Medstra Inc. Privacy Policy

Effective Date: December 16, 2025Last Updated: February 4, 2026

1. Introduction and Scope of This Policy

1.1 Our Commitment to Your Privacy

Welcome to Medstra Inc. ("Medstra," "we," "us," or "our"). We provide sophisticated, turnkey white-label telehealth platforms that empower our clients to launch and manage their own telehealth services. Protecting the privacy and security of personal information is the cornerstone of our business and a fundamental component of our commitment to trust and excellence.

This Privacy Policy ("Policy") provides a comprehensive explanation of how we collect, use, process, disclose, and safeguard personal information. It is designed to be transparent, readable, and compliant with the complex web of applicable data privacy laws, including the Delaware Personal Data Privacy Act (DPDPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other significant state and federal regulations.

1.2 Applicability of This Policy

This Policy applies to all personal information we process in the course of our business, which includes:

  • Medstra's Corporate Website: Information collected when you visit our website, medstra.co, interact with our marketing materials, or inquire about our services.
  • Client Services: Information we collect from our business clients when they subscribe to and use our platform services.
  • Platform End-Users: Information we process on behalf of our clients through their specific, white-labeled telehealth platforms that we host and maintain.

This Policy is intended for an audience within the United States. Our services are not directed at, and we do not intentionally market to, individuals outside the United States. Furthermore, our services are not intended for use by individuals under the age of 16.

2. Understanding Our Dual Role: Data Controller and Data Processor

To understand how your data is protected, it is essential to understand the two distinct legal roles Medstra plays. This distinction is critical under modern privacy laws like the DPDPA and GDPR, and it defines our responsibilities. (See GDPR, Art. 4; DPDPA, § 12D-102).

2.1 Medstra as a Data Controller

We act as a Data Controller when we determine the "purposes and means" of processing personal information for our own business needs. This applies when:

  • You visit our corporate website (medstra.co) and we collect analytics or marketing data.
  • You represent a business that is considering, purchasing, or using our platform, and we collect your contact and billing information.
  • You communicate with our sales or support teams for our corporate services.

In this role, we are directly responsible for ensuring the data is handled in compliance with all applicable privacy laws.

2.2 Medstra as a Data Processor (and HIPAA Business Associate)

We act as a Data Processor when we process personal information on behalf of and under the instruction of our clients. This is our primary role in the context of the telehealth platforms we provide.

  • Your Relationship is with Our Client: If you are a patient or end-user of a telehealth service powered by Medstra, the clinic, hospital, or wellness provider you are interacting with is the Data Controller. They define what information is collected from you and why. Our legal agreements with our clients (Data Processing Addendums) require us to process your data only as they direct.
  • HIPAA Business Associate: When our client is a "Covered Entity" under HIPAA (such as a hospital, clinic, or licensed healthcare provider), Medstra acts as a Business Associate. (See 45 C.F.R. § 160.103). This means we are legally bound by contract (a Business Associate Agreement or "BAA") and by law to implement the stringent privacy and security safeguards required by HIPAA to protect your Protected Health Information (PHI). For details on how a specific provider uses your PHI, you should consult their Notice of Privacy Practices (NPP).

3. The Personal Information We Collect and Process

We believe in data minimization: collecting only the information that is adequate, relevant, and reasonably necessary for the specified purposes. Below is a detailed breakdown of the categories of personal information we process, categorized by our role.

3.1 Information We Collect for Our Own Business (as Data Controller)

Client and Prospect Information:

  • Identity and Contact Data: First and last name, email address, phone number, job title, and company name of individuals who represent our business clients or prospective clients.
  • Financial and Transactional Data: Payment card information, bank account details, billing address, and transaction history related to platform subscription fees. This data is primarily processed by our PCI-compliant payment processor, Stripe, and we do not store full payment card numbers on our systems.
  • Communications Data: Records and contents of your correspondence with us via email, phone, or our website contact forms, including support requests and sales inquiries.

Website Usage and Marketing Data (medstra.co):

  • Technical and Device Data: IP address, browser type and version, operating system, device identifiers, time zone settings, and language preferences. This is collected automatically through server logs.
  • Usage and Interaction Data: Information about how you navigate our corporate website, including the pages you view, the links you click, the time spent on each page, referral sources (how you arrived at our site), and mouse movements. This is collected via analytics services like Google Analytics and Vercel Analytics.
  • Marketing and Advertising Data: Information collected through tracking technologies like the Meta Pixel and Google Ads tracking cookies. This can include information about ads you have viewed or clicked, conversions (e.g., if you fill out a contact form after seeing an ad), and data used to create audiences for targeted advertising on other platforms. This data is often pseudonymous and tied to your browser or device ID.

3.2 Information We Process on Behalf of Our Clients (as Data Processor)

This is the information processed through our clients' white-label telehealth platforms. Medstra securely stores and manages this data but does not control or own it.

End-User Account and Profile Data:

  • Identity Data: Name, date of birth, gender, physical address, email address, and phone number of patients or end-users.
  • Authentication Data: Usernames, hashed and salted passwords, security questions, or other credentials used to secure an end-user's account.

Sensitive Personal Information and Protected Health Information (PHI):

  • Health and Medical Data: This is the most sensitive data we process and is subject to the highest level of protection. It includes patient-reported symptoms, medical history, diagnoses, mental health conditions, treatment plans, prescription information, lab results, and notes entered by healthcare providers.
  • Telehealth Session Data: Depending on the services offered by our client, this may include video or audio recordings, chat logs, or transcripts from telehealth consultations between patients and providers.
  • Insurance Information: Health insurance carrier, policy numbers, group numbers, and other information required for billing and claims processing.
  • Other Sensitive Data: This may also include information defined as "sensitive" under state laws like the DPDPA, such as precise geolocation data (if enabled on a mobile device), or data revealing racial or ethnic origin.

Transactional and Scheduling Data:

  • Appointment Data: Information about scheduled, past, and future appointments, including date, time, and the assigned healthcare provider.
  • Payment Data: Co-pay, deductible, or service fee payment information collected from end-users on behalf of our clients. This is also processed through Stripe to ensure PCI DSS compliance.

4. How and Why We Use Your Personal Information

Every data processing activity we undertake is tied to a specific, legitimate purpose. We are committed to transparency about these purposes.

4.1 Our Purposes as a Data Controller

Purpose of UseData Categories InvolvedLegal Basis (Illustrative)
To Provide and Manage Our Services for ClientsClient Contact & Financial DataPerformance of a Contract
To Process Payments and Manage AccountsClient Financial DataPerformance of a Contract; Legal Obligation (Tax/Financial Law)
To Communicate with Clients & ProspectsClient Contact & Communications DataLegitimate Interest (Business Communication); Performance of a Contract
For Marketing & Advertising Our ServicesWebsite Usage & Marketing DataConsent (for non-essential cookies); Legitimate Interest (Direct Marketing)
To Analyze & Improve Our Corporate WebsiteTechnical & Usage DataLegitimate Interest (Improving our services and user experience)
To Secure Our Systems & Prevent FraudAll Controller Data CategoriesLegitimate Interest (Security); Legal Obligation
To Comply with Legal ObligationsAll Controller Data CategoriesLegal Obligation

4.2 Our Purposes as a Data Processor

As a processor, our purposes are dictated entirely by our clients (the controllers). Our platform is designed to enable them to:

  • Create and manage patient/end-user accounts.
  • Facilitate secure, real-time telehealth consultations.
  • Securely store and manage patient health records.
  • Manage appointment scheduling and patient communications.
  • Process payments for healthcare services.
  • Maintain audit logs for security and compliance purposes.
  • Comply with their own legal and regulatory obligations.

Critically, we are contractually and legally prohibited from using the sensitive personal information we process on behalf of our clients for our own purposes, such as marketing or advertising.

5. How We Disclose or "Share" Your Personal Information

We do not "sell" personal information in the traditional sense of the word. However, under the broad definitions of "sale" and "sharing" in laws like the CPRA and DPDPA, our use of third-party advertising cookies may qualify. We are transparent about the limited circumstances under which your data may be disclosed.

5.1 Disclosures of Data We Control

  • To Our Service Providers (Sub-processors): We engage trusted third-party companies to perform services on our behalf. These vendors are our "sub-processors" and are contractually bound by Data Processing Agreements (DPAs) to protect your data and use it only for the services we have hired them to provide. Key categories include:
    • Cloud Hosting & Infrastructure: Amazon Web Services (AWS) and Vercel provide the secure cloud infrastructure on which our corporate website and platforms are built and data is stored.
    • Payment Processing: Stripe processes all subscription payments from our clients.
    • Analytics Providers: Google Analytics helps us understand traffic and usage patterns on medstra.co.
    • Marketplace/Authentication: Whop may be used for service access or authentication.
  • To Advertising Partners: We may "share" pseudonymous technical and usage data with partners like Meta (Facebook) and Google through tracking technologies to measure the effectiveness of our advertising campaigns and for retargeting purposes. You have the right to opt-out of this sharing, as detailed in Section 6.
  • In Connection with a Business Transaction: If Medstra is involved in a merger, acquisition, financing, or sale of all or a portion of our assets, your information may be transferred as part of that transaction, subject to standard confidentiality agreements.
  • As Required by Law: We may disclose your information if we believe in good faith that it is necessary to comply with a legal obligation, subpoena, court order, or other lawful request by public authorities.

5.2 Disclosures of Data We Process for Clients

As a processor, we only disclose end-user data under the following circumstances:

  • To the Relevant Client (Data Controller): The primary disclosure is back to the healthcare provider or wellness company whose service you are using. They have access to their patient data through the platform.
  • To Our Core Infrastructure Sub-processors: End-user data, including PHI, is securely stored within our AWS environment. We have a BAA with AWS, ensuring they meet HIPAA's stringent security requirements for this data.
  • As Expressly Directed by Our Client: We may disclose data to another party if we are explicitly instructed to do so by our client in writing and as permitted under our agreements.
  • As Required by Law: We may be compelled to disclose information in response to a legal order. In such cases, we will, to the extent legally permitted, notify our client to allow them to seek a protective order.

5.3 Mobile Information Usage

Notwithstanding the above, no mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

6. Your Privacy Rights and How to Exercise Them

You have significant rights concerning your personal information. Medstra is committed to providing you with clear and accessible mechanisms to exercise these rights. The rights available to you may depend on your state of residence.

6.1 Your Comprehensive Privacy Rights

You may have the right to:

  • The Right to Know and Access: Request a copy of the specific pieces of personal information we have collected about you, including the categories of information, the sources of collection, the purposes for collecting it, and the categories of third parties to whom we have disclosed it.
  • The Right to Correction (Rectification): Request that we correct any inaccuracies in your personal information.
  • The Right to Deletion (Erasure): Request that we delete personal information we have collected from you, subject to certain exceptions (e.g., we may need to retain data to complete a transaction, comply with a legal obligation, or for security purposes).
  • The Right to Data Portability: Request a copy of your data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit it to another entity.
  • The Right to Opt-Out of Sale / Sharing / Targeted Advertising: Direct us not to "sell" or "share" your personal information with third parties for purposes of cross-context behavioral advertising or targeted advertising.
  • The Right to Limit the Use of Sensitive Personal Information: For certain jurisdictions like California, you have the right to direct us to limit our use and disclosure of your sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected.
  • The Right to Non-Discrimination: You have the right not to be discriminated against for exercising any of your privacy rights.

6.2 How to Exercise Your Rights

  • For Data Controlled by Medstra: To exercise your rights regarding data Medstra controls (e.g., from our marketing site), please submit a verifiable request through one of the following methods:
    • Email: privacy@medstra.co
  • To Opt-Out of Sale/Sharing: You can exercise your right to opt-out of targeted advertising by clicking the "Do Not Sell or Share My Personal Information" link in the footer of our website and by enabling a universal opt-out preference signal, such as the Global Privacy Control (GPC), in your browser settings. We are configured to honor such signals.
  • For Data Controlled by Our Clients (End-User Data): As we are the processor of this data, you must direct your rights requests to the healthcare provider or wellness company whose service you are using. They are the Data Controller and are responsible for managing and responding to your request. We will assist our clients as needed to help them fulfill your request.
  • Verification Process: To protect your privacy, we will take steps to verify your identity before fulfilling a request. This may require you to provide information to match against our records, such as your name and email address.

7. Our Commitment to Data Security and Integrity

We have implemented a comprehensive, multi-layered security program with administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. Our security posture is aligned with the standards of the HIPAA Security Rule and industry best practices.

Administrative Safeguards

  • Security Governance: We have a designated Data Protection Officer, Ryan Morovich, and a formal information security program.
  • Employee Training: All employees undergo mandatory, regular training on data privacy and security protocols.
  • Risk Management: We conduct regular risk assessments to identify and mitigate potential threats to data.
  • Incident Response Plan: We maintain and test a detailed plan to promptly respond to and manage any security incidents.

Technical Safeguards

  • Encryption: All personal information is encrypted both in transit using strong TLS protocols and at rest in our databases using AES-256 or equivalent standards.
  • Access Controls: We enforce strict role-based access control (RBAC) and the principle of least privilege, ensuring personnel can only access data essential to their job function. All access to sensitive data is logged.
  • Network Security: Our infrastructure is protected by firewalls, intrusion detection and prevention systems (IDS/IPS), and undergoes regular vulnerability scanning and penetration testing.

Physical Safeguards

We rely on the world-class physical security of our cloud provider, AWS, whose data centers feature extensive measures including biometric access controls, 24/7 surveillance, and environmental controls.

8. Data Retention and Deletion

We adhere to the principle of storage limitation, retaining personal information only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, accounting, or reporting requirements.

  • Controller Data: We maintain an internal data retention schedule for data we control. For example, client contract and financial data is retained for the duration of the relationship plus a period required by tax and corporate law (typically 7 years). Marketing data is retained until a user opts-out or becomes inactive.
  • Processor Data: For the end-user data we process on behalf of our clients, our retention policy is governed by our contract with the client. We retain this data for the duration of the client contract and, upon termination, will either securely return the data to the client or securely destroy it according to their instructions and as required by law (including HIPAA).

9. International Data Transfers

While our services are targeted to the U.S., our use of global service providers may result in the transfer of data across borders. We ensure that such transfers are protected by appropriate legal mechanisms. Though we do not intentionally target EU residents, we have implemented frameworks that provide a high standard of protection, such as:

  • EU-U.S. Data Privacy Framework (DPF): Where applicable, we rely on the DPF for transfers of personal data to certified U.S. companies.
  • Standard Contractual Clauses (SCCs): We enter into SCCs with our service providers for international data transfers, which impose contractual data protection obligations approved by the European Commission.

10. Children's Privacy

Our services and platforms are not directed at or intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. Our agreements with our clients contractually require them to enforce this age limit. If we become aware that we have inadvertently collected personal information from a child under 16 without verifiable parental consent, we will take steps to delete it immediately.

11. Cookies, Tracking Technologies, and Analytics

We use cookies, pixels, and other similar technologies on our corporate website (medstra.co). These tools help us operate our site, analyze performance, and deliver targeted advertising.

  • What They Are: Cookies are small text files placed on your device. Pixels are tiny images that can track your activity.
  • How We Use Them:
    • Strictly Necessary: For basic site functions and security.
    • Performance/Analytics: To understand user behavior and improve our site.
    • Functional: To remember your preferences.
    • Targeting/Advertising: To show you relevant Medstra ads on other websites.
  • Your Control: We provide a cookie consent banner on our website that allows you to accept or reject non-essential cookies. You can also manage cookies through your browser settings and by using the opt-out tools described in Section 6.2.

12. Changes to This Privacy Policy

The world of data privacy is constantly evolving. We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify you by posting the updated policy on our website and updating the "Last Updated" date. For significant changes, we may also provide more direct notification, such as via email.

13. How to Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, or if you wish to exercise your rights, please contact our Data Protection Officer:

Data Protection Officer

Ryan Morovich

Medstra Inc.

901 N Market Street, Suite 100

Wilmington, DE 19801

Email: privacy@medstra.co