1. Introduction

Nemedic, Inc. (“Nemedic”, “we”, “us”) operates useBlue.ai, Visit, DocFinderPro, and marketing.nemedic.com (the “Services”). This Privacy Policy explains how we collect, use, disclose, and safeguard information across the Services.

Where the Services process patient information, including PHI, on behalf of a healthcare practice or other Covered Entity, Nemedic acts as a Business Associate under the applicable BAA. The Covered Entity remains responsible for patient privacy notices and HIPAA compliance obligations. See Section 11 for additional information regarding PHI processing.

2. Scope and Product-Specific Notices

This policy applies to all Products. A Product may have an additional notice or supplement; where it does, the supplement controls for that Product to the extent of any conflict.

3. Information We Collect

  • Account Information — name, email, phone number, and authentication credentials, collected through our identity provider.
  • Customer Content — messages, documents, files, and other content you submit or generate, which for some Products may include patient data or PHI (see Section 11).
  • Files and Documents — uploaded files, and text extracted from them via automated optical character recognition, so their contents can be used within the Services.
  • Usage Data — pages visited, features used, timestamps, and similar interaction data.
  • Device and Cookie Data — IP address, browser/user-agent, and identifiers set via cookies and similar technologies (see Section 6).
  • Payment Information — handled by our third-party payment processor; we do not store full card details.
  • Communications — records of your communications with us (e.g., support requests).

4. How We Use Information

  • provide, maintain, secure, and improve the Services;
  • process transactions and manage subscriptions;
  • send service-related communications;
  • analyze usage to improve the Services;
  • comply with legal obligations and enforce our terms;
  • protect against unauthorized access, fraud, and abuse.

Where PHI is processed, Nemedic seeks to limit access, use, disclosure, and processing to the minimum information reasonably necessary to provide the requested services, consistent with applicable legal requirements and operational needs.

5. AI Processing

Some Products use third-party artificial intelligence and document-processing providers to generate responses, analyze documents, and power AI features. To deliver these features, Customer Content you submit is transmitted to and processed by those providers on our behalf.

AI and document-processing providers engaged by Nemedic act as service providers or subprocessors under contractual obligations governing confidentiality, security, and data use restrictions. Where PHI is processed through AI-enabled features, Nemedic seeks to ensure that applicable providers are subject to contractual requirements supporting HIPAA-compliant processing and restricting use of customer content except as necessary to provide contracted services.

6. Cookies and Analytics

Nemedic uses cookies, pixels, local storage, and similar technologies (“Cookies”) to operate, secure, and improve the Services.

We use essential Cookies to enable core functionality, including user authentication, session management, security, fraud prevention, and load balancing. These Cookies are necessary for the operation of the Services and generally cannot be disabled without affecting functionality.

We may also use analytics technologies to understand how visitors and customers interact with our websites and Services, improve performance, develop new features, troubleshoot technical issues, measure product usage, and enhance the overall user experience. Analytics information is generally collected in aggregated or de-identified form where reasonably practicable.

Where required by applicable law, we will obtain any required consent before using non-essential Cookies or similar technologies. Users may manage certain Cookie preferences through their browser settings or other mechanisms made available through the Services.

Certain Products may offer marketing analytics, advertising attribution, or conversion measurement features. These features are intended to operate using information that is not Protected Health Information (“PHI”). Nemedic does not knowingly disclose PHI to advertising or analytics platforms in connection with these services. Customers remain responsible for determining whether their implementation and use of such features complies with applicable law and for obtaining any required notices, authorizations, or consents.

Additional information regarding the Cookies and analytics technologies currently used by Nemedic, including available user choices and opt-out mechanisms where applicable, may be provided in our Cookie Notice or on our website.

7. How We Share Information

We do not sell your personal information. We may share information with:

  • Sub-processors and Service Providers — third parties that help us operate the Services (cloud infrastructure and hosting, authentication, file storage, AI and document processing, payment processing, and email/messaging), each bound by confidentiality and data-protection obligations. We identify our current sub-processors to Customers under the applicable BAA / Data Processing Agreement. All subprocessors that receive, store, transmit, or process customer information on our behalf are subject to contractual confidentiality, privacy, security, and data protection obligations appropriate to the services they perform. Where PHI is involved, applicable subcontractors are required to comply with obligations substantially similar to those imposed on Nemedic under applicable Business Associate Agreements and HIPAA requirements.
  • Legal Requirements — when required by law, subpoena, or government request.
  • Business Transfers — in connection with a merger, acquisition, or sale of assets.
  • Marketing Use — certain products may provide marketing, advertising, analytics, attribution, call-tracking, conversion measurement, or audience measurement features. These services are intended to operate using information that is not PHI and are separate from HIPAA-governed healthcare service functionality. Customers remain responsible for determining whether their implementation and use of such technologies complies with applicable legal requirements and for obtaining any required notices, consents, authorizations, or permissions. Nemedic does not knowingly disclose PHI to advertising or analytics platforms in connection with such services.

8. Data Retention

We retain information for as long as your account is active or as needed to provide the Services. On account deletion, we remove personal data within a commercially reasonable period, except where retention is required by law or for legitimate business purposes, and except as governed by an applicable BAA.

9. Data Security

Nemedic maintains administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of information processed through the Services. These measures may include:

  • encryption of data in transit and at rest where supported;
  • role-based access controls;
  • workforce access management and training;
  • audit logging and monitoring;
  • vulnerability management and security review processes;
  • multi-factor authentication support;
  • backup and disaster recovery measures;
  • vendor and subprocessor security assessments.

We regularly review and update our security controls in light of evolving threats, technologies, and regulatory requirements. No security system can guarantee absolute protection against all threats, and users should maintain appropriate security practices when using the Services.

If Nemedic becomes aware of a confirmed security incident, breach, or unauthorized disclosure affecting personal information or PHI, we will respond in accordance with applicable law and contractual obligations, including applicable HIPAA breach notification requirements where PHI is involved.

10. Your Privacy Rights

Depending on your jurisdiction and applicable law, you may have the right to request access to, correction of, deletion of, or portability of your personal information, to restrict or object to certain processing activities, to withdraw consent where processing is based on consent, and to opt out of certain uses or disclosures of personal information, including where required by applicable law.

To exercise your privacy rights or submit a privacy-related inquiry, please contact Nemedic at security@nemedic.com. We may request additional information to verify your identity before processing your request. We will respond in accordance with applicable law and will not discriminate against you for exercising your privacy rights.

These rights generally do not apply to Protected Health Information (“PHI”) that Nemedic processes solely on behalf of a healthcare provider or other Covered Entity as a Business Associate under HIPAA. Requests relating to PHI should be directed to the applicable healthcare provider or Covered Entity, whose Notice of Privacy Practices governs the use and disclosure of that information.

Residents of certain jurisdictions may have additional rights under applicable privacy laws. Where required, Nemedic will provide any legally required notices, consent mechanisms, or opt-out options, including with respect to cookies, analytics technologies, or other data-sharing practices.

11. Health Information (PHI)

When processing PHI on behalf of a Covered Entity, Nemedic acts as a Business Associate under HIPAA and applicable law. The Covered Entity remains responsible for determining the purposes and means of processing PHI and for providing any required patient notices, authorizations, consents, and privacy disclosures. Nemedic processes PHI only as permitted by applicable agreements, including Business Associate Agreements, Healthcare Services Supplements, and applicable law.

Nemedic may engage subcontractors and service providers to assist in providing the Services. Where such providers process PHI on Nemedic’s behalf, Nemedic requires them to be bound by contractual privacy, confidentiality, and security obligations consistent with applicable legal requirements.

Nemedic does not sell PHI and does not use PHI for advertising, marketing, or fundraising purposes except as expressly permitted by applicable law and authorized agreements.

Nemedic does not knowingly disclose PHI to advertising, analytics, attribution, or marketing platforms. Any marketing, analytics, or conversion measurement services offered by Nemedic are intended to operate using information that is not PHI and remain subject to applicable customer configuration and legal compliance requirements.

As between Nemedic and a healthcare practice, PHI remains under the control of the healthcare practice. Nemedic does not acquire ownership rights in PHI solely by providing the Services.

Nemedic seeks to limit access to, use of, and disclosure of PHI to the minimum necessary to provide the Services, comply with legal obligations, and fulfill authorized business purposes.

Nemedic implements administrative, physical, and technical safeguards designed to protect PHI in accordance with applicable HIPAA Security Rule requirements and contractual obligations.

For useBlue and Visit, PHI is processed on behalf of healthcare practices under a BAA and the Healthcare Services Supplement. In that context, the practice — not Nemedic — determines the purposes and means of processing PHI and remains responsible for HIPAA compliance obligations applicable to Covered Entities.

Nemedic’s processing of PHI is governed by applicable Business Associate Agreements and may be subject to HIPAA, HITECH, state medical privacy laws, breach notification laws, and other applicable healthcare privacy and security requirements. Where a conflict exists between this Privacy Policy and an applicable Business Associate Agreement regarding PHI, the Business Associate Agreement will control.

12. Children’s Privacy

The Services are not intended for individuals under 18, and we do not knowingly collect their personal information.

13. Changes to This Policy

We may update this policy and will notify you of material changes via the Services or email. Continued use after changes take effect constitutes acceptance.

14. Contact

Nemedic, Inc. — security@nemedic.com