Privacy Policy

Introduction

MediCureOn ("we," "us," "our," or "Company") respects your privacy and is committed to protecting it. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information, including health-related information, through our website, mobile application (the "Platform"), and related services. By accessing and using the Platform, you agree to this Privacy Policy.

Scope

This Privacy Policy applies to:

  • Personal information collected on or through the Platform
  • Information we collect directly from you when you use our site
  • Information collected through integrated IoMT (Internet of Medical Things) devices
  • Information we collect from third parties (healthcare providers, insurers, device manufacturers)

Information We Collect

A. Health & Wellness Data (Self-Reported)

  • Demographics: Name, age, gender, contact information (email, phone, address)
  • Medical history: Chronic conditions, allergies, medications, past surgeries, family medical history
  • Lifestyle information: Activity levels, dietary preferences, health goals, stress levels
  • Wellness preferences: Healthcare provider preferences, alternative medicine interests
  • Insurance information: Insurance provider, policy details, coverage types

B. IoMT Device Data

If you connect wearable devices or IoMT devices (e.g., smartwatches, fitness trackers, blood pressure monitors, glucose monitors), we collect:

  • Heart rate, steps, sleep patterns, activity duration
  • Blood pressure, glucose levels, temperature readings
  • Real-time health metrics and trends
  • Device identifiers and connection status

C. Platform Usage Information (User-Provided)

  • Account information: Username, password (stored only as a salted bcrypt hash, never in plaintext), authentication details
  • Consultation preferences: Healthcare provider selections, appointment history
  • Transaction history: Payments made through MediCoin or traditional methods
  • Communication records: Messages with healthcare providers, support requests

Purposes of Processing

We use your information to:

  • Deliver personalized healthcare recommendations and treatment plans
  • Connect you with appropriate healthcare providers (traditional and alternative)
  • Facilitate secure payments through MediCoin or other payment methods
  • Enable real-time health monitoring through IoMT device integration
  • Improve our Platform and user experience
  • Ensure compliance with healthcare regulations and security frameworks (HIPAA, GDPR, HITRUST CSF)
  • Support medical research and public health initiatives (with consent)
  • Prevent fraud and maintain platform security
  • Communicate important updates and notifications

How Information Is Used

  • Personalized Care Delivery: We use your health data to provide customized treatment recommendations that align with your preferences and medical history
  • Provider Matching: Your information helps us connect you with the most suitable healthcare providers for your needs
  • Preventive Care: AI analysis of your IoMT data enables predictive healthcare interventions
  • Treatment History: We maintain a comprehensive, portable health record for seamless care coordination
  • Payment Processing: Your transaction data is used solely for billing and payment verification

Data Sharing & Disclosure

Trusted Healthcare Partners:

  • Licensed healthcare providers (MDs, DOs, alternative practitioners) participating in our platform
  • Insurance companies and payers for coverage verification and claims processing
  • Pharmaceutical partners for medication interactions and safety checks
  • IoMT device manufacturers for data integration and device functionality
  • Diagnostic laboratories for test result processing

All sharing is conducted under stringent confidentiality agreements and Data Processing Agreements (DPA) in compliance with HIPAA and GDPR.

We Do NOT:

  • Sell your personal or health data to third parties
  • Share data with marketing companies or advertisers
  • Disclose information for non-healthcare purposes without explicit consent
  • Transfer data outside the United States without adequate safeguards

Data Security & Protection

MediCureOn implements industry-leading security measures to protect your information:

  • Encryption: Data in transit is protected with TLS 1.3 and data at rest with AES-256 encryption
  • Access Controls: Role-based access ensures only authorized personnel can view sensitive health information
  • Audit Logs: All access to your data is logged and monitored for suspicious activity
  • Regular Security Audits: Third-party penetration testing and vulnerability assessments conducted quarterly
  • Multi-Factor Authentication (MFA): Required for all account access
  • Compliance Certifications: HIPAA-compliant, GDPR-compliant, SOC 2 Type II certified, HITRUST CSF certified
  • Azure Infrastructure: Powered by Microsoft Azure with enterprise-grade data centers and disaster recovery protocols

User Rights & Control

You have the following rights regarding your information:

  • Right to Access: Request a copy of all your personal and health data in a portable format (Data Export)
  • Right to Correction: Correct inaccurate or incomplete information
  • Right to Deletion: Request deletion of your account and associated data (with legal compliance exceptions)
  • Right to Restrict Processing: Limit how your data is used
  • Right to Withdraw Consent: Revoke consent for specific data processing activities at any time
  • Right to Data Portability: Receive your data in a structured, machine-readable format (FHIR format)
  • Right to Object: Object to certain processing activities

To exercise any of these rights, contact us at: privacy@medicureon.com

Retention & Storage

  • Active account data is retained for the duration of your Platform membership
  • Medical records are retained for the minimum period required by healthcare regulations (typically 7-10 years)
  • Transaction records are retained for 7 years for tax and compliance purposes
  • Upon account deletion, data is securely purged within 30 days (except where legal obligations require retention)
  • All data is stored on secure, encrypted servers in the United States (or, for users subject to GDPR who choose it, in European data centers as described under Global Data Storage Regions)

FHIR & Interoperability

MediCureOn uses the HL7 FHIR (Fast Healthcare Interoperability Resources) standard to ensure your health data is portable and interoperable. This means:

  • Your data can be easily shared with other healthcare providers using FHIR-compliant systems
  • You have the right to download your complete health record in FHIR format
  • Data exchange with partners follows secure FHIR APIs

Regulation & Compliance

HIPAA (Health Insurance Portability & Accountability Act):

  • MediCureOn is HIPAA-compliant and fully implements HIPAA Privacy and Security Rules
  • We execute Business Associate Agreements (BAAs) with all partners handling PHI (Protected Health Information)
  • All workforce members undergo HIPAA training

GDPR (General Data Protection Regulation):

  • For users in the European Union, we comply fully with GDPR requirements
  • Legal basis for processing is based on consent, contract necessity, or legitimate interests
  • We have appointed a Data Protection Officer (DPO)

HITRUST CSF (Security Framework):

  • MediCureOn maintains HITRUST certification, combining HIPAA, HITECH Act, and ISO 27001 standards

Profile Information Usage Limitations

Your profile information (age, gender, location, preferences) is used exclusively for:

  • Providing personalized healthcare recommendations
  • Connecting you with relevant providers
  • Improving Platform features through aggregated, anonymized analytics

We never:

  • Share profile data with third-party marketers
  • Use your data for targeted advertising
  • Conduct profiling for purposes unrelated to healthcare

Account Information: Identity & Access Management (IAM)

Multi-Factor Authentication (MFA):

  • All accounts require MFA for login and sensitive actions
  • Options include SMS, email verification, or authenticator apps

Password Security:

  • Passwords are hashed with bcrypt, a salted, work-factor-adjustable password hashing algorithm; plaintext passwords are never stored
  • We enforce strong password requirements
  • Regular password reset reminders are sent

Session Management:

  • Sessions automatically expire after 30 minutes of inactivity
  • Users can manually log out at any time
  • All device sessions are monitored and can be remotely terminated

Security Commitment Summary

  • Enterprise-grade encryption (AES-256)
  • Real-time threat monitoring and incident response
  • Regular third-party security audits
  • Insurance coverage for data breach incidents
  • 24/7 security operations center (SOC)
  • Compliance with international security standards

Applicability

This Privacy Policy is applicable to all users of the MediCureOn Platform, including:

  • Individual healthcare consumers and patients
  • Healthcare providers (traditional and alternative medicine practitioners)
  • Insurance companies and payers
  • Pharmaceutical partners and IoMT device manufacturers
  • Any entity with access to the MediCureOn ecosystem

Data Usage & Analytics

Aggregated & Anonymized Analytics:

  • We analyze de-identified data to improve Platform functionality and provider matching
  • Trends are used to enhance AI/ML algorithms for better health recommendations
  • No individual user is identifiable in these analyses

Data Processing Details

Purpose Limitation:

  • We only process data for explicitly stated healthcare purposes
  • Processing activities are documented and available upon request

Future Research Participation (Optional)

We may conduct medical research to improve healthcare outcomes. Participation is entirely optional and requires explicit, informed consent. You can:

  • Opt-in to research programs
  • Withdraw consent at any time
  • Request specific details about research initiatives

Data Sharing & Disclosure

  • We share data only when necessary for treatment, payment, or healthcare operations
  • All recipients sign Data Processing Agreements (DPA)
  • Sharing is logged and auditable

Global Data Storage Regions

MediCureOn primarily stores data in the United States (Microsoft Azure data centers). For users subject to GDPR, we provide European data center options. International data transfers comply with:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Adequacy decisions

Data Security & Protection (Technical Safeguards)

  • Data encryption in transit (TLS 1.3) and at rest (AES-256)
  • Regular vulnerability assessments
  • Incident response plan with a 1-hour requirement for escalating suspected breaches to the security team; statutory breach notifications to affected individuals and regulators follow the HIPAA Breach Notification Rule (no later than 60 days after discovery) and GDPR Article 33 (supervisory authority within 72 hours)
  • Zero-trust security architecture

International Transfers

If you access MediCureOn from outside the United States, your data may be transferred to and stored in the US or other countries. By using the Platform, you consent to such transfers, which are protected by adequate safeguards as described above.

Data Security & Protection (Workforce Safeguards)

  • All staff receives HIPAA and data security training
  • Confidentiality agreements are mandatory
  • Access is strictly limited to job-necessary personnel
  • Termination procedures include data access revocation

Interoperability & Patient Access

As required by the HIPAA right of access and the ONC and CMS interoperability rules issued under the 21st Century Cures Act, MediCureOn enables patients to:

  • Access their complete EHR in HL7 FHIR format
  • Share health information securely with other providers
  • Transmit records electronically to providers of choice

Apple Health Disclosure (Required)

If you use Apple Health integration:

  • You grant MediCureOn permission to read from/write to Apple Health
  • Your Apple Health data is used solely for healthcare purposes on the MediCureOn Platform
  • Data is never shared with unaffiliated third parties
  • You can revoke access at any time through Apple Health settings

Content Management

  • User-generated content (messages, notes, files) is encrypted and access-controlled
  • Content deletion follows your retention preferences

Data Deletion Process

Upon account termination or data deletion request:

  • Personal information is purged from active systems within 30 days
  • Backup systems retain encrypted data for disaster recovery (90 days max)
  • Legal hold applies if required by law or litigation
  • Certificate of destruction available upon request

No Emergency Use

Important: MediCureOn is not designed for emergency medical situations. If you are experiencing a medical emergency, please:

  • Call 911 (US) or your local emergency services
  • Visit the nearest emergency room
  • MediCureOn recommendations are for non-emergency healthcare only

Third-Party Services

  • Microsoft Azure (data hosting): Compliant with HIPAA, SOC 2, ISO 27001
  • Stripe (payment processing): PCI-DSS compliant
  • Twilio (SMS verification): HIPAA-compliant messaging
  • Partner IoMT manufacturers: Subject to HIPAA Business Associate Agreements

No Medical Device Intent

MediCureOn is a healthcare platform, not a medical device. While we integrate with medical devices, the Platform itself does not:

  • Diagnose medical conditions (recommendations only)
  • Prescribe medications
  • Replace medical advice from licensed practitioners

Policy Updates

We may update this Privacy Policy as our services evolve or regulations change. We will:

  • Post changes to this page with an updated "Effective Date"
  • Notify users of material changes via email
  • Request explicit consent for substantial changes
  • Continue to honor our previous commitments during transition periods

Contact Information

For privacy questions, concerns, or to exercise your rights:

  • Email: privacy@medicureon.com
  • Mail: MediCureOn LLC, Milwaukee, Wisconsin, USA
  • Phone: +1 (414) 501-3923
  • Data Protection Officer: dpo@medicureon.com

We will respond to privacy requests within 30 days (or as required by law).

User Consent

By using MediCureOn, you acknowledge that you have read and understood this Privacy Policy and consent to:

  • Collection and processing of your personal and health information
  • Use of data for the purposes described herein
  • Sharing of information with trusted healthcare partners under confidentiality agreements
  • International data transfers (where applicable) with appropriate protections

Last Updated: October 24, 2025

Effective Date: October 24, 2025
