This Privacy Policy explains how MemAlgo (MemAlgo AI LLC in the United States and MemAlgo AI LLP in India - "MemAlgo," "we," "us") collects, uses, and protects personal information through memalgo.ai (the "Site") and our EHR and AI Scribe products (the "Services").
At a glance
- We never store audio recordings - consultations are transcribed in real time and the audio is discarded.
- We never use patient data to train AI models.
- We never sell personal information.
- Your hospital or clinic controls patient data; MemAlgo processes it only on their instructions.
- Data for Indian customers is stored in India (AWS Mumbai).
Our role
The Services are used by hospitals, clinics, and provider organisations ("Customers"). When we process patient information through the Services ("Customer Data"), we act as a data processor under the Customer's instructions - governed by a Business Associate Agreement under HIPAA in the U.S., or a Data Processing Agreement under the Digital Personal Data Protection Act, 2023 in India. The Customer is responsible for obtaining patient consent. If you are a patient, please contact your healthcare provider for its privacy notice.
Information we collect
- Account information - clinician name, work email, phone, organisation, role, and login activity.
- Consultation data - live consultation audio (processed in real time, never stored), the resulting transcript, AI‑generated draft notes, and session metadata such as timestamps and encounter types.
- Site data - device and browser information, IP address, and interaction data collected via cookies to operate and improve the Site.
How we use information
We use personal information to provide, secure, and improve the Services; create and authenticate accounts; generate transcripts and draft clinical notes; provide support; prevent fraud and abuse; and comply with legal obligations. AI‑generated notes are drafts that support - never replace - the treating clinician's judgement. Service improvement uses only de‑identified, aggregated data as permitted by our customer agreements and applicable law.
Security and retention
We use encryption in transit (TLS 1.2+) and at rest (AES‑256), role-based access controls, multi-factor authentication for administrative access, and audit logging. Session metadata is retained for 180 days, then purged. Audio is never stored. Clinical records in the EHR belong to the Customer and are retained, returned, or deleted under our agreement with them.
United States
Where we handle Protected Health Information, we act as a Business Associate under HIPAA and the applicable BAA governs. Depending on your state of residence (including under the CCPA/CPRA), you may have the right to access, correct, delete, or opt out of the "sale" or "sharing" of your personal information, and to appeal - without discrimination. We honor Global Privacy Control signals where required and provide breach notifications consistent with HIPAA, FTC, and state law. The Site is not directed to children under 13.
India
Our processing in India is governed by the DPDP Act, 2023, the DPDP Rules, 2025, and the IT Act, 2000 and SPDI Rules, 2011, under which health information is sensitive personal data. Customer Data is stored in India (AWS Mumbai). As a Data Principal, you have the right to access, correct, and erase your personal data, withdraw consent, nominate a representative, and seek grievance redressal by contacting our Grievance Officer below.
Changes to this policy
We may update this Policy from time to time. Material changes will be reflected in the "Last updated" date above and posted on the Site.