Marvix | Privacy Policy

Marvix AI Privacy Policy

Version: 3.1
Last Updated: May 25^th, 2026

1. Overview

This Privacy Policy explains how Marvix AI, Inc., its subsidiaries and affiliates (“Marvix,” “Company”, “we,” “us,” or “our”) collects, uses, discloses, retains, and protects user and patient (“you”, “your”) information through our websites, mobile applications, web applications, desktop applications, APIs, integrations, and related products and services (collectively, the “Services”).

Marvix provides AI-powered clinical documentation software for healthcare organizations. References to AI may include machine learning (“ML”) and large language model (“LLM”) technologies interchangeably, and other related technologies where applicable. Our Services are intended for use by healthcare professionals and healthcare organizations, not by patients directly.

This Privacy Policy applies to information we process through the Services and our public websites, including information about website visitors, prospective customers, customer personnel and users, business contacts, and individuals whose information is submitted to or processed by the Services by or on behalf of a Customer. It is subject to any applicable Cloud Services Agreement, Terms of Service, Terms of Use, Business Associate Agreement (“BAA”), Data Retention Policy, customer settings, and customer-specific written configuration. If there is a conflict between this Privacy Policy and an applicable BAA with respect to Protected Health Information (“PHI”), the BAA controls.

This Privacy Policy is not a HIPAA (“Health Insurance Portability and Accountability Act”) Notice of Privacy Practices. Patients should contact their healthcare provider for questions about their medical records, HIPAA rights, or provider privacy practices.

“Customer” means the healthcare organization, medical practice, hospital, health plan, business associate, or other organization that subscribes to or otherwise uses the Services.
‍
2. HIPAA, PHI, and Our Role
‍
‍When Marvix receives or processes PHI on behalf of a healthcare provider, health plan, or another HIPAA-regulated entity, we generally act as a Business Associate under HIPAA and process PHI in accordance with the applicable BAA and customer instructions.

Our healthcare customers are responsible for obtaining any required patient notices, consents, authorizations, and opt-outs before recording, uploading, transmitting, or otherwise making information available through the Services, including where required under recording, biometric privacy, consumer privacy, or health privacy laws. Customers and users represent that they have the rights, permissions, authorizations, consents, and legal basis required to submit, record, upload, transmit, or otherwise make information available through the Services. Customers are responsible for their own privacy notices and privacy practices.

For patient requests to access, amend, delete, restrict, or receive an accounting of PHI, patients should contact their healthcare provider. Where required by an applicable BAA, Marvix will assist the customer in responding to such requests.

3. Information We Collect

We may collect the following categories of information, depending on how you interact with the Services:
‍

Category	Examples
Account and user information	Name, email address, phone number, organization, role, specialty, login credentials, settings, preferences, and support communications.
Customer and billing information	Business contact information, subscription details, invoices, payment-related information, order forms, contracts, and customer relationship records.
Clinical and product content	Audio recordings, transcripts, uploaded files, copy-pasted or manually entered patient data, EHR-pulled content, CCDAs, XML/HTML files, labs, imaging documents, generated notes, letters, patient recaps, coding-related outputs, and intermediate processing files.
Integration data	EHR, practice management, RCM, scheduling, patient demographic, appointment, clinical document, note insertion, and API integration data.
Usage, device, and log data	IP address, browser type, device identifiers, operating system, pages viewed, app events, feature usage, timestamps, system logs, diagnostic data, referring/exit pages and clickstream data, audit logs, and integration logs.
Website and marketing data	Website analytics, cookie data, prospect and lead information, event attendance, form submissions, communications preferences, and marketing engagement.
De-identified and aggregated data	Information processed so that it does not identify an individual and is retained or used in accordance with applicable law and our agreements.

We may also maintain audit logs identifying users who access, create, modify, export, transmit, or delete patient-related information through the Services.

Audio recordings are created only when an authorized user initiates recording or dictation in the Services. Marvix does not use audio recordings to identify or authenticate individuals by voice print unless expressly agreed or disclosed separately.
‍
4. Sources of Information
‍

Information you or other authorized users provide directly, including account, support, uploaded, dictated, recorded, or manually entered content.
Information retrieved from third-party systems at the customer’s direction, including EHR, practice management, RCM, scheduling, and other healthcare systems.
Information generated by the Services, including transcripts, intermediate processing files, generated outputs, audit logs, metadata, and usage data.
Information from service providers, business partners, analytics providers, marketing tools, app stores, EHR marketplaces, and public or commercially available sources.

5. How We Use Information
‍
We use information for the following purposes:
‍

Provide, operate, maintain, secure, troubleshoot, and support the Services.
Record, transcribe, summarize, structure, and generate clinical documentation and related outputs at the direction of authorized users.
Authenticate users, administer accounts, manage subscriptions, process payments, and communicate about the Services.
Integrate with EHR, practice management, RCM, scheduling, and other third-party systems at the customer’s direction.
Provide customer support, onboarding, training, implementation, technical assistance, and service communications.
Monitor security, prevent fraud, investigate misuse, enforce our agreements, and comply with legal obligations.
Perform analytics, quality assurance, LLM evaluation and model improvement, service improvement, and product development, including using de-identified or aggregated data where permitted by applicable law and agreement.
Send marketing, educational, and product communications where permitted; recipients may opt out of marketing communications.

6. AI-Generated Outputs and Human Review
‍
The Services may generate AI-assisted clinical documentation, summaries, coding-related outputs, and other draft content. AI-generated outputs are produced as drafts intended for clinician review. They may be inaccurate, incomplete, or otherwise unsuitable for their intended purpose, and are designed to require review, validation, and affirmative acceptance by a licensed healthcare professional before they are used clinically, used to support billing or coding submissions, or disclosed to any third party.

Marvix does not automate the signing, locking, or finalization of clinical notes through the Services.

Customer responsibility for downstream workflows. Once an AI-generated draft is delivered to a Customer's EHR or other system of record, the Customer is responsible for the configuration, workflows, and downstream behavior of that system. This includes any auto-signature, auto-finalization, auto-billing, claim submission, propagation to other systems (such as health information exchanges, referral networks, or patient portals), or other automated processing that the Customer or its EHR vendor has configured. Marvix does not control, and is not responsible for, EHR-side configurations or actions taken after delivery of a draft into the Customer's environment.

Marvix does not provide medical advice, diagnosis, treatment recommendations, or reimbursement guarantees. The licensed healthcare professional is responsible for the accuracy, completeness, and appropriateness of any clinical documentation, coding, or other output adopted from the Services.
‍

7. De-Identified and Aggregated Data

Marvix may create, retain, use, and disclose de-identified or aggregated data in accordance with applicable agreements, customer settings, retention configurations, and our Data Retention Policy for analytics, quality assurance, LLM evaluation and model improvement, service improvement, security, benchmarking, and other lawful business purposes, subject to applicable law and agreements. Where applicable, Marvix’s de-identification process is designed to meet the HIPAA Safe Harbor de-identification requirements under 45 CFR §164.514(b)(2), including removal of direct identifiers and measures designed to prevent Marvix from reasonably re-identifying individuals from the retained service-improvement dataset.

‍
8. How We Disclose Information
‍
We may disclose information as follows:
‍

To a customer and its authorized users, administrators, affiliates, and personnel.
To service providers, subprocessors, contractors, and vendors that support hosting, infrastructure, transcription, AI processing, analytics, customer support, security, billing, communications, and product operations.
To EHRs, practice management systems, RCM systems, app marketplaces, and integration partners at the customer’s direction or as needed to provide integrations.
To professional advisors, auditors, insurers, and compliance reviewers.
To comply with law, legal process, contractual obligations, security requirements, or to protect rights, safety, and property.
In connection with a financing, merger, acquisition, reorganization, sale of assets, corporate transaction, or similar event.
With consent or at the direction of the customer or authorized user.

Do Not Sell or Share. We do not sell PHI. We do not use PHI for targeted advertising. We do not sell personal information for monetary or other valuable consideration. If our website analytics or advertising technologies are deemed a “sale”, “sharing”, or targeted advertising under applicable privacy laws, you may opt out by using the “Your Privacy Choices” link on our website or by contacting us as below.

Global Privacy Controls. Where required by applicable law, we will treat recognized browser-based opt-out preference signals, such as Global Privacy Control, as a request to opt out of sale, sharing, or targeted advertising for the browser or device sending the signal.

‍
9. Cookies, Analytics, and Similar Technologies
‍
Our websites and Services may use cookies, pixels, tags, SDKs, local storage, analytics tools, and similar technologies to operate the Services, authenticate users, remember preferences, analyze usage, improve performance, secure the Services, and support marketing. You can manage your preferences through our cookie consent banner or by clicking “Your Privacy Choices” in our website footer – this opens the CookieYes preference center. You may also be able to control cookies through browser settings. Disabling cookies may affect functionality.
‍

Specific tools we use on our public website:

CookieYes - a consent management platform provided by Hashout Technologies Pvt. Ltd., to display our cookie banner, capture your preferences, and maintain consent records for compliance purposes. CookieYes processes a limited set of data (including IP address, consent ID, and consent choices) to record proof of your preferences. CookieYes's privacy notice is available at https://www.cookieyes.com/privacy-policy/. Through our banner you can accept or reject cookies by category: Strictly Necessary, Functional, Analytics, and Marketing.

Google Analytics 4 (GA4) - Provided by Google LLC. We use GA4 to understand aggregate website traffic, page performance, and how visitors navigate our site. GA4 collects information including IP address (anonymized), device and browser type, pages viewed, time on site, and referring URL. We have disabled Google Signals and advertising features for GA4. Data retention is configured to 14 months. Google’s privacy practices: https://policies.google.com/privacy

Microsoft Clarity - Provided by Microsoft Corporation. Clarity captures website usage information including how visitors interact with pages (clicks, scrolls, mouse movements) and session recordings of website visits. We have configured Clarity to mask all text content and form fields by default to protect visitor privacy, and we exclude pages addressing specific medical conditions or specialties from Clarity recording entirely. Microsoft’s privacy practices: https://privacy.microsoft.com

Google Tag Manager (GTM) - Provided by Google LLC. GTM is a tag management system that enables us to deploy and manage the analytics tools listed above. GTM itself does not collect personal information; it loads other tags based on consent state.

Important: Our customer portal and authenticated areas do not use these analytics tools. The technologies described in this section apply only to our public marketing website.

Your choices. You can accept, reject, or customize your cookie preferences through our consent banner that appears on first visit, or anytime via the “Your Privacy Choices” link in our website footer. Rejecting cookies will prevent the analytics tools above from loading. Disabling cookies may affect website functionality.

Do Not Track and Global Privacy Control. Some browsers offer “Do Not Track” signals. Because there is no uniform industry standard for such signals, we may not respond to them unless required by law. We do honor Global Privacy Control (GPC) signals from supported browsers as an opt-out of sale/sharing where required by applicable law.

‍
10. Retention, Deletion, and Backups
‍
Marvix retains information in accordance with its Data Retention Policy, applicable agreements, customer settings, and legal, security, operational, support, and compliance needs. Customers may configure supported retention periods through Marvix settings or written request, subject to product, deployment, backup, legal, and customer-specific limitations.
‍

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide and secure the Services, comply with legal obligations, resolve disputes, prevent fraud or abuse, support account recovery, enforce agreements, and maintain business records, unless a different period is required by law, an applicable agreement, customer settings, or a written customer-specific configuration.

Deletion from the user interface may not immediately delete all copies from Marvix systems. Deleted data may remain in encrypted rolling backups and limited system logs until expiration through ordinary backup rotation. Marvix does not generally perform record-level deletion from immutable or rolling backups unless required by law or agreed in writing.

Specific retention periods. Where specific periods are not described elsewhere in our agreements, the following apply:
‍

Website analytics data (Google Analytics, Microsoft Clarity): up to 14 months.
Marketing contact information: until you unsubscribe or 5 years of inactivity, whichever is shorter.
Account information: duration of your account plus up to 7 years after closure (for legal, audit, and tax purposes).
Customer Clinical Content (including PHI): as governed by the applicable customer agreement, BAA, and Data Retention Policy.
System logs and audit logs: up to 6 years, longer where required by law or security need.

Additional retention details may be made available to customers under their applicable customer agreement, customer settings, written retention configuration, or customer-facing data retention materials provided by Marvix.

‍
11. Data Location and Cross-Border Processing
‍
Marvix stores production data in the United States. Support, engineering, configuration, security, administrative, and service operations may involve access or processing from locations outside the customer’s jurisdiction, subject to applicable safeguards, agreements, and legal requirements. Customers are responsible for providing any notices and obtaining any consents required for their use of the Services in the jurisdictions where they operate.

‍
12. European Economic Area, United Kingdom, and Switzerland
‍
Marvix's Services are offered to healthcare organizations and personnel located in the United States. We do not market the Services to, or knowingly contract with, organizations or individuals in the European Economic Area, United Kingdom, or Switzerland. If you are accessing our public website from outside the United States, please be aware that any information you submit will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the website you acknowledge this transfer.

‍
13. Security
‍
Marvix uses administrative, technical, and organizational safeguards designed to protect information processed through the Services. These safeguards include encryption of data at rest and in transit, encrypted rolling backups, access controls, logging, monitoring, and security processes maintained in alignment with Marvix’s HIPAA obligations and SOC 2 control environment. No system, network, or transmission is completely secure, and we cannot guarantee absolute security.

Email and internet transmissions may not always be secure. Users should not send PHI or other sensitive information to Marvix by email unless the email is encrypted and HIPAA-compliant or the email is sent through a secure, HIPAA-appropriate method approved by the User’s organization or Marvix. By sending PHI or sensitive information by email, the sender represents that they are authorized to do so and have used an appropriate transmission method.

If Marvix becomes aware of a Security Incident or breach affecting Customer information, Marvix will notify the affected Customer in accordance with the applicable Business Associate Agreement and applicable law.

‍
14. Privacy Rights and Choices
‍
Depending on your location and relationship with Marvix, you may have rights to access, correct, delete, receive, restrict, object to, or opt out of certain processing of personal information. To exercise rights regarding account or business contact information, contact us using the information below.

If your request concerns PHI or patient records processed by Marvix on behalf of a healthcare provider or other customer, please contact the applicable healthcare provider or customer directly. Marvix will support the customer as required by the applicable BAA.

California and other U.S. state privacy laws may provide additional rights, including rights to know, access, correct, delete, receive a copy of personal information, opt out of certain sales, sharing, targeted advertising, or profiling, and limit certain uses of sensitive personal information, where applicable. For details specific to California, see Section 15. For other U.S. state privacy laws, see Section 16. You may exercise applicable opt-out rights through our “Your Privacy Choices” link or by contacting us as below.

We do not discriminate against individuals for exercising applicable privacy rights.

‍
15. California Privacy Rights (CCPA / CPRA)

This section applies to California residents and supplements the rest of this Privacy Policy as required by the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”).

Categories of personal information collected. In the preceding 12 months, we have collected the categories of personal information identified in Section 3 of this Privacy Policy, which include: identifiers (name, email, IP address, geolocation - general, derived from IP); customer records (contact and billing information); commercial information; internet or network activity (browsing, device, and usage data); professional information (role, specialty, organization); and inferences drawn from the above for analytics purposes. We may also process sensitive personal information limited to account login credentials and, where submitted by authorized users of our Services, health information (which is governed primarily by HIPAA and the applicable BAA, not by CCPA).

Sources of personal information. As described in Section 4 of this Privacy Policy.

Purposes of collection and use. As described in Section 5 of this Privacy Policy.

Categories of third parties to whom we disclose personal information. For business purposes as described in Section 8, including: hosting and infrastructure providers; AI/ML processing providers; analytics providers (Google, Microsoft); customer support and communications providers; payment processors; security and fraud prevention providers; professional advisors; and integration partners at customer direction.

Sale and sharing of personal information. We do not sell personal information in exchange for monetary or other valuable consideration. We do not sell or share PHI for any purpose. We do not use personal information for cross-context behavioral advertising. To the extent any use of analytics cookies on our public website is deemed “sharing” under CPRA, California residents may opt out via our cookie consent banner or the “Your Privacy Choices” link in our website footer.

Sensitive personal information. We do not use or disclose sensitive personal information for purposes other than those permitted under California Civil Code Section 1798.121, and accordingly the “right to limit” does not apply to most of our processing. Where the right applies, California residents may exercise it by contacting privacy@marvix.ai.

Your California rights. California residents have the following rights:
‍

Right to know what personal information we collect, use, disclose, and (where applicable) sell or share.
Right to access and obtain a copy of personal information.
Right to correct inaccurate personal information.
Right to delete personal information, subject to legal exceptions.
Right to opt out of sale or sharing of personal information.
Right to limit use and disclosure of sensitive personal information.
Right to non-discrimination for exercising your rights.

How to exercise your rights. Submit a request to privacy@marvix.ai with the subject line “California Privacy Request” and specify which right you wish to exercise. You may also use any webform we make available for this purpose.

Verification. We will verify your identity before fulfilling rights requests. For most requests, we will ask you to confirm information we already have on file (such as your account email). For requests involving sensitive data, additional verification may be required.

Response timeline. We will acknowledge receipt of your request within 10 business days and respond substantively within 45 calendar days. We may extend this period by an additional 45 days when reasonably necessary, and we will notify you of any extension.

Authorized agents. You may designate an authorized agent to make a request on your behalf. The agent must provide written permission from you, and we may require you to verify your identity directly with us or confirm the agent’s authority.

Notice at collection. This Privacy Policy serves as our notice at collection of personal information for California residents.

Requests about PHI or patient records. If your request concerns PHI or patient records processed by Marvix on behalf of a healthcare provider, please contact the relevant healthcare provider directly, as described in Section 2.

‍
16. Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have rights similar to those described above for California, including the right to access, correct, delete, and opt out of certain processing, subject to the specific requirements of each state’s law. To exercise rights, contact privacy@marvix.ai and indicate your state of residence.

Washington My Health My Data Act notice. Marvix processes health-related information primarily on behalf of healthcare providers as a Business Associate under HIPAA, and such information is generally exempt from the Washington My Health My Data Act under its HIPAA exemption. Marketing-related information collected via our public website is governed by this Privacy Policy and applicable state law.

Profiling and automated decision-making. Where state privacy laws grant a right to opt out of profiling that produces legal or similarly significant effects, the Services are designed so that AI-assisted outputs require affirmative review, validation, and acceptance by a licensed healthcare professional before any clinical, billing, or disclosure use, and Marvix does not automate the signing, locking, or finalization of such outputs (see Section 6). Accordingly, Marvix's AI-assisted outputs do not, in themselves, constitute solely automated decision-making producing legal or similarly significant effects.

‍
17. Communications Preferences

You may opt out of marketing emails by using the unsubscribe link in those emails or contacting us. We may still send transactional, security, legal, product, support, or administrative communications.

‍
18. Children

The Services are intended for use by healthcare professionals and organizations and are not directed to children under 13. We do not knowingly collect personal information directly from children under 13 through our websites or apps. Clinical information about minors may be processed when submitted by authorized healthcare professionals or customers as part of the Services and governed by the applicable customer agreement and BAA.

‍
19. Third-Party Services and Links

The Services may link to or integrate with third-party websites, EHRs, app marketplaces, identity providers, communication tools, analytics tools, and other services. Their privacy practices are governed by their own policies. Marvix is not responsible for third-party privacy practices.

Our websites or communications may include links, social media features, pixels, SDKs, app-store links, marketplace listings, or other third-party integrations. Third parties may collect information independently when you interact with those features or leave our Services, and their practices are governed by their own privacy policies and terms.

‍
20. Feedback

If you submit feedback, suggestions, ideas, including through interactions with Marvix personnel, support channels, sales processes, or product interfaces, or any unsolicited information through any channel, we may use it for any lawful purpose without obligation to you, subject to any confidentiality obligations in an applicable written agreement.

‍
21. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, operations, legal requirements, or privacy practices. The updated version will be indicated by an updated “Last Updated” date. Material changes will be communicated in accordance with applicable law, customer agreements, or our standard notification practices.

‍
22. Contact Us

Questions or requests about this Privacy Policy may be sent to:

Marvix AI, Inc. 25
Morrissey Blvd #1438
Boston, MA 02125
United States
General Inquiries: contact@marvix.ai

For privacy rights requests (California, other state laws, or general privacy inquiries):

Email: privacy@marvix.ai

Please contact your healthcare provider, who can route appropriate requests to us as their Business Associate, as described in Section 2.

‍
23. App Store Disclosures

For mobile applications, this Privacy Policy applies together with the privacy disclosures displayed in the applicable app store. If an app-store disclosure and this Privacy Policy differ, this Privacy Policy and the applicable customer agreement and BAA govern to the extent permitted by law.