    CODYMD PRIVACY POLICY

    Last Updated: Apr 30, 2026


    PART A — GENERAL PRIVACY POLICY

    Applies to all users of the Platform. Effective upon access to or use of the Platform.


    A1. Information We Collect

    A1.1 Information You Provide

    When you create an account or use the Platform, we may collect:

    • Identity and contact information. Your name, email address, phone number, date of birth, gender, username and password, and general profile information.

    • Health-related information. The content of messages, questions, and feedback you provide, including conversations with our AI Tools, and any health-related information you share with the AI Tools.

    • Identity verification information. When you elect to receive Clinical Services, you may be asked to provide a valid government-issued photo identification (such as a driver's license, state ID, or passport), an image of yourself, and other identifying information for the purpose of identity and location verification.

    • Payment information. Payment information is collected and processed by Stripe; CodyMD does not store full payment credentials.

    • Communications. The content of any messages or feedback you send to CodyMD support, including support@cody.md, help@cody.md, privacy@cody.md, and any other CodyMD address.

    Important: General health questions you ask through informational services (the AI Tools) before electing to receive Clinical Services are not Protected Health Information ("PHI") under HIPAA. They are Personal Information governed by this Part A. If you transition to Clinical Services, information collected during clinical encounters becomes PHI governed by Part B (HIPAA Notice of Privacy Practices).

    A1.2 Information Collected Automatically

    We automatically collect:

    • IP address, browser type, operating system, device identifiers

    • Pages visited, dates and times of access, referring URLs, clickstream data

    • Approximate geographic location based on IP address and, where you grant permission, more precise geolocation data used to verify your physical location for Clinical Services eligibility

    • Session identifiers and analytics data

    We collect this information through cookies, web beacons, pixels, and similar technologies as described in Section A4.

    A1.3 Information from Third Parties

    We may receive information from:

    • Analytics providers

    • Identity verification services that confirm the validity of identification documents you provide

    • Address verification services

    • Social media platforms, if you link your account

    • Healthcare providers, pharmacies, and laboratories acting on your behalf or with your authorization


    A2. How We Use Your Information

    We use Personal Information to:

    • Provide, maintain, and improve the Platform.

    • Process account registration and manage your account.

    • Operate the AI Tools and respond to your inputs.

    • Verify your identity and physical location for Clinical Services eligibility, including comparing identification documents you provide against third-party verification databases.

    • Process and authorize payments (including authorization holds via Stripe, with capture occurring only after a Provider accepts your case for Clinical Services).

    • Respond to inquiries and provide support.

    • Personalize your experience and show relevant content.

    • Communicate about the Platform, including updates and promotions (with consent where required).

    • Detect and address fraud, security issues, and technical problems.

    • Comply with legal obligations and enforce our Terms of Use.

    • Conduct research and analytics using aggregated or de-identified data.

    CodyMD does not sell your Personal Information. CodyMD does not use your Personal Information for targeted advertising. CodyMD does not use individually identifiable health information from your AI Tool conversations to train third-party artificial intelligence models. See Section A14 for additional information about AI processing.


    A3. How We Share Your Information

    CodyMD does not sell your Personal Information. We share Personal Information only as follows:

    • Service providers. Third parties performing services on our behalf, including hosting, analytics, payment processing (Stripe), identity verification, address verification, and customer support. These providers are bound by confidentiality and data protection obligations.

    • Identity verification providers. When you elect to receive Clinical Services, identifying information you provide is shared with third-party identity verification services solely for the purpose of verifying your identity and location. These providers operate under contractual obligations consistent with this Privacy Policy and, where they handle PHI, under Business Associate Agreements as required by HIPAA.

    • Affiliated medical group and Providers. When you elect to receive Clinical Services, relevant information is shared with MD Integrations (an independent medical group with which CodyMD contracts) and with the licensed Provider who delivers your care. CodyMD maintains Business Associate Agreements with MD Integrations and with each Provider as required by HIPAA. Sharing for Clinical Services is governed by Part B (HIPAA Notice of Privacy Practices).

    • Pharmacies. When a Provider prescribes medication, prescription information is electronically transmitted to the pharmacy of your choice or a partnered pharmacy.

    • Legal requirements. When required by law, court order, subpoena, or other legal process. We will, where lawful and feasible, notify you of such legal requests.

    • Business transfers. In connection with a merger, acquisition, or sale of assets, with notice to you to the extent legally required.

    • Public health, safety, and emergencies. Where permitted by law to address public health, safety, abuse reporting, or to avert serious threats to health or safety.

    • With your consent. When you explicitly authorize sharing.


    A4. Cookies and Tracking

    The Platform uses:

    • Essential cookies required for Platform functionality, including authentication and session management.

    • Analytics cookies that help us understand usage patterns. Analytics data is processed by service providers under contractual obligations.

    • Preference cookies that remember your settings.

    You can control cookies through your browser settings. Disabling cookies may affect Platform functionality. We do not respond to "Do Not Track" browser signals at this time.

    We do not use cookies, pixels, or other tracking technologies to share PHI with third-party advertising networks.


    A5. Your Rights

    Subject to applicable law, you have the right to:

    • Access: Request access to your Personal Information.

    • Correction: Request correction of inaccurate Personal Information.

    • Deletion: Request deletion of Personal Information, subject to legal retention requirements (including HIPAA medical records retention obligations described in Part B).

    • Object/Restrict: Object to or restrict processing in certain circumstances.

    • Portability: Request a copy of your Personal Information in a structured, commonly used, machine-readable format.

    • Withdraw consent: Withdraw consent where processing is based on consent.

    • Non-discrimination: We will not discriminate against you for exercising these rights.

    To exercise any right, contact privacy@cody.md. We respond within 45 days or as required by applicable law. We may need to verify your identity before fulfilling certain requests.


    A6. State-Specific Rights

    A6.1 California (CCPA/CPRA)

    California residents have additional rights including the right to know, delete, correct, and opt out of the sale or sharing of personal information. CodyMD does not sell or share Personal Information for cross-context behavioral advertising. California residents may exercise rights by contacting privacy@cody.md. California residents may also report complaints to the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

    A6.2 Washington (My Health My Data Act)

    If you are a Washington resident, the Washington My Health My Data Act ("MHMDA") provides you with additional rights regarding your "consumer health data," which is broader than HIPAA's definition of PHI and may include data collected through informational services as well as Clinical Services.

    Under MHMDA, you have the right to:

    • Confirm whether CodyMD is collecting, sharing, or selling your consumer health data.

    • Access the consumer health data CodyMD has collected from you.

    • Withdraw consent to collection, sharing, or selling of your consumer health data.

    • Request deletion of your consumer health data.

    • Receive notice if your consumer health data is sold (CodyMD does not sell consumer health data).

    To exercise these rights, contact privacy@cody.md. We will respond within 45 days. CodyMD will not retaliate against you for exercising MHMDA rights.

    CodyMD obtains your consent before collecting or sharing consumer health data beyond what is strictly necessary to provide the Platform services you have requested. CodyMD does not sell consumer health data.

    A6.3 Oregon

    Oregon residents may have additional rights under Oregon law, including the Oregon Consumer Privacy Act (effective July 1, 2024). To exercise rights or report concerns, contact privacy@cody.md.

    A6.4 Other States

    Residents of Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy laws may have additional rights. Contact privacy@cody.md to exercise applicable rights.


    A7. Data Security

    We implement administrative, physical, and technical safeguards to protect your information, including encryption in transit and at rest, access controls, audit logging, and security monitoring. CodyMD's infrastructure is described in more detail in Part B Section B5. No method of transmission or storage is completely secure; we cannot guarantee absolute security.


    A8. Data Retention

    We retain Personal Information as follows:

    • Account information. Retained while your account is active, plus a reasonable period after closure for legal, audit, and security purposes.

    • Usage data. Up to 24 months in identifiable form, then aggregated or de-identified.

    • Conversation data with the AI Tools. Retained to support service continuity, improve the Platform, and meet audit obligations. AI conversation data may be retained for up to 24 months in identifiable form, then aggregated or de-identified, except where longer retention is required for clinical, legal, or audit purposes. CodyMD does not use individually identifiable AI conversation data to train third-party artificial intelligence models. See Section A14.

    • Identity verification data. Retained as long as necessary to support Clinical Services eligibility, prevent fraud, and meet legal obligations. Government-issued ID images are stored on encrypted infrastructure and access-controlled.

    • Medical records (PHI). Retained per Part B Section B6.

    • Billing records. Retained per Part B Section B6.

    You may request deletion of Personal Information by contacting privacy@cody.md, subject to applicable retention requirements (including HIPAA records retention).


    A9. Children's Privacy

    The Platform is not directed to or intended for individuals under 18 years of age. We do not knowingly collect Personal Information from children under 13, and we do not knowingly provide Clinical Services to individuals under 18. If you believe we have inadvertently collected information from a child under 13, contact privacy@cody.md and we will promptly delete the information.


    A10. International Users

    The Platform is operated from the United States. If you access the Platform from outside the United States, your information may be transferred to and processed in the United States. Clinical Services are not available to individuals outside the United States. International users are responsible for compliance with applicable local privacy and healthcare laws.


    A11. Third-Party Links

    The Platform may link to third-party websites or services. This Privacy Policy does not apply to those third parties. Review their privacy policies before providing them with information.


    A12. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. Material changes will be noted with an updated effective date and, where required by law, additional notice (including via email for users with active accounts). Continued use of the Platform after the effective date of changes constitutes your acceptance of the updated Privacy Policy.


    A13. Contact

    Awesome Studios, LLC d/b/a CodyMD
    2442 NW Westover Road, Suite 201, Portland, OR 97210
    Privacy: privacy@cody.md | General: info@cody.md


    A14. AI Processing and Conversation Data

    CodyMD operates AI-powered tools (the "AI Tools") that provide general health information and education. Information you share with the AI Tools is treated as follows:

    • Inference. AI inference (the generation of responses to your inputs) is performed using third-party AI model providers under contractual obligations consistent with this Privacy Policy. To the extent third-party AI providers process AI Tool inputs, they do so as service providers and are contractually prohibited from using your data for their own purposes, including model training, except as expressly permitted by this Privacy Policy.

    • Model training. CodyMD does not provide individually identifiable AI conversation data to third-party AI model providers for the purpose of training their models. Aggregated or de-identified data may be used for service improvement, analytics, and research. Where third-party AI model providers' standard offerings would include AI conversation data in their training corpus by default, CodyMD has elected service tiers or configurations that exclude such use.

    • Internal improvement. CodyMD may use AI conversation data internally to improve the Platform, monitor for safety and abuse, evaluate AI Tool performance, and conduct research. Internal use does not include sharing identifiable conversation data with third parties for their own purposes.

    • Boundary with PHI. AI Tool conversations occurring before you elect to receive Clinical Services are Personal Information under this Part A, not PHI under HIPAA. Once you elect Clinical Services, information collected as part of clinical care is PHI governed by Part B.

    • Retention. AI conversation data is retained per Section A8.

    If you have questions about AI processing, contact privacy@cody.md.


    PART B — HIPAA NOTICE OF PRIVACY PRACTICES

    Applies when you receive Clinical Services through CodyMD. Effective upon your electronic acceptance of the Telehealth Informed Consent and the Clinical Services Addendum (Part B of the Terms of Use).

    THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

    This Part B applies to Protected Health Information ("PHI") created, received, maintained, or transmitted in connection with Clinical Services through the CodyMD platform. It supplements Part A, which governs Personal Information from informational services. CodyMD operates as a Business Associate under HIPAA with respect to PHI handled on behalf of independent licensed Providers and contracted medical groups, including MD Integrations. CodyMD maintains Business Associate Agreements as required by HIPAA with MD Integrations, with each Provider, and with all sub-processors who handle PHI.


    B1. What Is Protected Health Information

    PHI is individually identifiable health information created or received in connection with Clinical Services, including medical history, symptoms, diagnoses, treatment plans, prescriptions, laboratory results, clinical notes, identity verification information collected as part of Clinical Services, and billing information related to clinical care.

    General health questions asked through informational services (Part A) are not PHI under HIPAA. Once you elect Clinical Services and information becomes linked to your clinical encounter, that information is PHI governed by this Part B.


    B2. How We Use and Disclose Your PHI

    We use and disclose PHI only as permitted by HIPAA, the HITECH Act, and applicable state law:

    • Treatment. To facilitate care by your Provider, coordinate care among Providers and pharmacies, and transmit prescriptions. This includes sharing PHI with MD Integrations and with the licensed Provider who delivers your care.

    • Payment. To process payments, billing, and fee collection. This includes payment authorization holds and payment capture as described in the Telehealth Informed Consent Section 8 and the Terms of Use Section B6.3.

    • Healthcare operations. Quality assessment, credentialing, training, compliance, audits, and similar operations.

    • Required by law. To comply with laws, court orders, subpoenas, administrative requests, or other legal process.

    • Public health and safety. Disease reporting, abuse reporting, FDA reporting where applicable, and disclosures to avert serious threats to health or safety.

    • Identity verification. PHI may be shared with third-party identity verification providers as necessary to verify your identity for the purpose of receiving Clinical Services. Identity verification providers are bound by Business Associate Agreements where they handle PHI.

    • With your authorization. For any other purpose, with your signed written authorization.

    B2.1 Authorization Required

    The following uses and disclosures require your written authorization:

    • Marketing communications that involve direct or indirect remuneration to CodyMD from a third party.

    • Sale of PHI.

    • Most uses and disclosures of psychotherapy notes (CodyMD does not provide mental health services and does not generate psychotherapy notes).

    You may revoke any authorization in writing at any time, except to the extent CodyMD has already acted in reliance on the authorization.

    B2.2 De-Identified Data

    We may de-identify PHI using HIPAA's safe harbor or expert determination methods. De-identified data is not subject to this Notice and may be used for research, analytics, service improvement, and product development.


    B3. Your HIPAA Rights

    You have the following rights regarding your PHI:

    B3.1 Right to Access

    You have the right to inspect and obtain copies of your PHI. We will provide PHI in your requested format if producible. Reasonable, cost-based fees may apply. Contact records@cody.md.

    B3.2 Right to Amend

    You have the right to request corrections or amendments to your PHI. We may deny amendment requests under certain circumstances and will provide a written explanation if we do.

    B3.3 Right to an Accounting of Disclosures

    You have the right to request an accounting of certain disclosures of your PHI made in the prior six years, excluding disclosures for treatment, payment, healthcare operations, and disclosures made pursuant to your authorization.

    B3.4 Right to Request Restrictions

    You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to all such requests, but we must agree to restrict disclosures to a health plan for services you paid out of pocket in full. (Note: All Clinical Services through CodyMD are paid out of pocket, so disclosures to health plans are not made absent your authorization.)

    B3.5 Right to Confidential Communications

    You have the right to request that we communicate with you about PHI by alternative means or at alternative locations. We will accommodate reasonable requests.

    B3.6 Right to a Paper Copy of This Notice

    You have the right to obtain a paper copy of this Notice at any time, even if you previously received an electronic copy.

    B3.7 Right to Be Notified of a Breach

    You have the right to be notified following a breach of unsecured PHI, as described in Section B7.

    B3.8 Right to Authorize and Revoke

    Uses and disclosures not described in this Notice or otherwise permitted by law require your written authorization, which you may revoke in writing at any time.

    To exercise any HIPAA right, contact privacy@cody.md. We will respond within 30 days.


    B4. State Health Privacy Laws

    B4.1 Washington (My Health My Data Act)

    Washington residents have additional rights under the Washington My Health My Data Act ("MHMDA") with respect to "consumer health data," which is defined more broadly than HIPAA PHI. Your MHMDA rights are described in Part A Section A6.2.

    For consumer health data that is not PHI under HIPAA but is subject to MHMDA, CodyMD obtains your consent before collection, sharing, or selling, and honors withdrawal and deletion requests as required by MHMDA. CodyMD does not sell consumer health data.

    B4.2 Oregon

    Oregon law, including the Oregon Consumer Privacy Act and applicable state medical records laws, may provide additional rights and protections. Where state law provides greater protections than HIPAA, CodyMD complies with the more protective standard.

    B4.3 Other States

    Where state law provides greater protections than HIPAA, CodyMD complies with the more protective standard. Contact privacy@cody.md for state-specific rights inquiries.


    B5. How We Protect Your PHI

    CodyMD implements administrative, physical, and technical safeguards as required by HIPAA, the HITECH Act, and applicable state law:

    • Encryption. All PHI is encrypted in transit and at rest using industry-standard encryption.

    • Access controls. Role-based access controls limit PHI access to authorized personnel with a business need. Multi-factor authentication is required for personnel with PHI access.

    • Audit logging. Access to PHI is logged and monitored.

    • Workforce training. CodyMD personnel receive HIPAA training and are bound by confidentiality obligations.

    • Incident response. CodyMD maintains incident response and breach notification procedures.

    • Security assessments. CodyMD conducts regular security assessments and risk analyses.

    • HIPAA-compliant infrastructure. PHI is stored on Amazon Web Services HIPAA-eligible infrastructure under a Business Associate Agreement with AWS. Database storage is provided by MongoDB Atlas under a Business Associate Agreement with MongoDB.

    • Vendor management. All third-party service providers, sub-processors, and partners that handle PHI are bound by Business Associate Agreements requiring them to implement administrative, physical, and technical safeguards equivalent to or stronger than CodyMD's. CodyMD conducts due diligence on vendor security practices before sharing PHI and on an ongoing basis.


    B6. Retention of PHI

    CodyMD retains PHI as follows:

    • Medical records. Minimum seven (7) years from the date of last encounter, or longer where required by state law or applicable to minor patients (some states require retention until the patient reaches a specified age plus a statute-of-limitations period).

    • Billing records. Minimum seven (7) years for tax, financial reporting, and audit purposes.

    • Audit logs. Retained as long as necessary for security, compliance, and legal purposes.

    PHI no longer required to be retained is securely destroyed or de-identified.


    B7. Breach Notification

    In the event of a breach of unsecured PHI, CodyMD will notify affected individuals, the U.S. Department of Health and Human Services, and (where required) the media, in accordance with HIPAA, the HITECH Act, and applicable state law.

    Notifications will include:

    • A description of what happened and when (to the extent known).

    • The types of PHI involved.

    • Steps you can take to protect yourself.

    • Actions CodyMD is taking to address the breach.

    • Contact information for further inquiries.

    CodyMD will make notifications without unreasonable delay and within the timeframes required by applicable law.


    B8. Third-Party Service Providers and Sub-Processors

    Service providers that access PHI are bound by Business Associate Agreements as required by HIPAA. Categories of service providers and sub-processors include:

    • Cloud infrastructure providers. Amazon Web Services (HIPAA-eligible infrastructure), MongoDB Atlas (database storage).

    • Payment processing. Stripe (payment authorization and capture; Stripe receives limited information necessary to process payments and does not receive clinical PHI).

    • Identity verification providers. Third-party services used to verify your identity for Clinical Services eligibility. Where these providers handle PHI, they are bound by Business Associate Agreements.

    • Communication infrastructure. Email, SMS, and other communication providers used for treatment-related and operational communications, where applicable.

    • Affiliated medical group. MD Integrations, an independent medical group with which CodyMD contracts to make Clinical Services available, under a Business Associate Agreement.

    • Pharmacies and laboratories. Independent entities with their own HIPAA obligations. PHI is shared with pharmacies and laboratories only as necessary to fulfill prescriptions and process laboratory orders authorized by your Provider.


    B9. Complaints

    If you believe your privacy rights have been violated, you may file a complaint with CodyMD or with the U.S. Department of Health and Human Services. CodyMD will not retaliate against you for filing a complaint.

    With CodyMD:
    CodyMD Privacy Officer
    Awesome Studios, LLC d/b/a CodyMD
    2442 NW Westover Road, Suite 201, Portland, OR 97210
    privacy@cody.md

    With HHS:
    U.S. Department of Health and Human Services, Office for Civil Rights
    https://www.hhs.gov/hipaa/filing-a-complaint
    1-800-368-1019


    B10. Changes to This Notice

    CodyMD reserves the right to change this Notice. Material changes will be noted with an updated effective date. The revised Notice will apply to all PHI we maintain, including PHI created or received before the effective date of the revised Notice. Notices of material changes will be communicated to active patients via email or other reasonable means as required by HIPAA.


    B11. Contact

    Awesome Studios, LLC d/b/a CodyMD
    2442 NW Westover Road, Suite 201, Portland, OR 97210
    Privacy/HIPAA: privacy@cody.md | Records: records@cody.md | General: info@cody.md


    B12. AI Processing and PHI

    CodyMD's AI Tools provide health information and education. AI Tools are not used to deliver Clinical Services. Clinical Services are delivered exclusively by independent licensed Providers as described in the Telehealth Informed Consent and the Terms of Use.

    To the extent AI processing occurs in connection with Clinical Services (for example, where information you have shared with the AI Tools is later reviewed by your Provider as part of your clinical encounter, or where AI-assisted tools are used by Providers for documentation, summarization, or similar administrative purposes), the following applies:

    • No PHI to third-party AI training corpora. CodyMD does not provide individually identifiable PHI to third-party AI model providers for the purpose of training their models. Where third-party AI providers' standard offerings would include data in their training corpus by default, CodyMD has elected service tiers or configurations that exclude such use.

    • Service-provider relationships. Third-party AI model providers that process PHI on CodyMD's behalf operate as Business Associates under HIPAA and are bound by Business Associate Agreements that require them to safeguard PHI and to use it only for the purposes specified in the BAA.

    • Provider judgment. AI-assisted output is not a substitute for clinical judgment. Your Provider exercises independent professional judgment in all clinical decisions and is not bound by AI-assisted output.

    • De-identified data. Aggregated or de-identified data may be used for service improvement, analytics, and research consistent with HIPAA's de-identification standards.

    If you have questions about how AI processing applies to your PHI, contact privacy@cody.md.