Last updated: June 5, 2026
This Privacy Policy explains how ElderberryMD ("ElderberryMD," "we," "us," or "our") collects, uses, shares, and protects information in connection with our website at elderberrymd.com, our patient and provider applications (including elderberry.health), and the care-coordination and practice-management services and software we provide (together, the "Services").
1. Our role and how HIPAA applies
ElderberryMD provides services and software to physician practices and offers a free application to the patients those practices serve. When we create, receive, maintain, or transmit protected health information ("PHI") on behalf of a physician practice, we act as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"), and we handle that PHI only as permitted by our Business Associate Agreement ("BAA") with the practice and by law. In that relationship, the practice is the "covered entity" that controls the PHI, and patients exercise their HIPAA rights primarily through their practice.
This Privacy Policy describes our general practices and applies to information we collect directly through the Services. Where a BAA or a practice's own Notice of Privacy Practices governs specific PHI, those terms control for that information.
2. Information we collect
- Information you provide. Details you submit through our contact form, account registration, and profile (such as name, role, practice, and the message or request you send us).
- Health information. For patients and practices using the Services, this may include records, messages, medications, lab results, appointment details, and clinical documentation that you or your care team enter or that we coordinate on a practice's behalf.
- Usage and device information. Standard log and device data (such as IP address, browser type, pages viewed, and timestamps), collected with first-party, privacy-respecting analytics. We do not embed third-party advertising trackers or sell this data.
3. How we use information
- Provide, operate, secure, and improve the Services, and coordinate care for and between patients and their practices.
- Respond to your inquiries and provide customer support through our Care Team.
- Maintain the safety, integrity, and security of the Services, including fraud prevention and access control.
- Comply with legal obligations and enforce our agreements.
- Develop and improve our Services using de-identified or aggregated information that does not identify you.
We never use PHI for advertising, and we never sell personal information or PHI.
4. How we share information
- With your care team. We share information with the practice and clinicians responsible for your care so they can coordinate and deliver it.
- With service providers (subprocessors). We use vetted vendors (for example, hosting, infrastructure, and communications) under contracts that require appropriate safeguards. Where they handle PHI, they sign Business Associate Agreements with us.
- For legal and safety reasons. When required by law, or to protect the rights, safety, and security of patients, practices, the public, or ElderberryMD.
- Business transfers. In connection with a merger, acquisition, or sale of assets, subject to the protections described in this policy.
We do not sell your personal information, and we never share PHI with advertisers or data brokers. No exceptions.
5. AI-assisted features
Some Services use AI tools—such as AskEvidence and our AI Scribe—to help clinicians and our Care Team work more efficiently. These tools assist people; they do not replace clinical judgment. A clinician reviews, edits, and signs clinical documentation, and AI assistance is not medical advice. We process the information needed to provide these features in accordance with this policy and applicable BAAs.
6. Data retention and security
We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, role-based access controls, multi-factor authentication for privileged access, and the minimum-necessary principle. We retain information for as long as needed to provide the Services and to meet legal, regulatory, and contractual obligations, after which we delete or de-identify it.
7. Your rights and choices
- Access, correction, and deletion. You may request access to, correction of, or deletion of your information. Patients' HIPAA rights to their PHI are exercised through their practice or through the request process we provide.
- Consent. Where we rely on your consent, you may withdraw it. We honor verified patient requests to withdraw consent promptly.
- Communications. You can opt out of non-essential email at any time using the unsubscribe link.
To make a request, contact us.
8. Cookies and analytics
We use only first-party, privacy-respecting analytics to keep the Services running and secure. We do not use third-party advertising pixels or tracking cookies. See our tracker attestation for details.
9. Children
Our website is not directed to children. Where a practice provides the patient application to a minor, that minor's information is handled under the practice's direction and applicable law.
10. State privacy rights
Depending on where you live, you may have additional rights under laws such as the California Consumer Privacy Act (as amended) and Washington's My Health My Data Act. Where these laws apply, we honor the rights they provide, including rights to access, correct, delete, and limit certain processing. Information governed by HIPAA is generally exempt from these state laws but is protected under HIPAA and our BAAs.
11. Where information is processed
We process and store information in the United States.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice.
13. Contact us
For any privacy question or request, please use our contact form.