Privacy Policy & Notice of Privacy Practices

HIPAA-compliant privacy protection through our AWS-native security architecture. Your logistical facilitation data is safeguarded within our encrypted fortress.

Effective Date: January 29, 2026

Notice of Privacy Practices (NPP)

HIPAA Privacy Rule Compliance

Medical Tourism Chat is a HIPAA-compliant platform engineered from the ground up to safeguard your privacy. This Notice of Privacy Practices (NPP) describes how we collect, use, and disclose Logistical Facilitation Data in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Our platform is built on a 100% AWS-native infrastructure designed to keep your data secure within a single, encrypted ecosystem. Unlike conventional platforms that rely on third-party tracking and analytics services, Medical Tourism Chat processes all data internally through AWS services protected by a Business Associate Agreement (BAA).

HIPAA Compliance Officer

Medical Tourism Chat has designated a HIPAA Compliance Officer responsible for ensuring adherence to all applicable privacy and security regulations:

Compliance Officer

  • Name: Josiah Brown
  • Email: help@medicaltourismchat.com
  • Role: Oversees HIPAA compliance, privacy practices, and data security protocols

For all privacy-related inquiries, complaints, or requests to exercise your rights under HIPAA, please contact our Compliance Officer directly at help@medicaltourismchat.com.

What We Are: Educational Resources & Logistical Facilitation

Medical Tourism Chat provides Educational Resources for Medical Travel and Logistical Facilitation services. We help users explore international healthcare options, understand procedural considerations, and coordinate travel logistics.

We are NOT a medical provider, healthcare facility, or licensed medical practice. We do not provide medical advice, diagnoses, treatment recommendations, or clinical services. All medical decisions should be made in consultation with qualified, licensed healthcare professionals.

Privacy by Design: The AWS Fortress

100% Internal Data Processing

Medical Tourism Chat is engineered as a privacy-first platform. We have intentionally eliminated all third-party tracking technologies that could compromise your privacy. Every component of our infrastructure is designed to keep your data within a secure, HIPAA-compliant AWS environment.

What We Do NOT Use

  • ❌ No Google Analytics or GA4 tracking
  • ❌ No Facebook Pixel or social media trackers
  • ❌ No ContentSquare or other session replay/heatmap software
  • ❌ No third-party advertising networks or retargeting pixels
  • ❌ No external geolocation services
  • ❌ No data brokers or marketing platforms

What We DO Use (to maintain HIPAA compliance)

  • ✅ AWS CloudWatch RUM for internal analytics
  • ✅ AWS infrastructure exclusively for all data processing
  • ✅ First-party data collection only
  • ✅ Anonymized, aggregated metrics for platform improvement

This architecture ensures that your Logistical Facilitation Data never leaves our secure AWS environment and is never shared with third-party analytics or advertising platforms.

Information We Collect

Logistical Facilitation Data

We collect information necessary to provide Educational Resources and Logistical Facilitation services. All information is processed exclusively within our secure AWS infrastructure:

Information You Provide Directly

  • Chat Interactions: Conversational data about medical travel interests, procedural inquiries, destination preferences, budget considerations, and travel logistics
  • Account Information: Name, email address, and optional phone number for service coordination and authentication
  • Travel Preferences: Destination interests, timing considerations, and logistical requirements
  • Procedural Interests: General inquiries about medical procedures for educational and planning purposes (not clinical advice)
  • User-Uploaded Content: Images and audio recordings you choose to share for trip planning purposes

Information Collected Automatically

  • Technical Data: Device type, browser characteristics, IP address (anonymized), and session identifiers
  • Usage Analytics: Page views, navigation patterns, feature interactions, and performance metrics collected through AWS CloudWatch RUM
  • Security Logs: Access logs, authentication events, and security monitoring data stored in AWS CloudWatch Logs
  • Error Data: Application errors and performance issues for system improvement

Information We Do NOT Collect

  • ❌ Insurance information or payment card details (we do not process payments)
  • ❌ Precise geolocation tracking
  • ❌ Biometric data or health monitoring information
  • ❌ Browsing history outside of our platform

The AWS Security Fortress

Our HIPAA-Compliant Infrastructure

Medical Tourism Chat operates on a fully integrated AWS infrastructure designed to meet and exceed HIPAA security requirements. Your data never leaves our secure AWS environment. Every service we use is covered by Amazon Web Services' Business Associate Agreement (BAA).

Data Storage & Encryption

  • AWS RDS (PostgreSQL): All trip planning data, user profiles, and conversation history stored in an encrypted relational database with automatic backups
  • AWS S3: User-uploaded images and audio files stored with server-side encryption (AES-256) and access controls
  • Encryption in Transit: All data transmitted using TLS 1.2+ encryption between your browser and our servers
  • Encryption at Rest: All stored data encrypted using AWS-managed encryption keys with regular key rotation

Identity & Access Management

  • AWS Cognito: Enterprise-grade authentication and user identity management with secure password policies
  • Multi-Factor Authentication (MFA): Available for enhanced account security
  • Role-Based Access Control (RBAC): Strict permission boundaries ensuring personnel access only necessary data
  • Session Management: JWT-based authentication with automatic token expiration and refresh mechanisms

AI Intelligence (Privacy-Protected)

  • AWS Bedrock: AI-powered conversational assistance using foundation models hosted within AWS infrastructure
  • No Training on User Data: Your conversations are NEVER used to train AI models or shared with model providers
  • Isolated Processing: All AI inference occurs within our AWS environment with no external API calls
  • Content Filtering: Automated safeguards to prevent inappropriate content and maintain professional interactions

Audio Processing

  • AWS Transcribe: HIPAA-compliant audio-to-text transcription service for voice messages
  • Temporary Storage: Audio files stored temporarily in S3 during processing, then automatically deleted
  • Medical Vocabulary: Custom medical terminology support for accurate transcription of healthcare-related terms
  • Secure Processing: All transcription occurs within AWS infrastructure with no third-party services

Analytics & Monitoring

  • AWS CloudWatch RUM: HIPAA-compliant real user monitoring for performance tracking and error detection
  • AWS CloudWatch Logs: Centralized logging for security monitoring, audit trails, and compliance reporting
  • No Third-Party Analytics: All analytics data stays within AWS infrastructure; it is never sent to Google, Facebook, or other platforms
  • Anonymized Metrics: Performance data aggregated and anonymized to protect individual privacy

This comprehensive AWS-native architecture ensures that your Logistical Facilitation Data remains within a single, HIPAA-compliant ecosystem protected by Amazon Web Services' Business Associate Agreement (BAA). We do not use any third-party services that could access or process your data outside this secure environment.

How We Use Your Information

We process Logistical Facilitation Data exclusively for the following legitimate purposes:

  • Service Delivery: Providing AI-assisted trip planning, educational resources, and logistical coordination for medical travel
  • Communication: Responding to inquiries, providing service updates, and facilitating introductions to healthcare providers when requested
  • Platform Improvement: Analyzing usage patterns (using anonymized, aggregated data) to enhance features, performance, and user experience
  • Security & Compliance: Monitoring for security threats, preventing abuse, maintaining HIPAA compliance, and protecting user data
  • Legal Obligations: Complying with applicable laws, regulations, and lawful requests from authorities
  • Account Management: Managing user accounts, authentication, and access to personalized features

How We Share Information

Business Associates & Service Providers

Medical Tourism Chat shares information only with HIPAA-compliant Business Associates who are contractually obligated to protect your data. We have a zero-tolerance policy for unauthorized data sharing.

AWS (Amazon Web Services) - Primary Business Associate

  • Services Used: RDS (database), S3 (file storage), Cognito (authentication), Bedrock (AI), Transcribe (audio processing), CloudWatch (monitoring and analytics)
  • BAA Status: ✅ Signed Business Associate Agreement in place
  • Data Residency: us-east-2 (Ohio, United States) region
  • Purpose: Core infrastructure and all data processing operations
  • Compliance: AWS services are HIPAA-eligible and covered by our BAA

Healthcare Provider Introductions

  • When you explicitly request an introduction to a specific healthcare facility or provider, we share only the minimum necessary information to facilitate that connection
  • You maintain full control over which providers receive your information and can decline any introduction
  • Providers are independently responsible for their own HIPAA compliance and privacy practices
  • We do not share your information with providers without your explicit consent

Legal Disclosures

  • We may disclose information when required by law, court order, subpoena, or regulatory authority
  • We may disclose information to prevent serious harm, protect public safety, or assist law enforcement in urgent situations
  • We will notify you of legal disclosures unless prohibited by law or court order

We do NOT sell, rent, or trade your Logistical Facilitation Data to third parties for marketing purposes. We do NOT share your data with advertising networks, data brokers, social media platforms, or any other third-party services outside our AWS infrastructure.

Your Rights Under HIPAA

As a HIPAA-compliant platform, Medical Tourism Chat respects and upholds your rights regarding your Logistical Facilitation Data:

Right to Access

  • You have the right to inspect and obtain a copy of your Logistical Facilitation Data
  • Request access by contacting our HIPAA Compliance Officer at help@medicaltourismchat.com
  • We will respond within 30 days of your request with the requested information or an explanation if access is denied

Right to Amendment

  • You may request corrections to inaccurate or incomplete information in your records
  • We will review your request and respond within 60 days
  • If we deny your request, we will provide a written explanation and information about your right to submit a statement of disagreement

Right to an Accounting of Disclosures

  • You may request a list of certain disclosures we have made of your information
  • The accounting will cover up to six years prior to your request
  • We will provide the first accounting free of charge; subsequent requests within 12 months may incur a reasonable, cost-based fee

Right to Request Restrictions

  • You may request restrictions on how we use or disclose your information for treatment, payment, or healthcare operations
  • We will consider your request but are not required to agree to all restrictions
  • If we agree to a restriction, we will comply with it unless the information is needed for emergency treatment

Right to Confidential Communications

  • You may request that we communicate with you in a specific way or at a specific location
  • We will accommodate reasonable requests without requiring an explanation

Right to a Paper Copy of This Notice

  • You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically
  • Contact help@medicaltourismchat.com to request a printed copy by mail

To exercise any of these rights, contact our HIPAA Compliance Officer, Josiah Brown, at help@medicaltourismchat.com. We will verify your identity and respond within the timeframes required by HIPAA.

Your Rights Under GDPR & CCPA

Additional Privacy Rights for EU, UK, and California Residents

In addition to HIPAA protections, we provide enhanced privacy rights for residents of the European Union, United Kingdom, and California:

  • Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information (subject to legal retention requirements and exceptions)
  • Right to Opt-Out: Opt out of the sale of personal information (note: we do not and will never sell personal information)
  • Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment, denial of service, or different pricing
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format for transfer to another service
  • Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
  • Right to Restrict Processing: Request restriction of processing in certain circumstances

To exercise these rights, contact help@medicaltourismchat.com. We will verify your identity and respond within the timeframes required by applicable law (typically 30-45 days).

Data Retention & Deletion

We retain Logistical Facilitation Data only as long as necessary to provide services, comply with legal obligations, resolve disputes, and maintain security:

  • Active Accounts: Data retained while your account is active and for a reasonable period thereafter to provide continuity of service
  • Inactive Accounts: Data may be deleted after 24 months of inactivity (unless legal retention is required)
  • Deletion Requests: We will delete your data within 30 days of a verified deletion request (subject to legal exceptions)
  • Backup Retention: Deleted data may persist in encrypted backups for up to 90 days before permanent deletion from all systems
  • Legal Holds: Data subject to legal proceedings, regulatory investigations, or compliance requirements will be retained until the hold is lifted
  • Audit Logs: Security and access logs may be retained for up to 7 years for compliance and audit purposes

Upon deletion, your data is permanently removed from our production systems and cannot be recovered. We will confirm deletion upon request.

International Data Transfers

Medical Tourism Chat is headquartered in Canada and operates AWS infrastructure in the United States (us-east-2 region in Ohio). If you access our Services from outside North America, your information will be transferred to and processed in the United States.

We rely on appropriate safeguards for international transfers:

  • AWS Business Associate Agreement (BAA) for HIPAA compliance
  • Standard Contractual Clauses (SCCs) for EU/UK data transfers
  • Encryption in transit and at rest for all data transfers
  • Strict access controls and monitoring of all data access
  • Regular security assessments and compliance audits

By using our Services, you consent to the transfer of your information to the United States and processing in accordance with this Privacy Policy and applicable data protection laws.

Security Measures

Technical & Organizational Safeguards

Medical Tourism Chat implements comprehensive security measures to protect your Logistical Facilitation Data from unauthorized access, use, disclosure, alteration, or destruction:

Technical Safeguards

  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC) with principle of least privilege
  • Authentication: Multi-factor authentication (MFA) required for administrative access
  • Monitoring: 24/7 security monitoring through AWS CloudWatch with automated alerts
  • Vulnerability Management: Regular security assessments, penetration testing, and patch management
  • Incident Response: Documented procedures for security incident detection, response, and recovery
  • Network Security: Firewalls, intrusion detection systems, and DDoS protection

Organizational Safeguards

  • HIPAA Training: All personnel receive comprehensive HIPAA privacy and security training
  • Background Checks: Security screening for all personnel with data access
  • Confidentiality Agreements: All personnel and contractors sign confidentiality agreements
  • Audit Trails: Comprehensive logging of all data access, modifications, and administrative actions
  • Business Associate Agreements: Contracts with all service providers handling data
  • Incident Response Team: Dedicated team for security incident management
  • Regular Audits: Periodic compliance audits and security reviews

While we implement industry-leading security measures and follow best practices, no system is completely secure. We cannot guarantee absolute security but commit to promptly notifying you of any security breaches as required by law and taking immediate action to mitigate harm.

Cookies & Tracking Technologies

Medical Tourism Chat uses minimal cookies and tracking technologies, all processed within our AWS infrastructure. We do not use third-party cookies or tracking scripts.

Essential Cookies (Required for Functionality)

  • Authentication: Session tokens for secure login and user authentication (AWS Cognito)
  • Security: CSRF protection tokens and security headers to prevent attacks
  • Functionality: User preferences, language settings, and session state

Analytics Cookies (HIPAA-Compliant, Optional)

  • AWS CloudWatch RUM: Performance monitoring, error tracking, and user experience analytics
  • No Third-Party Tracking: All analytics data stays within AWS infrastructure
  • Anonymized Data: Individual user behavior is not tracked or identified
  • Aggregated Metrics: Data is aggregated for platform improvement only

We do NOT use advertising cookies, social media pixels, retargeting cookies, or third-party tracking scripts. You can disable non-essential cookies through your browser settings, though this may limit some functionality.

Children's Privacy

Medical Tourism Chat is intended for adults aged 18 and older. We do not knowingly collect, use, or disclose information from children under 18 years of age.

If we learn that we have collected information from a child under 18, we will delete that information immediately and terminate any associated account. If you believe we may have collected information from a child, please contact us immediately at help@medicaltourismchat.com.

Breach Notification

In the event of a data breach involving your Logistical Facilitation Data, Medical Tourism Chat will comply with all applicable breach notification requirements:

  • Notify affected individuals within 60 days of discovery (as required by HIPAA)
  • Notify the U.S. Department of Health and Human Services (HHS) as required by HIPAA
  • Notify media outlets if the breach affects more than 500 individuals in a jurisdiction
  • Provide detailed information about the breach, including what data was affected, steps taken to mitigate harm, and actions you can take to protect yourself
  • Offer credit monitoring or identity protection services if appropriate

We maintain a comprehensive incident response plan and will act swiftly to contain any breach, investigate the cause, and prevent future occurrences.

Changes to This Privacy Policy

We may update this Privacy Policy and Notice of Privacy Practices to reflect changes in our practices, technology, legal requirements, or business operations. We are committed to transparency and will notify you of material changes.

Material changes will be communicated by:

  • Updating the "Effective Date" at the top of this page
  • Posting a prominent notice on our website homepage
  • Sending email notification to registered users for significant changes
  • Providing a summary of changes in the notification

Your continued use of the Services after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the changes, you should discontinue use of the Services and contact us to delete your account.

Complaints & Enforcement

If you believe your privacy rights have been violated, you have the right to file a complaint. You will not be retaliated against for filing a complaint.

Internal Complaint

  • Contact: Josiah Brown, HIPAA Compliance Officer
  • Email: help@medicaltourismchat.com
  • We will investigate your complaint thoroughly and respond within 30 days
  • We will take appropriate corrective action if a violation is found

External Complaint (U.S. Department of Health and Human Services)

  • Office for Civil Rights (OCR)
  • U.S. Department of Health and Human Services
  • Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
  • Phone: 1-800-368-1019
  • You have 180 days from when you knew or should have known of the violation to file a complaint

We take all complaints seriously and are committed to resolving privacy concerns promptly and fairly.

Contact Information

For privacy questions, to exercise your rights, or to file a complaint, please contact:

HIPAA Compliance Officer

  • Name: Josiah Brown
  • Email: help@medicaltourismchat.com
  • Company: Medical Tourism Chat
  • Location: Canada

General Inquiries

  • Email: help@medicaltourismchat.com
  • Website: medicaltourismchat.com