Privacy Policy — IMEridian

IMEridian (“IMEridian,” “we,” “us,” or “our”) provides a mobile application for licensed physicians to document independent medical examinations (IMEs), generate reports, and support utilization review (UR) and peer review workflows. This Privacy Policy explains what information the IMEridian iOS application (the “App”) collects, how it is used, when it is shared, and the choices you have. By downloading, installing, or using the App, you agree to this Policy.

1. Who This Policy Applies To

This Policy applies to physicians and other authorized clinical users who use the App to perform examinations and generate documentation (“Users”). It also describes how we handle limited information about the individuals examined or referenced in those examinations (“Claimants”). Claimants do not interact with the App directly; their information is entered by the User in the course of clinical documentation.

The App is intended solely for use by licensed healthcare professionals in the United States. It is not intended for use by patients, claimants, the general public, or anyone under the age of 18.

2. Information We Collect

2.1 Account Information

When you create an IMEridian account we collect information you provide directly, including:

Name, professional credentials, NPI, and practice address
Email address and password (passwords are stored only as salted hashes)
Specialty, licensure jurisdictions, and IME panel affiliations (optional)
Billing contact and payment information (processed by our payment processor; see Section 6)

2.2 Clinical Content You Enter

While using the App, you enter clinical and case content that may include Protected Health Information (“PHI”) about Claimants. This may include:

Claimant identifiers (name, date of birth, claim number, employer, jurisdiction)
Referral source, date of injury, and claim history
Records reviewed, history of present illness, and physical examination findings
Diagnostic impressions, causation analysis, and apportionment
UR / peer review determinations and supporting guideline citations
Generated IME reports and exported PDFs

This content is stored in encrypted form and is treated as PHI under our Business Associate framework (see Section 5).

2.3 Device and Usage Information

To operate, secure, and improve the App, we automatically collect limited technical information:

Device model, iOS version, App version, and language
Anonymized device identifier used for session and license validation
Crash logs, diagnostic events, and feature-usage telemetry (in aggregate, non-PHI form)
IP address and approximate region (for security and fraud prevention only)

We do not collect precise geolocation, contacts, photos, microphone audio, or camera content unless you explicitly enable a feature that requires it (for example, attaching a photo to a case file). Permissions are requested at the point of use and can be revoked at any time in iOS Settings.

2.4 Information We Do Not Collect

The App does not collect advertising identifiers (IDFA) and does not include third-party advertising SDKs. We do not sell, rent, or trade personal information or PHI under any circumstance.

3. How We Use Information

We use the information described above only for the following purposes:

Provide the Service: authenticate you, store and retrieve your cases, generate reports, and deliver features such as guideline references and exports.
Maintain Security: detect and prevent unauthorized access, abuse, and fraud, and enforce our Terms of Use.
Improve the App: diagnose crashes, analyze feature usage in aggregate, and prioritize improvements. This work uses non-identified or de-identified data wherever possible.
Communicate With You: send service-related messages, security alerts, billing notices, and (only if you opt in) product updates.
Comply With Law: meet legal, regulatory, and audit obligations applicable to healthcare technology.

We do not use PHI to train machine-learning models. Any AI-assisted text generation occurs within secure, contractually constrained inference environments and the resulting output remains your work product.

4. Legal Bases and Roles

With respect to PHI entered into the App, the User (or the User’s practice) is the Covered Entity under HIPAA, and IMEridian acts as a Business Associate. Use of the App for clinical documentation is governed by our Business Associate Agreement (“BAA”), which is offered to all professional accounts and supersedes any conflicting term of this Policy with respect to PHI.

5. How Information Is Stored and Secured

We design the App with security and minimal data retention in mind:

Encryption in transit: all communication between the App and our servers uses TLS 1.2+.
Encryption at rest: case content is stored using AES-256 encryption on the device and on our servers.
Access controls: role-based access, least-privilege staff permissions, and audit logging.
Authentication: support for strong passwords and biometric (Face ID / Touch ID) unlock on supported devices.
U.S.-based hosting: data is hosted on HIPAA-eligible U.S. infrastructure under a signed BAA with the hosting provider.
Backups: encrypted backups are retained on a rolling 30-day schedule for disaster recovery only.

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, but we maintain administrative, physical, and technical safeguards designed to comply with the HIPAA Security Rule.

6. When We Share Information

We share information only in these limited circumstances:

Service providers: hosting, error monitoring, and payment processing vendors that operate under written contracts and, where applicable, BAAs. Current sub-processors include cloud hosting (AWS), error reporting (Sentry, configured to scrub PHI), and payment processing (Stripe — billing information only; Stripe does not receive PHI).
At your direction: when you export, share, or transmit a report, the recipient is determined by you.
Legal compliance: in response to a valid subpoena, court order, or other legal process, after we evaluate its scope and notify the affected User where permitted by law.
Business transitions: in connection with a merger, acquisition, or sale of assets, subject to continued protection of your information consistent with this Policy.
To protect rights and safety: where reasonably necessary to investigate fraud, enforce our agreements, or protect users and the public.

We do not share PHI with advertisers, data brokers, or analytics providers for marketing purposes.

7. Data Retention and Deletion

Case content is retained for as long as your account is active or as required to provide the Service. You may delete individual cases at any time within the App. When you close your account, we will delete or de-identify your case content within 60 days, except where retention is required by law, professional obligation, or to resolve disputes. Encrypted backup copies cycle out of storage within an additional 30 days.

You are responsible for retaining a copy of any reports you produce in the App in accordance with your professional record-keeping obligations.

8. Your Choices and Rights

You can:

Access, correct, or export your account information from within the App
Delete individual cases or your entire account
Disable optional permissions (camera, photos, notifications) in iOS Settings at any time
Opt out of non-essential product communications via the unsubscribe link in those messages

Depending on your state of residence (for example, California, Colorado, Texas, or Virginia), you may have additional rights regarding personal information we hold about you as a User, including the right to request access, correction, deletion, or a copy in a portable format. To exercise these rights, contact us using the information in Section 13. We will not discriminate against you for exercising any privacy right.

9. Children’s Privacy

The App is not directed to children under 18 and we do not knowingly collect personal information from children. Claimant records may incidentally reference minors as part of clinical documentation entered by a User; that information is treated as PHI and protected under the safeguards described in this Policy and the BAA.

10. International Use

The App is operated from, and intended for use within, the United States. If you access the App from outside the U.S., you understand that information will be processed and stored in the United States, where data protection laws may differ from those in your jurisdiction.

11. Apple App Store

When you download the App, Apple may collect limited information (such as your Apple ID, download history, and device identifiers) under Apple’s own privacy practices. Apple is an independent controller of that information; we do not control Apple’s collection. Please review Apple’s privacy policy at apple.com/legal/privacy for details.

12. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you in the App or by email before the changes take effect. The “Effective” date at the top of this Policy indicates when it was last revised. Continued use of the App after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

Questions, requests, or concerns about this Policy or your information can be directed to our Privacy Officer:

IMEridian Privacy Officer

Email: privacy@imeridian.app

Mail: IMEridian, c/o Privacy Officer, Wooster, OH 44691

For Business Associate Agreements or security disclosures, write to security@imeridian.app.