MediMic.Ai

Privacy Policy

Updated June 2026

Effective Date: June 1, 2026
Last Updated: June 1, 2026

Thinera, Inc. ("Thinera," "we," "our," or "us") operates the MediMic.Ai platform, including the MediMic mobile applications, web portal, and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service.


1. Who We Are

Thinera, Inc. is a healthcare technology company headquartered in the United States. We provide a HIPAA-compliant real-time medical interpretation platform. For healthcare customers, we act as a Business Associate under HIPAA and execute Business Associate Agreements with Covered Entities and their Business Associates.


2. Information We Collect

2.1 Information You Provide

  • Account information: Name, email address, and password when you create a Provider account.
  • Profile information: Display name and professional role, used during sessions.
  • Payment information: Billing address and payment card details, processed by our payment processor (Stripe). We do not store payment card numbers.
  • Support requests: Information you provide when contacting support.

2.2 Information Collected Automatically

  • Device information: Device model, operating system version, app version, and a unique device identifier.
  • Usage data: Sessions created, session dates and durations, participant counts, and session mode. We do not collect session content (speech or transcripts) in a readable form — all session content is end-to-end encrypted before leaving your device.
  • Log data: IP addresses, request timestamps, error logs, and audit events. Logs do not contain session content.
  • Cookies: We use session cookies for portal authentication (HttpOnly, Secure, SameSite=Strict). We do not use advertising or tracking cookies.

2.3 Protected Health Information (PHI)

When the Service is used in a clinical context, session content may constitute Protected Health Information under HIPAA. Because all session content is end-to-end encrypted on your device before transmission, MediMic does not have access to the plaintext content of sessions. PHI is stored in encrypted form and is only accessible to devices that hold the corresponding session key.

For paid subscribers, this processing is governed by our Business Associate Agreement (BAA) rather than this Privacy Policy.


3. How We Use Information

Purpose | Information Used
Providing the Service | Account info, device info, usage data
Authentication and security | Account info, device info, session tokens
Session management | Session metadata (not content)
Billing and subscriptions | Account info, usage data, payment info
Customer support | Account info, device info, logs
Platform improvement | Aggregate usage statistics (no PHI)
Legal compliance | Account info, logs, audit records

We do not use session content for advertising, analytics, or AI model training.


4. How We Share Information

We do not sell your personal information.

We may share information with:

Recipient | Basis | Information Shared
Microsoft Azure | Infrastructure provider; BAA in place | Account data, encrypted session data, logs
Stripe | Payment processor | Billing information (no PHI)
Law enforcement | Legal obligation (court order, subpoena) | As required by law
Successors | Merger, acquisition, or asset sale | As disclosed at the time

We do not share session content with any third party. Because content is end-to-end encrypted, we are technically incapable of doing so.


5. Data Retention

Data Type | Retention Period
Session metadata | 365 days from session end (configurable for Enterprise)
Encrypted session transcripts | 365 days from session end
Account data | Duration of account + 90 days post-deletion
Audit logs | 6 years (HIPAA minimum)
Payment records | 7 years (financial record-keeping requirements)
Application logs | 90 days

You may request deletion of your account and associated data at any time by contacting [email protected]. Note that some data (audit logs) must be retained for legal and regulatory compliance.


6. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

All Users

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate personal information.
  • Deletion: Request deletion of your account and personal information (subject to retention obligations).
  • Portability: Request an export of your data in a machine-readable format.

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected and sold (we do not sell personal information), the right to opt out of sale (not applicable), and the right to non-discrimination for exercising these rights.

European Union / UK Residents (GDPR / UK GDPR)

EU and UK residents have rights under GDPR, including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with a supervisory authority. Our lawful basis for processing is contractual necessity (to provide the Service) and, where applicable, compliance with a legal obligation.

To exercise any of these rights, contact [email protected].


7. Patient Privacy (PHI)

When MediMic processes Protected Health Information on behalf of a Covered Entity, patients' rights regarding that PHI are governed by:

  • HIPAA (45 CFR Part 164)
  • The Covered Entity's own privacy notice
  • Our Business Associate Agreement with the Covered Entity

Patients wishing to exercise HIPAA rights (access, amendment, accounting of disclosures) should contact their healthcare provider, not MediMic.


8. Security

We implement technical and organizational measures to protect your information:

  • End-to-end AES-256-GCM encryption for all session content
  • TLS 1.2/1.3 for all data in transit
  • AES-256 database encryption at rest (Azure SQL TDE)
  • HTTPS-only access with HSTS
  • Role-based access controls for all internal systems
  • Audit logging of all administrative access
  • Regular security reviews

No security measure is perfect. If you believe your account has been compromised, contact [email protected] immediately.


9. Children's Privacy

MediMic is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13 without parental consent, we will promptly delete it.


The Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.


11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice in the portal at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.


12. Contact Us

Privacy inquiries and requests: [email protected]

Security issues: [email protected]

General: Thinera, Inc. [email protected]

