Privacy policy
Last updated 2026-05-18
1. Introduction
Plya Med, Inc. ("Plya Med," "we," "us," or "our") operates the platform at plyamed.com and related applications (collectively, the "Services"). This privacy policy describes how we collect, use, share, and protect information about you when you use our Services.
Plya Med operates as a HIPAA-compliant healthcare technology provider. When we process Protected Health Information (PHI) on behalf of a covered entity, we do so under a Business Associate Agreement (BAA) with that entity, and the covered entity's privacy practices govern that PHI in addition to this policy.
2. Information we collect
Account information. Name, email address, phone number, organization, role, and password (stored hashed).
Communication preferences. Your opt-in choices for email and SMS notifications.
Usage data. Pages visited, features used, timestamps, IP address, browser, device type.
Order and transaction data. Products ordered, shipping addresses, payment method tokens (full payment card numbers are processed by our PCI-compliant payment processor and not stored by Plya Med).
PHI. When you use Plya Med to manage patient encounters, schedules, or clinical records, we process PHI on behalf of your organization as a Business Associate under HIPAA.
3. How we use information
- Provide, operate, and maintain the Services
- Process orders, payments, and shipments
- Send transactional emails and SMS (order updates, password reset codes, account alerts) — only when you have opted in
- Verify your identity, authenticate logins, and detect fraud or abuse
- Respond to support requests
- Comply with legal obligations and protect rights and safety
- Improve our Services through aggregated, de-identified analytics
We do not use PHI for marketing or product analytics.
4. SMS communications
We send SMS only to phone numbers that have explicitly opted in via the consent checkbox during account signup or another express opt-in mechanism. SMS use is strictly transactional: order notifications and account security codes. We do not send promotional or marketing SMS. Details and opt-out instructions are at plyamed.com/sms-opt-out.
Message and data rates may apply. Reply STOP to any Plya Med message to unsubscribe. Reply HELP for help.
5. How we share information
Service providers. We share information with vendors that help us operate the Services, under contracts that require them to use the information only for the purposes we direct. Current providers include Twilio (SMS), SendGrid (email), Google Cloud Platform (hosting and storage), Daily.co (telehealth video), Anthropic (AI features), and standard analytics tools (in de-identified form where possible).
HIPAA Business Associates. Where any provider has access to PHI, we have a Business Associate Agreement (BAA) in place.
Legal. We may disclose information to comply with applicable law, valid legal process, or to protect the rights, property, or safety of Plya Med, our users, or the public.
Business transfers. If Plya Med is involved in a merger, acquisition, or asset sale, information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
We do not sell personal information. We do not share mobile numbers or consent data with third parties for marketing purposes.
6. Data security
We use industry-standard administrative, technical, and physical safeguards: TLS 1.2+ in transit, AES-256 at rest for sensitive fields, role-based access controls, audit logging, and 15-minute idle-session timeouts on PHI-accessing sessions. No system is impervious; you are responsible for keeping your account credentials confidential.
7. Your rights
Depending on your jurisdiction (including residents of California, Colorado, Connecticut, Virginia, and Utah), you may have rights to: access your data, correct inaccuracies, delete data, port data, opt out of certain processing, and lodge a complaint with a supervisory authority. To exercise these rights, contact privacy@plyamed.com.
For PHI specifically, your rights are governed by HIPAA and the privacy practices of the covered entity that controls the data. Contact your healthcare provider directly to exercise HIPAA rights.
8. Retention
We retain account information for as long as your account is active and as needed to provide the Services. Transactional records (orders, payments) are retained for at least seven years to meet tax and regulatory requirements. PHI is retained according to the HIPAA-compliant retention policy of the covered entity (typically a minimum of seven years from the date of last entry per Minnesota state law).
9. Children
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it.
10. Changes
We may update this policy. When we do, we will update the "last updated" date at the top of this page. Material changes will be communicated by email or in-app notice before taking effect.
11. Contact
Questions or requests: privacy@plyamed.com. General support: joshua@eloramedical.net.