Privacy Policy
How we collect, use, and protect your information
Last updated: January 29, 2026
1. Introduction
MedTWIN AI ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal and health-related information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical research platform.
Important: MedTWIN is designed to handle Protected Health Information (PHI) in compliance with HIPAA regulations. We maintain strict security controls and sign Business Associate Agreements (BAAs) with covered entities.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name and email address
- Institutional affiliation
- Professional credentials
- Password (encrypted)
2.2 Research Data
When you use our platform for research, you may upload:
- Clinical datasets (potentially containing PHI)
- Research manuscripts and drafts
- Analysis configurations
- Citations and references
2.3 Usage Information
We automatically collect:
- Log data (IP address, browser type, access times)
- Device information
- Feature usage patterns
- Error reports and performance data
3. How We Use Your Information
We use your information to:
- Provide our services: Process your research data, generate analyses, and create manuscript drafts
- Improve our platform: Analyze usage patterns to enhance features and user experience
- Communicate with you: Send service updates, security alerts, and support responses
- Ensure compliance: Maintain audit logs and comply with legal obligations
- Prevent fraud: Detect and prevent unauthorized access or misuse
4. Data Protection & Security
We implement comprehensive security measures including:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Access Controls: Role-based access with multi-factor authentication
- Audit Logging: Complete audit trail of all data access and modifications
- Data Isolation: Tenant-isolated data storage with logical separation
- Regular Assessments: Annual security audits and penetration testing
5. HIPAA Compliance
For users handling Protected Health Information (PHI):
- We enter into Business Associate Agreements (BAAs) as required
- PHI is processed in HIPAA-compliant infrastructure
- We maintain minimum necessary access principles
- Breach notification procedures are in place per HIPAA requirements
- Workforce training on HIPAA compliance is mandatory
6. Data Retention
We retain your data as follows:
- Account data: Until you delete your account, plus 30 days for recovery
- Research data: As configured by you, with default retention of 7 years for audit purposes
- Audit logs: 7 years minimum for compliance
- Usage data: Aggregated and anonymized after 2 years
7. Data Sharing & Disclosure
We do not sell your personal information. We may share data with:
- Service providers: Cloud infrastructure, analytics, and support tools (under strict DPAs)
- Legal requirements: When required by law, court order, or regulatory obligation
- Business transfers: In connection with merger, acquisition, or asset sale (with notice)
- With your consent: When you explicitly authorize sharing
8. Your Rights
You have the right to:
- Access: Request a copy of your personal data
- Correction: Update inaccurate information
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Export: Download your data in machine-readable format
- Opt-out: Unsubscribe from marketing communications
- Restriction: Limit how we process your data
9. Cookies & Tracking
We use cookies and similar technologies for:
- Essential cookies: Required for platform functionality (cannot be disabled)
- Analytics cookies: Help us understand usage patterns (can be disabled)
- Preference cookies: Remember your settings (can be disabled)
You can manage cookie preferences in your browser settings.
10. International Data Transfers
Your data may be processed in the United States and Australia. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Compliance with applicable data protection laws
- Data processing agreements with all sub-processors
11. Children's Privacy
Our platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected information from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by:
- Posting the updated policy on our website
- Sending an email notification to registered users
- Displaying an in-app notification
13. Contact Us
For privacy-related inquiries or to exercise your rights, contact us at:
- Email: privacy@medtwin.ai
- Mail: MedTWIN AI, Privacy Officer, Sydney, Australia
For HIPAA-specific concerns, contact our HIPAA Privacy Officer at hipaa@medtwin.ai.