Privacy Policy
Effective Date: January 26, 2026
Welcome to MedAffairsAI MCP (the “Service”), operated by Erudio Health Inc. (“Company,” “we,” “us,” or “our”). This Privacy Policy explains how we collect, use, disclose, and protect your information when you visit or use our Service. By accessing or using the Service, you agree to the terms of this Privacy Policy.
We are committed to protecting your privacy and handling your personal information in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) for users in the European Union and the UK General Data Protection Regulation (UK GDPR) for users in the United Kingdom.
1. Information We Collect
1.1 Personal Information
- Account Data: When you authenticate via OAuth (using Google Sign-In), we collect your name, email address, and profile picture from your identity provider.
- OAuth Token Data: We issue and store OAuth access tokens and refresh tokens that allow AI assistant clients (such as Claude Desktop, ChatGPT, or other MCP-compatible applications) to access the Service on your behalf.
- MCP Client Registration: When AI clients register with our Service using dynamic client registration (RFC 7591), we collect client metadata including client name, redirect URIs, and a unique client identifier.
- No PHI: The Service is not intended to receive or store Protected Health Information (“PHI”) as defined under HIPAA. You agree not to submit PHI to us. If you inadvertently share PHI, contact us immediately at privacy@erudio.com so we can delete it. We are not a HIPAA Business Associate or Covered Entity.
1.2 Usage Information
- API Usage Data: We collect information about your use of MCP tools, including search queries, content fetched, and API call timestamps for rate limiting and service improvement.
- Log Data: We may collect information such as your IP address, browser type, device information, and referral URLs to analyze usage trends and manage the Service.
- Cookies and Similar Technologies: We use cookies, web beacons, and similar tools to improve your experience, remember preferences, and gather usage data. Persistent cookies we set may remain on your device for up to 12 months, unless you delete them earlier through your browser settings. Disabling cookies may affect certain functionalities of the Service.
Essential Cookies: All cookies used by MedAffairsAI MCP are essential for the functioning of the Service and are only set after you log in. These cookies are necessary for maintaining your session, remembering your preferences, and providing the core features of the Service. Some of these essential cookies are persistent and may remain on your device for up to 12 months to maintain your login session and preferences. As they are strictly necessary, we do not require separate consent for their use, but we inform you about them here for transparency. You can manage these cookies through your browser settings, but disabling them may affect your ability to use the Service.
Do Not Track
Some web browsers transmit “Do Not Track” (DNT) signals to websites. We do not currently respond to DNT signals or similar mechanisms. You can configure your browser settings to reject or disable certain tracking technologies.
1.3 Third-Party AI Platform Access
When you use MedAffairsAI MCP through third-party AI assistants (such as Claude, ChatGPT, or other MCP-compatible applications), those platforms access our Service on your behalf using OAuth tokens. We do not control how those third-party platforms handle your data. Please review the privacy policies of:
- Anthropic (Claude): anthropic.com/privacy
- OpenAI (ChatGPT): openai.com/privacy
1.4 Third-Party Sources
We may receive information about you from third-party services that integrate with or supplement our Service. This helps us enhance our user experience or provide additional features.
2. How We Use Your Information
We process your personal information for the following purposes, each based on a specific legal basis under GDPR and UK GDPR:
- Service Provision and Maintenance: To authenticate users via OAuth, issue and manage access tokens, enforce rate limits, and operate the core functionalities of MedAffairsAI MCP. (Legal Basis: Performance of a contract - GDPR Article 6(1)(b))
- Rate Limiting and Fair Usage: To track API usage and enforce rate limits (120 requests/minute for tool calls, 30 requests/minute for token requests) to ensure fair access for all users. (Legal Basis: Legitimate interests - GDPR Article 6(1)(f))
- Analytics and Improvement: To understand user behavior, analyze trends, and improve the accuracy and features of our Service. We may use aggregated, anonymized data to generate internal reports or industry research. (Legal Basis: Legitimate interests - GDPR Article 6(1)(f))
- Communications: To send service-related communications (e.g., account verification, technical notices, security alerts). (Legal Basis: Performance of a contract and Legitimate interests)
- No PHI Use: We do not use or process PHI. Any medical or clinical details you share are processed solely for educational or informational responses, and you acknowledge that such responses are not a substitute for professional medical advice.
3. How We Share Your Information
3.1 Service Providers
We engage third-party vendors (e.g., Vercel for hosting, Google Cloud for infrastructure, Turbopuffer for vector search, OpenAI for embeddings, authentication providers) who assist in hosting, database management, AI processing, and security. They have access to your information only as needed to perform their services, and they are contractually obligated to protect it.
3.2 Third-Party AI Platforms
When you authorize an AI assistant (such as Claude or ChatGPT) to access MedAffairsAI MCP on your behalf, that platform will receive search results and content from our Service. We share only the data necessary to fulfill your requests through those platforms.
3.3 Compliance with Laws
We may disclose your information if required by law, legal process, or governmental request. We may also disclose information to protect our rights, privacy, safety, or property, or that of our affiliates, you, or others.
3.4 Business Transfers
In connection with any merger, financing, acquisition, or dissolution transaction or proceeding, we may transfer the information we have collected to the relevant third party under appropriate confidentiality obligations.
3.5 Aggregated or De-Identified Data
We may share aggregated or de-identified data (e.g., usage statistics, search query patterns, or analyses of API usage) with third parties for analytics, insights, research, marketing, or other commercial purposes. This data cannot reasonably be used to identify you.
3.6 We Do Not Sell Personal Information
We do not sell your personal information to third parties. If our practices change in the future, we will update this Privacy Policy and provide you with any required notices or consents under applicable law.
4. Data Retention
We retain personal information for as long as needed to provide the Service, fulfill legitimate business purposes, or comply with legal obligations. Specifically:
- Account information is retained as long as your account is active and for a reasonable period thereafter, depending on legal requirements.
- OAuth tokens are retained until they expire or are revoked.
- API usage logs are retained for up to 90 days for rate limiting and security purposes.
- MCP client registrations are retained as long as the client remains active.
If you request account deletion, we will delete or anonymize your personal data as outlined in Section 7 (Your Rights and Choices), unless retention is required by law or for legitimate business purposes.
5. Security Measures
We maintain robust administrative, technical, and physical safeguards to protect your information. Our security measures include:
- Encryption (AES-256) at rest.
- Use of HTTPS for data in transit.
- OAuth 2.1 with PKCE for secure authentication flows.
- Multi-factor authentication for employee access to sensitive data.
- Regular security auditing and vulnerability assessments.
- Employee training on data security and privacy practices.
However, no method of electronic transmission or storage is fully secure, and we cannot guarantee absolute security.
Security Incidents: In the event we become aware of a Security Incident (e.g., unauthorized access or disclosure of your personal information), we will promptly investigate, take steps to contain and mitigate the impact, notify affected users in a timely manner, and cooperate with law enforcement and regulatory authorities as required.
6. International Data Transfers
Your information may be transferred to—and maintained on—servers located outside of your state or country, including to countries that may not have data protection laws as comprehensive as those in your home country. For users in the European Union, we ensure that any transfer of your personal data to countries outside the EU is done in compliance with the General Data Protection Regulation (GDPR). We use standard contractual clauses with our data processors to provide appropriate safeguards for your data.
By using our Service, you consent to such transfers. We will take steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy.
7. Your Rights and Choices
All users have the right to access, correct, or delete their personal information, subject to applicable laws. For users in the European Union and the United Kingdom, additional rights may apply under GDPR and UK GDPR, including the right to data portability, the right to object to processing, and the right to restrict processing.
To exercise any of your rights, please contact us at privacy@erudio.com. We will respond to your request in accordance with applicable law.
7.1 Access, Correction, and Deletion
To request access to, correction of, or deletion of your data, email us at privacy@erudio.com. We will remove or anonymize your data unless retention is required by law or for legitimate business purposes.
7.2 Token Revocation
You can revoke access tokens at any time by re-authenticating with the Service or contacting us to revoke all tokens associated with your account.
7.3 Cookie Preferences
You can manage how your browser handles cookies and other tracking technologies. Persistent cookies we set may last for up to 12 months, unless you clear them sooner. Disabling certain cookies may impact the functionality of the Service.
7.4 No PHI
If you believe you have inadvertently provided PHI, please contact us immediately at privacy@erudio.com. We will delete such information if identified as PHI.
7.5 California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete or correct personal information, the right to opt out of the sale of personal information (note: we do not sell personal information), and the right to non-discrimination for exercising your rights.
8. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you learn that a child under 13 has provided us with personal information, please contact us at privacy@erudio.com.
9. No PHI / No HIPAA Relationship
We are not a “Covered Entity” or “Business Associate” under HIPAA, and our Service is not intended to process Protected Health Information. By using the Service, you agree not to submit any PHI. If you believe you have inadvertently provided PHI, please contact us immediately at privacy@erudio.com. We will review and, if confirmed as PHI, delete such information in accordance with our policies and applicable laws.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by updating the “Effective Date” and, where appropriate, provide a more prominent notice. By continuing to use the Service after such updates take effect, you agree to be bound by the revised policy.
11. Contact Us
For questions, concerns, or requests related to this Privacy Policy, please contact us at:
Erudio Health Inc.
31416 Agoura Road #105, Westlake Village, CA 91361
Email: privacy@erudio.com
For any data protection-related inquiries or concerns, please contact our Data Protection Lead, Audun Utengen, at audun@erudio.com.