Privacy Policy

Virtual MD · ISD Logic LLC · Effective April 22, 2026 · Version 1.0

🔒 Virtual MD is a patient-facing clinical decision support tool. We take the privacy of your health information seriously. This policy explains exactly what we collect, how we use it, and your rights.

1. Who We Are

Virtual MD is a clinical decision support application developed under US Patent US10410308B2 (System, Method, and Device for Personal Medical Care, Intelligent Analysis, and Diagnosis). The application uses a patented fuzzy logic inference engine to analyze personal health data and provide real-time wellness insights. Virtual MD is operated by ISD Logic LLC, based in Virginia, United States.

2. Information We Collect

Health Data via FHIR API

When you connect your CareFirst BlueCross BlueShield account, Virtual MD retrieves your personal health information through the CareFirst FHIR R4 Patient Access API, as permitted under the CMS Interoperability and Patient Access Rule. This may include vital signs, lab results, active conditions, medications, allergies, and coverage information.

Authentication Tokens

OAuth 2.0 access tokens issued by CareFirst are stored server-side in an encrypted database. These tokens are never transmitted to your browser or stored in cookies. Tokens expire automatically and are only refreshed with your active authorization.

Usage and Audit Data

We maintain a server-side audit log of analysis events (e.g., "analysis run," "alert generated") for security and compliance purposes. We do not collect advertising identifiers, browsing history, or location data.

3. How We Use Your Information

Your health data is used exclusively to:
  • Run the Virtual MD fuzzy logic clinical analysis engine (Patent US10410308B2)
  • Generate medication interaction alerts using FDA drug interaction data
  • Check compliance with ACC/AHA clinical guidelines
  • Identify overdue or missing laboratory tests
  • Display results to you within the Virtual MD interface

We do not sell, license, or share your health data with any third party for commercial purposes.

4. Data Storage and Security

All health data and authentication tokens are stored in a secured Supabase PostgreSQL database with Row-Level Security (RLS) enforced. Server-side token storage uses service-role access only — your tokens are never accessible via anonymous or public API keys. Data in transit is encrypted via TLS 1.2 or higher. Our backend infrastructure runs on Railway (US-East region).

5. Data Retention

FHIR access tokens are retained only for the duration of your active session and invalidated upon expiration. Health data retrieved from CareFirst is used in real time for analysis and is not permanently stored in Virtual MD's database. Audit log entries are retained for 90 days for security purposes.

6. Your Rights

You have the right to:
  • Revoke Virtual MD's access to your CareFirst data at any time via the CareFirst member portal
  • Request deletion of your audit log entries by contacting sam@isdlogic.com
  • Request a copy of any data we hold associated with your account

Virtual MD does not make clinical diagnoses. All output is informational and should be reviewed with a qualified healthcare provider.

7. Third-Party Services

Virtual MD integrates with the following services:
  • CareFirst BlueCross BlueShield — FHIR R4 Patient Access API
  • Supabase — Encrypted database and RLS infrastructure
  • Railway — Backend API hosting (US-East)
  • Vercel — Frontend hosting

8. HIPAA Notice

Virtual MD is designed with HIPAA-aware practices. As a patient-directed application operating under the CMS Interoperability and Patient Access Rule, Virtual MD accesses your health data only with your explicit OAuth 2.0 authorization consent. Data access is patient-directed and patient-controlled at all times.

9. Contact Us

For privacy-related questions or data requests:

ISD Logic LLC

Email: sam@isdlogic.com

App: virtualmd-poc.vercel.app

© 2026 ISD Logic LLC · Virtual MD · Patent US10410308B2