Privacy Policy

Effective Date: January 12, 2026
Last Updated: January 12, 2026

1. Introduction

This Privacy Policy describes how Meelio AI Ltd. ("we," "us," or "our") collects, uses, discloses, and protects information when you use our Meelio desktop application and related services (collectively, the "Service").

Meelio is a healthcare platform designed for healthcare practitioners, including nutritionists, dietitians, and other healthcare providers. Our Service facilitates patient management, clinical documentation, care planning, and consultation workflows.

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Who We Are

Data Controller:
Meelio AI Ltd.
United Kingdom

Contact for Privacy Inquiries:
Email: privacy at meelio dot ai

For EU/UK data protection matters, you may also contact our designated privacy contact at the email address above.

3. Information We Collect

We collect different categories of information depending on how you interact with our Service.

3.1 Practitioner Account Information

When you create an account and use Meelio as a healthcare practitioner, we collect:

  • Identity Data: First name, last name, email address, phone number
  • Professional Data: National Provider Identifier (NPI), medical specialties, taxonomy codes, professional credentials
  • Organisation Data: Practice or organisation name, organisation type, billing information, tax identification numbers
  • Authentication Data: Login credentials (passwords are hashed and never stored in plain text)

3.2 Patient Health Information

When you use Meelio to manage patient care, we process patient information on your behalf. This may include:

  • Demographics: Patient names, email addresses, phone numbers, dates of birth, gender
  • Health Data: Medical conditions, diagnoses, allergies, medications
  • Clinical Records: Consultation notes, transcriptions, clinical summaries
  • Care Plans: Treatment plans, meal plans, dietary recommendations
  • Body Measurements: Height, weight, activity levels
  • Behavioural Data: Adherence logs, patient progress notes

Important: As a practitioner, you are responsible for obtaining appropriate consent from your patients before entering their information into Meelio. We process patient data as a data processor on your behalf.

3.3 Data from Third-Party Integrations

If you connect Meelio to external systems, we may receive:

  • EHR/Practice Management Data: Patient records, appointments, clinical history synced from systems such as Practice Better, Cerbo, or Epic
  • Calendar Data: Appointment information from Google Calendar

3.4 Technical and Usage Data

We automatically collect certain information when you use the Service:

  • Device Information: Operating system, application version, device identifiers
  • Usage Data: Features accessed, actions taken within the application, session duration
  • Log Data: IP addresses, access times, error logs (stored in audit logs for security and compliance purposes)

3.5 Audio and Transcription Data

When you use our consultation recording features:

  • Audio Recordings: Consultation recordings captured with your consent
  • Transcriptions: Text transcriptions generated from audio recordings
  • AI-Generated Content: Clinical notes and summaries generated from transcriptions

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Provision

  • Creating and managing your practitioner account
  • Enabling patient management and clinical documentation
  • Processing and storing consultation transcriptions
  • Generating AI-assisted clinical notes and care plans
  • Synchronising data with connected EHR systems and calendars

4.2 AI-Powered Features

  • Transcribing consultation audio using speech recognition technology
  • Generating clinical notes and summaries using large language models
  • Creating personalised meal plans and care recommendations
  • Generating recipe images and nutritional content

4.3 Service Improvement

  • Analysing usage patterns to improve functionality
  • Identifying and fixing technical issues
  • Developing new features based on user needs

4.4 Communications

  • Sending service-related notifications
  • Providing customer support
  • Sending important updates about the Service or this Privacy Policy

4.5 Legal and Compliance

  • Maintaining audit logs for regulatory compliance
  • Responding to legal requests and preventing fraud
  • Enforcing our terms of service

6. Data Sharing and Third Parties

We share your information with third parties only as described below.

6.1 Sub-Processors

We use the following categories of service providers to operate Meelio:

  Provider                  | Purpose                                  | Data Processed                       | Location
  --------------------------|------------------------------------------|--------------------------------------|--------------
  Google Cloud Platform     | Cloud infrastructure and hosting         | All service data                     | United States
  Google Identity Platform  | User authentication                      | Email, authentication credentials    | United States
  Google Cloud Storage      | File and document storage                | Uploaded files, generated images     | United States
  Google Vertex AI          | AI features (clinical notes, summaries)  | Consultation context, transcriptions | United States
  Google Calendar           | Calendar integration                     | Appointment data                     | United States
  Deepgram                  | Audio transcription                      | Consultation audio recordings        | United States
  PostHog                   | Product analytics                        | Usage data, anonymised events        | Europe
  SendGrid                  | Email communications                     | Email addresses, names               | United States

6.2 EHR and Practice Management Integrations

If you connect Meelio to external EHR systems (such as Practice Better, Cerbo, or Epic), data will be exchanged between Meelio and those systems according to your integration settings. These integrations are initiated and controlled by you.

6.3 Legal Requirements

We may disclose your information if required by law or if we believe disclosure is necessary to:

  • Comply with legal obligations or valid legal process
  • Protect our rights, property, or safety
  • Prevent fraud or other illegal activities

6.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

7. International Data Transfers

Meelio AI Ltd. is based in the United Kingdom. Our primary infrastructure is hosted on Google Cloud Platform in the United States.

When we transfer personal data from the UK or European Economic Area (EEA) to the United States or other countries, we ensure appropriate safeguards are in place:

7.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): We rely on European Commission-approved Standard Contractual Clauses for transfers to our sub-processors.
  • Data Processing Agreements: We have data processing agreements in place with all sub-processors that include appropriate data protection commitments.
  • Google Cloud Compliance: Google Cloud Platform maintains comprehensive compliance certifications and commits to SCCs for EU/UK data transfers.

7.2 Your Rights Regarding Transfers

You have the right to request information about the safeguards we have in place for international transfers. Contact us at privacy at meelio dot ai for more information.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

8.1 Retention Periods

  Data Category                     | Retention Period
  ----------------------------------|----------------------------------------------------------
  Practitioner account data         | Duration of account plus 2 years after account deletion
  Patient health records            | 7 years from last interaction (UK/US healthcare standard)
  Clinical notes and transcriptions | 7 years from creation
  Audit logs (HIPAA compliance)     | 6 years from creation
  Analytics data                    | 26 months from collection
  Email communication records       | 3 years from sending

8.2 Practitioner Control

As a practitioner, you control the retention of your patients' data within Meelio. You may delete patient records in accordance with your own data retention policies and applicable regulations.

8.3 Account Deletion

When you delete your account, we will:

  • Delete or anonymise your personal data within 30 days
  • Retain audit logs as required for compliance purposes
  • Notify you of any data that must be retained for legal reasons

9. Data Security

We implement appropriate technical and organisational measures to protect your data.

9.1 Technical Measures

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Sensitive data, including EHR credentials and authentication tokens, is encrypted at rest.
  • Access Controls: Role-based access controls limit data access to authorised personnel only.
  • Secure Authentication: We use Google Identity Platform with industry-standard security practices.

9.2 Organisational Measures

  • Audit Logging: We maintain comprehensive audit logs of data access for compliance and security monitoring.
  • Employee Training: Personnel with access to personal data receive privacy and security training.
  • Incident Response: We have procedures in place to detect, report, and respond to data breaches.

9.3 Your Responsibilities

You are responsible for:

  • Maintaining the security of your account credentials
  • Ensuring your device meets minimum security requirements
  • Logging out of shared or public devices
  • Reporting any suspected security incidents promptly

10. Your Rights

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data:

10.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

10.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

10.3 Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

10.4 Right to Restriction

You have the right to request that we restrict processing of your personal data in certain circumstances.

10.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

10.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

10.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features assist practitioners but do not make autonomous decisions about patient care.

10.8 Exercising Your Rights

To exercise any of these rights, please contact us at privacy at meelio dot ai. We will respond to your request within one month. In some cases, we may need to verify your identity before processing your request.

10.9 Right to Complain

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Website: ico.org.uk

11. HIPAA Compliance

Meelio is designed to support healthcare practitioners in the United States who are subject to the Health Insurance Portability and Accountability Act (HIPAA).

11.1 Our Role

When you use Meelio to process Protected Health Information (PHI) of patients in the United States:

  • You (the practitioner) are the Covered Entity or Business Associate under HIPAA
  • We (Meelio) act as a Business Associate on your behalf

11.2 Business Associate Agreements

We are prepared to enter into Business Associate Agreements (BAAs) with covered entities. To request a BAA, please contact us at privacy at meelio dot ai.

11.3 HIPAA Safeguards

We implement safeguards aligned with HIPAA requirements:

  • Administrative Safeguards: Policies and procedures for handling PHI, workforce training, and access management
  • Physical Safeguards: Data centre security through Google Cloud Platform's certified facilities
  • Technical Safeguards: Encryption, access controls, audit logging, and automatic session management

11.4 Audit Logging

We maintain detailed audit logs of access to PHI, including:

  • User identity and action performed
  • Date and time of access
  • Data accessed
  • Success or failure of the action

These logs are retained for a minimum of 6 years as required by HIPAA.

11.5 Patient Rights Under HIPAA

Patients have rights under HIPAA regarding their PHI, including rights to access, amend, and receive an accounting of disclosures. As the practitioner, you are responsible for responding to patient requests regarding PHI stored in Meelio.

12. Cookies and Tracking Technologies

12.1 What We Use

Meelio is a desktop application that uses the following client-side storage:

  Technology                      | Purpose                           | Duration
  --------------------------------|-----------------------------------|-------------------------------
  localStorage (auth_token)       | Authentication session management | Until logout or token expiry
  localStorage (profile-storage)  | User preferences and settings     | Persistent until cleared
  sessionStorage                  | Temporary application state       | Application session only

12.2 Analytics

We use PostHog for product analytics to understand how the Service is used and to improve functionality. Analytics data includes:

  • Page views and feature usage
  • Session duration and navigation patterns
  • Error tracking for debugging

Analytics data is processed in accordance with our legitimate interests in improving the Service. You may contact us to opt out of analytics tracking.

12.3 No Third-Party Advertising

We do not use cookies or tracking technologies for third-party advertising purposes.

13. Children's Privacy

Meelio is designed for use by healthcare practitioners and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.

If you become aware that a child has provided us with personal data, please contact us at privacy at meelio dot ai, and we will take steps to delete such information.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.

14.1 Notification of Changes

We will notify you of material changes by:

  • Posting the updated policy on our website
  • Displaying a notice within the Meelio application
  • Sending an email to your registered email address (for significant changes)

14.2 Effective Date

Changes will be effective on the date stated at the top of the updated Privacy Policy. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: privacy at meelio dot ai

Postal Address:
Meelio AI Ltd.
United Kingdom

We aim to respond to all enquiries within 30 days.

This Privacy Policy is provided in English. If there is any conflict between the English version and a translated version, the English version shall prevail.