Privacy Policy
Last updated: September 23, 2022
This privacy policy (“Privacy Policy”) sets forth how MediGO, Inc. (“MediGO,” “we,” “us” or “our”) collects, uses and protects any information that we may collect from you or that you may provide when you use any service, product, application, website, domain or sub-domain that references this Privacy Policy, collectively our “Services.” This Privacy Policy will be effective as of September 23, 2022 (the “Last Updated Date”).
HIPAA Compliance:
MediGO complies with the HIPAA Privacy and Security Rules; all implementation specifications designated ‘Required’ and ‘Addressable’ are addressed as applicable. MediGO maintains a Data Privacy Policy as required by HIPAA. All interactions on any Products are recorded in the Audit Logs. Logs are retained for at least seven years. MediGO security administrators can generate reports from logs as required. The integrity of the audit trail is maintained for disabled or deactivated users, and Products record the date and time at which an account was compromised, disabled or deactivated. Logs are monitored regularly, with periodic reports and exception alerts.
HITECH Compliance:
MediGO Products transfer and store electronic PHI entered directly by Customers/users as text, videos, or images. MediGO Products are not considered EHR systems under HITECH.
Information / Data Security:
All data transferred and stored by MediGO Products resides and is processed within the United States. Data is encrypted at rest and in transit (TLS 1.2), meeting the NIST Special Publication 800-52 Rev. 1 and 800-111 standards. Data destruction/sanitization and storage reclamation processes are designed to prevent customer data from being exposed to unauthorized individuals. These processes follow the techniques detailed in DoD 5220.22-M and NIST SP 800-88 Rev. 1. No removable drives are used for PHI/PII storage. Each customer’s data is segregated from other customers’ data through logical controls. Backend access is controlled and includes role-based controls to manage and audit admin/backend users. Customer data will never be shared with third parties without express permission from the customer. Customers will be informed where customer data must be shared with regulators or law enforcement agencies.
MediGO uses Amazon Web Services (AWS) to host its products and services. AWS is audited under SSAE 18, with SOC 2 Type 2 reports completed regularly. AWS provides several reports from third-party auditors who have verified compliance with a variety of computer security standards and regulations (aws.amazon.com/compliance), including ISO 27001 ISMS. MediGO has signed a BAA with AWS after fulfilling the compliance requirements.
Redundancy is built into the databases and Products, which offer customizable data archiving and retention as required by HIPAA and other regulations. Customer data will be retained and made available for export at the termination of the contract, and then sanitized from MediGO systems in a manner that meets or exceeds the guidelines of NIST SP 800-88 Rev. 1.
MediGO engages third parties to conduct vulnerability assessment and penetration testing (VAPT) of its Products and environment periodically. MediGO has implemented an Incident Management policy, along with associated procedures for notifying customers, regulators and other stakeholders.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP):
MediGO has implemented a documented and tested BCP and DRP as required by HIPAA. The BCP and DRP are updated, reviewed and exercised on a regular basis, at least once every year and any time a major change is made to the Product or environment. The AWS hosting used by MediGO is certified by third-party auditors as compliant with ISO 22301 (BCMS).
Account Security:
In order to access Products, a unique login and password are required. Account and password criteria, expiration, auto-logoff, and other administrative policies/procedures are configurable by administrators from the backend. Session lockouts and logoffs have been implemented for enhanced security.
Mobile Access
MediGO Products are accessible via any of our certified web or mobile platforms. For native mobile application Products, a user is registered using a phone number and email. Data is not stored locally or cached on any Products; data is merely accessed by the Products and displayed to the user. Data is transferred to and from the phone using TLS v1.2 or above.
Consent
By checking the “I Consent” checkbox when accessing these Services, you agree that you:
- have read and understood this Privacy Policy, which describes how we use your information; and
- consent to the use, storage and disclosure of your information by us in the manner described in this Privacy Policy.
If you have questions or concerns regarding this statement or your choices and rights regarding such use, or wish to revoke your consent to collect, use and store your data according to this Privacy Policy, please contact us by mail at 1703 S. Clinton St., Baltimore MD 21224, or via email at support@gomedigo.io.
Information Collected
We collect the following information for the purpose of providing you with the functionality of our app:
- information provided directly to us when you enroll in our SMS notification system, through the Contact Us page of our Services, or when you email, write or call us (“Personal Information”);
- Non-Personal Information collected automatically as you utilize our Services, including information collected through cookies (or web beacons if applicable).
“Personal Information” means any data, whether used alone or when combined with other identifying information, which can be used to distinguish or trace your identity, such as your name or other personally identifiable information, financial and payment information, authentication information, phonebook, contacts, device location, SMS and call related data, inventory of other apps on the device, microphone, camera, location data and other sensitive device or usage data, company name, email, address or telephone number. Unless you or your organization provides it to us voluntarily, we do not collect Personal Information about you in connection with your use of our Services.
“Non-Personal Information” means data that cannot be used on its own to trace or identify you. This includes your web browser type, domain name, referring site(s), the date/time and IP address from which you utilized our Services, and data from your transactions with us and our affiliates or non-affiliated third parties. This “Non-Personal Information” is used to improve the operations, functionality, and appearance of our Services.
Please note that this Privacy Policy is in addition to, and does not limit, any protections afforded to your information pursuant to any separate contracts relating to confidentiality of information provided to us.
Information Pertaining to Minors
We do not intend to collect Personal Information from minors (children under 18 years of age, or any other age of minority as defined by applicable law). If we become aware that a minor is attempting to or has submitted Personal Information via our Services, we will notify the user that we will not accept their Personal Information. We will then delete any such Personal Information from our records. If you believe that a minor has submitted their Personal Information, please contact us at 1703 S. Clinton St., Baltimore MD 21224.
Cookies
Cookies are small data files that are stored on your computer by a web server when you utilize our Services. Cookies help us to deliver the best user experience possible. We use cookies for advertising, social media, and analytics purposes.
When you visit our Services, we may use cookies and similar technologies for the following purposes:
- to help us recognize you when you return to our Services (just a number without any Personal Information);
- to avoid requiring registration for access to content on the Services;
- to develop leads for our business development team and our business partners and to provide direct marketing communications to you if you have consented to receive such communications;
- to compile anonymous, aggregated statistics that allow us to understand how users interact with our Services; and
- to help us improve the structure and user experience of our Services.
Data Usage
We use your Personal Information only for the purpose for which it was submitted. For example, if you enroll in our SMS notification system, we will send text message notifications to the provided phone number. We may use Non-Personal Information to help diagnose problems with our server, and to administer our Services, for example, to:
- provide and improve the content and features of our website and mobile app for you;
- provide you with information about our products and services, solely at your election;
- provide you with expiration or renewal notices for your account;
- enforce our rights or carry out our obligations under this Privacy Policy or our website Terms;
- notify you of any changes to this Privacy Policy or our website Terms.
Data Retention
We will retain your Personal Information only for as long as necessary to fulfill the purpose of collection. We may retain your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. We will establish and maintain commercially reasonable safeguards against the destruction, loss or alteration of Personal Information in our possession that are no less rigorous than those in effect for our operations.
We may also retain Non-Personal Information for internal analysis purposes. Non-Personal Information will be disposed of and/or destroyed in accordance with industry best practices when no longer needed.
Links to Third-Party Sites
The Services include links to third-party websites, including access to content, products and services of affiliated and non-affiliated entities. If you choose to use these links, you may be taken to a third party’s website. This Privacy Policy does not bind any third party, and we urge you to familiarize yourself with the individual privacy policy and other terms of each linked site prior to submitting your information to such sites.
Disclosure of Information to Third-Parties
We may share Non-Personal Information with our affiliates or third parties who have agreed to provide at least the same protections as this Privacy Policy. We make every reasonable effort to preserve user privacy. We reserve the right to disclose Personal Information when required or permitted by law and we have a good-faith belief that such action is necessary to comply with an appropriate law enforcement investigation, current judicial proceeding, court order, or legal process served on us.
Chat Service
Our platform includes a live chat service that enables you to communicate with us as well as other users of our platform. You hereby acknowledge that any content that you post when using the chat service will be visible to those other users with whom you are communicating, and we are not responsible for maintaining your privacy with respect to those messages.
Effect of Changes
We will alert you to material changes to this Privacy Policy via the conspicuous posting of the new or modified Privacy Policy on any websites or apps utilized for our Services or by email (if you have provided one). Any modifications will be effective as of the Last Updated Date. You should review the Privacy Policy periodically for updates, including prior to the disclosure of any Personal Information.
For clarifications and reporting Information Security / Privacy concerns please contact:
Chief Compliance and Privacy Officer, MediGO
Email: compliance@gomedigo.io
Call: (443) 961-9444
Address:
1703 S. Clinton Street,
Baltimore, Maryland 21224
USA