How Med Foresight handles information collected through the marketing site, our product, and pilot deployments. Plain-language version, with the formal terms preserved.
Last updated: May 1, 2026
Effective: May 1, 2026
Draft for legal review
This policy is a starting draft based on the conventions used by comparable US clinical-AI products. It must be reviewed by counsel and tailored to Med Foresight's actual data practices, sub-processors, and jurisdictions before publication.
1 · Scope
This Privacy Policy describes how Med Foresight (“Company,” “we,” “us,” or “our”), with its business address at PO Box 187, Issaquah, WA 98027, collects, uses, and shares information in three distinct contexts:
The marketing site at med4sight.com — open to visitors who are typically clinicians, health-system decision-makers, investors, and partners.
The Patient Foresight Pro (PFP) product — used by clinical staff at customer practices.
Pilot deployments in which we process Protected Health Information (PHI) on behalf of a customer practice under an executed Business Associate Agreement (BAA).
If you are a patient whose record may have been processed by Med Foresight, your privacy rights flow through your healthcare provider, who is the HIPAA Covered Entity. Contact your provider to exercise those rights.
2 · Data we collect
2.1 · Marketing site visitors
Identifiers you provide through demo requests, contact forms, and email — name, work email, phone, organization, role, and the message content.
Device and usage data automatically collected by our analytics tooling — IP address, user-agent, referrer, pages viewed, time on page, and approximate geolocation derived from IP.
Cookies and similar technologies — see Section 11.
2.2 · Product users (clinical staff)
Account identifiers (name, work email, role) provisioned by the customer practice.
Product telemetry (feature usage, error logs, session metadata) used to operate, secure, and improve PFP.
2.3 · Patient data (PHI)
We process PHI only on behalf of customer practices and only under a BAA. The categories of PHI we may process are governed by that BAA and the integration scope agreed with the practice — typically demographic identifiers, encounter data, problem lists, medications, lab and imaging references, pathology reports, and clinical notes pulled from the customer's EHR via HL7 / FHIR.
3 · How we use data
Respond to demo requests, sales inquiries, and support questions.
Provide, maintain, secure, and improve the marketing site and the PFP product.
Authenticate users, enforce access controls, and produce audit logs.
Generate aggregated, de-identified analytics about product usage to inform roadmap decisions.
Comply with applicable law, respond to lawful requests, and enforce our agreements.
We do not sell personal information, and we do not use marketing-site analytics for cross-context behavioral advertising.
4 · PHI and the Business Associate Agreement
For pilot and production deployments, Med Foresight acts as a HIPAA Business Associate of the customer practice. Our handling of PHI is governed by:
The executed BAA between Med Foresight and the customer practice.
HIPAA Privacy and Security Rules and the HITECH Act, as applicable to Business Associates.
The customer's configured access policies and role definitions inside PFP.
We do not use PHI for any purpose outside of providing the contracted service to the customer practice, except as permitted or required by the BAA and applicable law (for example, our own management, administration, and legal obligations).
Need a BAA before a pilot? Email info@m4sight.com with subject “BAA Request” and we will route to counsel.
5 · AI / model training
We do not use customer PHI to train or fine-tune third-party foundation models. When PFP invokes a foundation model (for example, an AWS Bedrock-hosted model) to generate a clinical summary or answer a clinician question, the request is processed by the model provider under contractual terms that prohibit training on customer inputs and outputs.
We may use de-identified data — stripped of HIPAA identifiers per the Safe Harbor or Expert Determination method — for internal evaluation, prompt engineering, and quality assurance. We may use aggregated, non-identifying telemetry to improve the product.
6 · Sharing & sub-processors
We share information only with:
Sub-processors that operate the infrastructure underlying the marketing site and the product — including cloud hosting, model inference, email delivery, and analytics. Each sub-processor is contractually bound to confidentiality, security, and (where PHI is in scope) HIPAA Business Associate obligations. A current list of sub-processors is available on request.
The customer practice for whose patients we process PHI.
Professional advisors — accountants, auditors, lawyers — under confidentiality.
Legal & compliance recipients when required by subpoena, court order, or applicable law.
Successors in a merger, acquisition, or asset sale, subject to the same protections that apply under this policy.
7 · Data security
Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access control with least-privilege defaults and periodic access reviews.
Audit logging across product surfaces that touch PHI; tamper-evident retention.
Network isolation, secrets management, and dependency monitoring across the production environment.
Background checks and HIPAA training for personnel with access to PHI.
Documented incident response and breach notification procedures consistent with HIPAA and applicable state law.
No system is perfectly secure. We continuously evaluate our controls and update them as the threat landscape evolves.
8 · Data retention
Marketing site contacts: retained for as long as needed to respond to your inquiry and for a reasonable follow-up period, then deleted on a rolling schedule (typically 24 months) unless you opt to remain on a future newsletter.
Product account data: retained for the duration of the customer's contract and a defined wind-down period thereafter, then deleted or returned per the BAA.
PHI: retained per the customer's BAA and applicable record-retention requirements. Deleted or returned on contract termination as the BAA specifies.
Audit logs and security records: retained for a minimum of six (6) years consistent with HIPAA documentation requirements.
9 · Your rights
Depending on where you are located and the nature of the data, you may have the right to:
Access the personal information we hold about you.
Correct inaccurate or incomplete information.
Request deletion of personal information we hold (subject to exceptions for legal-retention obligations).
Object to or restrict certain processing, and withdraw consent where processing is based on consent.
Request a portable copy of personal information.
Lodge a complaint with a supervisory authority.
To exercise these rights for marketing-site or product account data, contact us at the address in Section 15. For PHI, contact your healthcare provider — they are the Covered Entity responsible for handling your record-access requests.
10 · California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, grants you specific rights regarding your personal information.
Right to know & access — what categories and specific pieces of personal information we have collected about you, the sources, and the purposes.
Right to delete — subject to exceptions.
Right to correct — inaccurate personal information.
Right to opt out of sale or sharing of personal information for cross-context behavioral advertising. We do not sell personal information and do not share it for cross-context behavioral advertising.
Right to limit the use of sensitive personal information.
Right to non-discrimination for exercising any of the above.
To exercise a California right, email info@m4sight.com. We may need to verify your identity before responding. Authorized agents may submit requests with proof of authorization.
Note: PHI processed under HIPAA is exempt from CCPA — those rights are governed by HIPAA and are exercised through your healthcare provider.
11 · Cookies & analytics
The marketing site uses a small number of strictly necessary cookies and may use first-party analytics to understand how visitors discover and use the site. We do not use the marketing site for behavioral advertising and do not share marketing-site analytics with ad networks.
You can disable cookies in your browser. The marketing site remains usable without them.
12 · International data transfers
Med Foresight operates in the United States. If you access the marketing site or product from outside the US, the information you provide may be transferred to and processed in the US. We rely on appropriate safeguards (including standard contractual clauses where applicable) for transfers from jurisdictions that require them.
13 · Children's privacy
The marketing site and product are not directed to children under 16, and we do not knowingly collect personal information from children. PHI relating to pediatric patients may be processed under a customer's BAA in the same protected manner as other patient data.
14 · Changes to this policy
We may update this policy as our product, infrastructure, or legal obligations change. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated through the marketing site and, where relevant, through the product or to customer practices.
15 · Contact us
Med Foresight
PO Box 187, Issaquah, WA 98027
Email: info@m4sight.com
Phone: +1 425 802 3823