Privacy Policy

1. Overview

Medical Legal Connect ("we," "us," or "our") is committed to protecting the privacy and security of information entrusted to us by our users ("you," "your"). This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our platform at medicallegalconnect.com.

This Policy is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA), the Texas Medical Records Privacy Act, the California Consumer Privacy Act (CCPA) where applicable, and other applicable privacy laws.

2. Information We Collect

2.1 Information You Provide

We collect information you directly provide, including during registration, case creation, document upload, and secure messaging.

2.2 Automatically Collected Information

We automatically collect certain technical information when you use the Platform, including your IP address, browser type, device identifiers, and access timestamps. This data is used for security monitoring and HIPAA audit logging.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Platform
• Authenticate users and manage sessions securely (15-minute HIPAA-compliant session timeout)
• Generate HIPAA-required audit logs of all PHI access events
• Send transactional emails (e.g., password resets, invitation links, e-signature requests)
• Detect and prevent fraud, security incidents, and unauthorized access
• Comply with legal obligations, including HIPAA breach notification requirements
• Process subscription payments

We do not use your data for advertising or sell your data to third parties — ever.

4. Protected Health Information (PHI)

PHI is treated with the highest level of protection on our Platform. Key commitments:

• BAA Required: PHI may only be processed by organizations that have executed a Business Associate Agreement with us
• Encryption: All PHI is encrypted at rest (AES-256) and in transit (TLS 1.3)
• Access Control: PHI access is strictly role-based and org-isolated — no cross-organization data leakage
• Minimum Necessary: We access PHI only to the extent necessary to provide the service
• Audit Trail: Every PHI access event is logged with user, timestamp, and IP address
• Breach Response: We will notify you within 60 days of discovering any confirmed breach of unsecured PHI

5. Information Sharing

We do not sell, trade, or rent your personal information. We may share information only in these limited circumstances:

5.1 With Your Authorization

When you explicitly share a case or document with another organization on the Platform (cross-org access grants), the receiving organization can view only the data you specifically authorized.

5.2 Service Providers (Sub-processors)

We work with a limited number of trusted sub-processors who assist in delivering our services, each subject to strict data processing agreements:

• Supabase — Database hosting (HIPAA-eligible infrastructure)
• Resend — Transactional email delivery
• Dropbox Sign (HelloSign) — Electronic signature services (SOC 2 Type II certified)
• Stripe — Payment processing (PCI DSS Level 1 certified)
• Render — API server hosting

5.3 Legal Requirements

We may disclose information if required to do so by law, court order, or governmental authority, or to protect the rights, property, or safety of Medical Legal Connect, our users, or the public.

6. Data Security

We implement administrative, technical, and physical safeguards to protect your information, including:

• AES-256 encryption of all data at rest
• TLS 1.3 encryption of all data in transit
• Bcrypt password hashing (cost factor 12)
• JWT tokens with 8-hour expiry and automatic rotation
• Multi-Factor Authentication (MFA) support via TOTP authenticator apps
• Automatic 15-minute session timeout with identity re-verification
• Comprehensive audit logging of all access events
• Organization-level data isolation (multi-tenant architecture)

7. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Specific retention periods:

• Account data: Retained for the duration of your subscription plus 90 days post-cancellation
• Audit logs: Retained for 6 years in accordance with HIPAA requirements
• PHI: Retained per your organization's retention policy and applicable law; upon written request, we will assist in PHI deletion in compliance with applicable regulations
• Session tokens: Expire after 8 hours and are invalidated on logout

8. Your Rights

Depending on your location and applicable law, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete personal information
• Delete your personal information (subject to legal retention requirements)
• Export your data in a portable format (available via account settings or by request)
• Opt out of non-essential communications

For HIPAA-related rights regarding PHI (including the right to access, amend, or request an accounting of disclosures), please contact us at compliance@medicallegalconnect.com.

To exercise any privacy right, email privacy@medicallegalconnect.com. We will respond within 30 days.

9. Cookies & Local Storage

The Platform uses browser localStorage (not third-party cookies) to maintain your authenticated session token and user preferences. We do not use advertising cookies or cross-site tracking technologies.

Session data is automatically cleared when you log out or when your session expires.

10. Children's Privacy

The Platform is designed for use by licensed professionals and is not directed to children under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@medicallegalconnect.com.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. We will notify you of material changes via email or a prominent Platform notice at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the revised Policy.