EHealthMed AI

Privacy Policy

EHealthMed AI Translator
 
Effective Date: 13 March 2026
 
Last Updated: 13 March 2026
 
 
EHealthMed Ltd (“EHealthMed”, “we”, “us”, or “our”) operates the EHealthMed AI Translator mobile application and the associated website at ehmed.ai (collectively, the “Service”). This Privacy Policy explains what information we collect, how we use it, what we deliberately do not collect or store, and the rights you have over your data.
We encourage you to read this policy in full. If you have questions, contact us at before using the Service.
 
 

1. Who This Policy Applies To

This policy applies to:
Clinicians and healthcare professionals who use the EHealthMed AI Translator app to facilitate patient communication
Enterprise administrators who manage organisational accounts
Visitors to ehmed.ai
It does not apply to patients whose speech may be processed through the app. Patients do not create accounts and no patient data is retained by EHealthMed. See Section 4 for details.
 
 

2. The Controller

The data controller responsible for your personal information is:
 
EHealthMed Ltd
 
Contact:
 
Support:
 
 

3. Information We Collect

3.1 Account Registration Data

When you create an account, we collect:
| Data Element | Purpose | Legal Basis |
| --- | --- | --- |
| Email address | Account identification, login, and service communications | Contract performance |
| Password (bcrypt-hashed, never stored in plain text) | Authentication | Contract performance |
| Account creation timestamp | Audit trail and security | Legitimate interest |
| Subscription tier and usage minutes | Service entitlement management | Contract performance |
 
We do not collect your name, date of birth, phone number, or any demographic information unless you voluntarily provide it when contacting support.

3.2 Usage and Audit Logs

For security and compliance purposes, we maintain an audit log that records:
| Log Entry | What Is Recorded | Retention |
| --- | --- | --- |
| Login events | Timestamp, account ID, IP address | 90 days |
| Translation session events | Timestamp, account ID, source/target language pair, session duration | 90 days |
| Account changes | Timestamp, account ID, type of change | 90 days |
| Auto sign-off events | Timestamp, account ID | 90 days |
 
Audit logs do not contain any speech audio, transcribed text, or translated text. They record only metadata (when, who, which language pair) — never the content of any medical communication.

3.3 Device and Technical Data

When you use the app, we may automatically receive:
Device type and operating system version (for compatibility and crash reporting)
App version number
General geographic region derived from IP address (country level only, not precise location)
We do not use device fingerprinting or persistent advertising identifiers.
 
 

4. What We Deliberately Do Not Collect or Store

This section is central to the design of EHealthMed AI Translator and is a core commitment to our users.
 
We do not store, log, or retain any of the following:
Voice recordings or audio files from clinician or patient speech
Speech-to-text transcripts of spoken medical phrases
Translated text in any language
Patient names, identifiers, or any information that could identify a patient
Medical record numbers, diagnoses, or clinical notes
All speech audio, transcription output, and translation output are processed entirely in memory during an active translation session. When the session ends, this data is discarded. It is never written to disk, never transmitted to our database, and never retained in any log.
This architecture means that EHealthMed AI Translator does not create, receive, maintain, or transmit Protected Health Information (PHI) as defined under the HIPAA Privacy Rule (45 CFR §160.103) in the course of normal operation. The Service is designed to minimise PHI exposure at the infrastructure level.
 
 

5. Third-Party Services

To deliver the translation functionality, your speech is transmitted to the following third-party processors during an active session. These transmissions occur in real time and the third parties do not retain the data beyond their own processing pipelines.
| Processor | Function | Data Transmitted | Their Privacy Policy |
| --- | --- | --- | --- |
| OpenAI (Whisper API) | Speech-to-text transcription | Audio recording (in-session only) | |
| OpenAI (TTS API) | Text-to-speech audio synthesis | Translated text (in-session only) | |
| Google Cloud (Translation API) | Text translation | Transcribed text (in-session only) | |
| Railway | Backend hosting and database infrastructure | Account data, audit logs | |
| Netlify | Web frontend hosting | Web traffic metadata | |
 
We are in the process of executing Business Associate Agreements (BAAs) with OpenAI and Google Cloud as required under HIPAA for covered entities. Enterprise customers requiring a BAA with EHealthMed Ltd should contact .
 
 

6. How We Use Your Information

We use the information we collect for the following purposes:
Service delivery. Your account data is used to authenticate you, manage your subscription entitlement, and enforce usage limits.
Security and fraud prevention. Audit logs are used to detect unauthorised access, investigate security incidents, and enforce our Terms of Service.
Service communications. We may send you transactional emails (account confirmation, password reset, subscription renewal notices). We do not send marketing emails without your explicit consent.
Legal compliance. We may process and retain data as required by applicable law, including healthcare regulations and financial record-keeping obligations.
We do not sell your personal data to third parties. We do not use your data for advertising or behavioural profiling.
 
 

7. Data Retention

| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Account registration data (email, hashed password) | Duration of account + 30 days after deletion request | Contract performance |
| Subscription and billing records | 7 years | Legal obligation (financial records) |
| Audit logs (login, session metadata) | 90 days | Security and HIPAA audit trail requirements |
| Speech audio, transcripts, translations | Not retained — zero retention | Privacy by design |
| Support correspondence | 2 years from last contact | Legitimate interest |
 
When an account is deleted, all account registration data is removed within 30 days. Audit log entries associated with the account are anonymised (account ID replaced with a pseudonymous hash) rather than deleted, to preserve the integrity of the security audit trail.
 
 

8. Data Security

We implement the following technical and organisational measures to protect your data:
Encryption in transit. All communications between the app, the backend, and third-party APIs use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced.
Encryption at rest. The database is hosted on Railway’s managed MySQL infrastructure, which encrypts data at rest.
Password security. Passwords are hashed using bcrypt with a cost factor of 12. Plain-text passwords are never stored or logged.
Access control. Backend API endpoints are protected by JWT authentication. Administrative endpoints require a separate admin credential. Rate limiting is applied to all authentication endpoints to prevent brute-force attacks.
Inactivity sign-off. The app automatically signs out users after 30 minutes of inactivity, with a 60-second warning, to protect data on unattended devices.
Audit logging. All authentication and session events are logged with timestamps for security review and compliance auditing.
No security system is infallible. In the event of a data breach that affects your personal information, we will notify affected users and relevant regulatory authorities within the timeframes required by applicable law.
 
 

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:
| Right | Description | How to Exercise |
| --- | --- | --- |
| Access | Request a copy of the personal data we hold about you | |
| Rectification | Request correction of inaccurate data | |
| Erasure | Request deletion of your account and associated data | Email or use in-app account deletion |
| Restriction | Request that we limit processing of your data | |
| Portability | Request your data in a structured, machine-readable format | |
| Objection | Object to processing based on legitimate interest | |
| Withdraw consent | Where processing is based on consent, withdraw it at any time | |
 
GDPR (EEA/UK users). If you are located in the European Economic Area or the United Kingdom, you have the rights listed above under the General Data Protection Regulation (GDPR) or UK GDPR. You also have the right to lodge a complaint with your local supervisory authority.
CCPA (California residents). If you are a California resident, you have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal information. We do not sell personal information.
HIPAA. EHealthMed AI Translator is designed to minimise PHI handling. Where EHealthMed acts as a Business Associate under HIPAA, your rights with respect to PHI are governed by your covered entity’s Notice of Privacy Practices, not this policy.
We will respond to all rights requests within 30 days. We may ask you to verify your identity before fulfilling a request.
 
 

10. Children’s Privacy

The Service is intended for use by licensed healthcare professionals and is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at and we will delete it promptly.
 
 

11. International Data Transfers

EHealthMed’s backend infrastructure is hosted in the United States via Railway. If you access the Service from outside the United States, your account data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards for transfers of personal data from the EEA or UK to the United States.
 
 

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
Update the “Last Updated” date at the top of this page
Notify registered users by email at least 14 days before the change takes effect
Where required by law, seek your consent before applying the change
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
 
 

13. Contact Us

For privacy-related enquiries, data subject rights requests, or to report a concern:
 
Privacy Officer
 
EHealthMed Ltd
 
Email:
 
General:
 
Support:
We aim to respond to all enquiries within 5 business days.
 
 
This Privacy Policy was last reviewed and approved on 13 March 2026.