Atlas.md Privacy Policy
Last Updated: November 19, 2025
Scope: This Privacy Policy applies to the Atlas.md web application, mobile applications, and website (collectively, the “Services”) provided by Atlas CRM, LLC (“Atlas.md,” “we,” or “us”). It describes how we collect, use, disclose, and protect personal information. This policy covers data of our clinic customers (healthcare providers and their staff), patients whose information is managed on our platform, and visitors to our website.
Atlas.md is specialized software for healthcare practice management, and therefore we handle sensitive personal data, including health information. We are committed to protecting your privacy and complying with applicable privacy laws. In many cases, Atlas.md acts as a “Business Associate” to healthcare providers under HIPAA, meaning we process Protected Health Information on behalf of our clinic customers. We strive to uphold the trust placed in us by implementing strong privacy and security practices.
By using our Services or by providing us with personal information, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the Services. If you have any questions about this policy, you can contact us at support@atlas.md.
1. Information We Collect
We collect various types of information through our Services. In most cases, the data we collect is provided by users (either healthcare providers or patients) or generated through the use of our platform. Here are the categories of information we handle:
- Account and Contact Information: When a clinic signs up for Atlas.md, we collect information about the clinic and its staff. This may include the provider’s name, practice name, address, phone number, email address, payment information for billing the subscription, and credentials (such as medical license information if needed). For patient users, if you create an account on the patient portal or mobile app, we may collect your name, email, phone number, and a password (or we may rely on information your provider entered about you and a signup link).
- Patient Health Information (PHI): Atlas.md is used to store and manage patient medical records. This means we handle any information that a provider or patient inputs into the system, which can include:
  - Personal identifiers: full name, date of birth, gender, address, contact information, insurance info (if any), etc.
  - Medical history and records: symptoms, diagnoses, treatment plans, medications, allergies, immunizations, progress notes, and any documents or images uploaded (e.g. PDF records, x-ray images, photos of rashes taken via the app, etc.).
  - Lab orders and results: information about lab tests ordered (like blood tests) and the results returned from the lab.
  - Prescription and dispensing data: records of medications prescribed, filled, or dispensed, including medication names, dosages, and refill history.
  - Communication content: any messages sent via the platform’s text messaging feature, emails via the system, voicemails recorded, or notes from phone/video consultations. These could include discussions about health issues, appointment reminders, etc. (Note: voice or video calls themselves are generally live and not recorded by default, but if a voicemail is left or a call is transcribed by the app, that content is stored).
  - Billing and payment records: invoices generated for a patient, records of payments made (including payment method, date, and amount), membership subscription details if the clinic runs on monthly fees, etc.
- Financial Information: For clinics, we collect payment details to charge subscription fees (this could be a credit card on file). For patient payments, as described, we integrate with Stripe. When a patient enters credit card or bank information to pay a clinic, that information goes directly to Stripe. Atlas.md itself might store a token or record of the transaction, the last 4 digits of a card, card brand, and expiration date, but we do not store full credit card numbers or bank account numbers on our servers. We also may store information needed for refunds or tracking transactions (like Stripe transaction IDs).
- Usage Data: We collect data about how the Services are accessed and used. This includes:
  - Technical Logs: When you use Atlas.md, our servers automatically record certain information (“log data”). This may include information like your web request or action (e.g., viewing a patient’s chart, sending a message), Internet Protocol (IP) address, browser type, device information (such as device model and operating system for mobile apps), pages or features accessed, and the date and time of each action. These logs are used primarily for security, debugging issues, and audit trails (for example, keeping track of who accessed a medical record and when).
  - Cookies and Similar Technologies: Our website and web app use cookies (small text files stored on your device) and similar technologies (like local storage or web beacons) to enhance user experience. For instance, we use cookies to keep you logged in during a session, to remember your preferences, or to understand how you navigate our interface. We do not use cookies for advertising, and we do not sell cookie data to third parties. You can disable cookies in your browser settings, but note that some parts of our Service may not function properly if cookies are disabled (for example, you might be repeatedly asked to log in).
  - Analytics Data: We may use internal or third-party analytics tools to collect information about general usage patterns. This could include metrics like how often certain features are used, what paths users take through our UI, or performance metrics of the app. This information helps us improve the design and functionality of Atlas.md. When we use third-party analytics, we do not send them any identifying personal data from medical records – typically it’s aggregated or anonymized usage stats. For example, we might track that “Feature X was used by 30% of clinics this week” without revealing any PHI.
- Support and Feedback: If you contact us for support or with feedback (via email, phone, or within-app chat/helpdesk), we will collect the information you choose to share. This could include your contact information, details about a problem you’re experiencing, or suggestions. We keep these communications and any attached information (like screenshots) to help resolve your issue and improve our services. We treat any patient information sent to support as confidential. Our support staff is trained to handle PHI appropriately (for instance, if you send us a patient chart snippet to illustrate an issue, we protect that just like data on our platform).
Special Note on Sensitive Personal Information: Because Atlas.md is used for healthcare data, much of the information in our system is sensitive personal data, including health information. We apply the highest standard of care to protecting this information (see Section 4: How We Protect Your Information). We do not use sensitive health data for any purpose other than providing our Services, except in an anonymized way to improve our tools (e.g., to refine an AI algorithm, we might analyze hundreds of lab results trends without any patient identifiers attached).
2. How We Use Your Information
Atlas.md uses the collected information for the following purposes:
- Providing the Service: The primary use of your information is to deliver the functionality of the Atlas.md platform to you. This includes using data in patient charts to display and print medical records, scheduling appointments, sending communications (e.g., sending a text or email to a patient as initiated by the provider), processing payments, and integrating with labs or pharmacies. In short, everything you or your clinic does intentionally on the platform with the data is a use of that data by us on your behalf. We use account and login information to authenticate users and authorize access to the appropriate records (for example, ensuring a doctor can see their patients’ records, and a patient can only see their own data or messages).
- Improving and Developing the Service: We continually work to enhance Atlas.md’s features, usability, and security. We use usage data and feedback to identify areas of improvement. For instance, we might analyze support tickets to see common pain points, or review logs to detect slow performance in certain features. We may use de-identified health data to develop new features; for example, training an AI model to suggest possible diagnoses might involve analyzing many past anonymized records or using machine learning on text (with identifying details removed or masked). Any such development use of data is done under strict controls, and primarily to benefit our users by making the software smarter and more helpful.
- Communication: We use contact information (email, phone number) to communicate with you about the Service. This includes:
  - Service and Transactional Emails: Such as welcome emails, password reset messages, billing invoices, subscription renewal notices, alerts about lab results availability, appointment reminders, and notifications of secure messages. These are necessary for running the Service.
  - Updates and Announcements: We may email clinic users about new features, security updates, downtime notices, or policy changes (like updates to this Privacy Policy or Terms of Service). We try to keep these relevant and not too frequent.
  - Marketing and Newsletters: For clinic users (providers and staff), we may occasionally send newsletters, educational content about direct care, or invitations to webinars and events related to Atlas.md or DPC. You can opt out of marketing emails at any time by clicking “unsubscribe” in those emails. Note: We will not send marketing emails to patients without separate consent; patients might only receive communications related to their care (as sent by their provider through Atlas.md).
  - In-App Notifications: Within our apps, we might show notifications for certain updates or prompts (for example, a prompt to try a new feature or a security tip).
- Compliance and Protection: We may use your information as necessary to comply with applicable laws and regulations, and to enforce our agreements or protect our rights. For example:
  - We keep audit logs and may review them if we suspect improper access or if needed for legal purposes (like investigating a security incident or responding to a lawful subpoena).
  - We might use data to investigate potential violations of our Terms of Service (for instance, misuse of the platform or complaints).
  - If required by law, we might use and disclose data to respond to law enforcement requests or legal processes (more on that in the next section).
  - We use information (such as log-in history, IP addresses, and other signals) to detect and prevent fraud, security threats, or other malicious activity. For instance, if we notice an unusual login (e.g., from a new location or multiple failed attempts), we might log that and potentially alert the user or temporarily lock the account to prevent a breach.
- Business Transfers: If we consider or undertake a business transaction such as a merger, acquisition, reorganization, or sale of assets, we may use the information in evaluating and negotiating the transaction. If a sale or transfer occurs, the acquiring entity would gain access to the information as part of the business assets transferred, but they would still be bound by this Privacy Policy (or one with equivalent protections).
We do not use personal data for any purposes not described above without obtaining consent or providing notice. In particular, we do not sell personal information to data brokers or advertisers. We do not use patient data to advertise or market third-party products to patients. Any use of data for research (for example, analyzing outcomes across clinics) would be done in an aggregated and anonymized manner unless we obtain explicit permission for a specific identifiable use.
3. How We Share and Disclose Information
Atlas.md will share personal information with third parties only in ways that are necessary to provide our Services or as required by law. Below are the circumstances and partners with whom we may share data:
- With the Clinic and Authorized Users: If you are a patient, the information you provide or that your doctor enters is shared with your healthcare provider and their authorized staff through Atlas.md. For instance, if you send a message via the patient portal, the clinic’s users (doctor, nurse, etc.) will see that message and your identifying details. Similarly, lab results about you are accessible to the ordering provider. Within a clinic’s Atlas.md account, data may be visible to all users that the clinic has permitted (for example, all doctors in a group practice might access a common patient record, or front-desk staff might see billing info). These internal sharing settings are controlled by the clinic’s admin. Atlas.md just provides the platform for it.
- With Your Consent or Direction: We will share or disclose information if you explicitly ask us to or consent to it. For example, if as a provider you decide to integrate a third-party service not already integrated with Atlas.md and it requires data sharing, we would do so at your direction (assuming it’s technically feasible via our APIs). As a patient, if you request us to send a copy of your records to another doctor (through a feature or via support), we would only do that with clear permission from you or your provider.
- Service Providers (Subprocessors): We use a few carefully chosen third-party service providers to operate and improve Atlas.md. These providers act on our behalf and under our instructions, and they are bound by contractual obligations to protect the confidentiality and security of data (including signing BAAs when handling PHI). Key service providers include:
  - Hosting and Infrastructure: As mentioned, Atlas.md is hosted on Amazon Web Services (AWS). Our databases and files are stored on AWS servers in the USA. AWS may incidentally have access to data for storage and backup purposes, but they do not access content unless needed to resolve an infrastructure issue, and they are bound by strict privacy and security terms (including a BAA for PHI).
  - Communication Services: We share necessary data with Twilio, our communications platform, to send text messages, make calls, route faxes, and conduct video sessions. For example, when a text is sent to a patient, Twilio receives the patient’s phone number and the content of the SMS to deliver it. Twilio also processes phone call connections (receiving the numbers and the voice packets), and fax transmissions (digital files of faxes). Twilio is a HIPAA-compliant service provider and we have a BAA with them. They are authorized to use the data only to perform the communication services and not for other purposes.
  - Payment Processors: Stripe is our payment processor for handling credit/debit card and ACH transactions. When a patient pays a clinic bill online, the payment information and transaction details are shared with Stripe to complete the transaction. Stripe, as a financial services provider, may store some of this information (like a token for the card, or account info for recurring billing) and transaction history. Stripe is responsible for its use of that data under its own privacy policy (which we encourage users to review at stripe.com/privacy). Atlas.md only shares with Stripe what is necessary: typically the payment amount, the patient’s name and email (for receipts), and the card or bank details input by the patient. Stripe in turn provides us confirmation of payment and related info. We also use Stripe to process our subscription billing for clinics, so clinic payment info is handled by Stripe as well.
  - Email and Notifications: For sending emails (like invitation emails to patients, appointment reminders, or broadcast messages), we might use an email delivery service such as SendGrid (by Twilio) or AWS SES. These services would get the recipient’s email address and the content of the email. They are not allowed to use that information except to send the message.
  - Analytics/Crash Reporting: To improve our apps, we might use tools like Google Analytics (for web analytics on our marketing site or aggregated app usage) or Sentry (for error/crash reporting in the application). These tools might collect some device or usage information. We configure them not to receive any patient-identifying data whenever possible. For example, we would not send full names or any PHI to analytics events. Instead, we might send an event like “user clicked X button” with an anonymous ID. Crash logs might include user IDs or device info to help us troubleshoot, but again, we strive to avoid any sensitive content in those.
  - AI Services: If we use any third-party AI or machine learning services to power features (for example, a cloud service to transcribe audio or to run a machine learning model), we would send the minimum necessary data to those services. For instance, if we use a transcription service to convert a recorded conversation to text, the audio content would be sent securely to that service and the text returned. Any provider we use for such tasks would be under a BAA (if PHI is involved) or contractual obligation to not store or misuse the data. We will be transparent about any significant external AI processing in our user documentation.
  - Opt-In Google Integration: As part of our optional Google integration, we use your Google user data as follows:
    - Fetch your emails from Google’s servers and display those emails within our platform as part of our services.
    - View your Google email address so we can cross reference with what we have in our platform.
    - Fetch your files from folder(s) you have granted us permission to access on Google’s servers and display those files within our platform as part of our services.
    Atlas MD’s use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
  - Stripe Identity: We use Stripe for identity document verification. Stripe collects identity document images, facial images, ID numbers and addresses as well as advanced fraud signals and information about the devices that connect to its services. Stripe shares this information with us and also uses this information to operate and improve the services it provides, including for fraud detection. You may also choose to allow Stripe to use your data to improve Stripe’s biometric verification technology. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy. Stripe retains a copy of all the data provided as part of a verification. You may also have consented to allow Stripe to use your data to improve their technology. You can delete your information from Stripe’s servers or revoke your consent by visiting https://support.stripe.com.
  - Others: We limit the use of third-party subprocessors, but there may be additional ones for specialized functions (like our helpdesk system if you email support, or a content delivery network to serve the app faster). A current list of our key subprocessors can be provided upon request. We review our subprocessors regularly to ensure they meet our standards.
- Lab and Pharmacy Partners: When you choose to integrate with a lab like Quest Diagnostics or LabCorp through Atlas.md, we share patient data with those lab partners as needed (order details, patient demographics, etc.). Similarly, if ordering medications via a partner like AndaMed or using e-prescribing, we share necessary info with pharmacies or pharmacy systems (such as SureScripts network or similar eRx providers) according to the workflows. These partners may become recipients of PHI and are typically considered “covered entities” or “downstream BAs” under HIPAA themselves, obligated to protect that information. Atlas.md will only share with these entities when you use the integration (i.e., if you don’t order labs, no data goes to a lab). The data returned (lab results, confirmation of prescription fills, etc.) will be stored in our system under the patient’s record.
- Legal Requirements and Safety: We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to (a) comply with a legal obligation, such as a subpoena, court order, or other government demand; (b) protect and defend the rights or property of Atlas.md, our customers, or others; (c) act in urgent circumstances to protect the personal safety of users of the Services or the public; or (d) investigate and help prevent security threats, fraud, or other malicious activity. We will attempt to notify the affected user (for example, a clinic) about any legal demands for data, unless we are legally prohibited from doing so or it’s an emergency situation. For instance, if law enforcement presents us with a valid subpoena for certain records, we would normally inform the clinic before turning over information, providing them a chance to object, unless the law forbids notifying them.
- Business Transfers: As noted earlier, if Atlas.md (Atlas CRM, LLC) is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your information may be transferred as part of such a transaction. We would ensure that any new owner or successor entity is either bound by the existing Privacy Policy or provides notice of any changes and allows you (and clinics) to opt out or export data before data is transferred in a way inconsistent with this policy. Your data remains your data; a change in company ownership will not change that.
- Aggregated or De-Identified Data: We may share information that has been aggregated (grouped together) or de-identified (stripped of personal identifiers) such that it cannot reasonably be used to identify an individual. For example, we might publish or share statistics like “The average number of patients per clinic using Atlas.md is X” or “In 2025, Atlas.md users collectively managed Y number of prescriptions.” Such information would not include any personal details and would not violate patient privacy. We might share these insights in marketing materials, with researchers, or partners interested in the DPC model, but always in a privacy-preserving manner.
No Selling of Personal Information: We want to clarify that we do not sell or rent personal information to third-party marketers. We do not share patient lists or contact information with pharmaceutical companies or the like. All sharing is only what’s needed to run our service or what is directed by our users, as outlined above.
4. Data Security: How We Protect Your Information
Atlas.md takes the security of personal and health information very seriously. We have implemented a comprehensive security program with administrative, technical, and physical safeguards designed to protect your data from unauthorized access, disclosure, or alteration. Here are key aspects of our security approach:
- Encryption: All data transmitted between your device (web browser or mobile app) and our servers is encrypted using industry-standard TLS (HTTPS). This ensures that eavesdroppers cannot read data in transit. Additionally, we encrypt sensitive data at rest in our database and storage (for example, PHI, account passwords, and other critical data are encrypted or hashed such that even if someone gained access to the raw storage, the data would not be easily readable).
- Access Controls: Within our organization, access to databases and systems containing PHI is limited to authorized personnel who require it for their job (for example, system administrators or support staff, and even then, they access it under strict conditions when needed to resolve an issue). Our staff are trained on privacy and security practices, including HIPAA obligations, and are required to sign confidentiality agreements. Two-factor authentication is used on internal admin accounts, and administrative access to production systems is logged and monitored.
- Secure Development Practices: We follow secure coding guidelines and conduct regular code reviews to catch security issues early. We keep our software libraries and dependencies up-to-date to patch known vulnerabilities. Before new features are released, they undergo testing (including security testing).
- Third-Party Audits and Assessments: We perform annual security assessments and penetration tests using independent security firms. These experts attempt to probe our system for vulnerabilities so we can fix them proactively. We also conduct periodic self-audits and are open to third-party audits that our customers might require for compliance reasons (reach out if you need to conduct one – typically under an NDA).
- Backup and Recovery: We perform regular backups of data to guard against accidental loss or corruption. Backups are encrypted and stored securely (often in a different AWS region or secure offsite location) to ensure that we can restore availability in case of a major incident. We have a disaster recovery plan and have tested restoring from backups. In the case of data loss or system outage, our goal is to recover quickly and minimize any data loss (Recovery Point Objective and Recovery Time Objective are part of our internal plans).
- Monitoring and Incident Response: Our systems are monitored for suspicious activities. We use intrusion detection systems and have alerts for unusual patterns (for example, many failed login attempts, or a sudden spike in server errors). We have an incident response plan in place. If a security incident (like a data breach) is detected, we will act swiftly to contain and investigate it. We will also notify affected customers and users in accordance with applicable laws (for example, HIPAA requires notifying covered entities and potentially individuals of breaches involving PHI, and state laws often have breach notification requirements for personal data).
- Physical Security: Since we rely on cloud infrastructure, physical data center security is largely handled by AWS, which has robust measures (guarded facilities, biometric access controls, etc.). Any physical servers or devices we manage directly (for example, employee laptops that might access the servers) are encrypted and secured as well. Our office (if/when we have physical records or access) is access-controlled.
- User Controls: We provide features that allow clinics to enhance security on their side: for example, user role-based permissions (so not every staff member can access all data), session timeouts (configurable logout timing), and soon two-factor authentication for logins (if not already in place). We encourage our users to use these features and follow best practices (like not sharing accounts, using unique passwords, and being mindful of where they access the system).
- Voluntary HIPAA Compliance Stance: As mentioned under Terms, Atlas.md can be used in a HIPAA-compliant way and we choose to adhere to most HIPAA Security Rule and Privacy Rule standards, even if some clients are not strictly under HIPAA. This means we treat all health data with the same high level of protection. We also sign Business Associate Agreements to formalize these commitments. However, we do not enforce certain policies on users (like forcing password rotations) because we balance usability for DPC clinics. Instead, we provide guidance and features to help you stay secure and compliant at your comfort level.
Despite our efforts, it’s important to acknowledge that no security measure is foolproof. The healthcare industry can be a target for cyber threats, and while we do everything reasonably possible to protect data, we cannot guarantee absolute security. Users should also play their part in security (see the “Your Security Responsibilities” under Terms of Service). If you have reason to believe that your data or account has been compromised, please contact us immediately.
5. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, or as required by law, or as otherwise stated in this Privacy Policy.
- Patient Health Records: As a default, Atlas.md retains patient medical records indefinitely on behalf of the clinic that created them. This retention aligns with the needs of medical practice (doctors often need to maintain records for many years). We do not delete or purge patient data on an arbitrary schedule. Even if a patient is inactive or a clinic stops using Atlas.md, records may be archived but retained unless deletion is requested (and authorized) by the clinic. This indefinite retention helps clinics comply with record retention laws (for example, many states require at least 7-10 years retention, and potentially longer in pediatric cases) and also ensures data is available if a patient returns or if records are needed for legal reasons (e.g. defense in a malpractice claim that might arise years later).
- Clinic Account Data: We retain a clinic’s account information and usage data while the account is active. If a clinic terminates their subscription, we may retain their account data (including patient records) for a grace period in case they return or need a copy of their data. We generally inform the clinic and give options: for example, we may offer to export the data to them and then delete from our systems if they prefer. If not instructed otherwise, we may keep the data archived for a longer period (since, as mentioned, deletion might not be desired). If a clinic explicitly requests deletion of all their data, we will comply (after confirming any necessary authorizations, since deleting medical records is a serious action). However, we might retain minimal information about the account in our records for legitimate business purposes, like proving that the person had an account (for legal/accounting records) or retaining email correspondence history in our support system.
- Communications: Copies of communications (emails, texts, chat logs) sent through Atlas.md are generally retained as part of the medical record (if they are patient-related). Administrative communications (like emails we send you with updates) are kept for reference as needed in our email logs (usually for a year or two, unless longer retention is needed). If you opt out of marketing emails, we will keep that preference (meaning we keep your email on a suppression list to ensure we don’t accidentally email you).
- Logs and Backups: Our system logs, which may include personal data like IP addresses or user IDs, are generally retained for a finite period (e.g., logs might be kept for 1 year) unless we need to preserve them longer for security analysis or legal purposes. Backups containing personal data are retained according to our backup retention schedule (which may keep daily/weekly backups for several weeks, monthly backups for a few months, and some yearly snapshots). When backups expire, they are deleted securely.
- Anonymized Data: If we have derived anonymized or aggregated data from personal information, we may retain that indefinitely, as it no longer contains personal information. For instance, general statistics or improvements to algorithms gleaned from historical data may be kept.
Legal Hold: Note that if we are under a legal obligation to preserve data (e.g., a litigation hold, government investigation, or specific law requiring certain data retention), we will suspend routine deletion until that obligation is fulfilled.
When we do dispose of personal data, we take care to do so securely. For example, digital data deletion involves deleting from databases and overwriting or encrypting backups when they cycle out, and physical media (if any) would be shredded or destroyed.
6. Individual Rights and Choices
Depending on who you are (patient, provider, website visitor) and applicable laws, you may have certain rights regarding your personal information. We are committed to honoring applicable rights requests in a timely manner. Below are ways you can control your information and exercise rights:
- Access and Correction:
- Providers/Clinics: As a user of our platform, you can access and update much of your account information directly (for example, you can edit your profile, update contact info, change settings). For patient records, providers can correct or update information in the charts as needed (e.g., if a birthdate was entered incorrectly, you can fix it). If you need assistance accessing data that isn’t readily available through the app (for instance, an old log or an archived record), you can contact us.
- Patients: If you want to access your health records on Atlas.md, the best approach is to contact your healthcare provider. They can provide you records or enable access via the patient portal. We rely on the clinic to verify identity and give out records appropriately. However, under laws like HIPAA, you have a right to obtain a copy of your medical records from your provider (with few exceptions). Atlas.md will assist our client (the clinic) in fulfilling such requests. If needed, you (or your provider) can also contact us at support@atlas.md for help exporting data. If you believe any information about you is incorrect or incomplete, you can request the provider to correct it; if the data is within Atlas.md, the provider can edit the record, or we can assist them if needed.
- Deletion (Right to Erasure):
- Providers/Clinics: You may request deletion of certain data (for example, deleting a test patient you created or removing a file). In many cases you can do this yourself in-app. For complete account or data deletion, an authorized person should contact us with that request. We will then coordinate to verify the request and discuss the consequences (as deleting medical data is significant). We will honor legitimate deletion requests by permanently deleting personal data, except where retention is required or permitted by law (see Data Retention above).
- Patients: You can request your provider to delete your record. If the provider determines that they can comply (considering medical recordkeeping duties), they might delete or anonymize your data in the system. If a provider asks us to delete patient data, we will do so and confirm once completed. If you directly request us (the platform) to delete your data, we will refer you to your provider or get confirmation from them. In cases where the clinic has ceased to operate or you cannot reach them, we will work with you to find a solution, but we may need to ensure the request is legitimate before deleting any health records.
- Portability:
If you (provider or patient) need a copy of your data in a common format, we support data export. Providers can export patient records (often as PDFs for charts or spreadsheets for certain lists) via the app. If more extensive export is needed (like an entire database for moving to another system), we can provide data in CSV or other formats upon request. Patients can ask their provider for a copy of records (as per HIPAA Right of Access, typically within 30 days of the request).
- Restriction of Processing:
If you are a patient who has concerns about how your data is used, you might ask your provider (and indirectly us) to restrict certain uses. For example, you might not want your doctor to share your data with a particular integration (like, say, you opt out of having your data used in an AI feature). The provider can often accommodate that (by not using that feature for you). From Atlas.md’s side, if we receive such a request (likely via the provider), we can offer suggestions, like marking the record or ensuring it’s excluded from any de-identified analytical processes if that’s the concern. Generally, because we process data at the direction of the clinic, we’d follow their lead on any restrictions.
- California Privacy Rights (CCPA/CPRA):
If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (as amended by the CPRA). However, please note that personal health information handled by a provider may be exempt from CCPA if it’s PHI under HIPAA or if Atlas.md is considered a medical service provider. That said, we want to be transparent and supportive of privacy rights. California residents can request: (a) a notice of categories of personal information we have collected, used, and shared; (b) access to specific pieces of information (which, as discussed, is usually via your provider if it’s PHI); (c) deletion of personal information (with similar caveats that medical record laws may override pure deletion rights); and (d) information about whether your personal data was sold or shared for “valuable consideration” (we can clearly state we do not sell personal data, and we don’t share it for cross-context behavioral advertising). To exercise California rights, you can contact us at support@atlas.md. We will need to verify your identity and that you are a California resident making the request. If it’s about patient data, we might also involve the clinic as needed. We will not discriminate against anyone for exercising their privacy rights (meaning we won’t deny service or change pricing just because you made a data request).
- Other State-Specific Rights:
Other states (like Colorado, Virginia, etc.) have privacy laws effective in 2023-2025 that give individuals certain rights similar to CCPA. Atlas.md will extend similar courtesy and processes to individuals from those states. You can reach out to us, and we’ll work to fulfill your request in line with applicable law. Much of the approach will be similar: verifying identity, coordinating with the data controller (the clinic) for health data, and responding within required time frames (typically 30 to 45 days).
- Opt-Out of Communications:
- If you are a provider user and you no longer want to receive our newsletter or promotional communications, you can opt out by clicking the unsubscribe link in those emails or by contacting support. Note that you cannot opt out of essential service communications (like billing notices or security alerts).
- Patients typically won’t get general communications from us directly, but if you for some reason receive something, you can opt out similarly. For text messages or emails sent by your clinic via Atlas.md (like appointment reminders), you may opt out by contacting your clinic or following any opt-out instructions in the message (for instance, replying “STOP” to a text message may opt you out of future texts from that clinic’s number, as per telecom regulations).
- Do Not Track (DNT):
Our websites and web application currently do not respond to “Do Not Track” signals from browsers. We do limit tracking as described (we don’t do third-party ad tracking), but if you enable DNT, we haven’t implemented changes in behavior based on that. We will review such preferences if standards emerge.
If you have any questions about your rights or how to exercise them, please contact us at support@atlas.md. We will be happy to explain and help with the process. In many cases, because of the nature of our service, we will advise you to also speak with your healthcare provider (for anything related to your health record) to ensure proper handling under medical privacy rules.
7. Children’s Privacy
Atlas.md is not directed to children for direct sign-up. However, it does store personal information about children in a healthcare context (for example, pediatric patients of a clinic will have records in the system). Any such data is provided by the child’s parent or guardian and the healthcare provider, and is used only for the purposes of healthcare services for that child. We do not knowingly collect personal information from children under 13 directly through any public-facing portal without parental consent. If a patient under 13 is given access to, say, a messaging app by their parent/guardian, it is assumed the parent/guardian supervised that and consented.
If you are a parent or guardian and believe that a minor’s personal information has been provided to us without proper consent, please contact us. We will work with you and the clinic to address any concerns, including deleting any inadvertent unauthorized information. In practice, since we operate through clinics, the clinic obtains parental consent for treating minors and for using Atlas.md as part of that service.
8. International Users
Atlas.md is designed for use by clinics and patients in the United States. Our infrastructure is based in the U.S., and our operations are subject to U.S. laws. If you are accessing the Services from outside the U.S., be aware that your information will be transferred to, stored, and processed in the United States. The data protection laws of the U.S. may differ from those in your country of residence. By using our Services or providing us with your information, you acknowledge this transfer and processing in the U.S.
If you are in the European Economic Area (EEA), United Kingdom, or other regions with comprehensive data protection laws (like GDPR), please note that Atlas.md is likely not offering services to you directly (as our focus is U.S. clinics). Any personal data of EU individuals in our system would typically be there because a U.S.-based clinic entered it (which may happen if an EU citizen is a patient of a clinic here, or a user decides to use it abroad). In those cases, the clinic would be the data controller and Atlas.md a data processor. We would handle that data under the contractual instructions of the clinic (likely via a Data Processing Addendum in line with GDPR standards). If GDPR applies, individuals have rights similar to those described in Section 6, and we will assist the controller (clinic) in fulfilling those. We also ensure adequate safeguards for any EU data, such as standard contractual clauses if appropriate, and we treat all personal data with high security regardless of origin.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes to the policy, we will notify our users in an appropriate manner:
- Clinics/Providers: We may notify you via email (sent to the account owner or admin) or via an in-app notification, and by updating the “Last Updated” date at the top of this policy. We encourage you to review this Privacy Policy periodically for any changes.
- Patients: If you are a patient and we have your email on file (e.g., for portal access), we might also notify you of significant changes that affect how your data is handled. However, in many cases the provider will be your point of contact. We may rely on the clinics to communicate privacy policy updates to their patients if needed. We will also post any revised Privacy Policy on our website (atlas.md) and within the app where it can be viewed.
If we were to make a change that we believe retroactively reduces your privacy rights (for example, if we decided to start using data in a new way that you didn’t originally agree to), we would either obtain your consent or give you a clear ability to opt out of that new use. Most changes are likely to be minor or clarifying. Your continued use of the Services after the effective date of a revised policy will signify your acceptance of the updated terms, to the extent permitted by law.
For any questions regarding the changes or to get the previous version of the policy, you can contact us.
10. Contact Us
If you have any questions, concerns, or comments about this Privacy Policy or our data practices, please don’t hesitate to contact us:
- By Email: support@atlas.md. (Email is often the quickest way to reach us for privacy queries. Please do not include sensitive information in the subject line. If you are a patient inquiring about your data, note that we may loop in your provider or ask you to verify identity before disclosing or deleting data.)
- By Mail: Atlas CRM, LLC (Attn: Privacy) – 6600 E. Summerside Place, Bel Aire, KS 67226, USA.
We will address your inquiries as promptly as possible. If you have a dispute with us regarding privacy, we will work in good faith to resolve it. If you feel we have not satisfactorily addressed your concern, you may have the right to lodge a complaint with a supervisory authority (for example, a data protection authority or the U.S. Department of Health & Human Services Office for Civil Rights, in the case of HIPAA issues). We would appreciate the chance to deal with your concerns directly first.
Your trust is vital to us. Atlas.md is built around the idea of providing personal, reliable service for direct care, and that extends to how we handle your data. We appreciate you taking the time to read this Privacy Policy.