Privacy Policy

1. Introduction

Medkive, LLC (“Medkive,” “we,” “our,” or “us”) operates the website located at medkive.com (the “Site”) and the Medkive Vault, a credential management and packet-building application available to registered users (the “Vault”). Together, the Site and the Vault are referred to in this Policy as the “Services.”

This Privacy Policy explains what information we collect when you use our Services, how we use and protect that information, your rights with respect to your information, and how to contact us with questions or requests.

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Services.

Who this Policy covers. The Services are intended exclusively for licensed physicians and other credentialed healthcare professionals who are 18 years of age or older and located in the United States. We do not knowingly collect information from individuals outside the United States or from minors.

2. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information from third parties.

2.1 Information You Provide Directly

Account registration and profile. When you create a Vault account, we collect your name, email address, password (stored in hashed form), medical degree (MD/DO), and National Provider Identifier (NPI).

Professional credential information. The core purpose of the Vault is to help you manage your professional credentials. To use the Vault, you may provide the following categories of information:

• State medical license details (state, license number, issue and expiration dates, renewal fees, board portal information, status)
• DEA registration details (DEA number, associated state license, expiration date, schedules, status)
• Controlled substance registration details (state, registration number, expiration date, status)
• CME records (course title, provider, completion date, credit hours, category, certificate)
• Board certification details (specialty, certifying board, certification and expiration dates, status)
• Malpractice insurance details (carrier, policy number, coverage dates, coverage amounts)
• Life support certification details (certification type, issuing organization, expiration date)
• Reminder preferences (credential type, days-before-expiration trigger, delivery method)

Reference files and other documents. You may upload documents to the Vault, including but not limited to: medical school diploma, transcripts, USMLE/COMLEX scores, residency and fellowship certificates, ECFMG certificate, curriculum vitae, government-issued photo identification, AMA Physician Profile, background check results, immunization records, NPDB self-query, IRS Form W-9, OIG and SAM exclusion checks, malpractice claims history, and jurisprudence exam results. You may also upload additional documents you designate as “Other Files.”

Packet builder information. When using the Vault’s credentialing packet builder, you may provide packet names, target states, packet types (e.g., new state license application, hospital privileges, insurance credentialing), and any cover sheet or supplemental information you choose to include.

CAQH ProFile ID. You may optionally provide your CAQH ProFile ID for use in credentialing packets.

Communications. When you contact us via the contact form on the Site or by email, we collect your name, email address, phone number (if provided), and the content of your message.

Early access requests. If you submit an early access request through the Site, we collect your name, email address, NPI, and the number of states for which you require licensure.

2.2 Information Collected Automatically

When you visit the Site or use the Vault, we and our service providers may automatically collect:

• Log data: IP address, browser type and version, operating system, referring and exit pages, date and time of access, pages viewed, and clickstream data
• Device information: device type, unique device identifiers, and general geographic location inferred from IP address (city/state level only)
• Usage data: features accessed, actions taken within the Vault, session duration, and error reports
• Cookies and similar technologies: see Section 5 for details

2.3 Information from Third Parties

We use Supabase for authentication and database services. If you authenticate through Supabase’s authentication flow, we receive the information you provide during that process. We do not currently offer social login (e.g., Google, Apple). We do not purchase or obtain data about you from data brokers or other third-party commercial sources.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Services, including creating and managing your Vault account, storing your credential data, generating credentialing packets, and sending expiration reminders
• To process and fulfill early access requests and communicate with you about your account
• To respond to your inquiries and support requests
• To improve and develop the Services, including analyzing usage patterns and diagnosing technical issues
• To send transactional and operational communications, such as credential expiration reminders, account notifications, and service updates (you may manage reminder preferences within the Vault)
• To send marketing communications about Medkive’s products and services, where permitted by law and subject to your opt-out rights described in Section 8
• To detect, prevent, and respond to fraud, security incidents, abuse, and violations of our Terms of Service
• To comply with applicable law, legal process, and regulatory requirements
• To enforce our agreements and protect the rights, property, and safety of Medkive, our users, and the public

No sale of your data. We do not sell your personal information to third parties.

No use of credential data for advertising. We do not use the professional credential information you store in the Vault to serve you targeted advertising, nor do we share it with advertising networks.

4. How We Share Your Information

We share your information only in the limited circumstances described below.

4.1 Service Providers

We share information with vendors and service providers that help us deliver the Services, including:

• Supabase, Inc. — database hosting, authentication, and file storage (United States)
• Vercel, Inc. — application hosting and deployment (United States)
• Resend — transactional email delivery (United States)

These providers are contractually required to use your information only as directed by us and in accordance with this Policy, and to maintain appropriate security measures. We do not authorize them to use your information for their own independent purposes.

4.2 Legal Obligations and Protection of Rights

We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or enforceable governmental request; (b) enforce our Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Medkive, our users, or the public.

4.3 Business Transfers

If Medkive is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your information may be transferred as part of that transaction. We will notify you by updating this Policy and, where required by law, by direct notice before your information is transferred and becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so.

4.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may publish statistics about platform usage or professional credentialing trends. We commit not to re-identify such data.

5. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Services.

• Essential cookies: Required for authentication, session management, and basic site functionality. You cannot opt out of these without disabling the Services.
• Analytics cookies: Used to understand how visitors interact with the Site and Vault (e.g., pages visited, features used, errors encountered). Where analytics tools are used, they are configured to minimize data collection.

You can control cookies through your browser settings. Please note that disabling cookies may affect the functionality of the Services. We do not currently respond to Do Not Track (DNT) browser signals, as no uniform standard for DNT has been adopted.

California residents may have additional rights under the CCPA regarding cookies used for cross-context behavioral advertising. See Section 8 for details.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Services. Specifically:

• Vault account data and credential records are retained for the duration of your account and for a reasonable period after account deletion to allow for recovery of inadvertently deleted accounts (typically 30 days)
• Uploaded documents (reference files and other files) are deleted from our storage systems within 30 days of account deletion or within 30 days of your deletion of the individual file, whichever comes first
• Log and usage data are retained for up to 12 months
• Communication records (contact form submissions, support emails) are retained for up to 3 years

You may request deletion of your account and associated data at any time as described in Section 8. We may retain certain information for longer periods where required by law or for legitimate business purposes such as fraud prevention, dispute resolution, or enforcement of our agreements.

7. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information against unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit using TLS/HTTPS
• Encryption of data at rest on our database and storage platforms
• Row-level security policies that ensure each user can access only their own data
• Hashed storage of passwords (we never store passwords in plaintext)
• Access controls limiting Medkive personnel access to user data

No method of data transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at privacy@medkive.com.

In the event of a data breach that affects your information and requires notification under applicable law, we will notify you in accordance with applicable state breach notification statutes.

8. Your Rights and Choices

Depending on your state of residence, you may have certain rights with respect to your personal information. We honor these rights for all U.S. users regardless of state, as described below.

8.1 Access and Portability

You have the right to request a copy of the personal information we hold about you. You can export your credential data directly from the Vault at any time. For a full account data export, contact us at privacy@medkive.com.

8.2 Correction

You can update or correct most of your account and credential information directly within the Vault. If you need assistance correcting information you cannot update yourself, contact us at privacy@medkive.com.

8.3 Deletion

You have the right to request deletion of your personal information. You can delete your account from within the Vault settings. Upon account deletion, we will delete or anonymize your personal information as described in Section 6, subject to exceptions for legal obligations or legitimate business purposes.

8.4 Opt-Out of Marketing Communications

You may opt out of marketing emails at any time by clicking the “Unsubscribe” link in any marketing email or by contacting us at privacy@medkive.com. Transactional and operational communications (such as credential expiration reminders and account security notices) are not subject to opt-out as they are necessary to provide the Services.

8.5 Opt-Out of Sale or Sharing of Personal Information (California)

Medkive does not sell personal information as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not share personal information for cross-context behavioral advertising. California residents therefore have no sale or sharing to opt out of at this time.

8.6 Limit Use of Sensitive Personal Information (California)

Under California law, certain categories of information are classified as “sensitive personal information.” Government-issued identification numbers (such as NPI) and professional credentials may fall within this category. We use such information solely to provide the Services and do not use it for any purpose that would require us to offer a “Limit the Use of My Sensitive Personal Information” opt-out under CPRA.

8.7 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. We will not deny you access to the Services, charge you different prices, or provide a different level of service because you exercised a right described in this section.

8.8 Submitting a Rights Request

To exercise any of the rights described above, contact us at:

• Email: privacy@medkive.com

We will respond to verifiable requests within 45 days of receipt. If we need additional time (up to 90 days total), we will notify you of the extension and the reason. We may ask you to verify your identity before fulfilling a request. You may designate an authorized agent to submit requests on your behalf; we may require written authorization and identity verification.

We will not charge a fee for responding to requests unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or decline the request.

9. State-Specific Privacy Disclosures

In addition to the rights described in Section 8, residents of certain states have additional rights under state privacy law. This section provides disclosures required under those laws.

9.1 California Residents (CCPA / CPRA)

Categories of personal information collected in the past 12 months: Identifiers (name, email, IP address, NPI); professional or employment-related information (medical licenses, DEA registrations, board certifications, CME records); education information (medical school, residency, fellowship details); documents and files you upload; internet or other electronic network activity information (log data, usage data); and geolocation data (city/state level, inferred from IP address).

Business or commercial purposes for collection: As described in Section 3.

Categories of third parties with whom we share personal information: Service providers (Supabase, Vercel, Resend) as described in Section 4.1.

No sale or sharing: We do not sell personal information and do not share it for cross-context behavioral advertising.

Sensitive personal information: We collect government ID numbers (NPI) and professional credential information that may qualify as sensitive personal information. We use this information solely to provide the Services.

Retention periods: As described in Section 6.

Right to know, delete, correct, and opt out: Described in Section 8.

Shine the Light (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes. California residents may request information about any disclosures made to third parties for direct marketing purposes by contacting privacy@medkive.com.

Authorized agent: California residents may designate an authorized agent to submit requests. We may require proof of authorization and verify your identity directly.

9.2 Colorado, Connecticut, Virginia, Texas, and Other State Privacy Laws

If you are a resident of Colorado, Connecticut, Virginia, Texas, or another state that has enacted a comprehensive consumer privacy law, you may have rights to access, correct, delete, and obtain a portable copy of your personal information, and to opt out of certain processing activities. We extend these rights to all U.S. users as described in Section 8. To submit a request, contact privacy@medkive.com.

If you believe we have not fulfilled a privacy request, you may have the right to appeal by contacting us at privacy@medkive.com with the subject line “Privacy Request Appeal.” We will respond within 60 days.

9.3 Nevada Residents

Nevada law (SB 220) permits Nevada residents to opt out of the sale of covered personal information. We do not sell personal information as defined under Nevada law. For inquiries, contact privacy@medkive.com.

10. Minors

The Services are intended exclusively for licensed physicians and other credentialed healthcare professionals who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a minor without verification of parental consent, we will take steps to delete that information as quickly as possible.

11. Third-Party Links and Services

The Site may contain links to third-party websites, including state medical board websites and other resources. This Policy does not apply to those third-party sites, and we are not responsible for their privacy practices. We encourage you to review the privacy policy of any third-party site you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the “Last Updated” date at the top of this Policy and, where required by law or where we deem appropriate, by sending you an email notice. Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the changes.

For material changes that affect how we use your existing credential or identity information, we will provide at least 30 days’ advance notice before the changes take effect.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Medkive, LLC
Email: privacy@medkive.com

We will respond to privacy-related inquiries within 45 days.