
Privacy Policy & Terms Of Use

Governing the use of HEMI Health, the AI-Powered clinical documentation and decision platform

Effective Date

1 May 2026

Last Update

May 2026

Issuing Entity

MedPlanner Sdn Bhd

Part A - Privacy Policy

How we collect, use, store, and protect your personal data

Section 1

Introduction & Scope

MedPlanner Sdn Bhd ("MedPlanner", "we", "our", "us") is committed to protecting the privacy and security of personal data processed through HEMI Health, our AI-powered clinical documentation and decision-support platform ("the Platform"). This Privacy Policy applies to all users of HEMI Health, including clinicians, healthcare institutions, and administrators.

This Policy is designed to comply with:

PDPA 2010 - Malaysia
UK GDPR / DPA 2018
HIPAA - Aligned Principles
ISO/IEC 27001
MMC Digital Health Guidelines

By accessing or using HEMI Health, you confirm your acceptance of this Privacy Policy. Where you use the Platform on behalf of a healthcare organisation, you represent that you are duly authorised to bind that organisation to these terms.

Section 2

Data Controller

MedPlanner Sdn Bhd acts as the data controller for all personal data processed through HEMI Health.

B-09-01, Tower B, Menara UOA Bangsar
5, Jalan Bangsar Utama 1, Bangsar
59000 Kuala Lumpur, Malaysia

Data Protection Contact: contact@medplanner.io

Institutional Agreements

Healthcare organisations deploying HEMI Health should execute a Data Processing Agreement (DPA) with MedPlanner prior to use. Contact contact@medplanner.io to request a DPA.

Section 3

Categories of Data Collected

3.1 Clinician & User Account Data

  • Full name, professional title, and contact details

  • Medical registration / professional licence number

  • Email address and healthcare organisation affiliation

  • Login credentials (stored in encrypted, hashed form — passwords never stored in plain text)

  • Usage patterns, session timestamps, and feature interactions

3.2 Patient-Related Clinical Data


All patient information entered into HEMI Health is provided directly by the treating clinician. HEMI Health does not independently source, collect, or verify patient identity. Clinical data may include:

  • Consultation notes, clinical summaries, referral letters, discharge summaries, MDT reports

  • Voice recordings (processed transiently — not retained beyond session unless explicitly saved)

  • Patient identifiers entered by the clinician (name, date of birth, IC/passport number, MRN)

  • Diagnosis codes, medication lists, and clinical observations

Clinician Responsibility

Clinicians are responsible for ensuring that patient data is entered in accordance with their professional duties, applicable law, and — where required — patient consent.

3.3 Technical & Usage Data

  • Device type, operating system, browser version

  • IP address and approximate geolocation (country/region level)

  • Session logs, error logs, and anonymised feature usage analytics

  • Cookies (hemihealth.ai website only — see Section 11)

Section 4

How We Use Personal Data

✓ Provide, operate, and maintain the HEMI Health Platform and its AI features
✓ Generate AI-assisted clinical documentation based on clinician input
✓ Support clinical decision-making tools and knowledge retrieval
✓ Authenticate users and manage account security
✓ Send service notifications, platform updates, and critical alerts
✓ Conduct anonymised analytics for product improvement
✓ Comply with legal, regulatory, and audit obligations
✓ Investigate and respond to security incidents or misuse

AI Training Commitment

We do NOT use patient clinical data to train AI models without prior explicit written consent from the relevant healthcare institution and applicable data principals.

Section 5

Legal Basis for Processing

  • Consent (PDPA / UK GDPR Article 6(1)(a)) — optional features, marketing, AI model improvement

  • Contractual necessity (PDPA / UK GDPR Article 6(1)(b)) — core Platform functionality

  • Legitimate interests (PDPA / UK GDPR Article 6(1)(f)) — fraud prevention, security, service improvement

  • Legal obligation (PDPA / UK GDPR Article 6(1)(c)) — compliance with applicable law

  • Vital interests — rare patient safety disclosures required by law

For special category data (health data), we rely on UK GDPR Article 9(2)(h) (healthcare provision) and equivalent PDPA 2010 provisions.

Section 6

Data Storage, Security & Architecture

✓ All data encrypted in transit using TLS 1.2 or higher
✓ All data at rest encrypted using AES-256 or equivalent
✓ Voice transcription data processed ephemerally — not retained beyond the active session unless saved by the clinician
✓ Role-based access controls (RBAC) restrict data access to authorised personnel only
✓ Multi-factor authentication (MFA) available and recommended for all accounts
✓ Penetration testing and security audits conducted periodically
✓ Incident response procedures maintained in accordance with PDPA 2010

Data Residency

Malaysian users: data processed within Malaysia or PDPA-compliant jurisdictions. UK users: data processed within the UK or under Standard Contractual Clauses. Contact us for our full Data Residency Statement.

Section 7

Data Retention

  • Clinician account data:
    Duration of active account + 7 years post-closure (audit and legal compliance)

  • Patient-related clinical records:
    Minimum 7 years per Malaysian MOH guidelines; UK NHS retention schedules where applicable

  • Voice/transcription session data:
    Deleted within 24 hours unless explicitly saved by the clinician

  • Technical logs:
    Retained for up to 12 months in rolling cycles

  • Anonymised analytics:
    May be retained indefinitely

Clinicians and healthcare institutions may request deletion of specific data, subject to applicable legal and professional retention obligations.

Section 8

Data Retention

We do not sell, rent, or trade personal data. We may disclose data only in the following circumstances:

  • Service providers:
    Cloud infrastructure, AI processing, and security vendors under strict data processing agreements

  • Legal compliance:
    Lawful requests from Malaysian authorities, UK regulators, or court orders

  • Affiliated platforms:
    AskHEMI (askhemi.ai) and MedPlanner One (medplanner.io), where you have explicitly consented

  • Business transfers:
    In the event of merger or acquisition, subject to equivalent privacy protections

  • Safety disclosures:
    Where required to prevent serious harm to patients or the public

Any third-party processor engaged by MedPlanner is subject to a binding Data Processing Agreement.

Section 9

Your Rights

9.1 Malaysian Users (PDPA 2010)

✓ Right to access your personal data
✓ Right to correct inaccurate personal data
✓ Right to withdraw consent to processing
✓ Right to submit a complaint to JPDP (aduan.pdp.gov.my)

9.2 UK Users (UK GDPR / DPA 2018)

✓ Right of access (Subject Access Request)
✓ Right to rectification
✓ Right to erasure ("Right to be Forgotten") — subject to legal retention obligations
✓ Right to restrict or object to processing
✓ Right to data portability (machine-readable format)
✓ Right to withdraw consent at any time without detriment
✓ Right to lodge a complaint with the ICO (ico.org.uk)

Exercising Your Rights

Email contact@medplanner.io with subject line "Data Rights Request". We will respond within 30 days (Malaysia) or 1 month (UK GDPR), extendable by 2 months for complex requests.

Section 10

Cross-Border Data Transfers

Where data is transferred outside Malaysia or the UK, we implement appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) for UK transfers

  • Adequacy assessments for transfers to third countries

  • Contractual obligations on all sub-processors

Section 11

Cookies & Website Tracking

The HEMI Health website (hemihealth.ai) uses cookies solely for:

  • Essential site functionality (session management, login state)

  • Anonymous analytics (page views, feature popularity — no personal identifiers)

We do not use advertising cookies or third-party marketing trackers. You may manage cookie preferences through your browser settings. The HEMI Health application (app.hemihealth.ai) does not use tracking cookies.

Section 12

Children & Patient Access

HEMI Health is designed exclusively for use by licensed clinicians and healthcare professionals. It is not intended for direct use by patients or persons under 18 years of age. Any patient data entered into the Platform is provided by the treating clinician, who bears full professional responsibility for appropriate consent and handling.

Section 13

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, technology, or our services. Material changes will be communicated via email to registered users and via a notice on hemihealth.ai at least 14 days before taking effect. The "Last Updated" date at the top of this Policy will be revised accordingly. Continued use after the effective date constitutes acceptance.

Part B - Terms of Use

Your rights and obligations when using the HEMI Health Platform

Section 14

Introduction & Agreement

These Terms of Use ("Terms") constitute a legally binding agreement between you and MedPlanner Sdn Bhd governing your access to and use of HEMI Health (the "Platform"), including the web application at app.hemihealth.ai and all associated features, APIs, and services.

By registering for, accessing, or using HEMI Health, you confirm that you have read, understood, and agree to be bound by these Terms. If you are using the Platform on behalf of a healthcare organisation, you represent that you have authority to bind that organisation.

If You Do Not Agree

Please do not access or use the HEMI Health Platform. Contact us at contact@medplanner.io if you have questions before proceeding.

Section 15

Eligibility & Permitted Users

HEMI Health is a professional clinical tool. To use the Platform, you must:

✓ Be a licensed healthcare professional, clinician, or authorised clinical staff member
✓ Be of legal age in your jurisdiction (18 years or older)
✓ Be duly authorised to access and handle clinical and patient information under applicable law
✓ Use the Platform only within the scope of your professional duties and applicable regulations

MedPlanner reserves the right to verify professional credentials and may require evidence of registration with a recognised medical or allied health regulatory body as a condition of access.

Section 16

Description of Services

HEMI Health provides AI-powered tools for healthcare professionals, including:

  • Voice-to-text transcription for clinical consultations

  • AI-assisted generation of clinical documents (consultation notes, discharge summaries, referral letters, MDT reports, clinic letters)

  • Clinical knowledge assistance and evidence-informed decision support

  • Integration with AskHEMI and MedPlanner One where enabled

Important Clinical Disclaimer

HEMI Health is a documentation and decision-support tool. It is NOT a substitute for professional clinical judgement. All AI-generated content must be reviewed, verified, and approved by the treating clinician before use. The clinician bears full responsibility for all clinical decisions, diagnoses, treatment plans, and patient care. MedPlanner assumes no liability for clinical outcomes.

Section 17

User Obligations & Acceptable Use

When using HEMI Health, you agree to:

✓ Use the Platform only for lawful clinical purposes in compliance with applicable professional standards
✓ Ensure patient data is entered only where you have authority and, where applicable, patient consent
✓ Review and validate all AI-generated outputs before incorporating them into clinical records
✓ Maintain the confidentiality of your account credentials and not share login access
✓ Notify MedPlanner immediately of any suspected unauthorised account access
✓ Not attempt to circumvent, disable, or reverse-engineer any security feature of the Platform
✓ Not process data in violation of applicable privacy laws or professional codes of conduct
✓ Not submit false, misleading, or fabricated clinical information

Section 18

AI-Generated Content — Responsibilities & Limitations

AI outputs generated by HEMI Health are derived from large language models and clinical knowledge bases. They may contain errors, omissions, or outdated information. By using the Platform, you acknowledge that:

  • AI-generated clinical documents are drafts only — they require clinician review and verification before use

  • HEMI Health does not guarantee the accuracy, completeness, or currency of any AI-generated content

  • The Platform's knowledge may not reflect the most recent clinical guidelines, local formularies, or jurisdiction-specific regulations

  • You retain full professional and medicolegal responsibility for any document or recommendation generated or influenced by the Platform

MedPlanner provides HEMI Medicolegal Protection as an optional complementary feature. See hemihealth.ai/medicolegal-protection for details.

Section 19

Data Privacy

Your use of HEMI Health is subject to our Privacy Policy (Part A of this document), which governs how we collect, use, store, and protect your data. You agree to the terms of the Privacy Policy as a condition of using the Platform.

Section 20

Intellectual Property

All software, algorithms, AI models, trademarks, brand assets, interfaces, and content comprising HEMI Health are owned by or licensed to MedPlanner Sdn Bhd. You are granted a limited, non-exclusive, non-transferable, revocable licence to use the Platform for clinical purposes in accordance with these Terms.

You may not:

  • Copy, reproduce, distribute, or create derivative works from any part of the Platform

  • Reverse-engineer, decompile, or disassemble the Platform or its underlying models

  • Remove or obscure any proprietary notices or branding

  • Use HEMI Health's name, logo, or trademarks without prior written permission

Your Clinical Documents

AI-generated clinical documents you create through the Platform are your outputs. MedPlanner asserts no ownership over the content of individual clinical documents you generate.

Section 21

Service Availability & Modifications

We aim to maintain high availability of the Platform but do not guarantee uninterrupted access. We may conduct scheduled maintenance (with advance notice where practicable), perform emergency maintenance without prior notice, and modify or update features at any time.

Where we plan to discontinue a material feature or the Platform entirely, we will provide at least 30 days' written notice to active subscribers.

Section 22

Fees, Subscriptions & Cancellation

  • Free Trial:
    Availability, duration, and eligible features are specified at the time of registration

  • Cancellation:
    May be effected at any time; access continues until the end of the current billing period — no partial refunds unless required by law

  • Price changes:
    30 days' written notice provided for any pricing changes

  • Institutional billing:
    Custom terms available — contact contact@medplanner.io

Section 23

Limitation of Liability

To the maximum extent permitted by applicable law:

  • MedPlanner's total aggregate liability shall not exceed the fees paid by you in the 12 months preceding the claim

  • MedPlanner is not liable for any indirect, incidental, consequential, special, or exemplary damages

  • MedPlanner is not liable for clinical decisions made by clinicians using the Platform, or errors in AI-generated content not identified during clinician review

  • Nothing in these Terms limits liability for fraud, wilful misconduct, or liability that cannot be excluded by law

The Platform is provided "as is" and "as available". MedPlanner makes no warranty that the Platform will be error-free, meet your specific clinical requirements, or be uninterrupted.

Section 24

Indemnification

You agree to indemnify, defend, and hold harmless MedPlanner Sdn Bhd, its directors, employees, and affiliates from any claims, damages, penalties, or costs (including reasonable legal fees) arising from:

  • Your breach of these Terms or applicable professional obligations

  • Your misuse of AI-generated content without appropriate clinician review

  • Your unauthorised disclosure of patient data

  • Any claim by a patient or third party arising from your use of the Platform

Section 25

Termination & Suspension

MedPlanner may suspend or terminate your access immediately, without liability, if you breach any provision of these Terms, use the Platform in a manner creating legal or regulatory risk, fail to pay applicable fees, or where required by law.

You may terminate your account at any time by contacting contact@medplanner.io. Upon termination, your data will be handled in accordance with our Privacy Policy and applicable retention obligations.

Section 26

Governing Law & Dispute Resolution

26.1 Malaysian Users


These Terms are governed by the laws of Malaysia. Disputes are subject to the exclusive jurisdiction of the courts of Malaysia. Parties agree to attempt good-faith resolution before initiating formal proceedings.

26.2 UK Users


These Terms are governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales.

26.3 Other Jurisdictions


For users in other jurisdictions, Malaysian law governs unless local mandatory consumer or healthcare protection laws provide otherwise.

Section 27

Changes to These Terms

We may update these Terms from time to time. Material changes will be communicated with at least 14 days' advance notice via email and/or an in-app notification. Continued use of the Platform after the effective date constitutes acceptance. If you do not accept the updated Terms, you must cease using the Platform.

Section 28

Contact & Complaints

  • Company:
    MedPlanner Sdn Bhd

  • Address:
    B-09-01, Tower B, Menara UOA Bangsar, 5, Jalan Bangsar Utama 1, Bangsar, 59000 Kuala Lumpur, Malaysia

  • General Enquiries:
    contact@medplanner.io

  • Data Rights Requests:
    contact@medplanner.io — Subject: "Data Rights Request"

  • HEMI Health Support:
    contact@hemihealth.ai

  • Website:
    hemihealth.ai

  • UK ICO (complaints):
    ico.org.uk

  • Malaysia JPDP (complaints):
    aduan.pdp.gov.my

This document is provided for informational and legal transparency purposes. It does not constitute legal advice. For institutional deployments or specific compliance queries, please consult your legal counsel and contact MedPlanner directly.
