No PHI for model training
Protected health information never leaves your deployment boundary and is never used to train third-party foundation models. Your data stays yours.
Legal / Privacy
How Mergic protects patient data, complies with HIPAA, and secures protected health information with enterprise-grade encryption and governance.
Key highlights
Protected health information never leaves your deployment boundary and is never used to train third-party foundation models. Your data stays yours.
Business Associate Agreement standard. Audited controls and signed BAA on request.
AES-256 at rest, TLS 1.3 in transit. Patient data encrypted at every layer.
Choose VPC, on-prem, or hybrid deployment. Data never crosses your approved boundaries.
Data collection
When you deploy Mergic to process clinical data, we collect and process the patient data necessary to deliver our platform services, including imaging studies, genomics files, pathology slides, clinical notes, and EHR timelines. This data is processed solely within your designated deployment boundary (VPC, on-prem, or hybrid) and is governed by our Business Associate Agreement.
Mergic does not use PHI to train third-party foundation models, improve products outside your deployment, or share data across customer tenants. Your patient data remains strictly isolated and is used only for the clinical workflows you authorize.
We collect account information (email, name, role, organization) to provision access, manage billing, and provide support. Usage data (query volume, modality types, deployment configurations, feature adoption) is collected in aggregated, de-identified form to improve platform reliability, performance, and feature development.
Our marketing website uses essential cookies for authentication, session management, and basic analytics. We do not sell or share cookie data with third-party advertisers. You can control cookie preferences through your browser settings.
Data usage
Patient data is processed to deliver the Mergic platform services you have contracted for: imaging AI, genomics pipelines, clinical reasoning agents, data unification, and governed deployment controls. Processing occurs only within your designated deployment boundary and is limited to authorized use cases defined in your service agreement.
Aggregated, de-identified usage patterns (not PHI) are analyzed to improve system performance, diagnose bugs, optimize GPU utilization, and develop new features. Individual patient data is never used for model training or cross-customer analysis.
We maintain audit logs of data access, processing activities, and administrative actions to meet HIPAA audit requirements, investigate security incidents, and ensure compliance with our data governance policies and your service agreement.
Account information is used to send service notifications, security alerts, billing statements, and product updates. You can opt out of marketing communications at any time while continuing to receive essential service notifications.
Data sharing
Mergic does not share PHI with third-party AI model vendors for training purposes. Your patient data is never used to improve external foundation models, sold to data brokers, or shared with pharmaceutical companies, insurers, or research organizations without your explicit written consent.
We engage vetted subprocessors (cloud infrastructure, security monitoring, billing) who are bound by HIPAA Business Associate Agreements and process data solely to deliver Mergic services. A current list of subprocessors is available on request.
We may disclose data when required by law, court order, or to protect the safety of individuals, but we will notify you of such requests unless legally prohibited and will challenge overbroad or improper requests.
In the event of a merger, acquisition, or sale of assets, customer data may be transferred to the successor entity, which will be bound by the commitments in this privacy policy and existing Business Associate Agreements.
Security measures
Encryption at rest for all patient data stores
Encryption in transit for all network communication
Type II certified security and availability controls
Identity-based access with least-privilege enforcement and audit logs
Security monitoring and incident response
Mergic implements defense-in-depth security controls including network isolation, role-based access control, automated vulnerability scanning, intrusion detection, security logging, and regular penetration testing. Our security program is audited annually by independent third parties and aligns with NIST Cybersecurity Framework, HIPAA Security Rule, and HITRUST Common Security Framework.
Patient data & HIPAA
Mergic acts as a Business Associate under HIPAA when processing PHI on behalf of Covered Entities and other Business Associates. We sign a Business Associate Agreement (BAA) with every customer who deploys Mergic to process PHI, and we ensure our subprocessors are also bound by BAAs.
Mergic implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule, including access controls, audit trails, integrity controls, transmission security, workforce training, contingency planning, and business associate agreements with subprocessors.
In the event of a breach of unsecured PHI, Mergic will notify affected customers within the timelines required by HIPAA Breach Notification Rule and will cooperate with customer breach investigation and notification obligations.
Mergic supports HIPAA-compliant de-identification workflows (Safe Harbor and Expert Determination methods) to enable consented research use of clinical data while protecting patient privacy. De-identified data is subject to separate governance policies and may be used for platform improvement with customer consent.
Your rights
Request a copy of the personal information we hold about you.
Request correction of inaccurate or incomplete account information.
Request deletion of your account and associated personal data.
Request a machine-readable export of your data for transfer to another service.
Opt out of marketing communications while retaining access to your account.
To exercise your rights: Contact our privacy team at privacy@mergic.com with your request. We will respond within 30 days and may require identity verification to process your request. Note that patient data rights (access, amendment, accounting of disclosures) are typically exercised through your healthcare provider as the Covered Entity, not directly through Mergic.
Contact
For questions about this privacy policy, data practices, or to exercise your privacy rights, contact our privacy team at privacy@mergic.com.
To report a security vulnerability or suspected data breach, contact our security team immediately at security@mergic.com. We maintain a coordinated disclosure program and will respond within 24 hours.
To request a signed BAA or discuss HIPAA compliance requirements, contact our compliance team at compliance@mergic.com.
Mergic may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email and posted on this page with an updated effective date. Continued use of Mergic services after changes indicates acceptance of the updated policy.
Questions
Our compliance team will walk through deployment architecture, BAA terms, and how Mergic protects PHI in your environment.