CharterMD Privacy Policy

Last updated: 2026-06-02 · **Draft pending final review by licensed counsel.** This policy describes our current practices; material changes will be re-published with a new effective date.

1. Who we are

CharterMD LLC ("CharterMD", "we", "us") provides a software platform that independent, licensed physicians use to deliver direct-care and telehealth services. When your Provider uses CharterMD to deliver care, CharterMD acts as a Business Associate (under HIPAA) of your Provider, who is the Covered Entity. We handle Protected Health Information ("PHI") only to provide the Platform and as permitted by our Business Associate Agreements (BAAs) and law.

2. Information we collect

3. How we use information

We do not sell your personal information. Our AI features run on Azure OpenAI under our Microsoft BAA and are not used to train third-party foundation models on your data.

4. How we share information

We share information only as needed to provide the Platform and as law allows:

5. Security

We use encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication, audit logging, and least-privilege access. No system is perfectly secure, but we work to protect your information and to meet the HIPAA Security Rule's safeguards.

6. Data retention

Medical records are retained as required by law (generally at least six years) regardless of membership status. Other data is retained as long as needed for the purposes above or as law requires, then deleted or de-identified.

7. Your rights

Subject to law, you may access the PHI we hold (self-service export in the Platform), request amendment of inaccurate records, request an accounting of certain disclosures, and restrict or revoke certain authorizations (with limits where care or law requires retention). Where applicable state privacy laws grant additional rights, you may exercise them by contacting us. Use Settings → My Data, or contact privacy@chartermd.ai.

8. Breach notification

If a breach of unsecured PHI occurs, we will notify the affected Provider (Covered Entity) and support required notifications to individuals and authorities within the timeframes required by the HIPAA Breach Notification Rule.

9. Children

The Platform is intended for adults (18+) or minors with verified guardian consent where permitted.

10. Changes

We may update this policy; material changes will be posted with a new "Last updated" date and, where required, communicated to you.

11. Contact

Privacy questions or requests: privacy@chartermd.ai. For HIPAA matters, your Provider is the Covered Entity and may also be contacted directly.

Questions? privacy@chartermd.ai