1. Scope, Applicability, and HIPAA Statement
This Privacy Policy describes how Medlytica (“we,” “us,” or “our”) collects, uses, and discloses personal information. This policy applies to:
- Site Visitors: Anyone browsing medlytica.net or interacting with our marketing content.
- Prospects: Individuals who submit information via our waitlist, contact forms, or the Helios case study intake.
- Platform Users: Employees and contractors of Medlytica customers who access our public-facing web application.
HIPAA / PHI Notice. This public-facing application and marketing site are not intended for the collection, processing, or storage of Protected Health Information (PHI) as defined by HIPAA. Where Medlytica processes PHI on behalf of a covered-entity customer through a separate product or service offering, that processing is governed by a Business Associate Agreement between Medlytica and the customer.
2. Categories of Information We Collect
2.1 Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, IP address, and unique device identifiers.
- Customer Records: Practice name and professional contact details.
- Commercial Information: Professional interests and services of interest (e.g., Vault, Consulting, AI Practice Integration) collected via our waitlist and intake forms.
- Internet/Network Activity: Information regarding your interaction with our website, browser type, operating system, and access times.
- Professional/Employment Information: Job title, department, and employer (customer) name.
2.2 Sensitive Personal Information
We collect account log-in credentials (username and password), which are classified as Sensitive Personal Information under the California Privacy Rights Act (Cal. Civ. Code § 1798.140(ae)). We collect and use this information solely for the purpose of authenticating your identity and providing access to your account, consistent with the limitation in Cal. Civ. Code § 1798.121(d). We do not use or disclose this sensitive personal information for any other purpose.
We do not knowingly collect other categories of sensitive personal information (such as Social Security numbers, precise geolocation, or health information) via the public site or waitlist.
3. How We Use Your Information
We use the categories of information listed above for the following business and commercial purposes:
- Service Delivery: To provide, maintain, and secure the Medlytica platform.
- Authentication: To verify user identity and manage account access.
- Product Improvement: To diagnose product issues, debug errors, and improve the user experience.
- Communications: To notify users about product launches, technical updates, and security alerts. Marketing communications are sent only to users who have opted in.
- Security and Fraud Prevention: To detect, protect against, and investigate security incidents or fraudulent activity.
- Legal Compliance: To comply with applicable laws and regulations, including the CCPA/CPRA and other applicable privacy laws.
4. Disclosure of Your Information
No Sale of Personal Information. We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising as defined under CPRA.
We disclose information to the following categories of third parties for business purposes:
- Service Providers: Cloud hosting and infrastructure providers, analytics vendors, and email-delivery providers who perform services on our behalf under written agreements that prohibit them from using your information for any other purpose.
- Affiliates: Our parent company, Bastide Holdings, for centralized administrative purposes consistent with this policy.
- Legal Compliance Recipients: Government authorities, regulators, or other parties when required by applicable law, court order, or other legal process, or as we believe in good faith is necessary to protect our rights, property, or safety, or that of others.
- Business Successors: A buyer or successor in connection with a merger, acquisition, sale of assets, or similar business transaction, subject to confidentiality obligations and continued application of this policy.
5. Cookies and Tracking Technologies
We use essential cookies (for site security and CSRF protection), session cookies (to manage user sessions), and analytics cookies (to understand how visitors use our website). You may control cookies through your browser settings, though disabling certain cookies may affect site functionality.
Global Privacy Control (GPC). We honor GPC signals. If your browser transmits a GPC signal, we treat it as a request to opt out of any “sale” or “sharing” of personal information for cross-context behavioral advertising as those terms are defined under CPRA.
6. Children’s Privacy
The Service is intended for professional use by employees and contractors of healthcare entities and is not directed to children. We do not knowingly collect, sell, or share personal information from individuals under the age of 16. If we learn that we have collected personal information from an individual under 16 without the legally required consent, we will delete that information.
7. Your California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights regarding your personal information:
- Right to Know / Access: Request to know the categories and specific pieces of personal information we have collected, the sources of the information, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: Request the deletion of personal information we have collected from you, subject to legal exceptions.
- Right to Correct: Request the correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: Although we do not sell personal information or share it for cross-context behavioral advertising, you have the right to opt out should we ever engage in such practices.
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information to the purposes specified in Cal. Civ. Code § 1798.121(a).
- Right to Data Portability: Receive a copy of your personal information in a portable, readily usable format.
- Right to Non-Discrimination: Exercise these rights without discriminatory treatment.
Verification. To protect your privacy, we will verify your identity (typically via confirmation to your registered email) before fulfilling requests. The verification we require depends on the sensitivity of the information requested.
Authorized Agents. You may designate an authorized agent to make a request on your behalf if the agent provides written proof of authorization (such as a power of attorney or signed designation). We may verify your identity directly even when an agent submits the request.
Response Time. We acknowledge requests within 10 business days and respond substantively within 45 calendar days. We may extend the response period by an additional 45 days for complex requests, with notice to you.
To exercise these rights, please contact us using the information in Section 9.
8. Retention and Material Changes
Retention. We retain personal information for the period necessary to fulfill the business and commercial purposes outlined in Section 3, unless a longer period is required for legal, employment, or tax compliance.
Material Changes. We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the “Last Updated” date at the top of this policy and, where appropriate, by posting a prominent notice on our homepage at least 30 days prior to the change taking effect.
9. Contact Information
For privacy inquiries or to exercise your privacy rights, please contact:
Medlytica
Attn: Privacy Department
873 Santa Cruz Avenue, Suite 202
Menlo Park, CA 94025
Email: privacy@medlytica.net