Medula Health, Inc.

Privacy Policy

Last Updated: September 1, 2025

This Privacy Policy explains how Medula Health, Inc. ("Medula Health," "we," or "us") collects, uses, and discloses information when you access or use our websites, software integrations, and other online products and services that link to this Privacy Policy (collectively, the "Service"), contact our customer service team, engage with us on social media, or otherwise interact with us.

We may change this Privacy Policy from time to time. If we make changes, we will update the "Last Updated" date at the top of this policy and, where appropriate, provide additional notice (such as posting an update on our homepage or sending a notification). We encourage you to review this Privacy Policy whenever you interact with us to stay informed about our practices.

Collection of Information
Use of Information
Sharing of Information
Analytics
Data Retention
Transfer of Information to the United States and Other Countries
Your Choices
Your California Privacy Rights
Additional Disclosures for Individuals in Europe
Contact Us

Collection of Information

Information You Provide to Us

Currently, Medula Health works primarily with healthcare providers and organizations. We do not collect data directly from patients through the Service. However, if we introduce patient-facing features in the future, we may collect information that you provide directly to us. Examples include when you create an account, complete a form, request support, communicate with your healthcare provider through the Service, or otherwise engage with us.

Name and contact details (such as email address, postal address, and phone number)
Healthcare information you choose to provide or access via the Service (such as medical history, conditions, symptoms, medications, diagnostic information, or appointments)
Any other information you choose to share with us

Protections Applicable to Your Information. Medula Health is not itself a healthcare provider or Covered Entity under HIPAA. However, we may act as a Business Associate to Covered Entities and are therefore subject to HIPAA requirements regarding the safeguarding of protected health information ("PHI"). Where required, Medula Health enters into a Business Associate Agreement with each Covered Entity that uses our Service.

Automatically Collected Information

When you access or use our Service, we automatically collect information such as:

Activity Information: Pages visited, features used, and actions taken within the Service.
Log Information: Browser type, app version, access times, IP address, and referring pages.
Device Information: Hardware model, operating system/version, device identifiers, and network data.
Cookies and Tracking Technologies: We and our partners use cookies, pixels, and similar tools to improve functionality, analyze use, and support security.

Information from Other Sources

We may receive information about you from healthcare providers, business partners, or publicly available sources, and combine that with data we collect directly.

Use of Information

Provide, maintain, and improve our Service
Support provider workflows and clinical operations
Personalize and improve user experience
Communicate with you about updates, security alerts, or administrative matters
Monitor usage trends and improve Service functionality
Detect, investigate, and prevent fraud or misuse
Comply with legal, regulatory, and contractual obligations
Carry out any other purpose described at the time of collection

Sharing of Information

With Providers: At the direction of Covered Entities or authorized users, including sharing PHI as permitted under HIPAA.
With Service Providers: Vendors, consultants, and advisors who perform services on our behalf.
For Legal Purposes: To comply with applicable law, legal processes, or government requests.
In Business Transfers: In connection with mergers, financing, acquisitions, or similar transactions.
With Affiliates: Among Medula Health affiliates and subsidiaries.
With Consent: As otherwise directed or authorized by you or your healthcare provider.
Aggregated/De-Identified Data: We may share de-identified or aggregated information that cannot reasonably be used to identify you.

Analytics

We may engage third-party analytics providers to collect data about Service usage to help us understand performance, security, and user behavior.

Data Retention

We retain information as long as necessary for the purposes for which it was collected, including to comply with legal and contractual obligations.

Transfer of Information to the United States and Other Countries

Medula Health is based in the United States. Information collected is processed and stored in the United States, and may be transferred to other jurisdictions where we or our vendors operate.

Your Choices

Account Information: You may update or correct your information by contacting us at privacy@medulahealth.com.
Cookies: You may manage browser cookie preferences, though some features may not function properly without cookies.
Communications: You may opt out of promotional emails by following unsubscribe instructions. We may still send non-promotional communications related to your use of the Service.

Your California Privacy Rights

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), including the right to request information about our data practices and the right to request deletion of personal information, subject to exceptions.

Additional Disclosures for Individuals in Europe

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under applicable data protection laws, including rights to access, correct, or delete your personal data, and to object to or restrict processing.

Contact Us

If you have questions or concerns about this Privacy Policy or our practices, please contact us at:

Medula Health, Inc.
10 Audrey Ct
Tiburon, CA 94920
privacy@medulahealth.com