Last updated: January 1, 2026. This policy applies to all WhatsAppMD services in the United States.

1. Information We Collect

We collect information you provide directly when creating your health profile: full name, date of birth, gender, state of residence, WhatsApp phone number, medical history (conditions and allergies), and emergency contact details.

During consultations, we collect: symptom descriptions (text and voice), images you share with your doctor, consultation messages, AI triage classifications, and doctor-generated SOAP notes and summaries.

For prescriptions and orders, we collect: prescription details, pharmacy selection, delivery address, and payment information (processed by Stripe — we never store raw card data).

We automatically collect: session metadata, message timestamps, and access logs for HIPAA compliance purposes.

2. How We Use Your Information

We use your health information exclusively to: provide you with healthcare services, route you to the appropriate specialist, enable your doctor to provide informed care, generate and deliver prescriptions, process lab orders and pharmacy orders, facilitate insurance applications and claims, and send medication reminders at your requested times.

We do not use your health information for advertising, marketing profiling, or sale to third parties. Ever.

3. HIPAA & Protected Health Information

WhatsAppMD is a HIPAA-covered entity. Your health information is Protected Health Information (PHI) under HIPAA. We store all PHI exclusively in AWS HealthLake, a HIPAA-eligible service. We have signed Business Associate Agreements (BAAs) with every vendor that may access PHI, including AWS, Stripe, Anthropic (Claude API), OpenAI (Whisper), LabCorp, and Quest Diagnostics.

No PHI is ever transmitted in plain WhatsApp message text. Documents containing PHI (prescription PDFs, lab results) are delivered via presigned S3 URLs that expire after 24 hours.

4. Who We Share Your Information With

We share your information only as necessary to provide your requested services: with your chosen doctor (for consultation), with pharmacies (for prescription fulfilment), with LabCorp or Quest (for lab orders), with your insurance provider (for policy administration and claims), and with payment processors (Stripe) for billing. All sharing is governed by BAAs where required by HIPAA.

We will share your information with law enforcement only as required by law, or in a genuine emergency situation where disclosure is necessary to prevent serious harm.

5. Your Rights

Right to Access: Request a copy of your full health record in FHIR JSON or PDF format at any time through your WhatsAppMD settings.

Right to Correct: Request corrections to inaccurate health information via WhatsApp support.

Right to Delete (Right to Erasure): Request deletion of your account and all associated PHI. We will fulfil deletion requests within 30 days. Anonymised aggregate statistics and legally-required audit logs are retained per HIPAA's minimum retention requirements (6 years).

Right to Data Portability: Request your health data in FHIR R4 format for transfer to another healthcare provider or EHR system.

Right to Restrict Processing: Request that we limit how we use your information in certain circumstances.

6. Data Security

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. We conduct annual penetration testing by an independent security firm. Payment data is never stored — Stripe tokenisation handles all card transactions. Access to PHI is restricted to authorised personnel with documented legitimate purposes, and every access is logged.

7. Contact Our Privacy Team

For privacy requests, HIPAA complaints, or questions about this policy:
Email: [email protected]
WhatsAppMD Privacy Officer · HitchAfrica Technologies Limited