Privacy Policy

Last Updated: April 19, 2026

1. Introduction

This Privacy Policy describes how Lexmata LLC, a Delaware limited liability company ("we," "us," "our," or "Lexmata"), collects, uses, maintains, and discloses information collected from users ("you" or "user") of our website and services at Lexmata.ai.

This policy has been developed in compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), applicable regulations promulgated by the U.S. Department of Health and Human Services ("HHS"), and other applicable federal and state privacy laws, including the Delaware Personal Data Privacy Act (6 Del. C. ch. 12C).

This Privacy Policy is incorporated into and governed by our Terms of Service.

2. HIPAA Compliance Overview

2.1 Our Role Under HIPAA

Lexmata LLC operates as a Business Associate under HIPAA when processing Protected Health Information ("PHI") on behalf of Covered Entities. We maintain a comprehensive HIPAA compliance program that meets or exceeds the requirements of the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E), the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), and the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D).

2.2 Business Associate Agreements

Before any PHI is submitted to or processed through the Service, Covered Entities and their Business Associates must execute a Business Associate Agreement ("BAA") with Lexmata LLC. The BAA governs our permitted uses and disclosures of PHI and establishes the specific safeguards we maintain. To request a BAA, contact privacy@lexmata.com.

2.3 Minimum Necessary Standard

Lexmata LLC adheres to the HIPAA minimum necessary standard. We limit our use, disclosure, and requests for PHI to the minimum amount reasonably necessary to accomplish the intended purpose of the use, disclosure, or request.

3. Protected Health Information (PHI)

3.1 Definition

Protected Health Information ("PHI") includes any individually identifiable health information that Lexmata LLC creates, receives, maintains, or transmits in any form or medium, whether electronic ("ePHI"), written, or oral, as defined in 45 C.F.R. § 160.103.

3.2 Collection of PHI

Lexmata LLC may receive or access PHI when:

You upload medical records, health-related documents, or legal records containing health information to the platform
You submit healthcare-related information through our document processing services
You communicate with our support team regarding matters involving PHI
Our AI-powered tools process, analyze, or extract information from documents containing PHI
PHI is transmitted to us by a Covered Entity pursuant to an executed BAA

3.3 Categories of PHI We May Process

Depending on the documents submitted, PHI processed through the Service may include:

Patient names, addresses, dates of birth, and other demographic information
Medical record numbers and health plan beneficiary numbers
Diagnoses, treatment information, and clinical notes
Laboratory results, imaging reports, and prescription records
Billing and insurance information related to healthcare services
Any other individually identifiable health information contained within submitted records

4. Other Information We Collect

4.1 Account Information

When you create an account, we collect:

Name, email address, and contact information
Organization or firm name
Professional role and credentials
Billing and payment information (processed through PCI-DSS compliant payment processors)

4.2 Usage Information

We automatically collect certain information about your use of the Service:

Log data (IP address, browser type, pages visited, timestamps)
Device information (operating system, device identifiers)
Service usage patterns and feature interactions

4.3 Cookies and Similar Technologies

We use cookies and similar tracking technologies to:

Maintain session security and authentication state
Improve website functionality and performance
Analyze aggregate usage patterns and trends
Remember user preferences and settings

Important: We do not use cookies or tracking technologies to collect, store, or transmit PHI. PHI is processed exclusively through our secure platform infrastructure.

4.4 Third-Party Analytics

We may use third-party analytics services (such as privacy-focused analytics tools) to understand website usage. These services collect only non-PHI data and operate under their own privacy policies. We do not share PHI with analytics providers.

5. Use and Disclosure of Information

5.1 Use of PHI

We use PHI strictly as permitted by HIPAA and any applicable BAA for:

Performing the document analysis, review, and processing services described in our Terms of Service
Providing technical support directly related to the Service
Maintaining audit trails and security logs as required by HIPAA
Complying with legal and regulatory obligations

5.2 Use of Non-PHI Information

We use non-PHI information for:

Providing, maintaining, and improving the Service
Processing transactions and sending service-related communications
Responding to customer support inquiries
Analyzing aggregate usage to improve platform features and performance
Enforcing our Terms of Service and protecting our legal rights
Complying with applicable laws and regulations

5.3 Disclosures Without Authorization

Lexmata LLC may use or disclose PHI without individual authorization only as permitted or required by HIPAA, including for:

Legal compliance: As required by federal or state law, including HIPAA
Public health activities: To public health authorities for disease prevention or control
Health oversight: To health oversight agencies for legally authorized activities
Judicial and administrative proceedings: In response to a court order, subpoena, or discovery request that meets HIPAA requirements
Law enforcement: Under specific circumstances as permitted by 45 C.F.R. § 164.512(f)
To avert a serious threat to health or safety

5.4 No Sale of PHI

Lexmata LLC does not and will not sell PHI. We do not use PHI for marketing purposes. We do not disclose PHI to third parties for their own independent use.

6. Security Measures

6.1 Technical Safeguards

Lexmata LLC implements comprehensive technical safeguards in compliance with 45 C.F.R. § 164.312, including:

Encryption: AES-256 encryption for data at rest; TLS 1.2+ encryption for data in transit
Access controls: Unique user identification, automatic logoff, multi-factor authentication, and role-based access controls enforcing the principle of least privilege
Audit controls: Comprehensive logging of all system access, PHI access, modifications, and transmissions
Integrity controls: Mechanisms to authenticate ePHI and protect against improper alteration or destruction
Transmission security: End-to-end encryption for all PHI transmissions
Infrastructure: HIPAA-compliant cloud infrastructure with SOC 2 Type II certification, hosted within the United States

6.2 Administrative Safeguards

We maintain administrative safeguards in compliance with 45 C.F.R. § 164.308, including:

Designated HIPAA Privacy Officer and Security Officer
Regular workforce training on HIPAA privacy and security requirements
Documented policies and procedures for PHI handling, access, and security
Business Associate Agreements with all subcontractors and vendors who may access PHI
Regular risk assessments and management processes
Sanction policy for workforce members who violate HIPAA requirements
Contingency planning including data backup, disaster recovery, and emergency mode operations

6.3 Physical Safeguards

We maintain physical safeguards in compliance with 45 C.F.R. § 164.310, including:

Secure data center facilities with access controls, surveillance, and environmental protections
Workstation use and security policies for all workforce members
Device and media controls governing the receipt, removal, and disposal of hardware and electronic media containing ePHI

7. Breach Notification

7.1 Our Obligations

In the event of a breach of unsecured PHI (as defined in 45 C.F.R. § 164.402), Lexmata LLC will:

Notify affected Covered Entities without unreasonable delay and no later than sixty (60) calendar days after discovery of the breach, as required by 45 C.F.R. § 164.410
Provide all information required for the Covered Entity to fulfill its notification obligations to affected individuals and HHS under 45 C.F.R. §§ 164.404 and 164.408
Cooperate fully in breach investigation, mitigation, and remediation efforts
Document the breach and maintain records for a minimum of six (6) years

7.2 Non-PHI Breaches

For security incidents involving personal information that does not constitute PHI, we will comply with applicable state breach notification laws, including the Delaware Computer Security Breaches Act (6 Del. C. § 12B-102), which requires notification without unreasonable delay.

8. Your Rights

8.1 HIPAA Rights

If your PHI is processed through the Service, you may have the following rights under HIPAA (exercisable through the applicable Covered Entity):

Right of access: Inspect and obtain copies of your PHI maintained by the Service
Right to amendment: Request corrections to your PHI if you believe it is inaccurate or incomplete
Right to an accounting of disclosures: Receive a list of certain disclosures of your PHI
Right to request restrictions: Request limitations on the use and disclosure of your PHI
Right to confidential communications: Request that communications regarding your PHI be made by alternative means or at alternative locations
Right to breach notification: Receive notification if your unsecured PHI is breached

8.2 Delaware Privacy Rights

If you are a Delaware resident, you may have additional rights under the Delaware Personal Data Privacy Act, including:

The right to confirm whether we are processing your personal data
The right to access your personal data
The right to correct inaccuracies in your personal data
The right to delete your personal data
The right to obtain a portable copy of your personal data
The right to opt out of the processing of your personal data for targeted advertising, sale, or profiling

To exercise any of these rights, contact us at privacy@lexmata.com. We will respond within the timeframes required by applicable law.

8.3 Filing a Complaint

If you believe your privacy rights have been violated, you may:

Contact us at privacy@lexmata.com
File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at https://www.hhs.gov/hipaa/filing-a-complaint/
File a complaint with the Delaware Department of Justice

We will not retaliate against you for filing a complaint.

9. Data Retention and Disposal

9.1 Retention Periods

Lexmata LLC retains data as follows:

PHI: Retained for the period specified in the applicable BAA, or as required by law. In the absence of a BAA specification, PHI is retained for the duration of the service relationship plus thirty (30) days to permit data retrieval
Account information: Retained for the duration of the account plus a reasonable period for legal and compliance purposes
Usage and log data: Retained for a period of up to twenty-four (24) months for security and operational purposes
HIPAA documentation: Policies, procedures, and compliance records are retained for a minimum of six (6) years as required by 45 C.F.R. § 164.530(j)

9.2 Secure Disposal

When disposing of data containing PHI or personal information, we:

Use NIST SP 800-88 compliant methods for electronic media sanitization
Maintain certificates of destruction and disposal logs
Verify complete and irreversible removal of data
Ensure all backup copies are included in the disposal process

10. Subcontractors and Third Parties

10.1 Subcontractors

Any subcontractor or third-party service provider that may create, receive, maintain, or transmit PHI on our behalf is required to:

Execute a Business Associate Agreement with Lexmata LLC
Implement safeguards consistent with HIPAA requirements
Limit use and disclosure of PHI to the purposes specified in the agreement

10.2 Third-Party Links

Our website may contain links to third-party websites or services not operated by Lexmata LLC. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

12. International Data

The Service is hosted in and operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

13. Changes to This Policy

Lexmata LLC reserves the right to update this Privacy Policy at any time. We will notify users of material changes by:

Posting the updated policy on our website with a revised "Last Updated" date
Sending email notification to registered users at least thirty (30) days before material changes take effect
Displaying a prominent notice on the platform

Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

14. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles, except to the extent preempted by HIPAA and other applicable federal law.

15. Contact Information

For privacy-related questions, concerns, or requests, contact:

Privacy Officer
Lexmata LLC
1800 JFK Blvd., Suite 1525
Philadelphia, PA 19103
Email: privacy@lexmata.com

For general legal inquiries:
Email: legal@lexmata.com

For HIPAA complaints or to request a Business Associate Agreement:
Email: privacy@lexmata.com

By using Lexmata LLC's services, you acknowledge that you have read and understand this Privacy Policy and agree to its terms.