Privacy Policy

Effective Date: April 8, 2026  |  Last Updated: April 8, 2026

1. Introduction

MyPreOp.ai ("Company," "we," "us," or "our") is committed to protecting the privacy and security of the information we collect and process. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our AI-powered pre-operative clearance platform (the "Service").

We comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, applicable state privacy laws, and all other relevant federal and state regulations governing protected health information ("PHI").

2. Information We Collect

2.1 Account Information

When you register for the Service, we collect your name, email address, NPI number (optional), and payment information processed through Stripe.

2.2 Protected Health Information (PHI)

Through your use of the Service, you may input patient health information including but not limited to: medical histories, medication lists, laboratory results, vital signs, diagnoses, and surgical procedure details. All PHI is processed in accordance with our Business Associate Agreement (BAA) and HIPAA regulations.

2.3 De-Identified Health Data

With your consent, we create de-identified versions of patient data processed through the Service. De-identification is performed in strict compliance with the HIPAA Safe Harbor method under 45 CFR § 164.514(b)(2). All 18 categories of identifiers specified by HIPAA are removed or transformed, including:

  • Names (patient, provider, and family)
  • Geographic data smaller than state level (ZIP codes truncated to 3 digits)
  • All dates (except year) related to an individual
  • Phone numbers, fax numbers, email addresses
  • Social Security numbers
  • Medical record numbers, health plan beneficiary numbers
  • Account numbers, certificate/license numbers
  • Vehicle identifiers, device identifiers and serial numbers
  • Web URLs, IP addresses
  • Biometric identifiers (fingerprints, voiceprints)
  • Full-face photographs and comparable images
  • Any other unique identifying number, characteristic, or code

Additionally, ages 90 and over are aggregated into a single "90+" category, and all remaining ages are grouped into 5-year ranges to provide additional privacy protection beyond minimum HIPAA requirements.

3. How We Use Information

3.1 Service Delivery

We use PHI solely to provide the pre-operative clearance analysis service as directed by our authorized users (healthcare providers and surgical coordinators) under the terms of our BAA.

3.2 De-Identified Data Usage

Under HIPAA, once data has been properly de-identified in accordance with 45 CFR § 164.514(b), it is no longer considered PHI and is not subject to HIPAA restrictions. With your explicit consent provided at account registration, we use de-identified data for:

  • Healthcare Research: Contributing to medical knowledge, procedure safety studies, and population health analytics
  • Quality Improvement: Analyzing trends in pre-operative assessments to improve our AI models and service quality
  • Aggregate Analytics: Producing statistical reports on procedure types, comorbidity prevalence, clearance outcomes, and medication trends
  • Licensed Data Products: Making de-identified, aggregated datasets available to qualified healthcare researchers, academic institutions, pharmaceutical companies, and medical device manufacturers under strict data use agreements

3.3 What We Never Do

  • We never sell, share, or disclose PHI to any third party except as permitted under our BAA and HIPAA
  • We never attempt to re-identify de-identified data
  • We never combine de-identified data with external datasets in a manner that could enable re-identification
  • We never use PHI for marketing, advertising, or any purpose unrelated to the Service

4. Analytics and Session Recording

To improve the product, we use Mixpanel to collect anonymized usage analytics (page views, button clicks, feature adoption, flow completion) and may record anonymized user interaction sessions (“session replay”) on non-clinical pages.

Never recorded:

  • Any page that displays patient records (patient detail pages)
  • The clearance analysis flow once a chart has been uploaded
  • The contents of any form field — every input, textarea, and password field is masked at the browser level before any data is transmitted

What is recorded on general pages (signup, dashboard home, settings, pricing, blog, validation study):

  • Cursor movements, clicks, page navigations, and general element interactions
  • All text content remains masked in recordings
  • Browser, device, and viewport size (for debugging display issues)

How to opt out: Enable your browser’s “Do Not Track” (DNT) setting. We honor DNT requests and will not record sessions for browsers that send that header.

We do not sell this analytics data. We do not share it with any third party except Mixpanel itself, acting as our data processor under their privacy policy. Analytics data is strictly separate from the PHI protected under our HIPAA-covered safeguards described in sections 2 and 5.

5. Data Security

We implement industry-standard administrative, technical, and physical safeguards including:

  • AES-256 encryption at rest for all stored data (AWS DynamoDB)
  • TLS 1.2+ encryption for all data in transit
  • JWT-based authentication with secure token management
  • Role-based access controls ensuring users access only their own patient data
  • Automated de-identification pipeline with no human access to raw PHI during processing
  • Separate storage tables for PHI and de-identified data with distinct access controls
  • Regular security monitoring and logging

6. Data Retention

PHI: Patient records are retained for the duration of your active subscription plus 30 days after account termination, after which they are permanently deleted. Users may delete individual patient records at any time.

De-Identified Data: Because de-identified data contains no PHI and cannot be linked to any individual, it may be retained indefinitely for research and analytics purposes as permitted under HIPAA.

7. Third-Party Services

We use the following third-party services to operate the platform:

  • Amazon Web Services (AWS): Cloud infrastructure, database hosting (DynamoDB), and email delivery (SES)
  • Anthropic (Claude AI): AI-powered medical analysis — PHI is processed per Anthropic's HIPAA-compliant API terms
  • Stripe: Payment processing — we do not store credit card information

8. Your Rights

You have the right to:

  • Access and review your account information
  • Delete patient records you have entered
  • Request account termination and data deletion
  • Withdraw consent for de-identified data collection (note: previously de-identified data cannot be recalled as it contains no link to your identity or your patients' identities)
  • Receive a copy of your data in a portable format upon request
  • File a complaint with the HHS Office for Civil Rights if you believe your privacy rights have been violated

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 30 days before they take effect. Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions, concerns, or requests:

MyPreOp.ai
Email: support@mypreop.ai
Privacy Officer: Dennis Diaz