Marvix AI Privacy Policy
Version: 3.0
Last Updated: May 4th , 2026
1. Overview
This Privacy Policy explains how Marvix AI, Inc., its subsidiaries and affiliates (“Marvix,” “Company”,“we,” “us,” or “our”) collects, uses, discloses, retains, and protects user and patient (“you”, “your”)information through our websites, mobile applications, web applications, desktop applications, APIs,
integrations, and related products and services (collectively, the “Services”).
Marvix provides AI-powered clinical documentation software for healthcare organizations. References
to AI may include machine learning (“ML”) and large language model (“LLM”) technologies interchangeably, and other related technologies where applicable. Our Services are intended for use by healthcare professionals and healthcare organizations, not by patients directly.
This Privacy Policy applies to information we process through the Services and our public websites, including information about website visitors, prospective customers, customer personnel and users, business contacts, and individuals whose information is submitted to or processed by the Services by or on behalf of a Customer. It is subject to any applicable Cloud Services Agreement, Terms of Service, Terms of Use, Business Associate Agreement (“BAA”), Data Retention Policy, customer settings, and customer-specific written configuration. If there is a conflict between this Privacy Policy and an applicable BAA with respect to Protected Health Information (“PHI”), the BAA controls.
2. HIPAA, PHI, and Our Role
When Marvix receives or processes PHI on behalf of a healthcare provider, health plan, or another HIPAA-regulated entity, we generally act as a Business Associate under HIPAA and process PHI in accordance with the applicable BAA and customer instructions.
Our healthcare customers are responsible for obtaining any required patient notices, consents, authorizations, and opt-outs before recording, uploading, transmitting, or otherwise making information available through the Services, including where required under recording, biometric privacy, consumer privacy, or health privacy laws. Customers and users represent that they have the rights, permissions, authorizations, consents, and legal basis required to submit, record, upload, transmit, or otherwise make information available through the Services. Customers are responsible for their own privacy notices and privacy practices.
For patient requests to access, amend, delete, restrict, or receive an accounting of PHI, patients should contact their healthcare provider. Where required by an applicable BAA, Marvix will assist the customer in responding to such requests.
3. Information We Collect
We may collect the following categories of information, depending on how you interact with the Services:
| Category |
Examples |
| Account and user information |
Name, email address, phone number, organization, role, specialty,
login credentials, settings, preferences, and support communications.
|
| Customer and billing information |
Business contact information, subscription details, invoices,
payment-related information, order forms, contracts, and customer
relationship records.
|
| Clinical and product content |
Audio recordings, transcripts, uploaded files, copy-pasted or manually
entered patient data, EHR-pulled content, CCDAs, XML/HTML files, labs,
imaging documents, generated notes, letters, patient recaps,
coding-related outputs, and intermediate processing files.
|
| Integration data |
EHR, practice management, RCM, scheduling, patient demographic,
appointment, clinical document, note insertion, and API integration data.
|
| Usage, device, and log data |
IP address, browser type, device identifiers, operating system, pages
viewed, app events, feature usage, timestamps, system logs, diagnostic
data, referring/exit pages and clickstream data, audit logs, and
integration logs.
|
| Website and marketing data |
Website analytics, cookie data, prospect and lead information, event
attendance, form submissions, communications preferences, and marketing
engagement.
|
| De-identified and aggregated data |
Information processed so that it does not identify an individual and is
retained or used in accordance with applicable law and our agreements.
|
We may also maintain audit logs identifying users who access, create, modify, export, transmit, or delete patient-related information through the Services.
Audio recordings are created only when an authorized user initiates recording or dictation in the Services. Marvix does not use audio recordings to identify or authenticate individuals by voice print unless expressly agreed or disclosed separately.
4. Sources of Information
- Information you or other authorized users provide directly, including account, support, uploaded, dictated, recorded, or manually entered content.
- Information retrieved from third-party systems at the customer’s direction, including EHR, practice management, RCM, scheduling, and other healthcare systems.
- Information generated by the Services, including transcripts, intermediate processing files, generated outputs, audit logs, metadata, and usage data.
- Information from service providers, business partners, analytics providers, marketing tools, app stores, EHR marketplaces, and public or commercially available sources.
5. How We Use Information
We use information for the following purposes:
- Provide, operate, maintain, secure, troubleshoot, and support the Services.
- Record, transcribe, summarize, structure, and generate clinical documentation and related outputs at the direction of authorized users.
- Authenticate users, administer accounts, manage subscriptions, process payments, and communicate about the Services.
- Integrate with EHR, practice management, RCM, scheduling, and other third-party systems at the customer’s direction.
- Provide customer support, onboarding, training, implementation, technical assistance, and service communications.
- Monitor security, prevent fraud, investigate misuse, enforce our agreements, and comply with legal obligations.
- Perform analytics, quality assurance, LLM evaluation and model improvement, service improvement, and product development, including using de-identified or aggregated data where permitted by applicable law and agreement.
- Send marketing, educational, and product communications where permitted; recipients may opt out of marketing communications.
6. AI-Generated Outputs and Human Review
The Services may generate AI-assisted clinical documentation, summaries, coding-related outputs, and other draft content. AI-generated outputs may be inaccurate or incomplete and must be reviewed and validated by a licensed healthcare professional before clinical use, billing use, disclosure, or transmission to another healthcare provider. Marvix does not provide medical advice, diagnosis, treatment recommendations, or reimbursement guarantees.
7. De-Identified and Aggregated Data
Marvix may create, retain, use, and disclose de-identified or aggregated data in accordance with applicable agreements, customer settings, retention configurations, and our Data Retention Policy for analytics, quality assurance, LLM evaluation and model improvement, service improvement, security, benchmarking, and other lawful business purposes, subject to applicable law and agreements. Where applicable, Marvix’s de-identification process is designed to meet the HIPAA Safe Harbor de- identification requirements under 45 CFR §164.514(b)(2), including removal of direct identifiers and measures designed to prevent Marvix from reasonably re-identifying individuals from the retained service-improvement dataset.
8. How We Disclose Information
We may disclose information as follows:
- To a customer and its authorized users, administrators, affiliates, and personnel.
- To service providers, subprocessors, contractors, and vendors that support hosting, infrastructure, transcription, AI processing, analytics, customer support, security, billing, communications, and product operations.
- To EHRs, practice management systems, RCM systems, app marketplaces, and integration partners at the customer’s direction or as needed to provide integrations.
- To professional advisors, auditors, insurers, and compliance reviewers.
- To comply with law, legal process, contractual obligations, security requirements, or to protect rights, safety, and property.
- In connection with a financing, merger, acquisition, reorganization, sale of assets, corporate transaction, or similar event.
- With consent or at the direction of the customer or authorized user.
Do Not Sell or Share. We do not sell PHI. We do not use PHI for targeted advertising. We do not sell personal information for money. If our website analytics or advertising technologies are deemed a “sale”, “sharing”, or targeted advertising under applicable privacy laws, you may opt out by using the “Do Not Sell or Share My Personal Information” link on our website or by contacting us as below.
Global Privacy Controls. Where required by applicable law, we will treat recognized browser-based opt-out preference signals, such as Global Privacy Control, as a request to opt out of sale, sharing, or targeted advertising for the browser or device sending the signal.
9. Cookies, Analytics, and Similar Technologies
Our websites and Services may use cookies, pixels, SDKs, local storage, analytics tools, and similar technologies to operate the Services, authenticate users, remember preferences, analyze usage, improve performance, secure the Services, and support marketing. You may be able to control cookies
through browser settings or other tools we provide. Disabling cookies may affect functionality.
Some browsers offer “Do Not Track” signals. Because there is no uniform industry standard for such signals, we may not respond to them unless required by law. This does not limit our treatment of Global Privacy Control or other legally recognized opt-out preference signals where required by law.
10. Retention, Deletion, and Backups
Marvix retains information in accordance with its Data Retention Policy, applicable agreements, customer settings, and legal, security, operational, support, and compliance needs. Customers may configure supported retention periods through Marvix settings or written request, subject to product, deployment, backup, legal, and customer-specific limitations.
We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide and secure the Services, comply with legal obligations, resolve disputes, prevent fraud or abuse, support account recovery, enforce agreements, and maintain business records, unless a different period is required by law, an applicable agreement, customer settings, or a written customer-specific configuration.
Deletion from the user interface may not immediately delete all copies from Marvix systems. Deleted data may remain in encrypted rolling backups and limited system logs until expiration through ordinary backup rotation. Marvix does not generally perform record-level deletion from immutable or rolling backups unless required by law or agreed in writing.
Additional retention details may be made available to customers under their applicable customer agreement, customer settings, written retention configuration, or customer-facing data retention materials provided by Marvix.
11. Data Location and Cross-Border Processing
Marvix stores production data in the United States. Support, engineering, configuration, security, administrative, and service operations may involve access or processing from locations outside the customer’s jurisdiction, subject to applicable safeguards, agreements, and legal requirements. Customers are responsible for providing any notices and obtaining any consents required for their use of the Services in the jurisdictions where they operate.
12. Security
Marvix uses administrative, technical, and organizational safeguards designed to protect information processed through the Services. These safeguards include encryption of data at rest and in transit, encrypted rolling backups, access controls, logging, monitoring, and security processes maintained in alignment with Marvix’s HIPAA obligations and SOC 2 control environment. No system, network, or transmission is completely secure, and we cannot guarantee absolute security.
Email and internet transmissions may not always be secure. Users should not send PHI or other sensitive information to Marvix by email unless the email is encrypted and HIPAA-compliant or the email is sent through a secure, HIPAA-appropriate method approved by the User’s organization or
Marvix. By sending PHI or sensitive information by email, the sender represents that they are authorized to do so and have used an appropriate transmission method.
13. Privacy Rights and Choices
Depending on your location and relationship with Marvix, you may have rights to access, correct, delete, receive, restrict, object to, or opt out of certain processing of personal information. To exercise rights regarding account or business contact information, contact us using the information below.
If your request concerns PHI or patient records processed by Marvix on behalf of a healthcare provider or other customer, please contact the applicable healthcare provider or customer directly. Marvix will support the customer as required by the applicable BAA.
California and other U.S. state privacy laws may provide additional rights, including rights to know, access, correct, delete, receive a copy of personal information, opt out of certain sales, sharing, targeted advertising, or profiling, and limit certain uses of sensitive personal information, where applicable. You may exercise applicable opt-out rights through our “Do Not Sell or Share My Personal Information” link or by contacting us as below.
We do not discriminate against individuals for exercising applicable privacy rights.
14. Communications Preferences
You may opt out of marketing emails by using the unsubscribe link in those emails or contacting us. We may still send transactional, security, legal, product, support, or administrative communications.
15. Children
The Services are intended for use by healthcare professionals and organizations and are not directed to children under 13. We do not knowingly collect personal information directly from children under 13 through our websites or apps. Clinical information about minors may be processed when submitted by authorized healthcare professionals or customers as part of the Services and governed by the applicable customer agreement and BAA.
16. Third-Party Services and Links
The Services may link to or integrate with third-party websites, EHRs, app marketplaces, identity providers, communication tools, analytics tools, and other services. Their privacy practices are governed by their own policies. Marvix is not responsible for third-party privacy practices.
Our websites or communications may include links, social media features, pixels, SDKs, app-store links, marketplace listings, or other third-party integrations. Third parties may collect information independently when you interact with those features or leave our Services, and their practices are
governed by their own privacy policies and terms.
17. Feedback
If you submit feedback, suggestions, ideas, including through interactions with Marvix personnel, support channels, sales processes, or product interfaces, or any unsolicited information through any channel, we may use it for any lawful purpose without obligation to you, subject to any confidentiality obligations in an applicable written agreement.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Services, operations, legal requirements, or privacy practices. The updated version will be indicated by an updated “Last Updated” date. Material changes will be communicated in accordance with applicable law, customer agreements, or our standard notification practices.
19. Contact Us
Questions or requests about this Privacy Policy may be sent to:
Marvix AI, Inc.
25 Morrissey Blvd #1438
Boston, MA 02125
United States
Email: contact@marvix.ai
20. App Store Disclosures
For mobile applications, this Privacy Policy applies together with the privacy disclosures displayed in the applicable app store. If an app-store disclosure and this Privacy Policy differ, this Privacy Policy and the applicable customer agreement and BAA govern to the extent permitted by law.
.png)
