Privacy Policy

Last updated: January 2026

Introduction

4MED.AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered medical research service.

This policy applies to all users of 4MED.AI, including visitors, registered users, and healthcare professionals accessing our platform. By using 4MED.AI, you consent to the data practices described in this policy.

We encourage you to read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

Information We Collect

Information You Provide Directly

  • Account Information: When you create an account, we collect your email address, name, and authentication credentials through our identity provider (Clerk).
  • Profile Information: Professional credentials, specialty, institution affiliation, and other professional details you choose to provide.
  • Search Queries: The medical research questions and queries you submit to our service.
  • Saved Research: Any research sessions, notes, annotations, or content you choose to save within your account.
  • Communications: Information you provide when contacting us for support, feedback, or other inquiries.
  • Payment Information: If you subscribe to paid features, payment details are processed by our payment processor (Stripe) and we do not store full payment card numbers.

Automatically Collected Information

  • Usage Data: Information about how you interact with our service, including pages visited, features used, search patterns, and time spent.
  • Device Information: Browser type, operating system, device type, screen resolution, and unique device identifiers.
  • Log Data: IP address, access times, referring URLs, and pages viewed.
  • Location Information: Approximate geographic location based on IP address.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies as described in our Cookies section below.

Information from Third Parties

  • Authentication Providers: If you sign in using Google or other OAuth providers, we receive basic profile information as permitted by your privacy settings.
  • Analytics Partners: We may receive aggregated analytics data from our analytics providers.

Health Information Notice

4MED.AI is not a healthcare provider and is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). We do not provide medical treatment, maintain medical records, or submit claims to health insurers.

However, we take the privacy of your health-related queries seriously and implement strong security measures to protect all user data.

Important Recommendations:

  • Do NOT include personally identifiable health information in your search queries
  • Frame queries as general research questions rather than personal health concerns
  • Do not include patient names, medical record numbers, or other PHI
  • Do not include your own specific diagnoses or treatment history

If you are a healthcare provider using 4MED.AI for research purposes, you are responsible for ensuring your use complies with HIPAA and other applicable regulations governing patient information.

How We Use Your Information

We use the information we collect for the following purposes:

Service Provision

  • Provide, operate, and maintain our medical research service
  • Process and respond to your search queries using AI
  • Save and synchronize your research across devices
  • Authenticate your identity and manage your account
  • Process payments and manage subscriptions

Service Improvement

  • Improve our AI models and search algorithms
  • Analyze usage patterns to enhance user experience
  • Develop new features and services
  • Conduct research and analytics

Communications

  • Send important service updates and notifications
  • Respond to your inquiries and support requests
  • Send promotional communications (with your consent)

Safety and Compliance

  • Detect and prevent fraud, abuse, or security threats
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect the rights and safety of our users and others

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services to you under our Terms of Service.
  • Legitimate Interests: Processing for our legitimate business interests, such as improving our services, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
  • Consent: Where you have given us explicit consent to process your data for specific purposes, such as marketing communications.
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with our service.

Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the website to function properly. They enable core functionality such as security, authentication, and session management. You cannot opt out of these cookies as they are essential for the service to operate.

Functional Cookies

These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.

Analytics Cookies

We use analytics cookies (including Vercel Analytics and Speed Insights) to understand how visitors interact with our service. This helps us improve our service and user experience. You can opt out of analytics cookies.

Managing Cookie Preferences

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies or to indicate when a cookie is being set. However, disabling cookies may affect the functionality of our service.

To learn more about cookies and how to manage them, visit www.allaboutcookies.org.

Do Not Track

Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. We currently do not respond to DNT signals, but we honor the Global Privacy Control (GPC) signal where required by law.

Data Sharing and Disclosure

We may share your information in the following circumstances:

Service Providers

We share data with third-party vendors who perform services on our behalf, including:

  • Hosting: Vercel (application hosting and CDN)
  • Database: Supabase (data storage and authentication)
  • Authentication: Clerk (identity management)
  • AI Processing: Anthropic (Claude) and OpenAI (query processing)
  • Payments: Stripe (payment processing)
  • Analytics: Vercel Analytics (usage analytics)
  • Email: Resend (transactional emails)

These service providers are contractually obligated to protect your data and may only use it for the purposes we specify.

AI Model Providers

Your search queries are processed by AI models provided by Anthropic (Claude) and OpenAI. These queries are subject to the privacy policies of these providers. We recommend reviewing their policies:

Legal Requirements

We may disclose your information if required to do so by law, including in response to:

  • Subpoenas, court orders, or other legal process
  • Requests from law enforcement or government agencies

We may also disclose your information where necessary to:

  • Protect our rights, property, or safety
  • Protect the rights, property, or safety of our users or others

Business Transfers

If we are involved in a merger, acquisition, financing, or sale of business assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.

With Your Consent

We may share your information for other purposes with your explicit consent.

We do NOT sell your personal information to third parties.

International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

We primarily store and process data in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with our service providers
  • Ensuring service providers maintain adequate security measures

By using our services, you consent to the transfer of your information to the United States and other countries where we and our service providers operate.

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including:

  • Account Data: Retained for as long as your account is active, plus a reasonable period afterward for legal and audit purposes.
  • Search History: Retained for the duration of your account to enable your saved research functionality.
  • Anonymized Data: Search queries may be retained in anonymized form indefinitely to improve our AI models and service quality.
  • Legal Records: Certain data may be retained longer as required by law or for legitimate business purposes (e.g., tax records, legal claims).

You can request deletion of your account and associated data at any time by contacting us. Upon deletion request, we will remove or anonymize your data within 30 days, except where retention is required by law.

Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data transmitted to and from our servers is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Sensitive data is encrypted at rest using AES-256
  • Access Controls: Role-based access controls limit data access to authorized personnel
  • Authentication: Multi-factor authentication is available and recommended
  • Infrastructure Security: We use enterprise-grade cloud infrastructure with SOC 2 compliance
  • Regular Audits: We conduct regular security assessments and vulnerability testing
  • Incident Response: We maintain incident response procedures for security events

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information, but we are committed to maintaining appropriate safeguards.

Your Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances ("right to be forgotten").
  • Right to Restriction: You have the right to request restriction of processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

To exercise these rights, please contact us at privacy@4med.ai. We will respond to your request within 30 days.

Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. Note: We do not sell your personal information.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of sensitive personal information.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, IP address)
  • Internet or other electronic network activity (usage data, search queries)
  • Professional or employment-related information (if provided)
  • Inferences drawn from the above categories

To exercise your rights, contact us at privacy@4med.ai or call us at the number provided on our contact page. You may also designate an authorized agent to make a request on your behalf.

Automated Decision-Making and AI

4MED.AI uses artificial intelligence to process your search queries and generate research summaries. This processing is essential to providing our core service and does not involve automated decision-making that produces legal effects or similarly significant effects on you.

The AI-generated content is provided for informational and research purposes only. We do not use automated processing to make decisions about your access to services, pricing, or other matters that would significantly affect you.

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you believe any automated processing has affected you in this way, please contact us.

Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing of their personal information.

To exercise your rights under these laws, please contact us at privacy@4med.ai.

Email Communications (CAN-SPAM)

We comply with the CAN-SPAM Act for commercial email communications. This means:

  • We will not use false or misleading subjects or email addresses
  • We will identify promotional messages as advertisements where required
  • We will include our physical address in promotional emails
  • We will honor opt-out/unsubscribe requests within 10 business days
  • We will not sell or transfer email addresses to third parties for their marketing

You can unsubscribe from marketing emails at any time by clicking the "unsubscribe" link in any promotional email. Note that you may still receive transactional emails related to your account (e.g., password resets, important service notifications).

Children's Privacy

4MED.AI is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately.

If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.

Accessibility

We are committed to ensuring that our privacy practices are accessible to all users, including those with disabilities. If you need this privacy policy in an alternative format, please contact us.

We strive to maintain WCAG 2.1 Level AA compliance across our platform to ensure accessibility for users with disabilities.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you as required by applicable law. For users in the EEA, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach.

Notifications will include the nature of the breach, the types of data affected, steps we are taking to address the breach, and recommendations for protecting yourself.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email or prominent notice on our service
  • Where required by law, obtain your consent to material changes

We encourage you to review this policy periodically to stay informed about how we protect your information.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

For GDPR-related inquiries, you may also contact our Data Protection representative at the email address above.