Privacy Policy

This policy applies to the MedX Assistant Chrome browser extension and the MedX Assistant website (assistant.medx.to). It covers data processed by the extension running in your browser and data transmitted to the facility-deployed MedX Assistant backend server.

EMR session data. The extension reads clinical data displayed in your Electronic Medical Record (EMR) browser session — including patient demographics, active visit context, laboratory order lists, and order statuses — solely to provide in-context clinical decision support to the authenticated clinician.

Institution identifier. The extension reads a facility-level identifier (the institution e-mail address configured in the EMR) to locate the correct facility backend. This value is never stored on MedX servers.

Extension settings. The backend server URL configured for your facility is stored locally in chrome.storage.local on your device. It is not synced to your Google account and is not transmitted to MedX.

Authentication token. A user identifier issued by your facility's EMR is attached to requests sent to your facility's backend. It is never sent to MedX servers.

All clinical data accessed by the extension is sent exclusively to the facility-deployed backend server operated by your healthcare institution, not to MedX central servers. The backend queries your facility's own database and returns results to the extension in your browser.

We use information only to:

• Generate in-context clinical summaries and duplicate-order alerts for the active patient.
• Route the extension to the correct facility backend.
• Verify that the authenticated clinician is authorised to access the backend.

We do not use patient data for advertising, analytics, machine-learning training, or any purpose unrelated to direct clinical assistance.

We do not sell, rent, or trade personal information or patient health information to any third party.

Because clinical data is processed entirely within your facility's own infrastructure, MedX does not receive, store, or have access to any patient health information. Your facility is the data controller for all patient data.

We may disclose information if required to do so by law or in response to a valid legal process, provided that such disclosure is limited to non-patient information held by MedX.

On your device. The extension stores only the backend URL in chrome.storage.local. This can be cleared at any time by removing the extension or clearing extension storage through Chrome settings.

On facility servers. Query results returned to the extension are held in browser memory only for the duration of the browser session and are not persisted to disk by the extension.

On MedX servers. The MedX website collects standard web server access logs (IP address, browser type, page visited) for security and operational purposes. These logs are retained for 90 days and are not linked to patient records.

MedX Assistant is designed to operate as a component of a HIPAA-covered entity's infrastructure. Clinical data flows exclusively between the clinician's browser and the facility's own backend server over encrypted HTTPS connections. MedX Technologies acts as a Business Associate where required and will execute a Business Associate Agreement (BAA) upon request from covered entities.

All communication between the extension and facility backend is encrypted in transit using TLS. The extension does not inject scripts into pages other than the configured EMR origin. Permissions are limited to the minimum required for the extension to function.

The Service is intended for use by licensed healthcare professionals. We do not knowingly collect personal information from individuals under 18 years of age.

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a revised "Last updated" date. Continued use of the Service after changes are posted constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at privacy@medx.international.