Privacy policy

Last updated: July 2025

This Privacy Policy explains how we collect, use, share, and protect your information, and the choices you have. It applies to information processed by MedAudita ("MedAudita," "we," "us," or "our") through our website at medaudita.com (the "Site"), our chart audit platform (the "Product"), and any related services (together with the Site, the "Services").

For purposes of data protection laws, MedAudita, located at 1209 Mountain Road PL NE, Ste N, Albuquerque, NM 87110, is the data controller of your information collected through the Site. With respect to information processed in the Product on behalf of our clinic customers (including any protected health information), MedAudita acts as a data processor or business associate. See Information we process on behalf of our customers below.

Scope

This Privacy Policy applies to anyone who visits our Site, contacts us, requests a demo, or otherwise interacts with our Services. It also covers information processed in our Product platform, with the distinctions described throughout this policy.

Information we collect

Information you give us

When you fill out our contact form, demo request form, or otherwise communicate with us, we collect information you provide directly, including:

  • Your name and role
  • Email address and phone number
  • The clinic or organization you represent, its website, location, and practice type
  • Information about your clinic's EMR, provider count, encounter volume, payer mix, and current chart audit process
  • Free-form messages, comments, and any other information you choose to share

Information collected automatically when you visit the Site

When you visit the Site, we and our service providers may automatically collect certain information, including:

  • Your IP address, approximate location, browser type and version, device type and operating system, and language preferences
  • Referring URL, pages viewed, links clicked, time spent on pages, and other usage information
  • Cookie identifiers and similar technologies

We do not use third-party advertising or behavioral tracking cookies on the Site.

Information processed in the Product on behalf of our customers

When clinics use our Product, we process chart data and related records on their behalf. This may include protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). MedAudita processes such information strictly as a business associate of the clinic under a written Business Associate Agreement (BAA), and only as needed to provide the Services.

How we use your information

To provide and improve our Services, we use information to:

  • Respond to your inquiries, requests for information, and customer support questions
  • Evaluate fit, schedule, and conduct demo calls
  • Operate, maintain, secure, and improve the Site and Product
  • Develop new features, conduct internal quality control, and perform research and analytics
  • Detect and prevent fraud, security incidents, and prohibited or illegal activity
  • Communicate with you about your inquiries, the Services, policy changes, and other administrative matters
  • Comply with applicable law, regulation, legal process, or governmental request
  • Enforce our terms and any other agreements with you

De-identified and aggregated information

We may de-identify or aggregate information we collect so that it no longer reasonably identifies you, and use it for any lawful purpose, including research, analytics, and improving the Services. De-identified and aggregated information is not personal information.

Legal bases for using your information

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that requires us to state a legal basis for processing personal information, our legal bases are:

  • Contract. We process your information to perform a contract with you or to take steps at your request before entering into one (for example, responding to a demo request).
  • Consent. Where required, we process information based on your express or implied consent, which you may withdraw at any time.
  • Legitimate interests. We process information when it is in our legitimate interest to do so and not overridden by your rights — for example, to operate and secure the Site, to communicate with prospective customers, and to prevent fraud.
  • Legal obligation. We process information where we must do so to comply with applicable law.

How we share your information

Service providers

We share information with vendors and service providers that help us operate the Services, including hosting, analytics, form processing, scheduling, and email delivery. These providers are permitted to use your information only to perform services for us. The third-party services we currently use are described in Third-party services below.

Legal and safety disclosures

We may disclose your information when we believe disclosure is required or appropriate to comply with law, a court order, a subpoena, or other legal process; to respond to lawful requests by public authorities; to enforce our agreements; to protect the rights, property, or safety of MedAudita, our customers, or others; or to investigate or prevent suspected fraud or illegal activity.

Business transfers

If MedAudita is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of its assets, your information may be transferred as part of that transaction, subject to the protections of this Privacy Policy.

What we do not do

We do not sell your personal information. We do not share your personal information with third parties for their own direct marketing purposes. We do not allow third-party advertising or behavioral tracking on the Site.

Information we process on behalf of our customers

Our clinic customers use the Product to process information about their patients, providers, and operations. This information may include PHI. With respect to this information, MedAudita acts as a data processor and HIPAA business associate, not as a data controller. We process this information only:

  • In accordance with the clinic's written instructions and our BAA with that clinic
  • To provide and support the Services the clinic has engaged us to perform
  • As otherwise permitted or required by applicable law

If you are an individual whose information is processed by us through a clinic's use of the Product (for example, a patient of one of our clinic customers) and you wish to exercise rights regarding your information, please contact the clinic directly. The clinic, as the data controller and HIPAA covered entity, is responsible for responding to your request. We will support our clinic customers in responding to such requests in accordance with our agreements with them.

A current list of our subprocessors is available on request from info@medaudita.com.

Protected health information (PHI)

The Site itself does not collect, store, or process PHI, and we ask that you do not include PHI in messages sent to us through contact or demo request forms.

PHI is only handled within the Product, which is governed by separate HIPAA-compliant policies and the BAA between MedAudita and each clinic customer. Our PHI safeguards include:

  • Encryption of PHI in transit and at rest
  • A BAA executed with each clinic before any chart data is uploaded
  • Role-based access controls so administrators, coders, and providers each see only what they need
  • A tamper-proof audit log that records account and data activity across 29 categories at the database level
  • Ongoing security review and incident response procedures

Cookies and similar technologies

We use a minimal set of cookies and similar technologies to operate the Site, remember preferences, and understand how the Site is used. These include strictly necessary cookies and analytics cookies. We do not use third-party advertising or behavioral tracking cookies.

Most browsers let you refuse or delete cookies through their settings. If you refuse cookies, some parts of the Site may not work as intended.

"Do Not Track" signals

Our Site honors "Do Not Track" (DNT) browser signals to the extent technically feasible. Because we do not use third-party advertising or behavioral tracking, DNT signals do not significantly change how we collect information through the Site.

Your choices

Opting out of marketing communications

If you receive marketing emails from us, you may opt out at any time by following the unsubscribe link in any such email, or by contacting us at info@medaudita.com. You will continue to receive transactional and service-related communications, such as responses to your inquiries and notices about changes to our policies.

Accessing, updating, and deleting your information

You may request to access, correct, update, or delete personal information we hold about you by contacting us as described in Contact us below. We will respond to your request as required by applicable law. Some information may be retained where we have a legitimate business or legal reason to do so, such as to comply with our record-keeping obligations.

Rights for residents of the European Economic Area, United Kingdom, and Switzerland

If you reside in the EEA, the UK, or Switzerland, you have certain rights under applicable data protection laws, including:

  • The right to access personal information we hold about you and to receive a copy
  • The right to correct inaccurate or incomplete personal information
  • The right to request deletion of your personal information
  • The right to restrict or object to certain processing
  • The right to data portability
  • The right to withdraw consent where processing is based on consent
  • The right to lodge a complaint with your local data protection authority

To exercise these rights, contact us at info@medaudita.com. We may need to verify your identity before responding. Some information may be exempt from your request in certain circumstances, including where we must continue processing to comply with a legal obligation or for our legitimate interests.

Rights for California residents

If you are a California resident, you have certain rights under California law, including:

  • The right to know what personal information we collect, use, disclose, and (if applicable) sell, and the categories of sources and recipients
  • The right to request a copy of the specific pieces of personal information we have collected about you
  • The right to request deletion of personal information we have collected about you, subject to certain exceptions
  • The right to correct inaccurate personal information we hold about you
  • The right not to be discriminated against for exercising any of these rights

MedAudita does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under California law. Accordingly, we do not offer a "Do Not Sell or Share My Personal Information" link, but you may still exercise the rights above by contacting us at info@medaudita.com.

To exercise your rights, contact us as described in Contact us below. We may need to verify your identity before responding. You may also designate an authorized agent to make a request on your behalf, subject to verification.

Rights for residents of other U.S. states

Several U.S. states have enacted comprehensive privacy laws that grant residents rights similar to those described above. To the extent these laws apply to MedAudita's processing of your personal information, we will honor applicable rights. To exercise a right under an applicable state privacy law, contact us at info@medaudita.com.

Data retention

We retain personal information for as long as needed to fulfill the purposes described in this Privacy Policy, to comply with our legal and contractual obligations, to resolve disputes, and to enforce our agreements. Specifically:

  • Inquiries and form submissions: retained until your inquiry is resolved and for a reasonable period afterward for business record-keeping
  • PHI processed in the Product: retained for the period required by HIPAA, applicable state law, and our BAA with each clinic — typically at least six years from the date of creation or last use
  • Site usage and analytics data: retained according to the retention settings of our analytics providers

When information is no longer needed, we will delete or de-identify it in accordance with our internal procedures.

Security of your information

We take reasonable administrative, technical, and physical measures to protect personal information against loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. These measures include encryption of data in transit and at rest, role-based access controls, audit logging, and ongoing security review.

Despite these measures, no method of transmission over the Internet or method of electronic storage is fully secure, and we cannot guarantee absolute security. To the fullest extent permitted by applicable law, we disclaim liability for unintentional disclosure.

If we learn of a security incident affecting your personal information, we will notify you and applicable authorities to the extent required by law.

International data transfers

MedAudita is located in the United States. If you access our Services from outside the U.S., your information may be transferred to, processed, and stored in the U.S., where data protection laws may differ from those in your country. By using the Services, you acknowledge this transfer.

Children's information

The Site and Services are not directed to children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected personal information from a child, please contact us at info@medaudita.com and we will take steps to delete it.

Third-party services

The Site and Services rely on the following third-party services, each governed by its own privacy policy:

  • Vercel — hosting, analytics, and performance monitoring
  • Web3Forms — contact and demo request form processing
  • Cal.com — scheduling for demo calls (after fit review)
  • Google Tag Manager — tag management for analytics
  • Google Fonts — web fonts

We do not control how these providers process information they collect under their own privacy policies.

Links to other sites

The Site may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any information.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page and update the "Last updated" date above. Where required by law, we will provide additional notice. Your continued use of the Services after we post the updated policy constitutes your acceptance of the changes.

Definitions

Personal information means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person.

Processing means any operation performed on personal information, whether or not by automated means, including collection, recording, organization, storage, use, disclosure, transmission, restriction, erasure, or destruction.

Protected health information (PHI) has the meaning given to it in HIPAA and refers to individually identifiable health information held or transmitted by a covered entity or its business associate.

Contact us

If you have questions about this Privacy Policy or our privacy practices, contact us: