Privacy Policy

How Mekori handles information on the Service

This Privacy Policy explains how Mekori collects, uses, discloses, and protects information when you use mekori.health and the Mekori health navigation service.

Effective Date: May 19, 2026
Last Updated: June 3, 2026

Please read this Policy carefully before using mekori.health. It applies to all users of the Service, including visitors who browse without entering personal information.

1. Who We Are

Mekori LLC ("Mekori," "we," "us," or "our") is a limited liability company organized under the laws of the United States. We operate the website mekori.health and the Mekori health navigation service (collectively, the "Service").

Contact for privacy matters:
Email: team@mekori.health
Mailing address: 8865 Stanford Blvd, Suite #202, Columbia, MD 21045

2. Scope of This Policy

This Policy applies to all users of mekori.health, including visitors who access the Service without entering any personal information. It governs all information collected through the Service, including information you provide directly, information collected automatically, and information processed on your behalf when you use the AI-powered health navigation feature.

This Policy does not apply to third-party websites linked from the Service. We are not responsible for the privacy practices of those sites.

3. HIPAA Notice

Mekori is not a healthcare provider, health plan, healthcare clearinghouse, or business associate acting on behalf of a covered entity in connection with the Service described in this Privacy Policy. Accordingly, information submitted directly by users through the Service is not protected by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and users do not have HIPAA rights with respect to information submitted through the Service.

Although HIPAA does not apply, Mekori applies administrative, technical, and organizational safeguards designed to protect health-related information submitted through the Service, as described in Section 9.

4. Information We Collect

Mekori seeks to collect only the information reasonably necessary to provide, secure, maintain, and improve the Service.

4.1 Information You Provide

The Service is designed to function without user registration or account creation. However, you may voluntarily provide the following:

  • Home country and host city selection when you enter the Service. These are used solely to personalize the health information displayed to you.
  • AI query content: any text you enter into the "Ask Mekori" feature, which is transmitted to our AI service provider to generate a response.

The emergency card feature (name, medical conditions, allergies, medications, blood type, emergency contact, insurance details) is completed and stored entirely within your browser. This information is never transmitted to our servers and we have no access to it.

4.2 Information Collected Automatically

When you access the Service, our infrastructure provider automatically records certain technical information associated with each request, which may include:

  • Your IP address
  • Browser type and version
  • Operating system
  • Date and time of access
  • Pages or features accessed

This information is collected as a standard function of operating a web service. We do not use it to build individual profiles or for advertising purposes.

4.3 Query Logs

Every query submitted to the AI feature is logged in our database along with the AI-generated response, a session identifier, and a timestamp. This log does not include your name, email address, phone number, or any account credentials because the Service does not require registration.

The query log serves two purposes: operational monitoring of the accuracy and safety of AI responses, and aggregate analysis to improve the Service and identify gaps in our health content.

Session identifiers are used to associate queries within a single visit. They are not used to track you across visits or devices.

5. How We Use Information

We use the information described above for the following purposes:

  • Service delivery: to provide personalized health navigation content based on your selected country and city.
  • AI response generation: to transmit your query to our AI service provider and return a response to you.
  • Safety and quality monitoring: to review AI responses for clinical accuracy and to identify content that requires physician review or correction.
  • Service improvement: to analyze aggregate query patterns and improve the scope and accuracy of our health content.
  • Legal compliance: to comply with applicable law, respond to lawful requests from authorities, and protect the rights of Mekori and its users.

We do not use your information for advertising, behavioral profiling, or sale to third parties. We do not use health-related queries to make decisions that produce legal effects or otherwise significantly affect you.

Mekori does not use automated processing or profiling to make decisions that produce legal effects or similarly significant effects concerning users.

6. Sensitive Health Information

You may choose to include health-related information in your queries. We endeavor to apply heightened safeguards to health-related information and other sensitive information processed through the Service.

Certain information submitted through the Service may constitute sensitive personal information under applicable law, including the California Privacy Rights Act. Mekori uses such information solely for the purposes described in this Policy and not for purposes requiring a right to limit use under applicable law.

Certain information submitted through the Service may also constitute consumer health data under applicable state laws, including Washington's My Health My Data Act and Nevada's Consumer Health Data Privacy Law. Mekori collects, uses, and discloses such information only as described in this Privacy Policy and does not sell consumer health data.

We do not sell, license, or share health-related query content with insurers, employers, government agencies (except as required by law), data brokers, or any commercial third party for purposes other than operating the Service.

7. AI Processing and Limitations

7.1 OpenAI

The "Ask Mekori" feature is powered by the OpenAI API. When you submit a query, the text of that query is transmitted to OpenAI's servers for processing. OpenAI returns a generated response, which we display to you. By using the AI feature, you acknowledge that your query text is processed by OpenAI in accordance with OpenAI's API usage policies and data processing terms. Under OpenAI's current API terms, content submitted via the API is not used to train OpenAI's models by default.

We strongly recommend that you do not include your full name, date of birth, national identification numbers, or other directly identifying personal information in queries. The Service is designed so that clinically useful responses can be obtained without providing identifying information.

7.2 AI Limitations and Human Oversight

AI-generated responses may be inaccurate, incomplete, outdated, or inappropriate for a user's particular circumstances. Mekori periodically reviews anonymized or pseudonymized query logs to evaluate system performance, identify safety concerns, and improve response quality. Users should independently verify important medical information with qualified healthcare professionals.

The AI health navigation feature is for general health information only. It is not a substitute for professional medical advice, diagnosis, or treatment. In any emergency, call 911.

8. Disclosure of Information

We do not sell your information. We share information only in the following limited circumstances:

8.1 Service Providers

We currently use service providers including OpenAI (AI processing) and Supabase (database and infrastructure). We may engage additional service providers that perform hosting, security, infrastructure, analytics, customer support, or other operational functions. Such providers will be contractually required to process information only on our instructions and for authorized purposes, and receive only the minimum information necessary to provide their respective services.

8.2 Legal Requirements

We may disclose information if required to do so by applicable law, court order, or valid governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of Mekori, our users, or the public.

8.3 Business Transfers

If Mekori LLC is involved in a merger, acquisition, or sale of assets, user information held by us may be transferred as part of that transaction. We will notify users of any such transfer by updating this Policy and, where practicable, by a prominent notice on the Service.

8.4 Aggregate and De-identified Data

We may share aggregate, de-identified, or anonymized information that cannot reasonably be used to identify an individual user with partners, in publications, or publicly. Such data does not identify any individual user.

9. Data Storage and Security

Your data is stored on servers operated by Supabase. Mekori maintains administrative, technical, and organizational safeguards designed to protect personal information, including encryption in transit, encryption at rest where supported by service providers, access controls, authentication mechanisms, logging, monitoring, and vendor security assessments.

No method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

In the event of a data breach, we will notify affected individuals and regulators where required by applicable law.

10. Data Retention

Query logs (query text, AI response, session ID, timestamp) are retained for a period of 24 months from the date of collection, after which they are deleted or irreversibly anonymized.

Country and city selections associated with a session are retained for the same period as the query log for that session.

Server access logs are retained for 12 months in accordance with our infrastructure provider's standard practices.

Emergency card data is never transmitted to or stored by Mekori and is therefore not subject to our retention practices.

11. International Users and GDPR

Mekori LLC is a United States company. If you access the Service from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or Switzerland, your information will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

For users located in the EEA or UK, we note the following:

11.1 Legal Basis for Processing

  • Legitimate interests (Article 6(1)(f)): processing query logs for service quality, safety monitoring, and clinical improvement, where these interests are not overridden by your rights.
  • Contract performance (Article 6(1)(b)): processing country and city selections to deliver the personalized service you requested.
  • Legal obligation (Article 6(1)(c)): where processing is required by applicable law.

For health-related information voluntarily submitted by users, Mekori relies on Article 9(2)(a) GDPR (explicit consent) and processes such information solely for the purposes described in this Policy. By voluntarily submitting health-related query content after being informed of this Policy, you provide that consent.

11.2 International Data Transfers

Where required by applicable law, Mekori relies on appropriate safeguards for international transfers of personal data, including the European Commission's Standard Contractual Clauses (SCCs) and comparable UK transfer mechanisms, as implemented by our service providers.

11.3 Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights with respect to your personal data:

  • Right of access: to request a copy of personal data we hold about you.
  • Right to rectification: to request correction of inaccurate data.
  • Right to erasure: to request deletion of your data in certain circumstances.
  • Right to restriction of processing: to request that we limit processing in certain circumstances.
  • Right to data portability: to receive your data in a structured, machine-readable format.
  • Right to object: to object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.

To exercise these rights, please contact us at team@mekori.health. We will respond within 30 days. Because Mekori does not require user accounts, we may be unable to identify or associate historical query records with a specific individual in certain circumstances. Where we cannot reasonably verify identity or locate responsive records, we may be unable to fulfill a request.

You also have the right to lodge a complaint with your local supervisory authority. In the EEA, this is your national data protection authority. In the UK, this is the Information Commissioner's Office (ICO).

11.4 EU/UK Representative

Mekori LLC does not currently have a designated representative in the EU or UK within the meaning of Article 27 GDPR or UK GDPR. We are in the process of designating one and will update this Policy when that appointment is made. In the meantime, all privacy inquiries from EEA and UK users should be directed to team@mekori.health.

12. Users in Other Jurisdictions

12.1 California (CCPA/CPRA)

California residents have the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising), the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights. To submit a California privacy request, contact team@mekori.health.

12.2 Other US States

Users in Virginia, Colorado, Connecticut, Washington, Nevada, and other states with comprehensive or consumer health data privacy laws have rights with respect to their personal information, including health data rights under Washington's My Health My Data Act and Nevada's Consumer Health Data Privacy Law. Contact us at team@mekori.health to exercise any applicable rights.

12.3 Other International Users

We acknowledge that many users of this Service are international travelers from jurisdictions with data protection laws of their own, including Brazil's LGPD, Canada's PIPEDA, South Africa's POPIA, and Nigeria's NDPR. We endeavor to handle all user data with the standard of care described in this Policy regardless of jurisdiction. Contact us at team@mekori.health for jurisdiction-specific inquiries.

13. Children's Privacy

The Service is intended for use by adults and by parents or legal guardians acting on behalf of their minor children. The Service is not directed at children under the age of 13 as independent users.

We do not knowingly collect personal information directly from children under 13. If a parent or guardian uses the Service to obtain health navigation information on behalf of a child, any health information provided in queries is governed by this Policy and is treated as information provided by the parent or guardian.

If you believe that a child under 13 has independently submitted personal information to the Service, please contact us at team@mekori.health and we will take steps to delete that information.

14. Cookies and Tracking

The Service does not use advertising cookies, third-party analytics cookies, or behavioral tracking technologies. We do not serve advertisements and do not allow advertising networks to collect data through the Service.

We may use essential session cookies or local browser storage strictly necessary for the functioning of the Service. These do not track you across other websites.

15. Links to Third-Party Services

The Service may contain links to third-party resources including telemedicine providers, urgent care facilities, and pharmacies. Clicking such a link will take you to a third-party website governed by its own privacy policy. Mekori has no control over and is not responsible for the data practices of third-party sites.

16. Not Medical Advice

The Service provides general health information to help international travelers understand their options in the US health system. It does not provide medical advice, diagnosis, or treatment recommendations. No physician-patient relationship is formed through use of the Service.

All content on the Service, including AI-generated responses, is for informational purposes only. Always seek the advice of a qualified healthcare provider for any medical questions or conditions. In any emergency, call 911.

17. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this Policy and, where the change materially affects how we handle your information, we will provide a prominent notice on the Service.

Your continued use of the Service after any update constitutes your acceptance of the revised Policy. If you do not agree to the updated Policy, you should discontinue use of the Service.

18. Contact

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information, please contact:

Mekori LLC
Privacy Officer
Email: team@mekori.health
Address: 8865 Stanford Blvd, Suite #202, Columbia, MD 21045