📋 Introduction

MedConnect Pro ("we", "our", "the Platform") operates a multi-tenant telehealth platform and an optional e-commerce storefront add-on. This Privacy Policy applies to all services provided through the MedConnect Pro platform, including the Storefront e-commerce system where applicable.

By using our services, you agree to the collection and use of information as described in this policy. If you are a healthcare provider or practice using our platform to treat patients, please refer to our HIPAA Compliance page and Business Associate Agreement for additional obligations.

📥 Information We Collect

Platform Users (Providers, Staff, Administrators)

  • Name, email address, phone number
  • Professional credentials and license information (providers)
  • Login credentials (encrypted)
  • Activity logs and access records

Patients

  • Name, date of birth, contact information
  • Medical intake form responses
  • Consultation records and provider notes
  • Prescription history
  • Identity verification documents (temporarily stored, auto-deleted after 90 days)

Storefront Customers

  • Name, email address, phone number
  • Shipping and billing addresses
  • Order history and transaction records
  • Subscription details (plan, renewal dates, status)
  • Payment information (securely processed — raw card numbers are never stored on our servers)

Website Visitors

  • Browser type, IP address, pages visited
  • Referring URL and search terms
  • Contact form submissions

🔧 How We Use Your Information

  • Service Delivery: To provide telehealth consultations, e-prescribing, patient management, and e-commerce services
  • Account Management: To manage your account, process payments, and communicate about your subscription
  • Compliance: To comply with HIPAA, state regulations, and legal obligations
  • Security: To detect and prevent fraud, unauthorized access, and security threats
  • Improvement: To improve our platform features, performance, and user experience
  • Communication: To send service-related notifications, updates, and support responses

🔐 How We Protect Your Information

  • Encryption: AES-256 encryption at rest, TLS 1.2+ in transit, HSTS with preload
  • Access Control: Role-based access with two-factor authentication and session timeout
  • Audit Logging: All data access logged with PHI-safe sanitization
  • Tenant Isolation: Multi-tenant data isolation prevents cross-tenant data access
  • Input Sanitization: All input sanitized to prevent XSS and injection attacks
  • Regular Assessment: Periodic security assessments and vulnerability testing

📊 Cookies & Session Data

We use cookies and session data to provide platform functionality:

  • Session Cookies: Required for authentication and maintaining your login state
  • CSRF Tokens: Required for form security and preventing cross-site request forgery
  • Preferences: To remember your display preferences and settings

For the Storefront, additional session data is used for:

  • Shopping cart contents
  • Customer authentication state
  • Recently viewed products

We do not use third-party advertising cookies. Session data is automatically purged after 90 days of inactivity.

🤝 Information Sharing

We do not sell, rent, or trade your personal information. We share information only in the following circumstances:

  • Service Providers: With contracted service providers who assist in platform operations (e.g., DoseSpot for e-prescribing), under appropriate agreements
  • Healthcare Providers: Patient information is shared with the healthcare providers assigned to your consultation, as part of care delivery
  • Legal Requirements: When required by law, regulation, legal process, or enforceable governmental request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate safeguards

🗑 Data Retention

  • Patient Health Information: Retained for a minimum of 7 years from last patient encounter per HIPAA requirements
  • Audit Logs: Retained for a minimum of 6 years
  • ID Verification Photos: Automatically deleted after 90 days
  • Storefront Order Data: Retained for the duration of the customer relationship plus applicable tax and legal retention periods
  • Session Data: Purged after 90 days of inactivity
  • Account Data: Retained until account deletion is requested, subject to legal retention requirements

⚖️ Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of your personal information
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your information (subject to legal retention requirements)
  • Data Export: Request a portable copy of your data
  • Restriction: Request restriction of certain processing activities

To exercise these rights, contact us at privacy@medconnectpro.com. We will respond within 30 days.

📝 Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice on our platform. Continued use of our services after changes constitutes acceptance of the updated policy.

📧 Contact Us

For privacy-related questions or concerns:

Privacy Team: privacy@medconnectpro.com

Last updated: April 2026