Legal / Privacy

Privacy Policy

How Mergic protects patient data, complies with HIPAA, and secures protected health information with enterprise-grade encryption and governance.

Effective June 1, 2026

Key highlights

Built for healthcare privacy from the ground up.

No PHI for model training

Protected health information never leaves your deployment boundary and is never used to train third-party foundation models. Your data stays yours.

HIPAA compliance

Business Associate Agreement standard. Audited controls and signed BAA on request.

End-to-end encryption

AES-256 at rest, TLS 1.3 in transit. Patient data encrypted at every layer.

Data residency control

Choose VPC, on-prem, or hybrid deployment. Data never crosses your approved boundaries.

Data collection

What data we collect and why.

Protected Health Information (PHI)

When you deploy Mergic to process clinical data, we collect and process the patient data necessary to deliver our platform services, including imaging studies, genomics files, pathology slides, clinical notes, and EHR timelines. This data is processed solely within your designated deployment boundary (VPC, on-prem, or hybrid) and is governed by our Business Associate Agreement.

Mergic does not use PHI to train third-party foundation models, improve products outside your deployment, or share data across customer tenants. Your patient data remains strictly isolated and is used only for the clinical workflows you authorize.

Account and usage data

We collect account information (email, name, role, organization) to provision access, manage billing, and provide support. Usage data (query volume, modality types, deployment configurations, feature adoption) is collected in aggregated, de-identified form to improve platform reliability, performance, and feature development.

Cookies and analytics

Our marketing website uses essential cookies for authentication, session management, and basic analytics. We do not sell or share cookie data with third-party advertisers. You can control cookie preferences through your browser settings.

Data usage

How we use the data we collect.

Service delivery

Patient data is processed to deliver the Mergic platform services you have contracted for: imaging AI, genomics pipelines, clinical reasoning agents, data unification, and governed deployment controls. Processing occurs only within your designated deployment boundary and is limited to authorized use cases defined in your service agreement.

Platform improvement

Aggregated, de-identified usage patterns (not PHI) are analyzed to improve system performance, diagnose bugs, optimize GPU utilization, and develop new features. Individual patient data is never used for model training or cross-customer analysis.

Compliance and security

We maintain audit logs of data access, processing activities, and administrative actions to meet HIPAA audit requirements, investigate security incidents, and ensure compliance with our data governance policies and your service agreement.

Communications

Account information is used to send service notifications, security alerts, billing statements, and product updates. You can opt out of marketing communications at any time while continuing to receive essential service notifications.

Data sharing

When and how we share data.

No third-party model training

Mergic does not share PHI with third-party AI model vendors for training purposes. Your patient data is never used to improve external foundation models, sold to data brokers, or shared with pharmaceutical companies, insurers, or research organizations without your explicit written consent.

Service providers

We engage vetted subprocessors (cloud infrastructure, security monitoring, billing) who are bound by HIPAA Business Associate Agreements and process data solely to deliver Mergic services. A current list of subprocessors is available on request.

Legal obligations

We may disclose data when required by law, court order, or to protect the safety of individuals, but we will notify you of such requests unless legally prohibited and will challenge overbroad or improper requests.

Business transfers

In the event of a merger, acquisition, or sale of assets, customer data may be transferred to the successor entity, which will be bound by the commitments in this privacy policy and existing Business Associate Agreements.

Security measures

How we protect your data.

AES-256

Encryption at rest for all patient data stores

TLS 1.3

Encryption in transit for all network communication

SOC 2

Type II certified security and availability controls

Zero-trust

Identity-based access with least-privilege enforcement and audit logs

24/7

Security monitoring and incident response

Mergic implements defense-in-depth security controls including network isolation, role-based access control, automated vulnerability scanning, intrusion detection, security logging, and regular penetration testing. Our security program is audited annually by independent third parties and aligns with NIST Cybersecurity Framework, HIPAA Security Rule, and HITRUST Common Security Framework.

Patient data & HIPAA

Our commitment to HIPAA compliance.

Business Associate Agreement

Mergic acts as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities and other Business Associates. We sign a Business Associate Agreement (BAA) with every customer who deploys Mergic to process PHI, and we ensure our subprocessors are also bound by BAAs.

HIPAA safeguards

Mergic implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule, including access controls, audit trails, integrity controls, transmission security, workforce training, contingency planning, and business associate agreements with subprocessors.

Breach notification

In the event of a breach of unsecured PHI, Mergic will notify affected customers within the timelines required by HIPAA Breach Notification Rule and will cooperate with customer breach investigation and notification obligations.

De-identification

Mergic supports HIPAA-compliant de-identification workflows (Safe Harbor and Expert Determination methods) to enable consented research use of clinical data while protecting patient privacy. De-identified data is subject to separate governance policies and may be used for platform improvement with customer consent.

Your rights

How you can control your data.

Access

Request a copy of the personal information we hold about you.

Correction

Request correction of inaccurate or incomplete account information.

Deletion

Request deletion of your account and associated personal data.

Portability

Request a machine-readable export of your data for transfer to another service.

Opt-out

Opt out of marketing communications while retaining access to your account.

To exercise your rights: Contact our privacy team at privacy@mergic.com with your request. We will respond within 30 days and may require identity verification to process your request. Note that patient data rights (access, amendment, accounting of disclosures) are typically exercised through your healthcare provider as the Covered Entity, not directly through Mergic.

Contact

Privacy and data protection contacts.

Privacy inquiries

For questions about this privacy policy, data practices, or to exercise your privacy rights, contact our privacy team at privacy@mergic.com.

Security incidents

To report a security vulnerability or suspected data breach, contact our security team immediately at security@mergic.com. We maintain a coordinated disclosure program and will respond within 24 hours.

Business Associate Agreement

To request a signed BAA or discuss HIPAA compliance requirements, contact our compliance team at compliance@mergic.com.

Policy updates

Mergic may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email and posted on this page with an updated effective date. Continued use of Mergic services after changes indicates acceptance of the updated policy.

Questions

Ready to discuss privacy and security requirements?

Our compliance team will walk through deployment architecture, BAA terms, and how Mergic protects PHI in your environment.