MedSALO Privacy Policy

Effective Date: Feb. 06, 2026
Last Updated: Feb. 06, 2026

MedSALO is a healthcare technology platform operated by SALO AI LLC (“MedSALO,” “SALO AI,” “we,” “us,” or “our”). We provide secure, AI-enabled communication and workflow tools for healthcare providers. We are committed to protecting personal data, protected health information (“PHI”), and business data in accordance with applicable federal and state laws.

1. Applicability and Scope

This Privacy Policy applies to the MedSALO platform and all related services, including clinic and provider dashboards, patient communications facilitated by MedSALO, and any SMS, email, voice, or automated notifications sent through the platform. It also applies to MedSALO-operated websites, portals, application programming interfaces, integrations, and AI-assisted administrative workflows used to support healthcare operations and care coordination.

MedSALO operates as a technology service provider and, where applicable, as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), processing information solely on behalf of authorized healthcare providers and in accordance with applicable Business Associate Agreements.

This Privacy Policy does not replace or modify a healthcare provider’s Notice of Privacy Practices, which governs how covered entities use and disclose protected health information for treatment, payment, and healthcare operations.

2. Categories of information Collected

2.1 Personal Information

MedSALO may collect personal information from platform users, including healthcare providers, clinic staff, and other authorized users. This information may include an individual’s name, email address, telephone number, and organization or clinic affiliation. MedSALO also collects account authentication information, such as user credentials, which are stored using industry-standard hashing and encryption practices to protect against unauthorized access.

2.2 Patient and Healthcare Information

In the course of providing its services, MedSALO may process patient and healthcare-related information on behalf of authorized healthcare providers. This information may include appointment scheduling data, care coordination communications, prescriptions, imaging, and laboratory workflow notifications, as well as documents submitted by patients or providers through secure links. MedSALO may also process limited technical or operational metadata that is necessary to deliver healthcare services and facilitate authorized workflows.

MedSALO does not independently create, control, or maintain complete medical records and processes patient information solely as directed by healthcare providers and in accordance with applicable law and contractual obligations.

2.3 Payment and Financial Information

When applicable, MedSALO may process limited payment and financial information in connection with the services it provides to healthcare providers. This information may include payment status metadata, billing or transaction identifiers, and confirmations related to completed or pending transactions. MedSALO does not process, store, or retain full payment card numbers or sensitive card authentication data.

All payment card transactions are handled exclusively by third-party payment processors that are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). MedSALO relies on these processors to securely handle payment information in accordance with applicable financial and security requirements.

2.4 Technical and Usage Information

MedSALO may automatically collect certain technical and usage information when authorized users interact with the platform. This information may include internet protocol (IP) addresses, device and browser identifiers, login timestamps, and related session information.

MedSALO also maintains system logs, audit trails, and performance or security metrics to monitor platform functionality, ensure operational integrity, support compliance obligations, and detect or prevent unauthorized activity.

3. Legal Bases for Processing

MedSALO processes personal information and, where applicable, patient and healthcare-related information pursuant to one or more lawful bases, depending on the nature of the data and the context in which it is processed. These legal bases may include the individual’s consent, the necessity of processing to perform contractual obligations, and activities related to healthcare treatment, payment, and operations as permitted under applicable law. Information may also be processed to comply with legal or regulatory obligations or where processing is necessary for MedSALO’s legitimate business interests, provided that such interests do not override applicable data protection rights and protections.

4. Use of Information

MedSALO uses information strictly for purposes related to the operation of its healthcare technology platform and the support of authorized healthcare providers. Information may be used to facilitate healthcare communications, deliver transactional notifications, support appointment scheduling and intake workflows, and enable the secure exchange of documents and information. MedSALO also uses information to operate and improve AI-assisted administrative workflows, maintain platform security and integrity, and comply with applicable legal, regulatory, and contractual obligations.

MedSALO does not sell personal data and does not engage in behavioral advertising or targeted marketing practices.

5. HIPAA Compliance and Business Associate Status

When MedSALO handles protected health information on behalf of a healthcare provider that is a covered entity, MedSALO acts as a Business Associate as that term is defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations. In this role, MedSALO processes protected health information solely to support authorized healthcare operations and in accordance with applicable Business Associate Agreements.

MedSALO implements administrative, physical, and technical safeguards designed to comply with the HIPAA Security Rule. These safeguards include internal policies and workforce training, access governance and authentication controls, infrastructure and facility protections, encryption of data in transit and at rest, and continuous system monitoring. Use and disclosure of protected health information are limited to those purposes permitted by applicable law and the terms of the relevant Business Associate Agreements.

6. Provider Responsibilities and Use of MedSALO

Healthcare providers and clinics that use MedSALO are responsible for ensuring that their use of the platform complies with applicable laws, regulations, and professional obligations, including those related to patient consent, privacy, and clinical decision-making. Providers control the patient information they input into or access through MedSALO and determine how MedSALO services are configured and used within their practices.

MedSALO acts solely as a technology service provider and, where applicable, as a Business Associate processing information on behalf of providers in accordance with applicable Business Associate Agreements and provider instructions. MedSALO does not own patient data and does not use such data for purposes other than providing services to authorized providers, supporting platform functionality, and meeting legal and regulatory obligations.

Healthcare providers remain solely responsible for the accuracy, completeness, and appropriateness of information entered into the MedSALO platform, as well as for obtaining any required patient authorizations or consents related to communications, data processing, and care delivery. MedSALO does not replace clinical judgment, medical advice, or a provider’s independent obligations under applicable law.

7. SMS, Email, and Communications Compliance

MedSALO facilitates transactional healthcare communications solely for the purpose of supporting authorized patient care, care coordination, and related healthcare operations. Communications transmitted through the platform, including SMS, email, voice, and automated notifications, are limited to non-promotional, service-related messages such as appointment confirmations, scheduling updates, verification codes, care instructions, and other communications necessary to support treatment, payment, and healthcare operations.

MedSALO does not use communication channels to deliver marketing or advertising messages to patients, and messaging activities are conducted only in accordance with applicable consent requirements, healthcare regulations, and industry standards governing electronic communications.

8. SMS Communications

SMS communications facilitated by MedSALO are sent only after the patient or authorized individual has provided affirmative consent through the applicable healthcare provider. Message frequency may vary depending on the nature of the healthcare services and interactions involved. Standard message and data rates may apply based on the recipient’s mobile service plan. Recipients may opt out of receiving SMS communications at any time by replying STOP, and assistance is available by replying HELP.

Mobile phone numbers and SMS consent data are not shared with third parties for marketing or promotional purposes and are used exclusively to support authorized healthcare communications and related operational needs.

9. Artificial Intelligence and Automated Processing

MedSALO uses artificial intelligence and automated processing technologies to support healthcare administrative functions and improve operational efficiency for authorized healthcare providers. These technologies are used to automate administrative workflows, summarize communications, route patient requests, and reduce provider administrative burden associated with non-clinical tasks. AI-assisted features are designed to operate within defined parameters established by MedSALO and the applicable healthcare provider and are intended to support, rather than replace, human decision-making.

MedSALO’s AI systems do not independently make medical decisions, diagnoses, or treatment determinations and are not intended to be used as clinical decision support tools. All clinical judgments and patient care decisions remain under the exclusive control and responsibility of licensed healthcare professionals.

Automated processing activities are conducted in accordance with applicable laws and regulatory frameworks, including the Health Insurance Portability and Accountability Act (HIPAA), relevant state healthcare and data protection laws, and, where applicable, emerging state laws governing the use of automated decision-making technologies. MedSALO implements governance measures, access controls, and monitoring processes to ensure that AI-assisted workflows are used appropriately, securely, and in a manner consistent with healthcare compliance and patient safety obligations.

10. Cookies and Tracking Technologies

MedSALO may use cookies and similar technologies to maintain user sessions, support authentication and platform functionality, and monitor system performance and reliability. These technologies are used to ensure the secure and effective operation of the platform, improve user experience, and identify technical issues.

Cookies and similar technologies used by MedSALO are not employed for targeted advertising, behavioral profiling, or cross-site tracking, and MedSALO does not use third-party advertising cookies or tracking mechanisms for marketing purposes.

11. Data Sharing and Disclosures

MedSALO discloses information only as necessary to operate its services and to support authorized healthcare operations. Information may be shared with authorized healthcare providers and their designated users, as well as with third-party vendors that provide cloud infrastructure, security services, messaging and communication services, and payment processing functionality required for the operation of the platform. Information may also be disclosed to governmental, regulatory, or law enforcement authorities when required to comply with applicable law, legal process, or regulatory obligations.

All third-party vendors that receive access to information through MedSALO are subject to contractual confidentiality, security, and data-use restrictions designed to protect the information and limit its use to authorized purposes. Where applicable, such disclosures are governed by Business Associate Agreements, data processing agreements, or other legally binding arrangements consistent with HIPAA, applicable state privacy laws, and industry security standards.

12. Data Retention

MedSALO retains information only for as long as is reasonably necessary to provide its services, fulfill contractual obligations, comply with applicable healthcare, financial, and regulatory requirements, and maintain audit, security, and compliance records. Retention periods are determined based on the type of information involved, the purpose for which it is processed, and applicable legal or regulatory obligations.

Retention schedules may vary depending on data category, contractual requirements with healthcare providers, and the jurisdictions in which services are provided.

13. State and Territorial Privacy Rights

MedSALO currently provides services primarily to healthcare providers and patients located in the Commonwealth of Puerto Rico. Personal information and patient data are processed in accordance with applicable federal law, including the Health Insurance Portability and Accountability Act (HIPAA), as well as applicable laws and regulations of Puerto Rico.

To the extent MedSALO expands its services to individuals residing in other U.S. states or territories, additional privacy rights may apply under state consumer privacy laws, such as the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act, as amended from time to time. Where required by applicable law, MedSALO will honor rights related to access, correction, deletion, or limitation of processing of personal information, subject to applicable legal, healthcare, and regulatory exemptions.

Nothing in this section is intended to waive, limit, or replace obligations imposed by federal healthcare laws or regulations, including HIPAA, where such laws apply.

14. International Data Transfers

MedSALO primarily processes and stores information within the United States. In the event that information is accessed, transferred, or processed outside the United States, MedSALO will implement appropriate safeguards consistent with applicable legal and regulatory requirements to protect the confidentiality and security of such information. These safeguards may include contractual protections, security controls, and other measures designed to ensure that information continues to be handled in a manner consistent with this Privacy Policy and applicable law.

15. Children and Minors

related to minors is processed solely under the authorization and direction of a parent, legal guardian, or authorized healthcare provider and in accordance with applicable healthcare, privacy, and child protection laws. MedSALO processes such information only as necessary to support authorized healthcare services and does not knowingly collect personal information directly from children outside of healthcare-related contexts permitted by law.

16. Security Measures

MedSALO employs reasonable and appropriate administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, or destruction. These measures include, among other controls, encryption of data in transit and at rest, role-based access controls, authentication and authorization mechanisms, system monitoring, and incident detection and response procedures. Security practices are reviewed and updated periodically to address evolving risks and regulatory expectations.

While MedSALO is committed to maintaining a robust security posture, no system or method of data transmission can be guaranteed to be completely secure. Users acknowledge and accept the inherent risks associated with electronic data processing and transmission.

17. Legal Obligations and Enforcement

MedSALO may disclose information as required to comply with applicable law, regulation, legal process, or enforceable governmental request, including subpoenas, court orders, or regulatory inquiries. Information may also be disclosed where MedSALO determines, in good faith, that such disclosure is necessary to protect the rights, safety, or security of MedSALO, healthcare providers, patients, users of the platform, or the public, or to investigate or prevent fraud, misuse, security incidents, or violations of applicable agreements or law.

18. Changes to This Privacy Policy

MedSALO may update this Privacy Policy from time to time to reflect changes in its practices, services, legal requirements, or regulatory obligations. When material changes are made, the updated Privacy Policy will be posted with a revised effective date to indicate when the changes take effect.

19. Contact Information

For questions regarding privacy or data practices:

SALO AI LLC
Email: support@saloai.net