Privacy Policy

This Privacy Policy explains how Medical Supplai collects, uses, shares, and protects information, including protected health information (PHI), in connection with our AI-powered patient communication and front-desk automation platform.

Last updated: May 13, 2026

1. Introduction

Medical Supplai (“Medical Supplai,” “we,” “us,” or “our”) is committed to protecting the privacy of the practices, providers, staff, and patients who interact with our platform. This Privacy Policy describes our practices in connection with information we collect through:

  • Our website at medicalsupplai.com (the “Site”);
  • Our cloud-based platform, including AI voice agents, SMS, scheduling, intake, insurance verification, and integrated dashboards (the “Service”);
  • Communications you have with us — calls, texts, emails, demos, and support interactions.

By using the Site or Service, you acknowledge that you have read and understood this Privacy Policy. Your use of the Service is also governed by our Terms of Service.

2. Scope & Our Role

Medical Supplai plays two roles depending on context:

  • Business Associate — When we process protected health information (PHI) on behalf of a healthcare practice (a “Covered Entity” under HIPAA), we act as a Business Associate. Our handling of PHI is governed by HIPAA and the Business Associate Agreement (BAA) we sign with each practice. In that capacity, the practice — not Medical Supplai — controls the purposes for which PHI is used.
  • Data Controller — When we collect information directly from prospects, customers, or website visitors (for example, contact form submissions, account registration data, billing information, marketing analytics), we act as a data controller. This Privacy Policy governs those activities.

If you are a patient whose information is being processed by Medical Supplai on behalf of your healthcare provider, please contact your provider directly for requests regarding your health information.

3. Information We Collect

Information you provide directly

  • Contact information (name, email, phone, practice name, role) when you book a demo, request information, or create an account;
  • Account and billing information (login credentials, payment method, billing address);
  • Configuration data (practice details, hours, scheduling rules, scripts, integrations);
  • Communications you send to us (support tickets, emails, recorded calls with your consent).

Information collected from your use of the Service

  • Patient communications routed through the Service (voice recordings, transcripts, SMS messages, intake forms, insurance documents) — handled as PHI where applicable;
  • Usage data (features accessed, credits consumed, error logs, IP address, device and browser metadata);
  • Aggregated performance metrics (call volume, response times, conversion rates).

Information from third parties

  • Data exchanged with EHR, practice management, payment, and communications vendors you connect to the Service;
  • Eligibility and benefits data returned by clearinghouses and payers;
  • Marketing and enrichment data from publicly available sources.

4. How We Use Information

We use information to:

  • Provide, operate, maintain, and improve the Service;
  • Answer calls, send messages, schedule appointments, verify insurance, and perform the other tasks your practice configures;
  • Authenticate users, prevent fraud, and secure the platform;
  • Bill for usage, process payments, and meet our accounting obligations;
  • Communicate with you about your account, security alerts, support, product updates, and (where permitted) marketing;
  • Train and tune AI models only on de-identified data or aggregated data, except where you have separately authorized us to use identifiable data for that purpose;
  • Comply with legal obligations, respond to lawful requests, and enforce our agreements.

5. Protected Health Information

When Medical Supplai processes PHI on behalf of a Covered Entity, we do so as a Business Associate under HIPAA. Our handling of PHI is bound by the terms of the BAA executed with each Covered Entity, including limits on:

  • The purposes for which PHI may be used or disclosed;
  • The security safeguards we implement (administrative, physical, and technical);
  • Reporting of any breach or unauthorized disclosure of PHI;
  • Return or destruction of PHI upon termination, where feasible.

Medical Supplai does not sell PHI and does not use PHI for advertising. AI model training on PHI requires either (a) full de-identification in accordance with HIPAA's Safe Harbor or Expert Determination methods, or (b) the Covered Entity's separate written authorization.

If you are a patient and have questions about how your PHI is handled, please contact your healthcare provider directly — they are the controller of your health record.

6. How We Share Information

We share information only in the following circumstances:

  • With your practice and authorized users. Information you or your practice submits is accessible to your authorized users via the Service.
  • With service providers. Vendors who help us operate the Service — cloud hosting, telephony, SMS, payment processing, analytics, customer support — and who are bound by confidentiality and (where applicable) BAAs.
  • With integrations you connect. We exchange data with the EHR, practice management, calendar, and payment systems you authorize, solely as necessary to provide the Service.
  • For legal reasons. When required by law, subpoena, court order, or to protect the rights, property, or safety of Medical Supplai, our users, or others.
  • Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets — subject to confidentiality protections.

We do not sell personal information or PHI.

7. Third-Party Services

The Service integrates with third-party systems — including EHR/PMS platforms, clearinghouses, telephony and SMS providers, and payment processors. Your use of those systems is governed by the third party's own privacy practices, which we do not control. We recommend reviewing the privacy policies of any third-party service you choose to connect.

8. Data Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Specifically:

  • PHI is retained for the duration of your subscription and then deleted or returned in accordance with the BAA, unless retention is required by law;
  • Account and billing records are retained for the period required by accounting and tax law (typically 7 years);
  • Marketing data is retained until you opt out or for a reasonable period thereafter.

You may export Customer Data within 30 days of termination. After that, we may delete it in accordance with our retention schedule.

9. Security

Medical Supplai implements administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of information processed through the Service, including:

  • Encryption in transit (TLS) and at rest (AES-256);
  • Role-based access controls and least-privilege provisioning;
  • Audit logging and monitoring;
  • Regular vulnerability scanning and security reviews;
  • Background checks for personnel with access to PHI;
  • Incident response procedures with breach notification.

No system is perfectly secure. You are responsible for safeguarding your account credentials and notifying us promptly of any suspected compromise.

10. Your Rights & Choices

If you are a customer or prospect:

  • Access, correct, or delete your account information from your account settings or by emailing us;
  • Opt out of marketing emails using the unsubscribe link or by emailing us;
  • Request a copy of personal information we hold about you;
  • Object to or restrict certain processing where permitted by law.

If you are a California resident (CCPA/CPRA):

Subject to certain exceptions, you have the right to (a) know what personal information we collect, use, and disclose; (b) request deletion of personal information; (c) correct inaccurate personal information; (d) opt out of the “sale” or “sharing” of personal information (Medical Supplai does not sell or share personal information as those terms are defined under the CCPA); and (e) not be discriminated against for exercising these rights.

If you are a patient:

Requests regarding your health information must be directed to the healthcare provider whose practice processes that information. They are the controller of your record; Medical Supplai processes PHI only on their behalf.

11. Cookies & Tracking

The Site uses cookies and similar technologies to remember preferences, analyze traffic, and measure marketing effectiveness. Categories include:

  • Strictly necessary — required for the Site to function;
  • Analytics — help us understand how the Site is used;
  • Marketing — measure ad performance and (with consent) deliver relevant content.

You can control cookies through your browser settings. The Service application itself (i.e., the authenticated product, not the marketing site) does not use advertising cookies.

12. Children's Privacy

The Site and the Service are not directed to children under 13, and we do not knowingly collect personal information from children under 13 outside the context of a healthcare practice serving its patients. If you believe we have collected information from a child without appropriate parental consent, please contact us so we can remove it.

13. International Users

Medical Supplai is operated from the United States. If you access the Site or Service from outside the U.S., your information may be transferred to, stored in, and processed in the U.S. and other countries where our service providers operate. By using the Service, you consent to that transfer. We rely on standard contractual safeguards where required by law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be communicated by email or through the Service before they take effect. Continued use after the effective date constitutes acceptance of the updated Policy.

15. Contact

If you have questions about this Privacy Policy, requests regarding your information, or a privacy concern to report, please reach out:

Medical Supplai
Attention: Privacy
privacy@medicalsupplai.com

This Privacy Policy is provided as a general framework and does not constitute legal advice. Medical Supplai recommends that practices consult their own counsel regarding HIPAA, state privacy laws, and other obligations applicable to their use of the Service.