Last Updated: April 28, 2026
At Mira Health, protecting patient data is foundational to everything we build. As a healthcare technology company processing Protected Health Information (PHI), we hold ourselves to the highest standards of data privacy and security. This Privacy Policy describes how we collect, use, store, and protect information when you use our platform.
Audio recordings of patient encounters, AI-generated transcripts, SOAP notes, operative reports, and associated clinical documentation created through your use of the platform.
Name, email address, professional credentials, NPI number, practice name, and billing information provided during registration and account management.
Platform interaction data such as feature usage patterns, session duration, and performance metrics. This data is anonymized and never linked to patient information.
Device type, browser version, IP address, and similar technical information collected automatically to ensure platform security and performance.
Processing clinical encounters, generating documentation, suggesting CPT/ICD-10 codes, and providing revenue cycle management intelligence.
Analyzing anonymized, de-identified usage patterns to improve platform reliability, accuracy, and feature development. We do NOT use your patient data to train AI models.
Sending service notifications, security alerts, and product updates relevant to your account. You can manage communication preferences in your account settings.
Maintaining audit logs, detecting unauthorized access, and fulfilling legal and regulatory obligations.
Mira Health operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We execute a Business Associate Agreement (BAA) with every covered entity before any PHI is processed. Our HIPAA compliance program includes administrative, physical, and technical safeguards; workforce training and access management; incident response and breach notification procedures; and regular risk assessments and policy reviews.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3.
Data is stored in US-based AWS data centers within private Virtual Private Clouds (VPCs) with network-level isolation.
Role-based access control (RBAC), multi-factor authentication, and principle of least privilege across all systems.
Continuous security monitoring, intrusion detection, and automated alerting for anomalous activity. SOC 2 Type II audited.
We retain your data only as long as necessary to provide our services and meet legal obligations. Clinical data retention periods are configurable based on your organizational policies and applicable state regulations. Upon account termination, you have 30 days to export your data, after which it is permanently and irrecoverably deleted from all systems, including backups. To request account or data deletion, email [email protected].
To provide our services, we share data with trusted third-party providers. Each provider operates under a signed Business Associate Agreement (BAA) where applicable, and maintains data protection standards equivalent to or greater than our own. We do not sell, rent, or trade your personal information or patient data. For a complete list, see our Subprocessor List at mirahealth.care/subprocessors.
Deepgram: Audio recordings are streamed during clinical encounters for real-time speech-to-text transcription.
Anthropic (via AWS Bedrock): Transcript text is sent to generate clinical notes (SOAP, H&P, progress notes).
Audio and transcripts are deleted from third-party servers after processing. Your data is never used to train AI models.
PostHog: Product usage events tied to user accounts are collected for platform improvement and performance monitoring. No patient information is included in analytics events.
Amazon Web Services (AWS): Hosting, storage, and compute infrastructure in US-only data regions.
Google Firebase: User authentication and identity management.
All third-party providers with whom we share user or patient data have executed Business Associate Agreements with Mira and maintain SOC 2 and/or HIPAA-compliant security infrastructure. Mira contractually requires that all such providers offer data protection equivalent to or greater than the standards described in this policy.
Your data is never used to train AI models. Our third-party AI providers (Deepgram and Anthropic) process your data for inference only and do not retain it for model training purposes.
You have the right to access, correct, or request deletion of your personal information. For patient data, access and amendment requests should be directed through the covered entity (your healthcare provider). To exercise any of these rights, contact us at the address below. We respond to all verified requests within 30 days.
Our marketing site uses PostHog for privacy-friendly analytics. We do not use Google Analytics. Within the clinical platform, we collect only the minimum usage telemetry necessary for service reliability. We do not use third-party advertising trackers or sell data to advertisers.
Mira Health services are intended for use by licensed healthcare professionals. We do not knowingly collect personal information from individuals under 18. The platform may process pediatric patient data only as directed by an authorized healthcare provider under a valid BAA.
We may update this Privacy Policy from time to time. We will provide at least 30 days' notice of material changes via email. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the services after changes take effect constitutes acceptance.
If you have questions about this Privacy Policy or our data practices, please contact us at [email protected].