Welcome to MediBridgeX. We are committed to protecting the privacy and security of your data. As a healthcare interoperability platform, we operate under the strictest standards of data protection, including HIPAA compliance. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (medibridgex.io) or use our application and services.
1. Information We Collect
We collect information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or organization.
- Account Information: Name, email address, job title, role, hospital/organization name, and password.
- System & Usage Data: API keys, webhook endpoints, and metadata regarding the volume and routing of HL7 and FHIR messages.
- Protected Health Information (PHI): As an interoperability platform, we process PHI (such as patient demographics, clinical records, and billing data) strictly on behalf of our clients. We only process this data as outlined in our Business Associate Agreements (BAAs).
2. How We Use Your Information
We use the information we collect primarily to provide, maintain, and improve our interoperability services.
- To Provide Services: Routing HL7 messages, performing FHIR conversions, and authenticating user access.
- For Security: Detecting and preventing unauthorized access, data breaches, or fraudulent activity.
- Aggregated Telemetry (Non-PHI): We collect aggregated, anonymized telemetry data (e.g., message throughput rates, API latency) to improve our platform. This system data never contains PHI and cannot be reverse-engineered to identify individuals or organizations.
3. HIPAA & Healthcare Compliance (BAA)
For our healthcare clients in the United States, MediBridgeX acts as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA).
- All processing of PHI is strictly governed by a mutually executed Business Associate Agreement (BAA).
- MediBridgeX does not use PHI for marketing, advertising, or any purpose other than providing the interoperability services contracted by the covered entity.
4. AI and Machine Learning Policy
MediBridgeX does not use your Protected Health Information (PHI) to train, fine-tune, or develop artificial intelligence, large language models (LLMs), or machine learning algorithms without explicit, separate written consent and rigorous de-identification protocols.
5. Data Security, Encryption & Residency
The security of your data is our highest priority.
- Encryption: All data is encrypted in transit (using TLS 1.3+) and at rest (using AES-256).
- Access Control: We employ strict Role-Based Access Control (RBAC) and comprehensive audit logging.
- Data Residency: All data processed for United States clients remains exclusively within US-based, highly available data centers to ensure strict data sovereignty.
6. Incident Response & Breach Notification
In the highly unlikely event of a security incident or data breach, MediBridgeX commits to notifying your designated security contacts within 24 hours of discovery, in full compliance with the HIPAA Breach Notification Rule and our overarching Service Level Agreements (SLAs).
7. Sharing and Disclosure (Sub-processors)
We do not sell your personal information or PHI. We utilize enterprise-grade cloud infrastructure providers (e.g., AWS) to host our services. All sub-processors are contractually bound to protect your data and have signed a BAA with us. We maintain a public list of all active sub-processors and will notify clients 30 days prior to introducing any new sub-processor.
8. Vulnerability Disclosure
We take security seriously. If you are a security researcher and have discovered a vulnerability in our platform, please report it immediately to security@medibridgex.io. We provide safe harbor for responsible disclosure.
9. Your Data Rights
- Account Users: You have the right to access, update, or delete your personal developer/admin account information.
- Patient Records: If you are a patient seeking to access or delete your medical records, you must contact your healthcare provider (the Data Controller) directly. MediBridgeX cannot delete or modify patient records directly without authorization from the hospital.
10. Contact Us
If you have questions or comments about this Privacy Policy, please contact our Data Protection Officer at:
- Email: privacy@medibridgex.io
- Address: [Your Company Address]