Privacy Policy

Last updated: April 25, 2026

My Ada LLC ("Ada," "we," "us," or "our") operates the Ada mobile application and the website at meetmyada.com (together, the "Service"). This Privacy Policy explains what information we collect, how we use it, when we share it, and the rights you have over it. By using the Service, you agree to this Policy.

Quick summary. Ada is built around your personal health information. We treat that data with care, encrypt it in transit and at rest, and never sell information that identifies you. We may share de-identified and aggregated information with third parties for research, product improvement, and analytics, as described below.

1. Who we are

My Ada LLC is a Georgia limited liability company. You can reach us at [email protected].

2. Information we collect

Information you provide

Account information — name, email, password, and date of birth.
Health information you upload or import — medical records, lab results, imaging reports, prescriptions, diagnoses, allergies, immunizations, clinical notes, and other documents you choose to add. This may include information imported from electronic health record systems (such as MyChart / Epic via FHIR) when you authorize the connection.
Communications — messages you send to support, feedback, and survey responses.
Waitlist sign-ups — email addresses submitted on our website.

Information collected automatically

Device and usage data — device model, operating system, app version, crash logs, and feature usage patterns.
Approximate location — derived from IP address; we do not collect precise GPS location.
Cookies and similar technologies — used on our website for basic analytics and to remember preferences.

3. How we use your information

Provide, operate, and improve the Service, including organizing and analyzing your records and generating insights.
Authenticate you and secure your account.
Respond to questions and provide support.
Send service-related notifications (security alerts, changes to terms).
Detect, prevent, and address fraud, abuse, and security incidents.
Comply with legal obligations.

4. HIPAA and how it applies to Ada

The Health Insurance Portability and Accountability Act ("HIPAA") generally regulates "covered entities" (such as healthcare providers and health plans) and their "business associates." When you use Ada as a consumer to manage your own personal health record, Ada typically acts as a personal health record application and is not itself a HIPAA covered entity. Even where HIPAA does not directly apply to us, we apply HIPAA-aligned administrative, physical, and technical safeguards to protected health information you store with us, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Role-based access controls and audit logging.
Minimum-necessary access by personnel.
Vendor due diligence and Business Associate Agreements (BAAs) with subprocessors who handle identifiable health information on our behalf, where required.

If you connect Ada to a healthcare provider that is a covered entity (for example, through a patient portal), the provider's own HIPAA Notice of Privacy Practices governs information they disclose to us at your direction. Once that information is in Ada at your request, this Policy governs how we handle it.

We also comply with the Federal Trade Commission's Health Breach Notification Rule, which requires us to notify you and the FTC if there is a breach of unsecured identifiable health information.

5. State privacy laws

Depending on where you live, you may have additional rights under state law. We honor those rights regardless of where you live.

California (CCPA / CPRA)

California residents have the right to know what personal information we collect, request deletion, request correction, opt out of "sale" or "sharing" of personal information, and limit use of sensitive personal information. We do not sell personal information that identifies you, and we do not share it for cross-context behavioral advertising. Health information is treated as sensitive personal information and is used only to provide the Service.

Washington (My Health My Data Act)

Washington residents have the right to confirm whether we are processing their consumer health data, access that data, request deletion, and withdraw consent. We obtain your affirmative consent before collecting or sharing consumer health data beyond what is necessary to provide the Service you requested.

Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws

Residents of these states may have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale of personal data, and certain profiling. We do not engage in targeted advertising or sale of personal data.

Georgia

Georgia residents are protected by Georgia's identity-theft, data-breach notification, and consumer-protection laws. We will notify affected Georgia residents of any breach of personal information in accordance with the Georgia Personal Identity Protection Act.

How to exercise your rights

Email [email protected] with your request and the state you reside in. We will verify your identity before acting on the request and respond within the timeframes required by applicable law (generally 45 days). You will not be discriminated against for exercising any privacy right.

6. When we share information

Identifiable information — only in limited cases

We share information that identifies you only as follows:

Service providers we use to run the Service — for example, cloud hosting (AWS), error monitoring, customer support tools, and analytics — bound by contract to use the information only for us and to protect it.
At your direction — for example, when you choose to share a record with a clinician or family member.
Legal compliance — when required by valid legal process, to enforce our terms, or to protect the rights, safety, or property of Ada, our users, or the public.
Business transfers — in connection with a merger, acquisition, financing, or sale of assets, with notice to you and continued protection of your information.

We do not sell information that identifies you, and we do not use your identifiable health information for advertising.

De-identified and aggregated information — may be shared with third parties

We may share de-identified and aggregated information with third parties — including research partners, analytics providers, healthcare researchers, and commercial partners — to improve the Service, advance medical research, and support our business. De-identification is performed using methods consistent with the HIPAA Safe Harbor standard (45 CFR § 164.514(b)(2)) or Expert Determination, meaning that direct identifiers are removed and the remaining information cannot reasonably be used to identify you. Aggregated information combines data from many users so individuals cannot be singled out.

You acknowledge and agree that we may use and share de-identified and aggregated information for any lawful purpose, including for commercial purposes, without further notice or compensation to you.

7. AI processing and our use of Anthropic's Claude

Ada uses large language models, including Anthropic's Claude, to generate summaries, insights, and other analyses of your medical records. When you use AI-powered features, the relevant content from Your Content (for example, the records being summarized) is sent to Anthropic, PBC ("Anthropic") for processing on our behalf.

Our use of Anthropic's Claude is governed by Anthropic's Commercial Terms of Service and Usage Policy, available at anthropic.com/legal/commercial-terms and anthropic.com/legal/aup. Under those terms, as currently applied to API customers like Ada:

Anthropic processes inputs and outputs only to provide the service to us, not to train its general-purpose models.
Anthropic retains inputs and outputs for a limited period for trust-and-safety purposes, after which they are deleted in accordance with Anthropic's data retention practices.
Anthropic acts as our service provider / sub-processor and is bound by confidentiality and security obligations.

You acknowledge that AI-generated content may be incomplete or inaccurate and should not be relied on as medical advice. You also agree to comply with Anthropic's Usage Policy when interacting with AI features (for example, by not attempting to misuse the model or extract its prompts). If you do not want a particular record processed by AI, do not enable AI features for that record.

8. Data retention

We retain your information for as long as your account is active or as needed to provide the Service. If you delete your account, we delete your identifiable health information within 30 days, except where retention is required by law (for example, certain audit logs) or where information has been de-identified.

9. Security

We use industry-standard administrative, technical, and physical safeguards to protect your information. No system is perfectly secure, however, and we cannot guarantee absolute security. If we discover a breach affecting your information, we will notify you as required by applicable law.

10. Children

The Service is intended for users 18 and older. We do not knowingly collect personal information from children under 13. A parent or legal guardian may use Ada to manage records for a minor child, in which case the guardian is responsible for the information added.

11. International users and cross-border transfers

Ada is operated from the United States, and your information will be transferred to, stored, and processed in the U.S. and other countries where we or our service providers operate. Data protection laws in those countries may differ from the laws of your country. By using the Service, you understand that your information may be transferred to jurisdictions that may not provide the same level of protection as your home country, and you consent to that transfer where consent is the lawful basis.

European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / Swiss FADP)

If you are in the EEA, the United Kingdom, or Switzerland, the General Data Protection Regulation, the UK GDPR, or the Swiss Federal Act on Data Protection applies to our processing of your personal data.

Controller. My Ada LLC is the controller of personal data processed through the Service.
Legal bases. We process personal data on the bases of (a) performance of a contract with you (providing the Service), (b) your explicit consent (for processing of health data, which is a special category of data under Article 9 GDPR), (c) compliance with legal obligations, and (d) our legitimate interests in operating and improving the Service, balanced against your rights.
Your rights. You have the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal data, and to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. You also have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office; in Switzerland, the Federal Data Protection and Information Commissioner).
International transfers. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU-U.S. Data Privacy Framework where applicable.
Retention. We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.

Canada (PIPEDA and provincial laws)

If you are in Canada, the Personal Information Protection and Electronic Documents Act and applicable provincial laws (such as Quebec's Law 25, BC PIPA, and Alberta PIPA) apply. You may request access to and correction of your personal information and may withdraw consent subject to legal or contractual restrictions. Complaints may be directed to the Office of the Privacy Commissioner of Canada or the relevant provincial commissioner.

Brazil (LGPD)

If you are in Brazil, the Lei Geral de Proteção de Dados grants rights to confirmation of processing, access, correction, anonymization or deletion, portability, information about sharing, and revocation of consent. Health data is treated as sensitive personal data and is processed only with your specific consent or another lawful basis under Article 11 LGPD.

Australia, New Zealand, and other jurisdictions

If you are in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles apply. If you are in New Zealand, the Privacy Act 2020 applies. Residents of other jurisdictions may have additional rights under local data protection law; contact us using the details below to exercise them.

How to exercise international rights

Email [email protected]. We will verify your identity, respond within the timeframes required by applicable law, and act on your request without charge except where permitted by law.

12. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here and, for material changes, give you additional notice (such as an in-app notification or email). Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13. Contact us

Questions, requests, or complaints? Email [email protected] or write to:
My Ada LLC
Attn: Privacy
Georgia, USA