Introduction
MedGrid (operated by Skydell Holdings, Inc., “MedGrid,” “we,” “us,” or “our”) provides a clinical intelligence
performance engine that connects physicians, clinics, manufacturers, and patients to a verified outcomes
data layer. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use
medgrid.com, the MedGrid mobile experience, the MedGrid ERP / EMR / EHR, the MedGrid
Marketplace, the MedGrid Forum, the BridgeMed telehealth integration, and any related services
(collectively, the “Services”).
By using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.
Our platform is exclusively for verified healthcare professionals including physicians (MD, DO), nurse practitioners (NP), and licensed specialists.
1. Who This Policy Applies To
The Services are used by several distinct populations. Different sections apply to different users:
| Population | Key Sections | Notes |
| --- | --- | --- |
| Physicians (independent or MSO-enrolled) | §4, §6, §10 | Business Associate Agreement (BAA) governs PHI. |
| Clinics, sales reps, and other partners | §3, §4, §6, §11 | Includes Skydell Medical reps and BridgeMed vendors. |
| Patients (telehealth, portal, directory inquiries) | §3, §5, §7, §10 | The Notice of Privacy Practices in §10 also applies. |
| Manufacturers and data licensees | §3, §6, §11 | Outcomes data licensed under §11 is de-identified per 45 CFR §164.514(b). |
| Visitors to medgrid.com (no account) | §3, §8 | Limited tracking; see §8 for cookies. |
2. Definitions
- PHI — Protected Health Information as defined under HIPAA.
- De-identified data — Information that has been processed to remove identifiers per the HIPAA Safe Harbor method or Expert Determination method.
- Personal Data — Any information that identifies or can reasonably identify a living individual, including under GDPR, CPRA, and similar laws.
- Tenant — A clinic, group, or enterprise that uses MedGrid as its EMR/EHR. Each tenant is logically isolated; see Tenant Isolation.
- Outcomes Data — De-identified, structured records produced by ClinicalX and described in §11.
3. Information We Collect
3.1 Information you provide
- Account & credentialing. Name, email, phone, password (hashed), NPI, DEA, state medical license, malpractice attestation, employer/clinic, billing address.
- Profile & directory. Specialty, years of practice, treatment focus areas, optional photo, public bio, availability windows for peer consults and telehealth.
- Patient charts (if you are a clinician). Demographics, history, vitals, labs, prescriptions, diagnoses, notes. This is PHI and is governed by your BAA with us.
- Marketplace orders. Items, quantities, batch numbers, shipping addresses, payment method (tokenized via Stripe — we never store full card numbers).
- Forum and consult content. Case studies, protocols, peer reviews, scheduled consultations and the recordings you choose to retain.
- Support requests and survey responses.
3.2 Information we collect automatically
- Device, browser, OS, IP, approximate geolocation derived from IP.
- Pages viewed, features used, search queries inside MedGrid, click and scroll behaviors.
- Authentication events (logins, MFA prompts, session lifetimes, failed attempts).
- Performance and crash telemetry.
3.3 Information from third parties
- Identity & credentialing services (NPI registry, DEA, state medical boards, LegitScript) — to verify your license.
- Payment processors — Stripe returns confirmation, last-4, and chargeback events.
- Single sign-on — Google OAuth and any future SAML providers return your email, name, and profile photo.
- Manufacturers and pharmacies — batch, lot, COA, and tracking events for your orders.
- BridgeMed telehealth + 503A pharmacy network — when you use the integrated telehealth flow.
3.4 Information we do NOT collect
- We do not collect biometric data unless you proactively upload it as part of a clinical assessment.
- We do not collect children's data — the Services are not directed to anyone under 18, and patient portal accounts require an adult guardian.
- We do not buy data from data brokers.
4. How We Use Information
We use information only for the purposes set out below. Some uses below depend on features that are still being built — see Release Notes for what's live today.
- Operate and secure the Services — authenticate, provision tenants, route orders, render the EMR (where the EMR module is live for your tenant), run patient follow-ups, prevent fraud and abuse.
- Provide clinical workflow tools — protocol assignment, dosing schedules, lab interpretation, pharmacovigilance, telehealth scheduling. Several of these tools are rolling out incrementally; the Release Notes list what is currently live, in pipeline, or coming soon.
- Process orders and payments — including marketplace fees, MSO management fees, and payouts to sellers.
- Improve the Services and Genesis AI — model training is performed only on de-identified Outcomes Data per §7. We do not use identifiable PHI to train models that serve other tenants. The retraining loop is operational; the data feedback effect grows as the outcomes layer captures more structured records.
- Communicate with you — service notices, security alerts, billing, release notes, and (with your consent) product updates and educational content.
- Meet our legal obligations — including HIPAA, state medical-board reporting where applicable, and law-enforcement requests under §9.
We will not use your information for advertising, profiling, or sale.
5. Patient Information & HIPAA
If you are a patient, the MedGrid Notice of Privacy Practices (NPP) in §10 is the controlling document. In summary:
- Your provider — not MedGrid — is the covered entity under HIPAA.
- MedGrid is the provider's business associate, governed by a BAA.
- We use and disclose your PHI only as permitted by the BAA, this Privacy Policy, and the NPP.
- You may request access to your records, an accounting of disclosures, amendment, or restriction of uses by writing to privacy@medgrid.com or to your provider directly.
6. How We Share Information
We share information only as described below:
- With your provider and care team — for treatment.
- With vendors / sellers in the Marketplace — only the data necessary to fulfill an order (recipient, ship-to, item, batch).
- With BridgeMed and Skydell MSO partners — only the data necessary to deliver the integrated telehealth, pharmacy, and clinic-operations services you opted into.
- With service providers — Supabase (database/auth), Vercel (hosting), Stripe (payments), Twilio/SendGrid (messaging), GPU cloud providers running our self-hosted Genesis AI clusters. Each is bound by a written DPA and BAA where applicable.
- In a corporate transaction — if MedGrid or Skydell Holdings is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred subject to this Privacy Policy and applicable law.
- For legal reasons — to comply with law, respond to lawful requests, enforce our Terms and Conditions, protect rights and safety.
We do not sell your Personal Data. We do not share PHI for marketing.
7. Outcomes Data, ClinicalX, and Manufacturer Licensing
A core MedGrid roadmap goal is structured, attributed clinical outcomes. The ClinicalX outcomes engine and the manufacturer-licensing program are still being built — see Release Notes for current status. The terms below apply prospectively, and govern data captured once the relevant features go live for your tenant.
- What we capture today. At launch, the Services capture order, batch, prescriber, protocol, and chart-linkage data. Structured 30 / 60 / 90 day outcome capture (labs, PROs, physician assessment) is in pipeline.
- Future state. Where you use a Med Director protocol on the Services once the outcomes layer is live, the resulting de-identified Outcomes Data will belong to MedGrid per the platform agreement and may be licensed to manufacturers, payers, and research institutions.
- De-identification. Outcomes Data will be de-identified before licensing using the HIPAA Safe Harbor method or, where appropriate, Expert Determination. We will retain a limited dataset internally for protocol improvement that is segregated from any licensed exports.
- Choice. Independent physicians who do not wish to contribute to ClinicalX may opt out of the data-share program at signup or at any time in Settings → Privacy → Outcomes Sharing. Opting out does not disable use of the platform; it removes future contributions from the licensable corpus.
- Patient consent. Patients will be informed at intake that de-identified outcomes from their care may be aggregated into ClinicalX. Patients may opt out via the patient portal.
- No re-identification. Recipients of licensed Outcomes Data are and will be contractually prohibited from attempting to re-identify any individual.
- No licensing without the data. Until the outcomes corpus exists at sufficient scale, no licensing program is offered. We will not represent capabilities we do not have.
8. Cookies, Analytics, and Tracking
We use a small set of cookies and similar technologies:
- Strictly necessary — session, CSRF, tenant routing.
- Functional — remember language, theme, recent searches.
- Analytics — first-party event analytics to improve the Services. We do not use third-party advertising trackers on authenticated pages.
You can manage non-essential cookies via the Cookie Settings link in our footer or your browser settings.
9. Your Rights
Depending on where you live, you may have rights to:
- Access, correct, port, or delete your Personal Data (HIPAA, GDPR, UK GDPR, CPRA, VCDPA, CPA, CTDPA).
- Object to or restrict certain processing.
- Withdraw consent for marketing.
- Lodge a complaint with a supervisory authority.
To exercise rights, email privacy@medgrid.com or write to the address in §13. We respond within 30 days; HIPAA access requests are answered within 30 days as required by 45 CFR §164.524.
California residents see the California Privacy Notice below in §12.
10. Notice of Privacy Practices (Patients)
This section also satisfies the patient-facing NPP under 45 CFR §164.520. As a patient on MedGrid:
- Your provider may use and disclose your PHI for treatment, payment, and health-care operations.
- We will obtain your written authorization for any other use, including sale of PHI, marketing other than for your treatment, and most psychotherapy notes (we do not currently store psychotherapy notes).
- You have the right to: receive a paper copy of this notice, request restrictions on uses and disclosures, request confidential communications, inspect and copy your records, request amendment, receive an accounting of disclosures, and file a complaint with us or with the U.S. Department of Health and Human Services.
- You may revoke a prior authorization in writing at any time, except as already relied upon.
We are required to notify you of any breach of unsecured PHI without unreasonable delay and within 60 days, per the HIPAA Breach Notification Rule.
11. Sales Reps, Marketplace, and Third-Party Vendors
- Reps see only the orders and providers in their assigned territory and downline.
- Vendors see only the orders placed for their products.
- Third-party vendors operating shops on the Marketplace are bound by separate vendor agreements and must comply with this Privacy Policy when handling Personal Data they receive through MedGrid.
12. Region-specific notices
California (CPRA)
Categories of Personal Information collected, purposes, sources, and disclosures are described in §3, §4, and §6. We do not sell or share Personal Information for cross-context behavioral advertising. California residents may request to know, delete, correct, and limit the use of sensitive Personal Information by emailing privacy@medgrid.com.
Other U.S. states
We comply with CDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), MHMD (Washington — health data specific), FDBR (Florida), OCPA (Oregon), TDPSA (Texas), MCDPA (Montana), NHDPA (New Hampshire), NJDPA (New Jersey), DPDPA (Delaware), MNDPA (Minnesota), TNDPA (Tennessee), ICDPA (Iowa), and similar emerging state privacy laws. Residents in those states may exercise the rights granted by their state law by emailing privacy@medgrid.com. State medical-board, pharmacy, and telehealth rules are separately tracked in the State & Country Availability Matrix at medgrid.com/availability — those rules can prohibit a feature in your state even when this Policy otherwise permits it.
European Economic Area / UK (GDPR / UK GDPR)
Our lawful bases are: (i) performance of a contract; (ii) compliance with legal obligations; (iii) legitimate interests in operating and securing the Services; and (iv) consent for marketing and certain analytics. We transfer data outside the EEA/UK only under Standard Contractual Clauses or another approved mechanism. The data controller for medgrid.com is Skydell Holdings, Inc. EEA / UK residents may contact our representative at eu-rep@medgrid.com (designated where required under Article 27 / UK GDPR Article 27).
Canada
Personal information is handled in line with PIPEDA federally and Quebec Law 25 for Quebec residents. Quebec residents may request portability and the cessation of dissemination per Law 25 by emailing privacy@medgrid.com.
Brazil — LGPD · Australia — Privacy Act · Switzerland — FADP · Other countries
Where applicable, residents may exercise rights granted by their local law. Contact privacy@medgrid.com. Where local law imposes stricter requirements (e.g., shorter retention, mandatory data-localization), those stricter requirements apply for the relevant residents and data flows.
Conflicts between regimes
If two regulatory regimes conflict on a single user's data — for example, a Canadian patient seen by a Texas physician — we apply the rule that gives the user the strongest privacy protection that is also lawful under the other regime. Where compliance with both is genuinely impossible, we will tell you and stop the relevant processing rather than violate either.
13. Security
We follow defense-in-depth practices appropriate for a HIPAA-regulated platform: encryption in transit (TLS 1.2+) and at rest (AES-256), strict tenant isolation (see Tenant Isolation), MFA for staff, principle-of-least-privilege access, audit logging, vulnerability scanning, and a managed bug-bounty program. Our certification program is HIPAA-aligned today, with SOC 1, LegitScript, and GDPR alignment targeted for Phase 1; SOC 2 Type II, SureScripts, and ISO 27001 targeted for Phase 2. Current status of each certification is published openly at /trust and Release Notes.
No system is perfectly secure. If you suspect a security issue, write to security@medgrid.com.
14. Data Retention
- Account data — for the lifetime of your account plus 12 months; longer where required by law.
- Patient charts (PHI) — for the longer of (i) the period required by your state's medical-record retention law and (ii) the term of the BAA.
- Marketplace orders, invoices, sales orders, payment records — at least 7 years for tax and audit purposes.
- Outcomes Data (de-identified) — indefinitely, in line with §7.
- Logs and security telemetry — 18 months.
When retention ends we destroy or fully de-identify the data.
15. International Users
The Services are operated from the United States. If you are accessing them from elsewhere, you consent to the transfer of your information to and storage in the U.S., subject to §12 and applicable safeguards. Some features (telehealth, 503A patient-specific compounding, controlled-substance prescribing, BridgeMed pharmacy fulfillment) are not lawful in many countries and will be disabled for non-U.S. accounts where required by law. The current per-country availability is published at medgrid.com/availability.
16. Children
The Services are not intended for children under 18. We do not knowingly collect Personal Data from anyone under 18 without verifiable parental consent. If you believe a child has provided us Personal Data, contact privacy@medgrid.com and we will delete it.
17. Changes to this Policy
If we make material changes we will notify you by email, an in-product banner, or both, at least 30 days before they take effect. We will keep an archive of prior versions at medgrid.com/privacy/archive.
18. Contact
For privacy questions, requests, or complaints:
- Email: privacy@medgrid.com
- Mail: MedGrid · Privacy Office · Skydell Holdings, Inc. · [Street Address] · [City, State ZIP]
- Patient portal users may also message their provider directly.
For HIPAA complaints to the federal government:
- U.S. Department of Health and Human Services, Office for Civil Rights — https://www.hhs.gov/hipaa/filing-a-complaint/