Privacy Notice

Effective May 1, 2026

1. Who we are

Medulla is built by Medulla Technologies Inc. (“Medulla”, “we”, “our”, or “us”), based in Ontario, Canada. We provide clinical practice intelligence software, including a web application and a browser extension that integrates with electronic medical record (“EMR”) systems used by Canadian clinicians.

This Privacy Notice explains how we collect, use, store, disclose, and protect personal information when people use Medulla.

2. Who this notice applies to

This notice applies to:

  • Clinicians and clinic staff (“Users”) who access or use Medulla.
  • Patients (“Patients”) whose information may be processed through Medulla because their clinician is using Medulla during care.

We use the word “you” throughout this notice. Where a section applies only to Users or only to Patients, we say so.

3. What information we collect, and how

We may collect personal information, health information, and technical information in the following ways.

A. Information from Users

When a User signs in to or uses Medulla, we may collect:

  • account information such as name, email address, practice affiliation, and role
  • authentication and session information used to sign the User in and keep the account secure
  • support and communication information if a User contacts us directly
  • product usage information, such as which features were accessed and when

B. Information from a clinic’s EMR through the browser extension

When a User opens the Medulla browser extension on a supported EMR page, the extension reads the patient context shown on that page so Medulla can support the clinical task at hand.

Depending on the workflow, this may include:

  • an internal patient identifier used by the EMR
  • encounter context visible to the User in the EMR
  • limited clinical record information relevant to the feature being used

The extension does not intentionally transmit a Patient’s name, phone number, email address, postal address, health card number, or date of birth through the workflow described above.

C. Information from clinical encounters and AI scribe use

If a User starts a Medulla scribe session during a patient encounter, Medulla may process:

  • the audio recording submitted by the User
  • the Patient’s and clinician’s spoken words if the encounter is recorded
  • a transcript of the encounter
  • a clinical note generated from the transcript
  • suggested chart updates, coding support, billing items, or similar outputs derived from the transcript

Medulla only receives the encounter data the User chooses to record, upload, or otherwise submit for processing.

D. Information from our website and product infrastructure

When you use our website or product, we may automatically collect limited technical information such as:

  • IP address
  • browser type
  • device and operating system information
  • timestamps, pages viewed, and navigation events
  • diagnostic and error information used for security, reliability, and product improvement

If you contact us through a website form, email, or another support channel, we collect the information you provide in that communication.

4. Why we use information

We use the information we collect to:

  • provide, maintain, and improve Medulla
  • authenticate Users, manage sessions, and protect accounts
  • operate AI-powered product features requested by the User
  • generate transcripts, notes, and other clinical outputs
  • communicate with Users about their account, support requests, or product updates
  • monitor reliability, prevent misuse, investigate incidents, and protect our systems
  • comply with legal, regulatory, and contractual obligations

We do not sell personal information. We do not use personal information or health information processed through Medulla for advertising.

5. How Medulla uses artificial intelligence

Medulla uses artificial intelligence to deliver features such as transcription, note generation, and related clinical assistance. To provide these features, we use Medulla-operated systems and may also use third-party AI service providers acting on our behalf.

We do not use the personal information or health information processed through Medulla to train or improve general-purpose AI models, whether ours or a third party’s. We do not permit our AI service providers to use that information for their own model training or product purposes.

Our AI providers are contractually required to:

  • process information only to provide the services we request
  • maintain appropriate safeguards
  • not use the information for their own independent purposes

Where appropriate and lawful, Medulla may use de-identified or aggregated information for security, analytics, product quality, or product improvement.

6. How Medulla interacts with EMR software

Most clinicians store and manage patient records in EMR software. Medulla’s browser extension runs alongside supported EMRs to help clinicians work more efficiently.

The extension reads information visible on the EMR page so the User can, for example:

  • chat about a Patient in clinical context
  • generate notes from an encounter
  • receive suggestions for chart updates or billing support

Medulla does not write back to the EMR unless the User explicitly chooses to take that action.

Medulla is not the custodian of the Patient’s EMR record. Questions about the contents of the EMR record, corrections to the chart, or medical-record retention should be directed to the clinic or clinician responsible for that record.

Users are responsible for obtaining any consent required by applicable law, professional obligations, or clinic policy before using Medulla in connection with a Patient, including before recording an encounter.

If a Patient does not want their information processed through Medulla, they should tell their clinician. The clinician can choose not to use Medulla during that interaction.

8. How we share information

We share information only when reasonably necessary to operate Medulla or when we are legally required to do so.

We may share information with:

  • Service providers that help us host infrastructure, process data, monitor errors, deliver communications, or support AI functionality
  • Professional advisors and transaction counterparties in connection with audits, financings, reorganizations, mergers, acquisitions, or similar business transactions
  • Government authorities, courts, regulators, or law enforcement where disclosure is required by law or valid legal process

We require service providers handling personal information on our behalf to protect it and use it only for the services they provide to us.

We do not sell or rent personal information to third parties.

9. Where we store information

Personal information collected by Medulla is primarily hosted in Canadian data centres operated by reputable cloud providers.

Some product features, including AI-powered processing or supporting infrastructure, may involve limited processing by service providers located outside Canada, including in the United States. Information processed outside Canada is subject to the laws of the jurisdiction where it is processed, which may permit access by local governments, courts, or regulators.

10. How long we keep information

We keep information only for as long as reasonably necessary to provide Medulla, support the requested workflow, meet legal and regulatory obligations, resolve disputes, and enforce our agreements.

In particular:

  • Raw scribe audio is retained only to transcribe the recording and, if needed, to help the clinician and Medulla troubleshoot a transcription or processing issue. It is kept for no longer than 48 hours and is not retained for general product improvement or model training.
  • Transcripts, notes, billing support outputs, and related scribe artifacts are retained as part of the clinician’s ongoing Medulla workspace so they can review prior scribe sessions, revisit patient encounters, edit outputs, and, where applicable, copy them into the clinical record. These records remain available for day-to-day use unless they are deleted, and may also be retained as needed to meet applicable legal, regulatory, or operational requirements.
  • Technical logs and support records may be retained for security, debugging, compliance, and audit purposes for a limited period appropriate to those purposes.

Retention obligations for the clinic’s own medical records are determined by the clinic and applicable law, not by this notice alone. Patients should contact their clinic with questions about retention of their clinical chart.

When information is no longer needed, we delete it or de-identify it.

11. How we keep information accurate

We take reasonable steps to keep information in our custody accurate and up to date. In many cases, we rely on Users and clinics to provide accurate information and to tell us when account or contact information changes.

12. How we protect information

We use administrative, technical, and physical safeguards designed to protect information against unauthorized access, use, disclosure, alteration, and destruction.

These safeguards include:

  • encryption in transit using industry-standard TLS
  • encryption at rest for databases and file storage
  • application-layer encryption of sensitive content such as chat messages, scribe transcripts, and clinical notes
  • access controls based on least privilege
  • audit logging and security monitoring
  • routine review of our infrastructure and code

13. Your rights

Subject to applicable law, you may have the right to:

  • request access to the personal information we hold about you
  • request correction of inaccurate or incomplete information
  • request deletion of information, subject to legal and operational limitations
  • withdraw consent where our processing is based on consent
  • complain to a privacy regulator

For Users, requests can be made by contacting us using the details in Section 15.

For Patients, the clinic and clinician generally control the Patient’s medical record in the EMR and are usually the right first point of contact for access, correction, or deletion requests relating to that record. If you believe Medulla separately holds personal information about you, you may contact us directly.

14. Children

Medulla is not intended for children to use directly as consumer users. Any Patient information relating to minors is processed only at the direction of the treating clinician or clinic, which is responsible for obtaining any required consent from a parent or guardian or otherwise having legal authority to provide care.

15. Changes to this notice

We may update this Privacy Notice from time to time. If we make material changes, we will update the effective date above and may provide additional notice through the product, by email, or by other appropriate means.

16. Contact us

If you have questions, concerns, or requests about this Privacy Notice or how Medulla handles personal information, please contact:

Medulla Technologies Inc.
Ontario, Canada
Email: [email protected]

If you are not satisfied with our response, you may also contact the privacy regulator in your jurisdiction, including:

  • Office of the Privacy Commissioner of Canada: www.priv.gc.ca
  • Information and Privacy Commissioner of Ontario: www.ipc.on.ca
  • Office of the Information and Privacy Commissioner for British Columbia: www.oipc.bc.ca
