Legal

Privacy Policy

Version 1.6 | Last updated: May 5, 2026

PRIVACY POLICY

Last updated: May 5, 2026

This Privacy Notice for LumiMD, Inc. ("Company," "we," "us," or "our") describes how and why we may access, collect, store, use, and share ("process") your personal information when you use our services ("Services"), including when you:

  • Visit our website at lumimd.app or any website of ours that links to this Privacy Notice
  • Download and use our mobile application (LumiMD), or any other application of ours that links to this Privacy Notice
  • Engage with us in other related ways, including support, marketing, and events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have questions or concerns, contact us at tyler@lumimd.app.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice. You can find more details by using the table of contents below.

  • What personal information do we process? We may process personal information depending on how you interact with us and the Services.
  • Do we process sensitive personal information? Yes. We may process sensitive information, including health data and precise geolocation, when necessary and as permitted by law.
  • Do we collect information from third parties? Yes, in limited cases such as sign-in providers you choose to use and service providers that return processing results for requested features.
  • How do we process your information? We process information to provide, improve, and secure our Services, communicate with you, and comply with law.
  • When do we share personal information? We may share information with service providers, in business transfer scenarios, or when legally required.
  • How do we keep data safe? We use reasonable technical and organizational safeguards, but no method is 100% secure.
  • What are your rights? Depending on where you live, you may have rights to access, correct, delete, or obtain copies of your personal information.

TABLE OF CONTENTS

  1. WHAT INFORMATION DO WE COLLECT?
  2. HOW DO WE PROCESS YOUR INFORMATION?
  3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
  4. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?
  5. HOW LONG DO WE KEEP YOUR INFORMATION?
  6. HOW DO WE KEEP YOUR INFORMATION SAFE?
  7. DO WE COLLECT INFORMATION FROM MINORS?
  8. WHAT ARE YOUR PRIVACY RIGHTS?
  9. CONTROLS FOR DO-NOT-TRACK FEATURES
  10. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
  11. DO WE MAKE UPDATES TO THIS NOTICE?
  12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
  13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide when you register on the Services, request information about products and features, participate in activities on the Services, or contact us.

Personal Information Provided by You. The personal information we collect may include:

  • Names
  • Email addresses
  • Usernames
  • Passwords
  • Caregiver names, email addresses, relationship labels, invite messages, and care-team messages you choose to provide
  • Visit details such as provider, specialty, location, visit date, notes, summaries, medication changes, diagnoses, tests, action items, and education content
  • After Visit Summary photos or PDFs, lab results, imaging reports, portal screenshots, and other medical source documents you choose to upload
  • Health journal entries, symptoms, vitals, medications, allergies, and medical history you choose to enter
  • Audio recordings of medical visits, transcripts generated from those recordings, and processing status metadata

We collect this information directly from you when you create an account, enter profile or health information, record a visit, upload a visit-summary document, invite a caregiver, send messages, or otherwise use app features. Some information, such as transcripts and summaries, is generated from the recordings or documents you choose to provide.

If you choose to sign in with Google or Apple, we may receive account identifiers and contact information from that provider so we can authenticate your account.

Sensitive Information

When necessary and as permitted by applicable law, we may process sensitive personal information, including:

  • Health data

Application Data

If you use our app, we may request access to the following device data and permissions:

  • Geolocation Information. We request access to your device location to determine your U.S. state and apply the correct audio-recording consent requirements for your jurisdiction (single-party vs. all-party consent).
  • Microphone. We request access to the microphone to record visit audio for transcription and summarization.
  • Camera and Photo Library. We request access to the camera and photo library to capture or select After Visit Summary documents for processing.
  • Push Notifications. We may request permission to send account and feature-related notifications.

You can change these permissions in your device settings. This information helps us maintain security and operation of the app, troubleshoot issues, and support internal analytics.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, support security and fraud prevention, and comply with legal obligations.

We process personal information for purposes including:

  • Account creation and authentication. To create and maintain user accounts.
  • Service delivery. To provide requested functionality and support product operation.
  • Support and inquiries. To respond to questions, support requests, and troubleshooting.
  • Usage trends. To understand usage patterns and improve product performance.
  • Legal compliance. To comply with applicable law and lawful requests.

3. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations and with specific third parties.

We may share personal information in the following cases:

  • Business Transfers. In connection with, or during negotiations of, a merger, sale of company assets, financing, or acquisition.
  • Service Providers. With processors and vendors who provide hosting, infrastructure, analytics, communications, and support services. Our current service providers include:
    • Google Firebase — hosting, authentication, database, file storage, and cloud functions. Privacy policy: firebase.google.com/support/privacy
    • Vercel — web portal hosting, serverless execution, and deployment infrastructure. Privacy policy: vercel.com/legal/privacy-policy
    • AssemblyAI — audio transcription for visit recordings. Privacy policy: assemblyai.com/legal/privacy-policy
    • OpenAI — text, document, medication safety, question-answering, and summary analysis for transcripts, After Visit Summary photos/PDFs, visit summaries, medication details, allergies, LumiBot questions, diagnosis insights, medication insights, and Spanish summary translation. Trust center: trust.openai.com
    • Sentry — crash and error reporting (optional; may be disabled in Settings). Privacy policy: sentry.io/privacy/
    • Resend — transactional email delivery. Privacy policy: resend.com/legal/privacy-policy
    • Expo — push notification delivery. Privacy policy: expo.dev/privacy-explained
    • Apple — Apple Sign-In authentication and Apple Push Notification service delivery when you use those features. Privacy policy: apple.com/legal/privacy/
    • Google Sign-In — authentication when you choose Google sign-in. Privacy policy: policies.google.com/privacy
    • National Library of Medicine (NLM) — MedlinePlus and RxNav reference lookups for medication and condition information. Privacy policy: nlm.nih.gov/privacy.html
    • Configured incident webhook destination — if enabled, operational escalation routing for high-severity post-visit escalation alerts. The destination depends on our configured incident-management provider.
  • Legal and Safety. Where required by law or to protect rights, safety, and security.

These service providers may process information in the United States or other locations where they or their subprocessors operate, subject to their terms, privacy policies, and our applicable agreements with them.

4. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: Yes. We offer AI-powered products, features, and tools.

As part of our Services, we provide features powered by artificial intelligence, machine learning, or related technologies ("AI Products").

Use of AI Technologies

We provide AI Products through third-party AI service providers, including AssemblyAI and OpenAI. We ask for in-app permission before sending personal data to these providers for AI processing, and we ask again if that permission is cleared or materially changes. Inputs, outputs, and related personal information may be processed by these providers to deliver AI functionality.

Our AI Products

  • AI transcription (converting visit audio to text)
  • AI summarization (extracting diagnoses, medications, and next steps from transcripts)
  • AI document extraction (reading After Visit Summary photos/PDFs, lab results, imaging reports, portal screenshots, and other source documents to identify medications, instructions, tests, action items, and plain-language context)
  • AI translation (translating visit summaries and related education into Spanish when requested)
  • AI medication safety review (checking medication names, doses, frequencies, medication lists, and allergies for potential safety warnings)
  • AI LumiBot visit question answering (answering questions using the visit summary, education, medications, diagnoses, follow-ups, and next steps)
  • AI web insights (providing patient-friendly diagnosis and medication explanations in the web portal)

What Data Is Sent To AI Providers

  • AssemblyAI: Visit audio recordings are sent to AssemblyAI to create a transcript. AssemblyAI returns transcript text and related transcription metadata.
  • OpenAI: Transcript text, uploaded After Visit Summary photos/PDFs, lab results, imaging reports, portal screenshots, extracted visit details, existing summary text, medication names, doses, frequencies, current medication lists, allergies, user-entered LumiBot questions, limited visit education context, and diagnosis or medication names entered in the web portal may be sent to OpenAI to generate plain-language notes, medication changes, action items, education, Spanish translations, medication safety review, LumiBot answers, and web medication or diagnosis insights.

We do not sell this information. We use these providers only to provide the requested LumiMD features. We require service providers that process personal information for LumiMD to protect that information under contractual obligations designed to provide the same or equal protection described in this Privacy Notice and required by applicable App Store privacy requirements.

How We Process Your Data Using AI

Personal information processed by AI features is handled according to this Privacy Notice and applicable agreements with service providers.

Audio retention. Our systems are designed to delete audio recordings from our servers after your visit notes are generated, typically within seconds of processing. A daily automated safety sweep checks for processing artifacts that were not deleted immediately and retries cleanup. Source documents you choose to keep in LumiMD, such as After-Visit Summaries, lab results, imaging reports, and portal screenshots, remain in your account so you can cross-check summaries against the original file. These source documents are deleted when you delete the document, delete your account, or request deletion, subject to legal, security, and operational retention obligations. Transcripts, summaries, and related account records may remain in your account until you delete them or request account deletion, subject to legal, security, and operational retention obligations.

Retention with AI providers. Audio and transcripts shared with AssemblyAI for transcription have their transcript records deleted via API call after processing completes; AssemblyAI's own handling of any incidental copies is governed by their privacy policy and our agreement with them. Data sent to OpenAI for summarization, document extraction, translation, medication safety review, LumiBot question answering, and web insights is sent to the OpenAI API, not ChatGPT consumer products. We configure OpenAI API requests to avoid optional retention where supported, including using store: false on supported requests. OpenAI's handling of API inputs and outputs is governed by OpenAI's API terms, privacy commitments, and our account settings; we do not intentionally opt user health data into model training.

5. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep personal information for as long as necessary to fulfill the purposes described in this Privacy Notice, unless a longer period is required by law.

We keep personal information while accounts are active and as needed for legal, security, and operational purposes. When we no longer have a legitimate business need, we delete or anonymize personal information where feasible.

If deletion is not immediately possible (for example, due to secure backups), we isolate and protect data until deletion is possible.

6. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through technical and organizational security measures.

We implement reasonable safeguards designed to protect personal information. However, no electronic transmission or storage method can be guaranteed 100% secure. You should access Services within a secure environment and keep credentials confidential.

7. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from children under 18 years of age.

If we learn that personal information from a person under 18 has been collected without proper authorization, we will deactivate related accounts and take reasonable steps to delete that data. If you believe we may have collected such data, contact us at tyler@lumimd.app.

8. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your location, you may have rights that allow you to access, update, correct, export, or delete personal information.

Withdrawing consent

If processing relies on consent, you may withdraw consent at any time by contacting us. Withdrawal does not affect lawful processing completed before withdrawal.

Account Information

You may review or update account information, export a copy of your user-facing account and health data, or request account deletion directly from the app's Settings → Data & Privacy section. You may also contact us to make these requests.

Upon deletion request, we will delete or deactivate account data from active systems, subject to legal, security, backup, and operational retention obligations.

For other privacy-rights requests, contact tyler@lumimd.app.

9. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems include a Do-Not-Track (DNT) setting. Because no uniform technical standard has been finalized, we do not currently respond to DNT signals.

10. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you reside in certain U.S. states (including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia), you may have additional privacy rights.

Categories of Personal Information We Collect

The table below describes categories of personal information collected in the prior 12 months.

Category Examples Collected
A. Identifiers Name, alias, contact details, IP address, account name YES
B. California customer records information Name and contact information YES
C. Protected classifications Demographic data where provided YES
D. Commercial information Purchase and transaction records NO
E. Biometric information Fingerprints, voiceprints NO
F. Internet or network activity Website, app, and API interaction data, IP address, user agent, device, and diagnostic metadata YES
G. Geolocation data Device location YES
H. Audio and similar information Audio recordings and related data YES
I. Professional or employment information Business contact and work history NO
J. Education information Student records and directory data NO
K. Inferences Visit summaries, action items, medication safety warnings, care insights, and similar outputs generated from user-provided information YES
L. Sensitive personal information Account login data, health data, precise geolocation YES

Your Rights

You may have rights to:

  • Know whether we process your personal data
  • Access your personal data
  • Correct inaccuracies
  • Request deletion
  • Obtain a copy of your data
  • Not be discriminated against for exercising rights
  • Opt out of certain processing where applicable

How to Exercise Your Rights

Data export and account deletion are available directly in the LumiMD app under Settings → Data & Privacy. For other rights requests, email tyler@lumimd.app. We may verify identity before processing a request.

Appeals

If we deny a request and appeal rights apply, you may appeal by emailing tyler@lumimd.app.

California "Shine The Light" Law

California residents may request information, once per year and free of charge, about categories of personal information disclosed to third parties for direct marketing purposes in the prior calendar year.

11. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we may update this notice as necessary to remain compliant with law.

The updated version will be identified by a revised "Last updated" date. For material changes, we may provide additional notice.

12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, contact us at:

LumiMD, Inc.
251 Little Falls Drive
Wilmington, Delaware 19808
United States
Email: tyler@lumimd.app

13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Subject to applicable law, you may review, update, export, or delete personal information directly in the app under Settings → Data & Privacy. You may also submit a request by contacting tyler@lumimd.app.

We will review and respond to requests in accordance with applicable data protection laws.