Get Started Free
Legal

Privacy Policy

Last updated: 22 March 2026

This Privacy Policy describes how Medsage (“we,” “us,” or “our”) collects, uses, and shares information when you use the Medsage platform (“Service”). We are committed to protecting the privacy of both practitioners and their patients.

1. Who This Policy Applies To

This policy applies to:

  • Account holders — practitioners, clinic administrators, and students who register for a Medsage account.
  • Patient data — health information about patients that practitioners upload or generate through the Service.
  • Website visitors — anyone who visits medsage.app.

2. Information We Collect

Account Information

  • Name, email address, and password when you register.
  • Account type (practitioner, clinic admin, student).
  • Clinic name (for clinic accounts).
  • Billing information (processed securely through Stripe — we do not store card numbers).

Clinical and Patient Data

  • Consultation audio recordings (uploaded by practitioners during AI scribing).
  • Patient health information including consultation notes, clinical assessments, and SOAP records.
  • Patient intake forms submitted via QR code intake.

You, the practitioner, are the data controller for all patient health information. We process this data solely to provide the Service on your behalf.

Usage Data

  • Log data: IP address, browser type, pages visited, timestamps.
  • Feature usage: which features you use and how often.
  • Device information: browser, operating system, screen size.

3. How We Use Your Information

  • To provide the Service: Processing audio recordings, generating AI-assisted notes, storing clinical records.
  • Account management: Authentication, billing, account support.
  • Service improvement: Aggregate, de-identified analytics to improve features and reliability.
  • Security: Detecting and preventing fraud, abuse, and security incidents.
  • Legal compliance: Meeting obligations under applicable law.
  • Communications: Account notifications, product updates, and (with your consent) marketing communications.

Medsage has configured Gemini API with request logging disabled. Patient health information is not used to train Google's public AI models or retained by Google for model improvement purposes. AI model improvements within Medsage use only de-identified, aggregate patterns — never individual patient records.

4. Google Gemini AI Processing

The AI scribing feature transmits consultation audio to Google's Gemini API for transcription. The following disclosures apply:

  • Purpose: Audio is processed solely for transcription. Google does not use the audio for any other purpose.
  • Cross-border transfer: Audio data may be processed on Google infrastructure outside your country of residence or practice.
  • Logging disabled: Medsage has configured the Gemini API with request logging disabled. Consultation audio and transcription outputs are not logged or reviewed by Google personnel.
  • No model training: Google does not retain or use consultation audio to improve its public AI models under the API usage terms applicable to Medsage.
  • Google's DPA: Google's processing is governed by the Google Cloud Data Processing Addendum, which is in place between Medsage and Google.
  • Practitioner responsibility: You are responsible for informing patients that their consultation audio will be processed by Google Gemini AI and obtaining any consent required by applicable law before using the AI scribing feature.

5. Data Storage and Security

Your data is stored on Google Cloud Platform infrastructure, which maintains SOC 2 Type II certification. We implement:

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest for all stored data.
  • Role-based access controls limiting data access to authorised personnel only.
  • Complete audit trails: raw audio and structured notes are preserved together.
  • Secure session management with server-side tokens.

6. Data Sharing and Subprocessors

We do not sell your data. We share your information only with the following subprocessors as necessary to provide the Service. Data Processing Addenda are in place with all subprocessors.

Google Cloud Platform

Cloud infrastructure (data storage, hosting, compute) and Gemini AI (audio transcription processing).

cloud.google.com/terms/data-processing-addendum

Stripe

Payment processing. Stripe processes billing information on our behalf and is subject to its own privacy obligations as a payment processor.

stripe.com/legal/dpa

We may also share information in the following circumstances:

  • Legal requirements: If required by law, court order, or government authority, and only to the extent required.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before this occurs.

7. International Data Transfers

The Service is operated from Australia. Your data is stored on Google Cloud servers, which may be located in various regions globally. When Medsage uses Google Gemini API for audio transcription, audio may be processed on Google infrastructure outside your jurisdiction. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where required under GDPR, and the Google Cloud Data Processing Addendum for all Google services.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your data (subject to legal obligations to retain records).
  • Portability: You may request a copy of your personal data by contacting privacy@medsage.app. We will provide your data in a commonly used format within 30 days of a verified request.
  • Objection: Object to certain processing activities.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@medsage.app. We will respond within 30 days.

9. Patient Rights Requests

If a patient wishes to exercise rights over their health data stored in Medsage, they should contact the practitioner or clinic that holds their records. We will assist practitioners in responding to patient rights requests as required by applicable law.

Patients seeking earlier deletion of consultation audio may request this through their practitioner. Practitioners may submit audio deletion requests to privacy@medsage.app.

10. Data Retention

Active accounts
Data is retained for as long as your account is active.
Clinical records
Retained for a minimum of 20 years to comply with the most stringent international healthcare record-keeping requirements. Specific jurisdictions may require shorter periods (e.g., 7 years in Australia, 10 years in New Zealand and parts of Canada), but Medsage applies the 20-year standard globally.
After account closure
Account credentials and personal profile will be deactivated. You may request a copy of your data before closure by contacting privacy@medsage.app. Clinical records are retained in accordance with the applicable retention period (minimum 20 years) unless deletion is specifically requested and the mandatory retention period has expired.
Audio recordings
Retained for a minimum of 20 years as part of the clinical record. Practitioners may request deletion of audio recordings after the mandatory retention period in their jurisdiction has expired.

In the event that Medsage ceases operations, we will provide at least 90 days' notice to all active account holders. During this period, practitioners may request a copy of their data. We will make reasonable efforts to ensure continuity of access to clinical records in accordance with applicable healthcare record-keeping laws.

11. Security Breach Notification

In the event of a confirmed security breach affecting personal data or patient health information:

  • Medsage will begin investigation immediately upon discovery.
  • Affected practitioners will be notified within 72 hours of confirming the breach, consistent with obligations under GDPR and the Australian Privacy Act. Where HIPAA notification requirements apply, notification will occur within 60 days.
  • Notification will include the nature of the data affected, the likely cause, containment steps taken, and guidance for practitioners.
  • Practitioners, as data controllers, are responsible for notifying their own patients in accordance with applicable law.

To report a suspected security incident, contact security@medsage.app.

Anonymous Website Analytics

We collect anonymous usage data on our public website to understand how visitors use our tools and pages. This data includes:

  • Pages visited
  • Country (derived from request headers, not IP geolocation)
  • Device type (mobile, desktop, tablet)
  • Referral source (e.g., Google, direct link)
  • Button clicks on public tools

This data is fully anonymous — we do not use cookies, do not track individual users across sessions, and do not collect any personal information. All analytics data is stored on our own servers (Firebase/Google Cloud) and is never shared with third parties. No data is collected inside the authenticated clinical application.

12. Cookies

We use essential cookies to operate the Service (session management, authentication). We do not use advertising cookies or third-party tracking pixels. You can control non-essential cookies through your browser settings.

13. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, contact us immediately.

14. Regulatory Compliance

Our infrastructure and processes are designed to support compliance with:

  • Australia: Privacy Act 1988 (Cth), Australian Privacy Principles, AHPRA standards.
  • European Union: GDPR (General Data Protection Regulation).
  • Singapore: PDPA (Personal Data Protection Act).
  • Canada: PIPEDA (Personal Information Protection and Electronic Documents Act).

HIPAA Notice

Medsage is not a HIPAA-covered entity and does not currently offer HIPAA Business Associate Agreements (BAA). US-based healthcare providers subject to HIPAA should consult their legal advisor before storing regulated Protected Health Information (PHI) in Medsage.

Practitioners are responsible for ensuring their use of the Service complies with the specific regulations applicable to their practice and jurisdiction.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before the changes take effect. The “Last updated” date at the top of this page indicates when it was last revised.

16. Contact Us

For privacy questions, data requests, or concerns, contact us at:

Medsage
General enquiries: hello@medsage.app
Privacy and data requests: privacy@medsage.app
Security incidents: security@medsage.app

Terms of Service Security & Compliance Back to Home