⚠ Draft — June 2026 · This document is currently under attorney review. The ClaraMed™ website is live and this policy will be finalised by June 15, 2026. Not legally binding until the final version is published.

Privacy Policy

ClaraMed, Inc. · claramed.us · A Delaware Corporation
Effective date: June 2026 (to be confirmed upon attorney approval)
Last updated: Draft · Final version: June 2026

1. Who we are

ClaraMed™, Inc. is a Delaware healthcare technology company operating an independent medical second opinion platform at claramed.us. We connect patients worldwide with peer-vetted physicians from leading US academic medical institutions for written expert opinions delivered in 5 to 7 business days.

Data controller: ClaraMed, Inc.
ClaraMed, Inc. c/o Legalinc Corporate Services Inc.
131 Continental Dr, Suite 305, Newark, DE 19713, United States
Contact: privacy@claramed.us

ClaraMed does not provide clinical treatment, medical advice, prescriptions, or ongoing physician-patient care. The content of this Privacy Policy and the ClaraMed website is provided for informational purposes only and does not constitute medical advice.

2. Information we collect

2.1 Information you provide

Personal identification: name, email address, country of residence, preferred language.
Medical information: diagnosis, medical records, imaging, lab results, treatment history submitted through our secure upload portal.
Case information: the clinical questions you submit, your service tier selection, your charity preference.
Payment information: processed directly by Stripe, Inc. ClaraMed does not store payment card numbers.
Communications: emails and messages sent to info@claramed.us or privacy@claramed.us.

2.2 Information collected automatically

Website usage data: pages visited, time spent, device type, browser type, IP address.
Form submission data: intake form responses, physician application responses, partner inquiry responses.

3. How we use your information

ClaraMed uses your information for the following purposes:

Case management: matching you with the appropriate physician, preparing your case brief, coordinating opinion delivery.
HIPAA-compliant record processing: de-identifying and structuring your medical records using AI-assisted tools before sharing with the reviewing physician.
Communication: sending case confirmations, secure upload links, opinion delivery notifications, and charity donation confirmations.
Payment processing: transmitting case fee information to Stripe for payment processing.
Quality assurance: reviewing completed opinions for completeness and clinical quality before delivery.
Legal compliance: maintaining records as required by HIPAA (6-year retention) and responding to lawful requests from regulatory authorities.
Platform improvement: using anonymised and aggregated data to improve our service.

We never use identifiable patient data for marketing or product development. If AI processing is considered automated decision-making with significant effects, additional disclosure and consent may be required.

AI-assisted tools are used solely to organise, structure, translate, summarise, and prepare records for physician review. Final medical opinions are prepared and issued by human physicians only. No automated medical decisions are made by ClaraMed. ClaraMed does not use submitted medical records to train AI models or for any commercial purpose other than delivering the expert opinion service.

4. How we store and protect your information

4.1 Storage location

All patient medical records are stored in Microsoft Azure Storage (East US region) in HIPAA-compliant private containers. No patient record is stored on personal devices beyond the minimum period necessary for case processing. Physician case materials are shared through Microsoft SharePoint with time-limited, expiring access links. Physicians are contractually required to delete or securely destroy patient records after completion of the review and expiration of the permitted access period.

4.2 Security measures

Secure, HIPAA-compliant storage: Microsoft Azure (signed Business Associate Agreement in place) with Microsoft Online Services Data Protection Addendum (BAA) in place.
Encryption at rest: all patient records encrypted at rest in Azure Storage.
Encryption in transit: all data transfers over HTTPS only.
Multi-factor authentication (MFA) is required for all ClaraMed platform access.

While ClaraMed uses reasonable security measures to protect the confidentiality of personal information under our control and appropriately limits access to it, no security measures are perfect or impenetrable. ClaraMed cannot ensure or warrant the security of any information you transmit to us. Electronic transmissions via the internet are not guaranteed to be secure from interception.

Role-based access controls (RBAC): patient records accessible only to authorised ClaraMed staff and the assigned reviewing physician during the case review period.
Time-limited access: all upload and download links expire within 48 hours. Physician SharePoint access expires on the case deadline date.
Audit logging: all access to patient records logged in Microsoft Azure for HIPAA compliance.
Malware scanning: all patient uploads scanned automatically by Microsoft Defender for Storage.

4.3 Data retention

ClaraMed retains personal information for as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. Specifically:

Medical records and case files are retained for six years from the date of case completion as required by HIPAA.
Payment records are retained for seven years for tax and accounting compliance.
Website usage data is retained for 24 months.

Upon expiry, records are securely deleted. You may request deletion of your personal information subject to applicable legal retention requirements by contacting privacy@claramed.us.

4.4 Data breach notification

In the event of a data breach involving personal information or protected health information, ClaraMed will act as follows:

Under HIPAA: ClaraMed will notify all affected individuals within 60 days of discovering a breach involving unsecured protected health information. Where required, ClaraMed will also notify the US Department of Health and Human Services.

Under GDPR (for EU/EEA patients): ClaraMed will notify the relevant supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of natural persons. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Breach notifications will describe the nature of the breach, the categories and approximate number of individuals concerned, the likely consequences, and the measures taken or proposed to address the breach. To report a suspected data breach, contact privacy@claramed.us immediately.

5. How we share your information

ClaraMed shares your information only as follows:

Reviewing physicians: your de-identified case brief and medical records are shared with the assigned reviewing physician solely for the purpose of preparing your written expert opinion. Physicians are contractually required to delete all case materials upon completion.
Microsoft: your data is stored and processed using Microsoft Azure and Microsoft 365 services under a signed Business Associate Agreement.
Stripe: your payment information is processed by Stripe, Inc. under their own Privacy Policy and PCI DSS compliance framework.
DocuSign or HelloSign: your signed patient consent form is processed through our digital signature provider under a signed Business Associate Agreement.
Legal requirements: we may disclose your information if required by law, court order, or regulatory authority.

We never sell, rent, or share your personal information with third parties for marketing purposes.

Legal defense and enforcement of rights. ClaraMed may process and where necessary disclose personal information to defend against legal claims, enforce our Terms and Conditions, comply with court orders or legal process, and respond to lawful requests from regulatory or government authorities. The legal basis for such processing is our legitimate interest in legal defense and our legal obligation to comply with applicable law.

Sanctions and legal compliance. ClaraMed may process personal information as necessary to comply with applicable sanctions, export control, anti-money laundering, and legal compliance requirements including requirements of the U.S. Office of Foreign Assets Control (OFAC) and other applicable regulatory bodies.

6. Your rights

6.1 Rights for all patients

Access: you may request a copy of the personal information ClaraMed holds about you.
Correction: you may request correction of inaccurate personal information.
Deletion and erasure: you may request deletion or erasure of your personal information, subject to our legal retention obligations under HIPAA and applicable law.
Portability: you may request your personal information in a structured, machine-readable format.

6.2 Additional rights for EU and Gulf patients (GDPR)

Right to object: you may object to processing of your personal information in certain circumstances.
Right to restrict processing: you may request that we restrict processing of your information in certain circumstances.
Right to lodge a complaint: you may lodge a complaint with your local data protection authority.

6.3 How to exercise your rights

To exercise any of these rights, email privacy@claramed.us with the subject line ‘Privacy Request’. We will respond within 30 days. We may require identity verification before processing your request. Each has specific requirements. The rights sections above cover GDPR but may be insufficient for Gulf patients.

7. International data transfers

ClaraMed is a US-based platform. Patient data is stored and processed exclusively on Microsoft Azure infrastructure in the United States (East US region) and the European Union (Sweden Central region). ClaraMed does not use servers in Asia or any other region.

Your information is stored and processed in the United States. By using ClaraMed you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence. For patients in the European Economic Area: transfers are made under Standard Contractual Clauses approved by the European Commission. For patients in other jurisdictions: transfers are made in accordance with applicable local law and with appropriate safeguards in place. ClaraMed processes personal data on the following legal bases: (1) with your explicit consent; (2) as necessary to provide the services you have requested; (3) to comply with legal obligations including HIPAA; and (4) as necessary for our legitimate interests in providing the service where those interests do not override your fundamental rights and freedoms related to data privacy.

8. Cookies and tracking

ClaraMed’s website uses minimal tracking. We use standard web analytics to understand how visitors use our website. We do not use advertising cookies, remarketing pixels, or third-party tracking for commercial purposes. You may disable cookies in your browser settings; this will not affect your ability to use the ClaraMed service.

ClaraMed does not currently use Google Analytics or other third-party analytics platforms. If this changes, this policy will be updated with explicit disclosure before any such analytics are activated.

Do Not Track signals. ClaraMed does not currently respond to browser Do Not Track signals. ClaraMed does not track users across third-party websites or online services for advertising or commercial purposes.

9. Children

ClaraMed’s service is not directed at children under the age of 18. We do not knowingly collect personal information from children. If a parent or guardian believes their child’s information has been submitted to ClaraMed, please contact privacy@claramed.us immediately. ClaraMed does accept cases submitted by parents or legal guardians on behalf of minor patients, provided the submitting adult confirms their legal authority to submit the patient’s medical records. Authorized representatives may also submit cases on behalf of patients with appropriate legal authority.

10. Changes to this Privacy Policy

ClaraMed may update this Privacy Policy from time to time. We will notify you of material changes by email to the address associated with your case. The updated policy will be posted at claramed.us with the revised effective date. Continued use of our service after changes constitutes acceptance of the updated policy.

11. Links to other websites

ClaraMed's website contains links to external websites including our charity partner organisations — Direct Relief, Partners in Health, UNICEF, Aga Khan Foundation, Islamic Relief Worldwide, and Doctors Without Borders. These links are provided for the patient's convenience. ClaraMed is not responsible for the privacy practices or content of linked websites. We encourage you to review the privacy policy of any external website you visit.

12. Business transfers

In the event of a merger, acquisition, reorganisation, or sale of some or all of ClaraMed's assets, personal data held by ClaraMed may be transferred to the acquiring entity as part of that transaction. Any such transfer will be subject to the same privacy protections described in this policy. We will notify you of any such change by updating this Privacy Policy and, where required by applicable law, by direct notification.

Contact for privacy questions

ClaraMed Privacy Team
privacy@claramed.us
ClaraMed, Inc. c/o Legalinc Corporate Services Inc.
131 Continental Dr, Suite 305, Newark, DE 19713, United States