Medora

Medora · Legal

Privacy Policy

Last updated: May 23, 2026

This Privacy Policy describes how Medora, Inc. (“Medora,” “we,” “us,” or “our”) collects, uses, and shares information when you visit meetmedora.com, when your pharmacy uses our products and services (the “Services”), or when you otherwise interact with us. It applies to information that identifies a person (“Personal Information”). It does not apply to information that has been de-identified or aggregated in a way that no longer identifies a person.

Medora builds AI agents for retail pharmacies. We are designed for deployment by licensed pharmacy organizations, not for direct use by consumers. When we handle protected health information (“PHI”) on behalf of a pharmacy customer (a HIPAA covered entity), we do so as a Business Associateunder a signed Business Associate Agreement (“BAA”), and the terms of that BAA — together with HIPAA — control how that PHI is handled.

1. Information we collect

We collect three categories of information.

Information you give us directly

  • Your work email address when you fill out the “Book a demo” form, contact us, or sign up for product updates.
  • Account information when your pharmacy creates an account: name, work email, role, employer pharmacy, and authentication credentials.
  • Content you submit through chat, support, or sales conversations.

Information collected automatically

  • Standard server logs from your visit (IP address, browser type, referring URL, pages viewed, timestamps).
  • Limited analytics about how the marketing site is used so we can improve it. We do not currently use ad-tracking pixels or sell visitor data.
  • Product usage data once your pharmacy is using the Services — for example, which dashboards you open, which agent scripts you edit, and audit-grade logs of agent activity.

Information we receive on behalf of a pharmacy customer

  • PHI accessed through your pharmacy management system (“PMS”) or telephony provider strictly to deliver the Services your pharmacy has hired us to perform — for example, to place outbound vaccine-eligibility calls, write outcomes back to the PMS, or warm-transfer a clinical question to a pharmacist on your team.
  • Call recordings, transcripts, and metadata generated by Medora's voice agent when interacting with patients on behalf of the pharmacy.

All PHI handled in this way is governed by the BAA between Medora and your pharmacy. We do not use PHI for advertising and we do not sell PHI.

2. How we use information

  • To provide, operate, secure, and improve the Services.
  • To respond to demo requests, sales questions, and support tickets.
  • To send transactional emails (account notices, agent activity reports, security alerts) and, where you have asked for them, product updates.
  • To detect and prevent fraud, abuse, and security incidents on the Services.
  • To comply with our legal obligations, enforce our Terms of Service, and protect the rights of Medora, our customers, and the public.
  • For aggregated or de-identified analysis — for example, computing how many calls Dora answered across all customers — provided the result cannot be re-associated with an individual.

We do not use customer PHI to train or fine-tune foundation models without the customer's express, written permission. Where our Services rely on third-party models, requests are sent in transit with zero-data-retention configuration where available, and we record which model handled each request in the customer's audit log.

3. How we share information

We share information only as described below.

  • Subprocessors. We use a small set of vendors to deliver the Services. The current list includes:
    • Amazon Web Services — cloud hosting, storage, and database (US regions).
    • Twilio — telephony for outbound and inbound calls and SMS.
    • ElevenLabs — voice synthesis and speech-to-text for the voice agent.
    • Resend — transactional email delivery (e.g. demo-request notifications).
    • OpenAI and Anthropic — large-language-model inference for agent reasoning, configured for zero retention where the provider supports it.
    Each subprocessor is bound to confidentiality and security terms at least as protective as those described in our BAA where PHI may be involved. We update this list as our infrastructure evolves.
  • With your pharmacy. If you interact with a Medora-powered phone line as a patient, the resulting call data is shared with the pharmacy that engaged Medora.
  • Legal and safety. We may disclose information when we believe in good faith that disclosure is required by law, court order, or government request, or is necessary to investigate or prevent harm, fraud, or violations of our terms.
  • Corporate transactions. If Medora is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to the terms of this Privacy Policy.

We do not sell Personal Information and we do not share it with third parties for their independent marketing.

4. Security

We use administrative, technical, and physical safeguards designed to protect information against loss, theft, and unauthorized access. All data is encrypted in transit (TLS 1.2+) and at rest. Access to customer data is restricted by role and audited. We follow a least-privilege model and require multi-factor authentication on all privileged accounts.

No method of transmission or storage is 100% secure. If we learn of a security incident affecting your information, we will notify the affected pharmacy and, where required by law, the relevant individuals and authorities.

5. Data retention

We retain Personal Information only as long as needed to deliver the Services, satisfy our legal obligations, resolve disputes, and enforce our agreements. Call recordings and transcripts are retained for the period specified in your pharmacy's agreement with Medora, and can be deleted on request subject to legal hold. Marketing-site logs are retained for up to 12 months.

6. Your rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict our use of your Personal Information, or to object to certain processing. To exercise these rights, email privacy@meetmedora.com.

For information about a specific patient that Medora processed on behalf of a pharmacy, contact the pharmacy directly — they are the covered entity under HIPAA and the data controller for that information. We will assist them in responding.

California residents

If you are a California resident, the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) give you the right to know what Personal Information we collect about you, to request deletion or correction, and to opt out of the “sale” or “sharing” of Personal Information. We do not sell or share Personal Information as those terms are defined under California law.

Residents of the EEA, UK, and Switzerland

If you are in the European Economic Area, United Kingdom, or Switzerland, the legal bases on which we process your Personal Information are (a) performance of a contract with you or your employer, (b) compliance with a legal obligation, (c) our legitimate interests (delivering, securing, and improving the Services), and (d) your consent, where applicable. You may lodge a complaint with your local data protection authority.

7. Children

The Services are not directed to children under 18, and we do not knowingly collect Personal Information from children. If you believe a child has provided us with information, please contact us and we will delete it.

8. International transfers

Medora is based in the United States and processes information in the United States. If you access the Services from outside the United States, you understand and consent to the transfer and processing of your information in the United States, where data protection laws may differ from those of your country.

9. Cookies and tracking

meetmedora.com uses a small number of first-party cookies and similar technologies to operate the site and remember your preferences. We do not use third-party advertising cookies. Most browsers let you block cookies through their settings; blocking them may affect site functionality.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top and, if the changes are material, provide additional notice (for example, an email to account administrators). Continued use of the Services after a change takes effect means you accept the revised policy.

11. Contact us

Questions about this Privacy Policy, our handling of your information, or requests to exercise your rights:

Medora, Inc.
privacy@meetmedora.com