Privacy Policy

Last Updated: April 11, 2026

1. Our Commitment to Privacy

At Mira Health, protecting patient data is foundational to everything we build. As a healthcare technology company processing Protected Health Information (PHI), we hold ourselves to the highest standards of data privacy and security. This Privacy Policy describes how we collect, use, store, and protect information when you use our platform.

2. Information We Collect

Clinical Data

Audio recordings of patient encounters, AI-generated transcripts, SOAP notes, operative reports, and associated clinical documentation created through your use of the platform.

Account Information

Name, email address, professional credentials, NPI number, practice name, and billing information provided during registration and account management.

Usage Data

Platform interaction data such as feature usage patterns, session duration, and performance metrics. This data is anonymized and never linked to patient information.

Technical Data

Device type, browser version, IP address, and similar technical information collected automatically to ensure platform security and performance.

3. How We Use Your Information

Service Delivery

Processing clinical encounters, generating documentation, suggesting CPT/ICD-10 codes, and providing revenue cycle management intelligence.

Platform Improvement

Analyzing anonymized, de-identified usage patterns to improve platform reliability, accuracy, and feature development. We do NOT use your patient data to train AI models.

Communication

Sending service notifications, security alerts, and product updates relevant to your account. You can manage communication preferences in your account settings.

Compliance & Security

Maintaining audit logs, detecting unauthorized access, and fulfilling legal and regulatory obligations.

4. HIPAA Compliance

Mira Health operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We execute a Business Associate Agreement (BAA) with every covered entity before any PHI is processed. Our HIPAA compliance program includes administrative, physical, and technical safeguards; workforce training and access management; incident response and breach notification procedures; and regular risk assessments and policy reviews.

5. Data Security

Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Infrastructure

Data is stored in US-based AWS data centers within private Virtual Private Clouds (VPCs) with network-level isolation.

Access Controls

Role-based access control (RBAC), multi-factor authentication, and principle of least privilege across all systems.

Monitoring

Continuous security monitoring, intrusion detection, and automated alerting for anomalous activity. SOC 2 Type II audited.

6. Data Retention & Deletion

We retain your data only as long as necessary to provide our services and meet legal obligations. Clinical data retention periods are configurable based on your organizational policies and applicable state regulations. Upon account termination, you have 30 days to export your data, after which it is permanently and irrecoverably deleted from all systems, including backups.

7. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information or patient data to any third party. We may share data only with infrastructure sub-processors necessary to operate the platform (all bound by BAAs and equivalent data protection agreements), when required by law or valid legal process, or with your explicit written consent. A current list of sub-processors is available upon request.

8. Your Rights

You have the right to access, correct, or request deletion of your personal information. For patient data, access and amendment requests should be directed through the covered entity (your healthcare provider). To exercise any of these rights, contact us at the address below. We respond to all verified requests within 30 days.

9. Cookies & Analytics

Our marketing site uses PostHog for privacy-friendly analytics. We do not use Google Analytics. Within the clinical platform, we collect only the minimum usage telemetry necessary for service reliability. We do not use third-party advertising trackers or sell data to advertisers.

10. Children's Privacy

Mira Health services are intended for use by licensed healthcare professionals. We do not knowingly collect personal information from individuals under 18. The platform may process pediatric patient data only as directed by an authorized healthcare provider under a valid BAA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes via email. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the services after changes take effect constitutes acceptance.

12. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at [email protected].