Effective Date: July 28, 2025
Version: 3.0
Data Controller: Verisight Analytics, LLC
Location: 342 N Water St Suite 600, Milwaukee, WI 53202
Privacy Officer: privacy@mdsgenie.ai
Data Protection Officer: dpo@mdsgenie.ai
HIPAA Compliance: hipaa@mdsgenie.ai
Your Rights:
- Access your personal data
- Correct inaccurate data
- Delete your data (with exceptions)
- Port your data
- Object to processing
- Restrict processing
- Withdraw consent
Key Facts:
- We do NOT sell personal data
- We do NOT store PHI - only ephemeral processing
- We use encryption for all data
- We comply with HIPAA, CCPA, and other privacy laws
Verisight Analytics, LLC ("Company," "we," "us," or "our") provides MDS Genie, a clinical decision support platform for healthcare facilities. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service.
This Policy applies to:
- MDS Genie platform (the "Service")
- Our marketing website (www.mdsgenie.ai)
- Communications between you and Verisight Analytics
- Data processing under our Business Associate Agreement
By using MDS Genie, you consent to the data practices described in this Policy.
What We Collect:
- Full name
- Professional credentials and license numbers
- Email address (business)
- Phone number (business)
- Facility name and NPI number
- Job title and role
- Username and password
How We Collect: Directly from you during registration and account management
Purpose: Account creation, authentication, communication, compliance verification
What We Collect:
- Login times and frequency
- Features accessed
- Assessment types generated
- System performance metrics
- Error logs (no PHI included)
How We Collect: Automatically through system monitoring
Purpose: Service improvement, troubleshooting, security monitoring
What We Process (NOT Store):
- Clinical notes submitted for analysis
- MDS assessment context
- Generated recommendations
How We Handle:
- Processed in volatile memory only
- Immediately discarded after processing
- Never stored in databases or logs
- No retention whatsoever
Purpose: Generate MDS coding suggestions
What We Collect:
- Billing name and address
- Last 4 digits of payment card
- Transaction history
How We Collect: Through Stripe (PCI-DSS compliant)
Note: We do NOT store full payment card numbers
What We Collect:
- Pages visited
- Time on site
- General geographic location (city level)
- Browser and device type
- Referral source
How We Collect: Google Analytics (marketing site only)
Purpose: Improve website experience, marketing effectiveness
What We Collect:
- Support tickets and inquiries
- Training completion records
- Feedback and surveys
How We Collect: Directly from you
Purpose: Customer service, compliance tracking, service improvement
We process your information based on:
We never sell, rent, or trade your personal information to third parties.
We share information with vendors who help us provide services:
Provider | Purpose | Data Shared | Safeguards |
---|---|---|---|
Microsoft Azure | Infrastructure/AI | Processing data (ephemeral) | BAA, SOC 2, HIPAA compliant |
Stripe | Payment processing | Payment information | PCI-DSS Level 1 |
Google Analytics | Website analytics | Anonymous usage data | No PHI, marketing site only |
[Email Provider] | Communications | Email addresses | Encryption, no PHI |
We may disclose information when required by:
- Court orders or subpoenas
- Government investigations
- HIPAA-permitted disclosures
- Emergency situations
If we merge, sell, or reorganize, information may transfer to successors who agree to protect it similarly.
We may share aggregated or de-identified data that cannot identify individuals for:
- Industry reports
- Research
- Public health purposes
- Quality improvement initiatives
Encryption:
- At Rest: AES-256 encryption
- In Transit: TLS 1.3 minimum
- Key Management: Automated rotation
Access Controls:
- Multi-factor authentication required
- Role-based access control
- Principle of least privilege
- Automatic session timeout (15 minutes)
- Account lockout after 5 failed attempts
Monitoring:
- 24/7 security monitoring
- Intrusion detection systems
- Audit logs (7-year retention)
- Monthly vulnerability scanning
- Annual penetration testing
Data Type | Retention Period | Reason |
---|---|---|
Account information | Active + 7 years | Legal/tax requirements |
Clinical processing | 0 (ephemeral only) | Privacy by design |
Audit logs | 7 years | HIPAA requirement |
Payment records | 7 years | Tax/financial regulations |
Support tickets | 3 years | Service improvement |
Marketing analytics | 2 years | Analytics purposes |
Training records | Active + 3 years | Compliance tracking |
Deletion: Upon expiration, data is securely deleted using NIST 800-88 standards.
Right to Access: Request a copy of your personal data
Right to Correct: Request correction of inaccurate data
Right to Delete: Request deletion (subject to legal requirements)
Right to Restrict: Limit how we process your data
Right to Object: Object to certain processing activities
Right to Portability: Receive data in machine-readable format
Right to Withdraw Consent: Withdraw previously given consent
Additional rights under California law:
- Right to know categories and specific pieces of personal information
- Right to know purposes of collection and use
- Right to know if information is sold or disclosed (we don't sell)
- Right to opt-out of sale (not applicable - we don't sell)
- Right to non-discrimination
- Right to correct inaccurate information
- Right to limit use of sensitive personal information
To Exercise Rights:
- Email: privacy@mdsgenie.ai
- Toll-free: [To be provided]
- Online form: [To be provided]
Verification: We verify identity before processing requests
Response Time: Within 45 days (may extend additional 45 days with notice)
Virginia (VCDPA): Similar rights to CCPA plus right to appeal
Colorado (CPA): Similar rights plus right to opt-out of profiling
Connecticut (CTDPA): Similar comprehensive rights
Illinois: Rights under BIPA for biometric data (if applicable)
Nevada: Right to opt-out of sale (not applicable)
For Protected Health Information:
- Right to access PHI
- Right to amend PHI
- Right to accounting of disclosures
- Right to restrict uses/disclosures
- Right to confidential communications
- Right to file complaints with HHS
If GDPR applies:
- All rights listed in Section 8.1
- Right to lodge complaint with supervisory authority
- Right to withdraw consent
- Right to object to automated decision-making
Our marketing website uses cookies for:
Essential Cookies: Required for site functionality
- Session management
- Security features
- Load balancing
Analytics Cookies: Understand site usage
- Google Analytics
- Page views and paths
- Time on site
Preference Cookies: Remember your choices
- Language preferences
- Cookie consent choices
The MDS Genie platform does NOT use cookies or tracking technologies
Browser Controls: Set preferences in your browser
Cookie Banner: Use our consent tool on marketing website
Google Analytics Opt-out: https://tools.google.com/dlpage/gaoptout
We honor Do Not Track signals on our marketing website.
MDS Genie is not intended for individuals under 18. We do not knowingly collect information from children. If we discover we have collected information from a child, we will promptly delete it.
To Report: Contact privacy@mdsgenie.ai
Primary Processing: United States
Safeguards for International Transfers:
- Standard Contractual Clauses (EU)
- Appropriate safeguards per GDPR
- Encryption for all transfers
Regardless of location, you maintain all privacy rights described in this Policy.
Our Service may contain links to third-party sites. We are not responsible for their privacy practices. Please review their policies.
If we collect biometric data (e.g., for authentication):
We comply with all applicable state biometric privacy laws.
In the event of a breach affecting your personal information, we will:
Notification Timeline:
- HIPAA Covered Entities: Within 10 business days
- Individuals: As required by law (typically 30-60 days)
- Regulators: As required by law
Notification Content:
- What happened
- Information involved
- Steps we're taking
- Steps you can take
- Contact information for questions
Category | Examples | Sources | Purpose | Shared With |
---|---|---|---|---|
Identifiers | Name, email | You directly | Service delivery | Service providers |
Professional Info | License, credentials | You directly | Compliance | Verification services |
Commercial Info | Transaction history | Service use | Billing | Payment processor |
Internet Activity | Usage data | Automatic | Analytics | None |
Geolocation | City-level only | IP address | Analytics | None |
We DO NOT sell personal information as defined by CCPA
We limit use of sensitive personal information to purposes permitted by CCPA.
See Section 7 for retention periods.
See Section 8.2 for CCPA rights.
MDS Genie uses AI to analyze clinical notes and suggest codes. However:
- All outputs are suggestions only
- Human review is always required
- No automated decisions affect legal rights
- You can request human review of any output
You have the right to:
- Understand the logic involved
- Request human intervention
- Express your point of view
- Contest any suggestions
Material Changes:
- 30 days advance notice via email
- Banner notice on platform
- Ability to review changes before effective date
Minor Changes:
- Updated policy posted on website
- Effective date updated
If you disagree with changes:
- Download your data
- Close your account
- Continue under existing policy until renewal
We strive to make our Privacy Policy accessible to all:
- Plain language where possible
- Screen reader compatible
- Available in alternative formats upon request
Contact: accessibility@mdsgenie.ai
Email: privacy@mdsgenie.ai
Phone: [To be provided]
Mail:
Verisight Analytics, LLC
Attn: Privacy Officer
342 N Water St Suite 600
Milwaukee, WI 53202
Response Time: Within 30 days
Email: hipaa@mdsgenie.ai
Phone: [To be provided]
Email: dpo@mdsgenie.ai
Phone: [To be provided]
You may also contact:
HHS Office for Civil Rights (HIPAA)
https://www.hhs.gov/ocr
California Privacy Protection Agency (CCPA)
https://cppa.ca.gov
Illinois Attorney General (BIPA)
https://www.illinoisattorneygeneral.gov
Personal Information Protection Act:
- Breach notification within 5 business days
- Notice to AG if 500+ residents affected
Biometric Information Privacy Act:
- See Section 13 for biometric data handling
Medical Records:
- Retained per state requirements (5+ years)
- Patient access within 30 days
We comply with all applicable state privacy laws. Contact us for state-specific information.
We adhere to the following principles:
1. Minimization: Collect only what's necessary
2. Purpose Limitation: Use only for stated purposes
3. Transparency: Clear about our practices
4. Security: Protect with appropriate measures
5. Accountability: Take responsibility for compliance
6. Privacy by Design: Build privacy into our systems
7. User Control: Provide choices and rights
"De-identified Data": Data that cannot reasonably identify an individual
"Personal Information": Information that identifies or could identify you
"PHI": Protected Health Information under HIPAA
"Processing": Any operation performed on data
"Service": MDS Genie platform
"Service Provider": Third party that processes data for us
Cookie Name | Provider | Purpose | Expiry | Type |
---|---|---|---|---|
_ga | Google Analytics | Analytics | 2 years | Analytics |
_gid | Google Analytics | Analytics | 24 hours | Analytics |
sessionid | Verisight | Session | Session | Essential |
consent | Verisight | Consent tracking | 1 year | Essential |
Browser Settings:
- Chrome: Settings > Privacy > Cookies
- Firefox: Options > Privacy > Cookies
- Safari: Preferences > Privacy
- Edge: Settings > Privacy > Cookies
Mobile Devices:
- iOS: Settings > Safari > Block Cookies
- Android: Chrome > Settings > Site Settings > Cookies
Processing Activity | Lawful Basis | Article 6 Reference |
---|---|---|
Account management | Contract | 6(1)(b) |
Compliance | Legal obligation | 6(1)(c) |
Security | Legitimate interest | 6(1)(f) |
Marketing | Consent | 6(1)(a) |
Analytics | Legitimate interest | 6(1)(f) |
We have conducted assessments confirming our legitimate interests don't override your rights for:
- Security monitoring
- Service improvement
- Fraud prevention
- Direct marketing (existing customers)
ACCEPTANCE
BY USING MDS GENIE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.
Last Updated: July 28, 2025
Version: 3.0
© 2025 Verisight Analytics, LLC. All rights reserved.