Privacy Policy

Last updated: February 2026

Introduction

4MED.AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered medical research service.

This policy applies to all users of 4MED.AI, including visitors, registered users, and healthcare professionals accessing our platform. By using 4MED.AI, you consent to the data practices described in this policy.

We encourage you to read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site or use our services.

Information We Collect

Information You Provide Directly

  • Account Information: When you create an account, we collect your email address, name, and authentication credentials through our identity provider (Clerk).
  • Profile Information: Professional credentials, specialty, institution affiliation, and other professional details you choose to provide.
  • Search Queries: The medical research questions and queries you submit to our service.
  • Saved Research: Any research sessions, notes, annotations, or content you choose to save within your account.
  • Communications: Information you provide when contacting us for support, feedback, or other inquiries.
  • Payment Information: If you subscribe to paid features, payment details are processed by our payment processor (Stripe) and we do not store full payment card numbers.

Automatically Collected Information

  • Usage Data: Information about how you interact with our service, including pages visited, features used, search patterns, and time spent.
  • Device Information: Browser type, operating system, device type, screen resolution, and unique device identifiers.
  • Log Data: IP address, access times, referring URLs, and pages viewed.
  • Location Information: Approximate geographic location based on IP address.
  • Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies as described in our Cookies section below.

Information from Third Parties

  • Authentication Providers: If you sign in using Google or other OAuth providers, we receive basic profile information as permitted by your privacy settings.
  • Analytics Partners: We may receive aggregated analytics data from our analytics providers.

Health Information Notice

4MED.AI is not a healthcare provider and is not a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). We do not provide medical treatment, maintain medical records, or submit claims to health insurers.

Even so, we treat your health-related queries as sensitive and apply the safeguards described in the Data Security section below to all user data.

Important Recommendations:

  • Do NOT include personally identifiable health information in your search queries
  • Frame queries as general research questions rather than personal health concerns
  • Do not include patient names, medical record numbers, or other PHI
  • Do not include your own specific diagnoses or treatment history

If you are a healthcare provider using 4MED.AI for research purposes, you are responsible for ensuring your use complies with HIPAA and other applicable regulations governing patient information.

How We Use Your Information

We use the information we collect for the following purposes:

Service Provision

  • Provide, operate, and maintain our medical research service
  • Process and respond to your search queries using AI
  • Save and synchronize your research across devices
  • Authenticate your identity and manage your account
  • Process payments and manage subscriptions

Service Improvement

  • Improve our AI models and search algorithms
  • Analyze usage patterns to enhance user experience
  • Develop new features and services
  • Conduct research and analytics

Communications

  • Send important service updates and notifications
  • Respond to your inquiries and support requests
  • Send promotional communications (with your consent)

Safety and Compliance

  • Detect and prevent fraud, abuse, or security threats
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Protect the rights and safety of our users and others

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services to you under our Terms of Service.
  • Legitimate Interests: Processing for our legitimate business interests, such as improving our services, preventing fraud, and ensuring security, where these interests are not overridden by your rights.
  • Consent: Where you have given us explicit consent to process your data for specific purposes, such as marketing communications.
  • Legal Obligation: Processing necessary to comply with applicable laws and regulations.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with our service.

Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the website to function properly. They enable core functionality such as security, authentication, and session management. You cannot opt out of these cookies as they are essential for the service to operate.

Functional Cookies

These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings.

Analytics Cookies

We use analytics cookies to understand how visitors interact with our service. This helps us improve our service and user experience. Our analytics providers include:

  • Vercel Analytics and Speed Insights (page performance and usage)
  • Google Analytics 4 with Google Signals — collects usage data, approximate location, device information, and may associate visitation data with Google account information of signed-in users who have consented to ads personalization. This enables cross-device reporting and audience insights.

You can opt out of analytics cookies via our cookie banner or by installing the Google Analytics Opt-out Browser Add-on in your browser. Signed-in Google users can also review or delete activity in Google's My Activity page.

Marketing and Advertising Cookies

With your consent, we may use marketing cookies to support advertising features, including:

  • Google AdSense (when available) for displaying contextual advertisements
  • Aggregated audience insights from Google Analytics

Note: Because 4MED.AI is classified as a health-category service, ads personalization and remarketing are disabled. We do not use your browsing data to build personalized advertising profiles or share remarketing audiences with Google Ads. Any future advertising will be contextual only (based on page content, not user behavior).

These cookies are only activated when you grant marketing consent via our cookie banner. We use Google Consent Mode v2 to ensure that no advertising data is collected or shared without your explicit consent. When marketing cookies are denied, ad identifiers are redacted and no advertising data is sent to Google.

You can manage your Google ads settings at Google Ads Settings.

Managing Cookie Preferences

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies or to indicate when a cookie is being set. However, disabling cookies may affect the functionality of our service.

To learn more about cookies and how to manage them, visit www.allaboutcookies.org.

Do Not Track

Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activity tracked. We currently do not respond to DNT signals, but we honor the Global Privacy Control (GPC) signal where required by law.
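The two mechanisms named above, Consent Mode v2 defaults with ad data redaction and honoring the Global Privacy Control signal, are easy to get wrong in the order they are wired up. The following is an added example, written for this page and not 4MED.AI's own code, of how a site would compute and push that consent state. It assumes the standard gtag consent API (gtag('consent', 'default' | 'update', ...), gtag('set', 'ads_data_redaction', true), the allow_ad_personalization_signals config flag), the navigator.globalPrivacyControl property and the Sec-GPC request header; GA_MEASUREMENT_ID and the shape of the cookie-banner choice object are hypothetical placeholders. The gtag() shim only records calls locally so the example runs offline.

```javascript
// Added example (not 4MED.AI's code): Consent Mode v2 defaults, ad data
// redaction and Global Privacy Control (GPC) handling. The consent state is
// computed in pure functions so the policy logic can be reviewed and tested.
// GA_MEASUREMENT_ID is a hypothetical placeholder, not a real property.
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX';

// gtag() normally comes from the Google tag snippet. This shim records every
// call on a local dataLayer so the example runs offline in Node or a browser.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Consent Mode v2 signals. Everything starts denied except security_storage,
// which covers the essential session and anti-abuse cookies that a visitor
// cannot opt out of.
const DEFAULT_CONSENT = Object.freeze({
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'denied',
  personalization_storage: 'denied',
  security_storage: 'granted',
});

// Detect GPC either from the browser (navigator.globalPrivacyControl) or,
// on the server, from the Sec-GPC request header. Both inputs are passed in
// explicitly so the function stays pure and testable.
function readGpcSignal(nav, headers) {
  if (nav && nav.globalPrivacyControl === true) return true;
  if (headers) {
    for (const [name, value] of Object.entries(headers)) {
      if (name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1') return true;
    }
  }
  return false;
}

// Map a cookie-banner choice ({functional, analytics, marketing} booleans, or
// null before the visitor has chosen) plus the GPC flag to a consent state.
// GPC is an opt-out of sale/sharing, so it overrides a marketing "accept".
// ad_personalization stays denied unconditionally: personalization is
// disabled for a health-category property regardless of banner choice.
function consentStateFor(choice, gpcEnabled) {
  const state = { ...DEFAULT_CONSENT };
  if (!choice) return state;
  if (choice.functional) {
    state.functionality_storage = 'granted';
    state.personalization_storage = 'granted';
  }
  if (choice.analytics) state.analytics_storage = 'granted';
  if (choice.marketing && !gpcEnabled) {
    state.ad_storage = 'granted';
    state.ad_user_data = 'granted';
  }
  return state;
}

// Must run before the Google tag script loads: defaults denied, ad
// identifiers redacted while ad_storage is denied, personalization signals
// switched off at the config level. Returns the default state it pushed.
function initConsent() {
  // wait_for_update gives the banner 500 ms to send an update before tags fire
  gtag('consent', 'default', { ...DEFAULT_CONSENT, wait_for_update: 500 });
  gtag('set', 'ads_data_redaction', true);
  gtag('config', GA_MEASUREMENT_ID, { allow_ad_personalization_signals: false });
  return { ...DEFAULT_CONSENT };
}

// Called from the cookie banner once the visitor has chosen. Returns the
// state that was pushed so the caller (or a test) can verify it.
function applyBannerChoice(choice, gpcEnabled) {
  const state = consentStateFor(choice, gpcEnabled);
  gtag('consent', 'update', state);
  return state;
}
```

In a page, initConsent() runs inline before the gtag.js script tag, readGpcSignal(navigator, {}) is evaluated once, and the banner's callback calls applyBannerChoice(choice, gpcEnabled). The ordering matters: if the default call lands after the tag loads, Google's tags fire with consent unset and nothing below applies. Keeping the GPC override inside consentStateFor rather than in the banner UI means a stale "accept all" stored from an earlier visit cannot re-enable ad cookies on a browser that now sends GPC.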

Data Sharing and Disclosure

We may share your information in the following circumstances:

Service Providers

We share data with third-party vendors who perform services on our behalf, including:

  • Hosting: Vercel (application hosting and CDN)
  • Database: Supabase (data storage and authentication)
  • Authentication: Clerk (identity management)
  • AI Processing: Anthropic (Claude) and OpenAI (query processing)
  • Payments: Stripe (payment processing)
  • Analytics: Vercel Analytics (usage analytics), Google Analytics 4 (usage analytics, with Google Signals for cross-device insights)
  • Advertising: Google AdSense (contextual ads only, with your consent; ads personalization disabled)
  • Email: Resend (transactional emails)

These service providers are contractually obligated to protect your data and may only use it for the purposes we specify.

AI Model Providers

Your search queries are processed by AI models provided by Anthropic (Claude) and OpenAI. Queries sent to these providers are also subject to their privacy policies, and we recommend reviewing them.

Google Advertising Features

We use Google Signals for cross-device analytics insights (demographic and interest reports for signed-in Google users who have consented to ads personalization with Google). However, because 4MED.AI operates in the health category:

  • Ads personalization is disabled at the property level
  • No remarketing audiences are created or shared with Google Ads
  • No user data is exported for personalized advertising purposes
  • Google Signals data is used solely for aggregated analytics insights

Our use of Google Analytics complies with the Google Analytics Advertising Features Policy and the Google Advertising Policies. We do not use analytics data to target or profile users based on sensitive categories (as defined by Google's policies), including health conditions, medical treatments, or prescription medications.

Legal Requirements

We may disclose your information when required by law or when we believe disclosure is necessary:

  • In response to subpoenas, court orders, or other legal process
  • In response to requests from law enforcement or government agencies
  • To protect our rights, property, or safety
  • To protect the rights, property, or safety of our users or others

Business Transfers

If we are involved in a merger, acquisition, financing, or sale of business assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.

With Your Consent

We may share your information for other purposes with your explicit consent.

We do NOT sell your personal information to third parties.

International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

We primarily store and process data in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we implement appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data processing agreements with our service providers
  • Ensuring service providers maintain adequate security measures

By using our services, you consent to the transfer of your information to the United States and other countries where we and our service providers operate.

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including:

  • Account Data: Retained for as long as your account is active, plus a reasonable period afterward for legal and audit purposes.
  • Search History: Retained for the duration of your account to enable your saved research functionality.
  • Anonymized Data: Search queries may be retained in anonymized form indefinitely to improve our AI models and service quality.
  • Legal Records: Certain data may be retained longer as required by law or for legitimate business purposes (e.g., tax records, legal claims).

You can request deletion of your account and associated data at any time by contacting us. Upon deletion request, we will remove or anonymize your data within 30 days, except where retention is required by law.

Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data transmitted to and from our servers is encrypted using TLS 1.2 or higher
  • Encryption at Rest: Sensitive data is encrypted at rest using AES-256
  • Access Controls: Role-based access controls limit data access to authorized personnel
  • Authentication: Multi-factor authentication is available and recommended
  • Infrastructure Security: We host on cloud infrastructure providers that maintain SOC 2 attestations
  • Regular Audits: We conduct regular security assessments and vulnerability testing
  • Incident Response: We maintain incident response procedures for security events

Despite our security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information, but we are committed to maintaining appropriate safeguards.

Your Rights Under GDPR and UK GDPR

If you are located in the European Economic Area (EEA), you are protected by the EU General Data Protection Regulation (GDPR). If you are in the United Kingdom, you are protected by the UK GDPR (as retained under the UK Data Protection Act 2018), enforced by the Information Commissioner's Office (ICO). Residents of Switzerland are protected by the Swiss Federal Act on Data Protection (FADP). Under these regulations, you have the following rights:

  • Right of Access: You have the right to request a copy of the personal data we hold about you.
  • Right to Rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances ("right to be forgotten").
  • Right to Restriction: You have the right to request restriction of processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ICO).

To exercise these rights, please contact us at privacy@4med.ai. We will respond to your request within one calendar month, as required by the GDPR and UK GDPR.

Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell about you.
  • Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Ads personalization is disabled on our platform.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of sensitive personal information.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email address, IP address)
  • Internet or other electronic network activity (usage data, search queries, analytics data)
  • Professional or employment-related information (if provided)
  • Inferences drawn from the above categories

To exercise your rights, contact us at privacy@4med.ai or call us at the number provided on our contact page. You may also designate an authorized agent to make a request on your behalf.

Automated Decision-Making and AI

4MED.AI uses artificial intelligence to process your search queries and generate research summaries. This processing is essential to providing our core service and does not involve automated decision-making that produces legal effects or similarly significant effects on you.

The AI-generated content is provided for informational and research purposes only. We do not use automated processing to make decisions about your access to services, pricing, or other matters that would significantly affect you.

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you believe any automated processing has affected you in this way, please contact us.

Other U.S. State Privacy Rights

If you reside in a U.S. state with comprehensive privacy legislation, you may have additional rights. Below is a summary of key state laws:

Virginia (VCDPA)

Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data. You also have the right to opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling that produces legal or similarly significant effects. Processing of sensitive data (including health-related data) requires your consent.

Colorado (CPA)

Colorado residents have rights similar to those under the VCDPA, including the right to access, correct, delete, and obtain a portable copy of personal data. You may opt out of targeted advertising, sale of personal data, and certain profiling. We conduct data protection assessments where required for processing that presents a heightened risk of harm.

Connecticut (CTDPA)

Connecticut residents have rights to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling. Consent is required for processing sensitive data.

Utah (UCPA) and Other States

Residents of Utah and other states with enacted privacy laws (including Texas, Oregon, Montana, and others) may have similar rights. We endeavor to honor all applicable state privacy rights.

For all U.S. state privacy requests: contact us at privacy@4med.ai. We will respond within the timeframe required by your state's law (typically 45 days). If we deny a request, you have the right to appeal by contacting us at the same address.

Your Rights Under PIPEDA (Canada)

If you are a resident of Canada, your personal information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial legislation (such as Quebec's Law 25, Alberta's PIPA, or British Columbia's PIPA).

Under PIPEDA, you have the right to:

  • Access: Request access to the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete personal information
  • Withdrawal of Consent: Withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions
  • Complaint: File a complaint with the Office of the Privacy Commissioner of Canada

We collect, use, and disclose your personal information only for purposes that a reasonable person would consider appropriate in the circumstances. We obtain meaningful consent before collecting, using, or disclosing personal information, and we limit collection to what is necessary for the identified purposes.

To exercise your rights, contact us at privacy@4med.ai. We will respond within 30 days.

Email Communications (CAN-SPAM)

We comply with the CAN-SPAM Act for commercial email communications. This means:

  • We will not use false or misleading subjects or email addresses
  • We will identify promotional messages as advertisements where required
  • We will include our physical address in promotional emails
  • We will honor opt-out/unsubscribe requests within 10 business days
  • We will not sell or transfer email addresses to third parties for their marketing

You can unsubscribe from marketing emails at any time by clicking the "unsubscribe" link in any promotional email. Note that you may still receive transactional emails related to your account (e.g., password resets, important service notifications).

Children's Privacy

4MED.AI is not intended for use by individuals under 18 years of age.

COPPA Compliance (Under 13): In accordance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from children under 13 years of age. We do not direct our service to children under 13, and we do not knowingly allow children under 13 to create accounts or provide personal information. If we become aware that we have collected personal information from a child under 13, we will promptly delete that information from our systems.

Minors 13–17: We do not knowingly collect personal information from individuals between 13 and 17 years of age. Our service is designed for adult healthcare professionals and researchers.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@4med.ai.

Accessibility

We are committed to ensuring that our privacy practices are accessible to all users, including those with disabilities. If you need this privacy policy in an alternative format, please contact us.

We strive to maintain WCAG 2.1 Level AA compliance across our platform to ensure accessibility for users with disabilities.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you as required by applicable law. For users in the EEA and the United Kingdom, we will notify the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach.

Notifications will include the nature of the breach, the types of data affected, steps we are taking to address the breach, and recommendations for protecting yourself.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify you via email or prominent notice on our service
  • Where required by law, obtain your consent to material changes

We encourage you to review this policy periodically to stay informed about how we protect your information.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at privacy@4med.ai.

For GDPR-related inquiries, you may also contact our Data Protection representative at the email address above.