Privacy Policy

TrueMedIT AI  ·  Effective June 16, 2026

TrueMedIT AI (“TrueMedIT,” “we,” “our,” or “us”) is a secure healthcare lab order management platform. This Privacy Policy explains how we collect, use, store, and protect information when you use the TrueMedIT AI Chrome Extension and Admin Panel. By creating an account, you acknowledge that you have read and agree to this policy.

1. Information We Collect

We collect the following categories of information to operate and improve the platform:

  • Account information — your name, username, and email address provided at registration, as well as authentication credentials managed securely through Supabase Auth.
  • Patient information — patient name, date of birth, MRN, diagnosis codes, insurance details, and ordering provider information entered or extracted during lab order creation. This data is considered Protected Health Information (PHI) and is handled accordingly.
  • Lab order information — lab test selections, specimen collection details, order status, and generated requisition documents.
  • Activity and system logs — session events, order actions, API request logs, and error logs used for auditing, security monitoring, and platform reliability.

2. How We Use Information

  • Authentication and session management — to verify your identity, manage login sessions, and enforce multi-factor authentication requirements.
  • User management — to administer accounts, roles, permissions, and access controls across the platform.
  • Lab order generation and processing — to create, store, transmit, and track lab requisition orders on behalf of clinical users.
  • AI-assisted extraction — to automatically populate order fields using information extracted from electronic health record (EHR) pages via Azure OpenAI services.
  • Audit logging — to maintain a complete and tamper-evident record of system activity for compliance and investigation purposes.
  • Security monitoring — to detect anomalous access patterns, unauthorized usage, and potential security incidents.
  • Product improvement — to analyze platform performance, identify errors, and improve the reliability and accuracy of the system. This analysis uses aggregated or de-identified data only.

3. Data Storage & Security

All account and order data is stored in Supabase, a SOC 2 Type II certified database platform, with row-level security (RLS) policies enforced at the database level. RLS restricts each user to the records they are authorized to see within their own organization (see Section 5); administrator access is governed by role-based access controls (RBAC).

  • Encryption at rest — all database records are encrypted at rest by the Supabase platform.
  • Encryption in transit — all communication between the extension, the backend, and external services uses TLS (HTTPS). Sensitive data stored locally in the browser extension is encrypted using a device-bound AES-GCM key.
  • Role-based access controls — backend API routes enforce permission checks on every request. Admin Panel users cannot access the extension API, and extension users cannot access administrative routes.
  • Session security — sessions expire after 8 hours of inactivity and require re-authentication. Multi-factor authentication (TOTP) is required for all extension accounts.

4. AI Processing Disclosure

Patient and order information may be processed through Azure OpenAI services for the purpose of extracting, structuring, and automating lab order workflows. This processing occurs only when a clinical user explicitly initiates an order creation action from an EHR patient chart page.

  • AI processing is used exclusively to support order workflow functionality — specifically, auto-populating form fields from structured EHR data.
  • Patient data submitted through Azure OpenAI is not used to train public AI models. Microsoft’s enterprise data protection commitments apply to all processing performed through Azure OpenAI Service.
  • All AI processing occurs through enterprise-grade, HIPAA-eligible Microsoft Azure infrastructure. Data sent for extraction is not retained by Microsoft beyond the immediate API call.
  • Raw extracted data is held in memory for the duration of the order session only and is discarded when the session ends, the order is submitted, or the user closes the extension panel.

5. How We Share Your Data

We share information only as needed to operate the platform, and only with the recipients below. Each receives the minimum information necessary for its function.

  • Your healthcare organization — order and result data is shared within your subscribing organization. Data is scoped to your organization and governed by role-based access controls.
  • Cloud hosting & database provider (Supabase) — hosts our backend database, authentication, and encrypted file storage.
  • AI processing provider (Microsoft Azure OpenAI Service) — performs the automated extraction described in Section 4. Content is sent only when you initiate an order action and is not retained by Microsoft beyond the immediate request.
  • Connected laboratory (TrueMedIT / CE laboratory interface) — receives the requisition you submit so the laboratory can process the order and return results. This includes the patient and order information required to fulfill the lab order.
  • Legal & safety — we may disclose information where required by law, or to protect the rights, safety, and security of users and the platform.

Where these providers process Protected Health Information on our behalf, we put appropriate agreements in place, including Business Associate Agreements where required by HIPAA.

We do not sell your data. We do not share user data with data brokers or information resellers, do not use it for personalized advertising, and do not use it for credit-worthiness or lending decisions. Human access to Protected Health Information is restricted — it is not read by our staff except with your consent, where necessary for security or to comply with the law, or in an aggregated and anonymized form for internal operations.

6. Chrome Web Store Limited Use & Data Policy Compliance

Our collection, use, and transfer of information received from the TrueMedIT AI Chrome Extension adheres to the Chrome Web Store User Data Policy, including its Limited Use requirements. Specifically:

  • We collect and use data only to provide and improve the extension’s single purpose: capturing clinical order information and creating, submitting, and tracking laboratory orders.
  • We do not transfer user data to third parties except as necessary to provide or improve that single purpose, to comply with applicable law, or to protect against security threats such as malware, spam, phishing, or other fraud or abuse.
  • We do not use or transfer user data for personalized advertising, and we do not sell user data.
  • We do not allow humans to read user data except with your explicit consent, where necessary for security purposes, to comply with applicable law, or where the data has been aggregated and anonymized.

7. Your Rights

Subject to applicable law and contractual obligations, you have the following rights with respect to your personal information:

  • Access — you may request a copy of the personal information we hold about your account.
  • Correction — you may request that inaccurate account information be corrected.
  • Deletion — you may request deletion of your account and associated personal data, subject to any regulatory or contractual data retention obligations.
  • Account management — you may update your account credentials through the platform at any time.

To submit a rights request, contact us at support@truemedit.ai.

8. Data Retention

Healthcare-related records, lab order data, and audit history may be retained for up to 7 years, or longer where required by applicable federal or state healthcare regulations (including HIPAA), or where contractual obligations with covered entities mandate a longer retention period. Account data for inactive users may be subject to earlier deletion pursuant to our data minimization policy.

9. Contact Us

If you have questions about this Privacy Policy, how your data is handled, or would like to exercise your rights, please contact us:

TrueMedIT AI — Privacy & Data Requests

support@truemedit.ai

This Privacy Policy may be updated periodically. Material changes will be communicated to active users. Continued use of the platform following an update constitutes acceptance of the revised policy.

© 2026 TrueMedIT. All rights reserved.