We process personal information (a) as a controller when we determine why and how data is processed (for example, for account management, product analytics, or marketing), and (b) as a processor or HIPAA Business Associate when we handle protected health information (PHI) on behalf of our enterprise customers. When we act as a processor, our customers are responsible for providing privacy notices to individuals and honoring their rights. This policy describes our controller activities and the support we provide to customers for processor activities.

• Privacy inquiries: privacy@meddra.co
• HIPAA privacy officer: hipaa-privacy@meddra.co
• Security incidents: security@meddra.co
• Data Protection Officer (EU/UK): dpo@meddra.co
• Mailing address: MedDRA AI, Inc., 638 College Ave, Palo Alto, CA 94306, United States.

We will publish EU/UK representative details prior to launching services in those regions.

The information we collect depends on how you and your organization use the Services.

• Direct submissions via forms, uploads, APIs, or support communications.
• Automated collection through cookies, SDKs, telemetry, and server logs.
• Voice and telephony providers that deliver recordings and transcripts.
• Third-party integrations (safety databases, CRMs, cloud storage) configured by Customer.
• Public or regulatory sources when Customer instructs us to import data (e.g., FAERS, EudraVigilance).
• Payment processors, analytics vendors, and other service providers that assist in delivering the Services.

When we act as a controller, we rely on the legal bases noted below for GDPR/UK GDPR purposes and applicable HIPAA allowances under a BAA.

We do not use PHI for marketing without explicit authorization and never sell personal information or PHI.

• With subprocessors and service providers that host infrastructure, provide AI/ML capabilities, telephony, analytics, support, and billing. Subprocessors sign agreements imposing confidentiality, security, and data protection obligations aligned with HIPAA, GDPR, and our BAA commitments.
• With Customers when needed to fulfill instructions (for example, delivering reports, audit logs, or integration data). Authorized Users may see activity within their organization based on role-based permissions.
• With regulators, public health authorities, or law enforcement to comply with legal obligations or protect rights. We limit disclosures to the minimum required and notify Customers when legally allowed.
• In corporate transactions such as mergers, acquisitions, or financing, provided personal information remains subject to this Policy and affected Customers receive notice.
• With consent from the individual or Customer.

We do not sell personal information or share it for cross-context behavioral advertising as defined by the California Consumer Privacy Act (CCPA/CPRA).

We store primary production data in the United States and may transfer personal information across borders to operate the Services. When required, we implement safeguards such as Standard Contractual Clauses, UK addenda, Data Privacy Framework participation (pending certification), and contractual and technical protections for subprocessors. Region-specific hosting may be available per Order.

• Encryption in transit and at rest for PHI and sensitive data.
• Network segmentation, zero-trust access, security monitoring, and incident response playbooks.
• Multi-factor authentication and least-privilege access for staff, plus training and background checks where permitted.
• Secure development lifecycle, code reviews, penetration testing, and vulnerability management.
• Disaster recovery and business continuity planning.

If we identify a breach affecting personal information, we will notify affected Customers and, where required, affected individuals and regulators without undue delay, consistent with the BAA and applicable law.

• We retain personal information for the duration of the Subscription Term and renewal periods, plus up to 30 days after termination to support data export.
• We retain data longer when required by law, regulation, audit obligations, or to resolve disputes (for example, pharmacovigilance record retention timelines).
• We may store de-identified or aggregated data indefinitely, provided it cannot reasonably identify an individual or Customer.

We use first- and third-party cookies, pixels, and analytics tools to maintain session security, remember preferences, measure usage, and support marketing analytics for business contacts. Where legally required, we obtain consent for non-essential cookies. Users can manage cookies via browser settings or in-product controls. We honor Global Privacy Control signals by limiting analytics and advertising cookies for browsers that send the signal. We do not respond to legacy “Do Not Track” headers.

• MedDRA AI's AI features capture adverse event details, classify cases, generate narratives, and surface risk signals. Outputs are advisory; qualified personnel must review them before external use.
• We maintain model versioning, training data provenance, validation artifacts, and override logs to support audit trails.
• We conduct bias, accuracy, and drift assessments consistent with the NIST AI Risk Management Framework and FDA guidance for AI-enabled medical software.
• We use de-identified or synthetic data to improve models unless a Customer authorizes broader use of identifiable information. Customers may opt out of shared model improvements, which may limit certain features.
• We do not make solely automated decisions that produce legal or similarly significant effects without human oversight.

Rights vary by jurisdiction. We honor requests as required and support our Customers in fulfilling their obligations when we act as a processor.