Privacy Policy:
Your Data Safety on CME Trail

This Privacy Policy (“Privacy Policy”) describes the policies of CME Trail Inc., having its principal place of business at 8 The Green Street STE A, Dover, DE, 19901 (“CME Trail Inc” or “We” or “Our” or “Us”) regarding the collection, use, disclosure and processing of personal information of the users (“Users” or “You” or “Your”) when You access or use any of the Services.

This Privacy Policy is a part of and incorporated with the Terms of Use. Any term not defined herein shall have the same meaning as provided in the Terms of Use.

You are requested to read this Privacy Policy and the Terms of Use carefully before accessing or using any of the Services or submitting your personal information to Us. If You do not agree with the Privacy Policy and/or Terms of Use, please do not use or access any of the Services.

In addition to this general Privacy Policy, CME Trail Inc. is committed to protecting Protected Health Information (PHI) and complying with the Health Insurance Portability and Accountability Act (HIPAA). For users who interact with healthcare services or provide PHI, the HIPAA Privacy Policy governs the collection, use, and disclosure of healthcare-related data.

  • When using the Services related to healthcare (e.g., medical consultations, health tracking, etc.), all PHI is handled in compliance with HIPAA standards.
  • Where applicable, this Privacy Policy and the HIPAA Privacy Policy should be read together. 

1. Information Collection: What and How?

We collect the following personal information about you:

1.1. Information provided by you:

1.1.1. This category includes any information provided by You to Us when you register with Us by creating Your Account or updating Your Account or by using any of the Services or by purchasing any paid Services including placing an order for any of the Services or communicating with Us through phone or email.

1.1.2. You have the option not to provide certain information to Us if you so desire, however, in such a case, you may not be able to access some of the Services provided by Us.

1.1.3. Information provided by you in this category includes:

1.1.3.1. Identifiers

1.1.3.1.1. Name

1.1.3.1.2. Address details such as city, state, zip code, country

1.1.3.1.3. Email address

1.1.3.1.4. Phone numbers

1.1.3.2. Protected classifications

1.1.3.2.1. Age

1.1.3.2.2. Gender

1.1.3.3. Professional or employment-related information

1.1.3.3.1. Education

1.1.3.3.2. Name of Institution

1.1.3.3.4. Employment history

1.1.3.3.5. Your designation

1.1.3.3.6. Your medical specialty

1.1.3.4. Credit card number, debit card number, or any other financial information

1.1.3.5. Username, passwords, and other security information related to authentication and access

1.1.3.6. Health and patient-related information (only if you are a healthcare professional inputting data as part of service use)
We may collect and process the following categories of information if voluntarily provided by healthcare professionals in the context of using our Services (e.g., Clinical Practice tools, Learning Center):

  • Patient symptoms, diagnosis, and treatment history
  • Clinical notes or observations entered via dictation or manual input
  • Laboratory or test results
  • Prescriptions or treatment plans
  • Patient demographic information (e.g., age, sex, weight)
  • Any other PHI inputted or generated during the use of our Services

Note: This data is collected and processed solely to enable healthcare professionals to use our Services and to support clinical decision-making. We act as a Business Associate under HIPAA, and such data is protected accordingly. Access to PHI is limited to authorized users through role-based controls. All user access is logged and monitored, and internal CME Trail staff are restricted from accessing PHI unless explicitly required for security or legal audit under a signed BAA.

1.1.3.7. Usage and Interaction Data Specific to Services:

  • Responses and performance in the Clinical Question Bank
  • CME tracking data, credits earned, and interaction history
  • AI interaction logs (e.g., inputs to dictation tools or clinical prompts)
  • Audio inputs and transcriptions submitted via the AI dictation tool, which are processed in real time to generate structured clinical notes. These are not stored after processing, except temporarily and solely for immediate service delivery purposes (e.g., error correction during active use).

You guarantee that the data provided by You is authentic and true and shall update any personal information provided to Us. You will be liable for any false or inaccurate data and any loss or damage caused to CME Trail Inc. or any third parties due to such false or inaccurate data. If you are a healthcare professional providing patient-related information via our Services, you represent and warrant that you have obtained all necessary patient consents and authorizations in accordance with HIPAA or other applicable laws.

We may collect, process, or generate PHI through specific tools offered under the Clinical Practice section of our Services. These tools are designed exclusively for licensed healthcare professionals and may include, without limitation:

  • AI-powered dictation and transcription tools,
  • Clinical documentation support systems, and
  • Generative AI interfaces (e.g., retrieval-augmented generation or medical recommendation engines) designed to offer contextual clinical insights.

Such PHI may include patient demographics, clinical observations, symptoms, diagnoses, treatment plans, prescriptions, and other medical details entered manually or via dictation. These features are integrated to assist in clinical decision-making, documentation, and workflow enhancement.

We process this information solely on behalf of the healthcare provider, under a valid Business Associate Agreement (BAA), and in compliance with the HIPAA. The information is not used for any purpose other than to facilitate the specific clinical task for which it was submitted. PHI is encrypted, stored, and transmitted in accordance with HIPAA security requirements.

1.2. Information automatically collected by Us:

1.2.1. We automatically collect certain information about You through the use of cookies and similar technology. Please see our cookies policy for more information.

In brief, when you visit or log into our website, we use cookies and similar technologies to collect certain information about your visit. This includes (i) Usage Data (Information about how you use our site, such as pages visited, time spent on pages, and links clicked.) (ii) Device Information (Details about the device you use to access our site, including IP address, browser type, and operating system.) and (iii) Personal Data (If you provide it, we may collect information such as your email address, phone number, or other contact details). We may also combine this information collected automatically with other data we receive from third-party sources, such as data providers and marketing partners, to create a more complete profile of you. We then use this profile to communicate with you, including providing personalized advertising and promotional content based on your interests and browsing behavior. You may opt out of personalized advertising and tracking at any time.

Information automatically collected by Us via cookies and similar technologies is used solely for site analytics, security, and marketing purposes. These tools do not access, track, or process any patient-related information or PHI submitted by healthcare providers through our Services. All PHI is handled in accordance with HIPAA and is subject to appropriate safeguards.

2. Use of information collected

CME Trail Inc. will limit the collection and use of Your personal information to the minimum necessary for Our legitimate business purposes such as:

2.1. To facilitate the creation of Your account and related login processes, and ensure the secure and compliant handling of PHI in accordance with HIPAA

2.2. Providing or delivering any of the Services, including AI-powered tools, clinical decision support, and healthcare-related functionalities, with an explicit focus on the secure processing of PHI in compliance with HIPAA regulations

2.3. To communicate with You for any new services, or any marketing or promotional purpose or updates related to services involving PHI, ensuring full transparency and compliance with HIPAA for any communications that include PHI

2.4. Gather Your feedback, surveys, reviews, opinions

2.5. For supporting You or for any troubleshooting requests

2.6. To notify You regarding any administrative matters such as changes to our Terms of Use or any other policies or applicable standards

2.7. Internal record keeping

2.8. Comply with applicable laws or policies or contracts

2.9. Customize or improve Our Services to provide You with a better experience and/or ensuring that PHI is protected and used only for permitted purposes, and complying with all applicable laws, including HIPAA, when enhancing our clinical decision support tools or AI services.

2.10. Display any advertisement based on your interests and preferences except where such advertisements are linked to any PHI that might be part of our services.

2.11. Re-targeting on social media, electronic mail, and/or other paid media channels excluding the use of PHI or any data derived from PHI for advertising purposes.

PHI Usage: In the event that Your information contains or is associated with PHI, CME Trail Inc. will only use such information as necessary to provide the services you have requested and in accordance with HIPAA regulations, including the signing of Business Associate Agreements (BAAs) with healthcare providers.

Consent to Receive Communications

By providing your phone number, you agree to receive text messages (SMS) and phone calls from us regarding our services, promotions, and offers. PHI is never used for marketing, targeting, or advertising. All promotional communications are based on non-clinical profile data (e.g., specialty, usage history). Consent to receive marketing communications is not a condition of purchasing any goods or services. You may opt out of receiving these communications at any time by replying "STOP" to any text message or contacting us directly at support@cmetrail.com. If you have provided PHI as part of your use of our healthcare-related services, please note that we may need to contact you for purposes related to the administration and functionality of our services. These communications may include, but are not limited to, technical updates, troubleshooting notifications, and necessary changes to our services that affect the processing of PHI. Such communications are necessary for the administration and functionality of the services we provide and cannot be opted out of unless you choose to discontinue using our services entirely. 

3. Disclosure

3.1. CME Trail Inc. will not disclose Your data to anyone without Your consent, except when We believe it necessary for the conduct of the business, change in business, fulfillment of any contractual obligations, or where the disclosure is mandated by law or with any third parties engaged by CME Trail Inc. to perform certain services to CME Trail Inc. who require information to perform their tasks. In such cases, the third parties will be bound by confidentiality agreements and, if applicable, BAAs, ensuring they comply with HIPAA and other applicable privacy and security laws.

3.2. We may provide Your personal information to our affiliates, subsidiaries, agents, service providers, and representatives, who support Us in providing any Services, including but not limited to customer service, research, analysis, telemarketing, delivery partners, third-party payment processors, educational professionals, and other relevant services. Any PHI shared with such parties will be strictly limited to the minimum necessary information needed to perform their tasks and will be governed by appropriate BAAs to ensure compliance with HIPAA.

3.3. We do not sell, rent, or lease any of Your personal information to any third parties.

3.4. When making any payments, your personal and financial information will be accessed by payment gateways and payment transaction processors. You are advised to read their privacy policies to understand how they treat your information. These services operate independently and are governed by their own privacy policies. We do not share any PHI with these providers.

3.5. If you access us through an institution-sponsored subscription (e.g., healthcare provider), your information and certain usage data gathered may be shared with your institution for usage analysis, subscription management, budgeting management, and testing. In such cases, the institution may also be subject to applicable privacy laws, including HIPAA, and we will ensure that all necessary agreements and safeguards are in place to protect your PHI.

4. Information of Children

4.1. Our Services are not intended for use by children under the age of 13.  We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent. No one under the age of 13 should provide any personal information on any of the Services. If any PHI is collected from minors under the age of 18 (with appropriate consent), it will be handled in accordance with HIPAA privacy and security rules. This includes ensuring that PHI is protected and disclosed only as permitted under HIPAA.

5. Security of Your personal information

5.1. We shall take commercially reasonable measures to prevent unauthorized access, loss, destruction, or alteration of Your personal information under Our control by putting in place necessary administrative, security, and technical measures to ensure the confidentiality, integrity, and availability of personal information and PHI, in compliance with applicable laws, including HIPAA. 

Please be aware that, although We attempt to provide stringent security, We cannot guarantee that all potential security breaches can be prevented. Accordingly, You acknowledge and agree that You are submitting personal information to Us at your own risk. In addition to the general security measures, we adhere to HIPAA privacy and security rules to ensure the protection of PHI. This includes safeguarding PHI through secure transmission, encryption, secure storage, and access controls.

6. Retention

6.1. We retain the personal information including PHI we collect about you only for as long as is necessary to fulfill the purposes outlined in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

Retention Periods for Collected Data

Personal Information Provided Directly (e.g., Name, Address, Employment Details, Education): We retain this information for as long as your account is active and thereafter for a period necessary to comply with legal, regulatory, and business requirements. Currently, we do not delete such data by default unless required by law or upon a verified user request (where applicable).

Authentication Data (e.g., Username, Passwords, Security Information): Retained while your account is active and may be retained thereafter for security, legal, or fraud prevention purposes.

Cookies and Automatically Collected Data (e.g., IP Addresses, Device Identifiers, Browsing Behavior): Retained for up to 12 months unless otherwise required for analytics, compliance, or operational needs.

Retention for PHI

CME Trail retains PHI in the form of modified clinical notes for up to 1 day by default and up to 7 days if the user specifically requests extended retention. No audio recordings or direct speech-to-text transcripts are stored. Only the structured clinical notes generated from the user's customized template are retained.

PHI retained by CME Trail is automatically deleted after the retention period (1 day by default or 7 days if requested). Data deletion is performed using secure methods, including encrypted data removal from all storage systems. Users have the option to manually delete retained clinical notes before the retention period expires through their account dashboard.

PHI is stored exclusively on secure, HIPAA-compliant infrastructure, including AWS and OpenAI services covered under Business Associate Agreements (BAAs). All PHI data is encrypted both at rest (AES-256) and in transit (TLS 1.2 or higher). CME Trail implements industry-standard security practices to protect all user data.

Users can manually delete their clinical notes before the automatic deletion period through the dashboard. The system will prompt users before the end of the default retention period to confirm whether they wish to extend storage for up to 7 days.

This paragraph specifically applies to PHI generated through the AI Dictation System. Other non-PHI data (such as user account information) is managed separately according to our standard data retention practices outlined in the Privacy Policy.

Your Right:
Your Right to Request Deletion: Under applicable laws, you have the right to request the deletion of your personal data. To exercise this right, contact us at support@cmetrail.com or call us at 646-641-1731.

Please note that certain data may need to be retained to comply with legal obligations, prevent fraud, or resolve disputes, even after your account is terminated.

7. Opting Out

7.1. When you sign up for the Services, you are opting in to receive emails including marketing communications from Us. We may send You information about products and services We may think you like.

7.2. You have the option to discontinue receiving any communications from Us for any reason.

7.3. If you want to opt out of such communications, you need to click on the "unsubscribe" instructions in commercial email messages sent by Us. You have the right to opt out of personalized advertising, data sharing, or any other use of your personal information by managing your preferences in your account settings or contacting us at support@cmetrail.com or calling us at 646-641-1731.

Opt-Out Instructions

If you wish to stop receiving promotional text messages or phone calls from us, you can reply "STOP" to any message you receive or contact our support team at support@cmetrail.com. Your request will be processed within 10 business days. Please note that opting out of marketing communications does not affect your receipt of transactional messages related to your account or our services.

You have the right to opt out of:

Data collection for analytics and personalized advertising: You can disable cookies in your browser settings or use the Cookie Settings tool on our website.

Healthcare-related Communications: For communications related to your healthcare services or PHI, please note that you may still receive important notifications related to the care you are receiving, such as reminders about your healthcare services, updates, and changes in the care we provide. We do not use PHI to generate or target marketing content. All such communications are based on user-provided contact information and may be opted out of without affecting clinical functionality. However, if you wish to limit certain communications, you may contact us at support@cmetrail.com.

Such communications are strictly service-related and pertain to the professional use of our clinical support tools. They are not marketing messages.

To opt out of other data processing activities, please contact us at our contact details stated below. We will ensure your preferences are updated promptly.

8. California Laws

California Consumer Privacy Act of 2018 (CCPA)

8.1. This section applies to personal information collected from individuals residing in California and following the California Consumer Privacy Act 2018 ("CCPA").

8.1.1. We collect the information as provided in Section 1 of this Privacy Policy.

8.1.2. We use the information collected as provided in Section 2 of this Privacy Policy.

8.1.3. We do not sell personal information to others and We have not sold any personal information to third parties for a business or commercial purpose in the preceding 12 months.

8.1.4. We will not discriminate against a User if the User has exercised any of the consumer’s rights under the CCPA.

8.1.5. You have certain rights subject to limitations under CCPA:

8.1.5.1. You have the right to request Us to disclose to You the categories of personal information collected, categories of sources, business or commercial purposes for collecting, categories of third parties with whom the personal information is shared, and specific pieces of personal information collected. You have the right to request a copy of specific pieces of personal information collected about you in a portable and readily usable format.

8.1.5.2. You have the right to request that, if We sell Your personal information or disclose it for a business purpose, We disclose to You the categories of personal information collected, categories of personal information sold, categories of third parties, and the categories of personal information disclosed about You for a business purpose.

8.1.5.3. You have the right to request that We delete any personal information about You that we have collected from You.

8.1.5.4. You have the right to opt-out of the sale of your personal information by Us. As noted above, we do not sell personal information about You.

8.1.6. To exercise any of your rights, please submit your request by any of the following:

8.1.6.1. Email us at support@cmetrail.com or call us at 646-641-1731.

We may request additional information to verify your identity, such as a government-issued ID or other documentation, before fulfilling your request.

California Privacy Rights Act

If you are a California resident, you have specific rights under the California Privacy Rights Act (CPRA). These include:

  • Right to Know: You have the right to request information about the personal information we collect, use, share, or sell, including the categories of personal information and purposes for which it is processed.
  • Right to Access: You can request a copy of the personal information we have collected about you.
  • Right to Delete: You may request that we delete the personal information we have collected, subject to certain legal exceptions.
  • Right to Correct: You can request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: You can opt out of the sale or sharing of your personal information for targeted advertising or other purposes.
  • Right to Limit Use of Sensitive Personal Information (SPI): You may limit the use or disclosure of SPI, such as financial or health information, for non-essential purposes.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, please contact us at our email details below. We will respond to your request within the timeframe required by law.

California residents have the right to limit the use of their Sensitive Personal Information (SPI) under the California Privacy Rights Act (CPRA). SPI includes information such as bank account numbers, credit card numbers, debit card numbers, and other financial data.

How We Use SPI: We collect and use SPI to:  

  • Process payments for our services.  
  • Prevent fraud and ensure security.  
  • Comply with legal and regulatory obligations. 
  • Any other purposes as described in this policy. 

In some cases, we may use SPI for additional purposes, such as targeted marketing, data enrichment, or analytics. You have the right to limit these uses.

You can limit the use of your SPI by:  

Contacting us at our email details below.

Once your request is processed, we will ensure that your SPI is no longer used for non-essential purposes. Please note that we may continue to use your SPI for purposes that are essential to providing our services, such as processing payments and preventing fraud.

9. CALIFORNIA ONLINE PRIVACY PROTECTION ACT COMPLIANCE (CalOPPA)

9.1. CalOPPA is the first state law in the United States to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require any person or company in the United States (and conceivably the world) that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared.

9.2. According to CalOPPA, we agree to the following:

9.2.1. Users can visit our site anonymously.

9.2.2. Once this Privacy Policy is created, we will add a link to it on our home page or as a minimum, on the first significant page after entering our website.

9.2.3. Our Privacy Policy link includes the word ‘Privacy’ and can easily be found on the page specified above.

9.2.4. Users can review and request changes to their personal data as collected by us by contacting us at support@cmetrail.com.

9.2.5. Users will be notified of any Privacy Policy changes on our Privacy Policy Page by the updates being posted directly on this Privacy Policy page. We encourage users to regularly review this page to stay informed about how we are protecting the personal information we collect. Your continued use of the website after any changes to this Privacy Policy will constitute your acknowledgment of the changes and your consent to abide by and be bound by the modified policy.

9.3. Do Not Track Signals:  We participate in practices, such as re-targeting on social media, email, and other paid media channels, that may involve tracking users over time and across third-party websites to provide targeted advertising. As a result, our website does not respond to Do Not Track (DNT) signals sent by browsers. However, you can manage your cookie preferences through your browser settings or opt out of certain types of tracking, including third-party tracking, by using the following tools:  

- Network Advertising Initiative (NAI) Opt-Out (http://optout.networkadvertising.org/)  

- Digital Advertising Alliance (DAA) Opt-Out (http://optout.aboutads.info/)  

- YourAdChoices (https://www.youradchoices.com/)  

You can also contact us at support@cmetrail.com.

9.4. It’s also important to note that we allow third-party behavioral tracking.

10. International Transfers

10.1. If you are located outside of the United States, Your personal information including PHI may be transferred, stored, and processed in and to the United States or other countries that may not provide the same level of protection for Your personal information. By submitting Your personal information to Us, You consent to such transfer, storage, and processing.

10.2. We will transfer Your personal information from the EU to the United States through the use of appropriate safeguards such as standard contractual clauses adopted by the European Commission. We ensure that the transfer complies with HIPAA and GDPR, and the necessary safeguards are in place to protect your data.

11. Your rights

You have the following rights related to Your personal information under applicable laws including Federal Trade Commission (FTC) Act:

11.1. The right to access Your personal information. We may charge You a reasonable fee in certain circumstances.

11.2. The right to rectification. You have the right to have Your inaccurate personal information rectified or complete the same if it is incomplete.

11.3. The right to request erasure of Your personal information under certain conditions.

11.4. The right to restrict processing under certain conditions. That means You have the right to limit the way that We use Your personal information.

11.5. The right to data portability. You have the right to request that We move, copy, or transfer Your personal information from one technology environment to another safely and securely, without affecting its usability.

11.6. The right to object to processing. You have the right to object to Our processing of Your personal information under certain conditions.

11.7. Opt-Out: The right to opt out of receiving marketing communications or certain data processing activities.

11.8. Transparency: The right to know how your personal information is collected, used, shared, and stored.

To exercise any of these rights, please contact us at our contact details below. We will respond to your request within the time frame required by law.

12. FTC

We adhere to the Federal Trade Commission (FTC) guidelines regarding consumer privacy and protection to ensure that your personal information is handled responsibly.

  • Fair Information Practices: We follow the principles of fair information practices, including transparency, choice, access, and security, in the collection, use, and disclosure of personal information. Your data will only be used for the purposes described in this Privacy Policy.  We will not sell or share your personal information with third parties without your consent, except as necessary to provide services or comply with legal obligations.
  • No Unfair or Deceptive Practices: We do not engage in any unfair or deceptive practices related to the collection, use, or disclosure of your personal information. All information we collect is used in accordance with this Privacy Policy.
  • Children's Online Privacy Protection Act (COPPA): We comply with the FTC's COPPA Rule regarding the collection of personal information from children under the age of 13. We do not knowingly collect or solicit personal information from children under the age of 13 without verifiable parental consent. If we discover that we have collected personal information from a child under 13 without consent, we will delete that information promptly.
  • We will not discriminate against you for exercising your rights under applicable laws. For example: You will not be denied access to our services. You will not receive a different price or level of service unless permitted by law.

13. Applicability

13.1. This Policy shall only apply to any personal information submitted through the Services.

14. Third-Party Sites

14.1. Our website may contain links to other websites or applications including but not limited to Facebook, Twitter, and Instagram ("Third Party Sites"). We shall not be liable for any personal information submitted by You to such Third Party Sites or any personal information collected by such Third Party Sites. We have no control over the policies, procedures, or practices of Third Party Sites.

15. Changes

15.1. We may modify the Privacy Policy from time to time and the changes will be posted on this page. You are requested to frequently check our website for any changes to the Privacy Policy. If there are any material changes, We may promptly notify you by email. To the extent permitted under the applicable law, Your continued use of any of the Services after any change is made in this Privacy Policy will constitute Your acceptance of such change.

16. Contacting Us

16.1. If You need any further information on the way Your personal information is being handled by Us or have any concerns thereto or would like to exercise any of Your data protection rights, or request, correct, or delete your personal data, You can contact Us as per the details provided below:

Our Address: CME Trail Inc., 8 The Green Street STE A, Dover, DE, 19901 

  • Name of the Data Protection Officer – Rahul Sah

  • Email: support@cmetrail.com

16.2. If You believe We have not addressed Your concerns, You have the right to complain to Your data supervisory authority.