Privacy Policy

Last updated: June 5, 2026

This Privacy Policy explains how ElderberryMD ("ElderberryMD," "we," "us," or "our") collects, uses, shares, and protects information in connection with our website at elderberrymd.com, our patient and provider applications (including elderberry.health), and the care-coordination and practice-management services and software we provide (together, the "Services").

1. Our role and how HIPAA applies

ElderberryMD provides services and software to physician practices and offers a free application to the patients those practices serve. When we create, receive, maintain, or transmit protected health information ("PHI") on behalf of a physician practice, we act as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"), and we handle that PHI only as permitted by our Business Associate Agreement ("BAA") with the practice and by law. In that relationship, the practice is the "covered entity" that controls the PHI, and patients exercise their HIPAA rights primarily through their practice.

This Privacy Policy describes our general practices and applies to information we collect directly through the Services. Where a BAA or a practice's own Notice of Privacy Practices governs specific PHI, those terms control for that information.

2. Information we collect

3. How we use information

We never use PHI for advertising, and we never sell personal information or PHI.

4. How we share information

We do not sell your personal information, and we never share PHI with advertisers or data brokers. No exceptions.

5. AI-assisted features

Some Services use AI tools—such as AskEvidence and our AI Scribe—to help clinicians and our Care Team work more efficiently. These tools assist people; they do not replace clinical judgment. A clinician reviews, edits, and signs clinical documentation, and AI assistance is not medical advice. We process the information needed to provide these features in accordance with this policy and applicable BAAs.

6. Data retention and security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, role-based access controls, multi-factor authentication for privileged access, and the minimum-necessary principle. We retain information for as long as needed to provide the Services and to meet legal, regulatory, and contractual obligations, after which we delete or de-identify it.

7. Your rights and choices

To make a request, contact us.

8. Cookies and analytics

We use only first-party, privacy-respecting analytics to keep the Services running and secure. We do not use third-party advertising pixels or tracking cookies. See our tracker attestation for details.

9. Children

Our website is not directed to children. Where a practice provides the patient application to a minor, that minor's information is handled under the practice's direction and applicable law.

10. State privacy rights

Depending on where you live, you may have additional rights under laws such as the California Consumer Privacy Act (as amended) and Washington's My Health My Data Act. Where these laws apply, we honor the rights they provide, including rights to access, correct, delete, and limit certain processing. Information governed by HIPAA is generally exempt from these state laws but is protected under HIPAA and our BAAs.

11. Where information is processed

We process and store information in the United States.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above and, where appropriate, provide additional notice.

13. Contact us

For any privacy question or request, please use our contact form.

Start free today.

Patients are always free. Providers start on the free plan in minutes — no contract, no credit card. Have a larger practice or health system? Our team will help you plan the rollout.