privacy?

Privacy Team

Email: privacy@mediwing.com

General Support: support@mediwing.com

We respond to privacy requests within 30 days.

Privacy in Plain English

✓ We collect only what's needed to provide our service

✓ We NEVER sell your data to third parties

✓ We use Stripe for payments (we don't store credit cards)

✓ We use Anthropic Claude AI to interpret your documents

✓ Your data is encrypted and protected

✓ You can download or delete your data anytime

✓ We're NOT a HIPAA-covered entity

✓ We comply with GDPR and CCPA