Clear.md (Vidscrip) Privacy Policy

Last Updated: March 24, 2026

Clear.md, Inc. (dba “Vidscrip”) takes the privacy and protection of personal information very seriously. This Privacy Policy governs your use of the Vidscrip platform and services (the “Services”).

Vidscrip maintains a comprehensive compliance program, including HIPAA (Health Insurance Portability and Accountability Act), SOC-2 Type II security standards, and the General Data Protection Regulation (GDPR).

1. Scope and Roles

This policy applies to two types of users:

  • Healthcare Providers ("Providers"): Professionals who log in to record, manage, and share content.
  • Patients ("Viewers"): Individuals who view content shared by Providers, typically without a login.

Data Roles under GDPR/HIPAA:

  • For Provider account data, Vidscrip is the Data Controller.
  • For Patient data and Protected Health Information (PHI) uploaded by Providers, Vidscrip acts as a Business Associate (under HIPAA) and a Data Processor (under GDPR). The Provider is the Data Controller.

2. Information We Collect

A. Information Provided Voluntarily

  • Providers: We collect names, NPI numbers, clinical affiliations, email addresses, and billing information.
  • Patients: While login is not required, we collect information you voluntarily submit via contact forms, feedback loops, or text message prompts (e.g., name, phone number).
  • Health Information: Any information shared within a "Vidscrip" that identifies a patient is treated as Protected Health Information (PHI) under HIPAA and Special Category Data under GDPR.

B. Information Collected via Technology (SOC-2 & GDPR Compliance)

To ensure system integrity and security, we collect:

  • Log Data: IP addresses, browser types, and device identifiers.
  • Cookies: Necessary cookies for session management and functional cookies for user preferences. You may manage cookie settings in your browser, though some Services may be limited.

3. Compliance Standards

HIPAA Compliance (U.S. Healthcare)

Vidscrip complies with HIPAA regulations for the protection of ePHI. We enter into Business Associate Agreements (BAAs) with all Healthcare Providers. We utilize encryption, audit controls, and data integrity tools to ensure PHI is never accessed by unauthorized parties.

SOC-2 Type II Compliance

As a SOC-2 compliant organization, Vidscrip follows the Trust Services Criteria regarding Security, Availability, and Confidentiality. This includes:

  • Continuous Monitoring: 24/7 security oversight of our cloud infrastructure.
  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Control: Strict "Principle of Least Privilege" access for Vidscrip employees.

GDPR Compliance (EU & UK Users)

For individuals in the EEA and UK, we process data under the following legal bases:

  1. Contractual Necessity: To provide the service to the Provider.
  2. Legal Obligation: To comply with healthcare record-keeping and security laws.
  3. Legitimate Interests: For fraud prevention and platform optimization.

4. Use and Disclosure of Information

We use your information to provide, maintain, and improve our Services.

  • No Sale of Data: Vidscrip does not sell Personal Information or PHI to third parties.
  • Third-Party Service Providers: We may share data with "Sub-processors" (e.g., cloud hosting) who are contractually bound to the same privacy standards as Vidscrip.
  • Legal Requirements: We may disclose information if required by a valid subpoena or court order, or to protect the safety of our users.

5. Your Rights and Choices

Under GDPR and various U.S. state laws (such as CCPA/CPRA), you have the following rights:

  • Access and Portability: Request a copy of the personal data we hold about you.
  • Correction/Rectification: Request updates to inaccurate information.
  • Deletion: Request that we delete your personal data (subject to medical record retention requirements under HIPAA).
  • Withdrawal of Consent: Where processing is based on consent, you may withdraw it at any time.

Note to Patients: Because Vidscrip acts as a service provider to your doctor, requests to access or delete clinical information should be directed to your Healthcare Provider. We will cooperate with them to fulfill your request.

6. International Data Transfers

Vidscrip is based in the United States. For users in the EU/UK, we utilize Standard Contractual Clauses (SCCs) and other approved transfer mechanisms to ensure your data receives a level of protection equivalent to what it would receive within the EEA.

7. Security and Confidentiality

We have implemented appropriate technical and organizational measures to protect data. However, no method of transmission over the Internet is 100% secure. In the event of a data breach, Vidscrip maintains a Breach Notification Policy in compliance with SOC-2, HIPAA, and GDPR timelines.

8. Shortcode (SMS) Data

Data obtained through our SMS program (e.g., "73771") will not be shared with third parties for marketing purposes. Mobile phone numbers collected for notification purposes are kept strictly confidential.

9. Contact Us

If you have questions regarding this policy or wish to exercise your data rights, please contact our Data Protection Officer (DPO) at:

Email: privacy@vidscrip.com

Address:
Clear.md, Inc. (dba Vidscrip)
2112 Broadway Street Northeast, STE 225 #320
Minneapolis, MN 55413
