Last updated: February 21, 2026

Privacy Policy

MyHeroMed, Inc. ("MyHeroMed," "we," "our," or "us") is committed to protecting your privacy and the confidentiality of your health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our telehealth platform at myheromed.com and related services (the "Platform"). By using the Platform, you consent to the practices described in this policy.

HIPAA Compliance and Protected Health Information

MyHeroMed operates as a HIPAA-compliant platform. We treat all health information you share during consultations as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). This includes your medical history, symptoms, diagnoses, treatment plans, prescriptions, and any files or images you share with your specialist.

We maintain Business Associate Agreements (BAAs) with every third-party service that processes or stores PHI on our behalf. Our technical infrastructure, policies, and procedures are designed to meet or exceed HIPAA Security Rule requirements for the protection of electronic PHI (ePHI).

Information We Collect

Information You Provide

  • Account information: Name, email address, phone number, date of birth, and login credentials.
  • Health information: Symptoms, medical history, medications, allergies, and any other health details you share during consultations, including uploaded photos, documents, and lab results.
  • Payment information: Credit or debit card details, billing address, and transaction history. Card details are processed and stored by our PCI-certified payment processor and are never stored on our servers.
  • Communications: Messages, attachments, and video session data exchanged between you and your specialist.

How We Use Your Information

  • Providing care: Facilitating specialist consultations, matching you with appropriate providers, and enabling secure messaging and video sessions.
  • Processing payments: Authorizing and capturing payments, issuing refunds, and providing transaction records.
  • Platform operations: Maintaining account security, authenticating users, preventing fraud, and providing customer support.
  • Service improvement: Analyzing aggregate, de-identified data to improve platform reliability, specialist matching, and overall care quality. See our Artificial Intelligence and Automated Processing section below for details on how we protect your identity in this process.
  • Legal compliance: Meeting obligations under HIPAA, state telehealth regulations, and other applicable laws.
  • Communications: Sending appointment notifications, consultation updates, and essential service communications. We will never send marketing emails without your explicit opt-in consent.

Artificial Intelligence and Automated Processing

We want to be completely transparent about how technology is used on our platform and how your data helps us improve care for everyone.

  • Anonymized data for improvement: We use anonymized, de-identified data to train and improve our AI systems and platform capabilities. Before any data is used for this purpose, all personal identifiers — including your name, contact details, account information, and any other information that could identify you — are permanently removed. No individual can be identified from this anonymized data. This process helps us improve specialist matching, platform reliability, and overall care quality for all patients.
  • Your identifiable data stays private: Your personal medical records, consultation messages, and health information are never shared in identifiable form with AI training systems or any third party. Only fully de-identified, aggregate data is ever used for improvement purposes.
  • Specialist matching: We may use algorithmic matching to help connect you with a specialist in the right medical field based on the category of concern you select. This is rule-based routing, not AI-driven diagnosis or triage.
  • All clinical decisions are made by humans: Every diagnosis, treatment plan, and prescription decision is made by a licensed, board-certified specialist — never by an algorithm or AI system.
  • No automated health decisions: We do not use automated decision-making or profiling that produces legal or similarly significant effects on you based on your health data.

Data Security

We implement multiple layers of security to protect your information:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. This includes every message, file upload, and video session.
  • Encryption at rest: All stored data, including health information and personal records, is encrypted at rest using AES-256 encryption.
  • End-to-end encrypted messaging: Consultation messages between you and your specialist are transmitted over encrypted channels.
  • Secure video: Video consultations use encrypted, peer-to-peer connections with no recording or storage of video content.
  • Access controls: Access to patient data is restricted on a need-to-know basis. Only your assigned specialist and authorized support personnel can access your consultation data. All access is logged and auditable.
  • Infrastructure security: Our platform runs on enterprise-grade cloud infrastructure with network isolation, intrusion detection, and regular security assessments.
  • Secure file storage: Uploaded files and attachments are stored in encrypted, access-controlled storage with signed, time-limited access URLs.

Third-Party Services

We partner with trusted, industry-leading service providers to operate the Platform securely and reliably. We carefully vet every vendor and hold them to the same high standards we set for ourselves. Here is how we keep your data safe across our service providers:

  • HIPAA-compliant infrastructure: All vendors that process or store Protected Health Information operate under signed Business Associate Agreements (BAAs) and meet HIPAA Security Rule requirements.
  • PCI-certified payment processing: Your payment card details are handled exclusively by a PCI DSS Level 1 certified payment processor. Card numbers are never stored on MyHeroMed servers.
  • Encrypted messaging and video: Our messaging and video consultation providers transmit all data over encrypted channels. Message content is not retained by infrastructure providers after delivery, and no video content is recorded or stored after your session ends.
  • Minimum necessary access: Each service provider receives only the minimum data required for its specific function. Providers that handle authentication or operational workflows do not have access to your health information.
  • Encrypted data storage: All account and consultation records are stored in encrypted, HIPAA-compliant database infrastructure with encryption at rest and in transit.

We do not sell, rent, or trade your personal information or health data to any third party for marketing, advertising, or any other purpose.

Data Retention

We retain your health and consultation records for a minimum of seven (7) years from the date of your last consultation, as required by healthcare record retention laws in most jurisdictions. Account information is retained for as long as your account is active. Payment records are retained as required by applicable financial regulations.

If you request account deletion, we will delete or de-identify your personal data within 30 days, except where retention is required by law (such as medical record retention requirements). We will notify you of any data we are legally required to retain.

Your Rights

You have the following rights regarding your personal and health information:

  • Access: You may request a copy of the personal and health information we hold about you. Under HIPAA, you have the right to access your medical records.
  • Correction: You may request that we correct inaccurate or incomplete personal information.
  • Deletion: You may request deletion of your personal data, subject to legal retention requirements for medical records.
  • Data portability: You may request your health records in a standard, machine-readable format for transfer to another provider.
  • Restrict processing: You may request that we limit how we use your data in certain circumstances.
  • Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time.
  • Accounting of disclosures: Under HIPAA, you may request an accounting of certain disclosures of your PHI made by us.

To exercise any of these rights, contact us at [email protected]. We will respond to all requests within 30 days.

State Privacy Laws

If you are a resident of a state with specific privacy legislation (such as the California Consumer Privacy Act, Virginia Consumer Data Protection Act, or similar state laws), you may have additional rights. We honor all applicable state privacy rights. Contact us at [email protected] to exercise any state-specific rights.

Children's Privacy

MyHeroMed is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected information from a child under 18, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at [email protected].

Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on our Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or our data practices, or if you wish to exercise any of your rights, please contact us: