Privacy Policy · Version 1.0

Privacy by design for ambient clinical documentation.

This Privacy Policy describes how Quantumed Global Pvt. Ltd. (“Medlio”) collects, uses, shares, and protects personal and sensitive personal data across the Medlio Platform and related services.

Effective date: 1 January 2026
Jurisdiction: Mumbai, India

1. Introduction

Quantumed Global Pvt. Ltd. operates the Medlio Platform, an ambient AI clinical documentation and practice management solution that transforms real-world healthcare consultations into structured clinical records and workflow automation.

This Privacy Policy explains how Medlio handles personal data and sensitive personal data for Healthcare Providers, Practice Administrators, Patients, and visitors to www.medlio.ai, and outlines key regulatory frameworks including the Digital Personal Data Protection Act, 2023 and ISO/IEC 27001:2022.

By using Medlio Services or providing information, users acknowledge and agree to the practices described in this Privacy Policy and are advised not to use the Services if they do not agree with these terms.

2. Scope and application

This Policy applies to all registered users of the Medlio Platform, including healthcare providers, administrative staff, billing personnel, and patients whose consultations are recorded, processed, or managed through the system.

It also covers practice management operations such as scheduling, billing, inventory, reporting, and data processed via Medlio web and mobile applications, along with casual visitors to the Medlio website.

3. Key definitions

Personal Data and Sensitive Personal Data are defined in line with the DPDP Act, 2023, and include identifiers, health data, biometric data such as voice, and financial information.

The Policy distinguishes the roles of Data Principal, Data Fiduciary, and Data Processor, and identifies Clinical Data and Practice Management Data as core categories processed on the platform.

4. Information we collect

4.1 Healthcare providers and staff

Medlio collects professional identification, license and credential details, voice recordings of consultations, AI-generated clinical notes, practice scheduling data, billing and transactional information, and relevant contact details to deliver the Services.

4.2 Patients

For patients, Medlio processes voice recordings captured through ambient listening, demographic information, insurance and billing data, appointment records, and medical history shared during consultations.

4.3 Technical and visitor data

The platform logs device and network identifiers, application logs, cookies, and usage analytics for security, reliability, and performance optimization. Similar information is collected from casual website visitors.

5. Purpose of data processing

Data is processed for clinical documentation, practice management, service delivery, quality improvement, security and compliance, communication, and anonymized research and development activities.

7. Data security measures

Medlio implements AES-256 encryption for data at rest, TLS 1.3 for data in transit, role-based access controls, MFA, network security controls, and secure development practices aligned with OWASP guidance.

Organizational safeguards include ISO 27001-aligned information security management, appointment of a Data Protection Officer, privacy training, defined incident response playbooks, and physically secure data centers.

8. Data sharing and disclosure

Clinical documentation is shared with treating healthcare providers and authorized practice administrators based on role-based permissions, while third-party processors such as cloud, AI, and payment providers operate under DPDP-compliant contracts.

Data may also be disclosed to regulators or courts where legally required, to protect rights and safety, and in the context of business transfers such as mergers or acquisitions.

Cross-border transfers are limited, with primary storage in India and Middle Eastern regions, and any international transfers follow DPDP Act requirements and appropriate safeguards.

9. Cookies and tracking

Medlio uses cookies and similar technologies to improve user experience, analyze usage, remember preferences, and provide personalized features, while allowing users to control cookie settings through their browsers.

10. Data principal rights

Data Principals have rights to access and confirmation, correction and erasure, grievance redressal, and nomination of another individual, with requests handled via designated Medlio contact channels.

11. Data retention and deletion

Clinical records, financial records, voice recordings, system logs, and account data are retained for defined periods aligned with medical and financial regulations, with cryptographic erasure and certified destruction for deleted data.

12. Special provisions

Ambient voice processing features pseudonymization, strict separation of clinical content from biometric characteristics, enhanced encryption, multilingual support safeguards, and specific protections for children’s data.

13. Breach notification

Medlio maintains internal breach procedures with rapid response and containment timelines, and provides regulatory and data principal notifications within mandated windows when high risk is identified.

14. Policy updates

The Privacy Policy may be updated periodically, with material changes communicated through website notices, email, and in-product notifications, and continued use indicating acceptance of the revised terms.

15–17. Contact information and jurisdiction

The Policy lists dedicated contact details for the Data Protection Officer, Grievance Officer, and general privacy inquiries, and confirms that primary jurisdiction lies with courts in Mumbai, India, with additional Middle East compliance sections.