Privacy Policy
Effective date: May 1, 2026 · Last updated: May 1, 2026
1. Introduction
KiteMD, Inc. (“KiteMD,” “we,” “us”) is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the KiteMD platform at kitemd.com. This policy applies to all users including patients, healthcare providers, business partners, and visitors.
2. Information We Collect
Information you provide
- Account information: email address, phone number, name, and authentication credentials (managed via Supabase Auth)
- Patient health information: demographic data, health history, current medications, allergies, photos, and consent records submitted during the intake process
- Provider information: name, NPI number, specialty, licensed states, and credential documents
- Partner information: business name, type, contact details, and proposed pricing
- Messages: content of secure messages between patients and providers
- Payment information: processed by Stripe; we do not store credit card numbers on our servers
Information collected automatically
- Usage data: pages visited, features used, and interaction patterns
- Device information: browser type, operating system, and user agent
- IP-derived data: we hash IP addresses with a daily salt for rate limiting and scan attribution; raw IP addresses are not stored
- QR scan events: when a visitor scans a partner's QR code, we record the source, hashed IP, and user agent for attribution
3. How We Use Your Information
- To provide and operate the Platform, including clinical intake, provider review, and subscription management
- To facilitate communication between patients and providers
- To process payments and manage subscriptions via Stripe
- To send transactional emails and SMS (OTP codes, appointment confirmations, clinical decisions)
- To generate partner dashboards and revenue reporting (using aggregated, non-PHI data)
- To maintain security, prevent fraud, and enforce our Terms of Service
- To comply with legal obligations and respond to lawful requests
4. Data Protection and Security
We implement multiple layers of security to protect your information:
- Encryption at rest: all Protected Health Information (PHI) is encrypted using column-level encryption (pgp_sym_encrypt) with keys stored in Supabase Vault
- Encryption in transit: all data is transmitted over TLS 1.2 or higher
- Row-Level Security: database-enforced access controls ensure users can only access data they are authorized to see
- Audit logging: all access to PHI, clinical decisions, and security events are recorded in an append-only audit log
- Signed URLs: patient photos are accessible only via time-limited signed URLs that expire within 7 days
- Session management: provider and admin sessions expire after 30 minutes of inactivity
5. Data Sharing and Disclosure
We do not sell your personal information. We share information only in the following circumstances:
- With healthcare providers: patient intake data is shared with the assigned licensed physician for clinical review
- With business partners: partners see aggregated subscription data (initials, masked identifiers, track, status) but never patient PHI (full names, health history, photos, messages)
- Service providers: we use Stripe (payments), Resend (email), Twilio (SMS), Supabase (database and auth), and Vercel (hosting) to operate the Platform. Each provider processes data under their own privacy policies and, where applicable, Business Associate Agreements
- Legal requirements: we may disclose information when required by law, subpoena, or court order
6. Data Retention
- Patient data: retained for the duration of active subscriptions plus 6 years for compliance purposes
- Audit logs: retained for a minimum of 6 years in append-only storage
- Soft-deleted data: when a patient account is soft-deleted, PHI is redacted after 30 days; audit log entries are preserved
- Application data: partner and provider applications are retained indefinitely for operational purposes
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and associated data (subject to legal retention requirements)
- Opt out of non-essential communications
- Receive a copy of your data in a portable format
To exercise these rights, contact us at hello@kitemd.com.
8. Cookies and Tracking
KiteMD uses essential cookies for authentication session management and user preferences. We do not use third-party advertising cookies or tracking pixels. The kite_pending cookie stores the selected wellness track during the onboarding flow and is cleared after account creation.
9. Children's Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we learn that we have collected information from a person under 18, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Last updated” date at the top of this page indicates when the policy was most recently revised.
11. Contact Us
For privacy-related questions or requests, contact us at hello@kitemd.com or write to: KiteMD, Inc., Privacy Team.