Privacy Policy - Moco
Effective Date: October 6, 2025
This Privacy Policy explains how COADIA, Inc. dba Moco collects, uses, shares, and protects information in the Moco platform. If you use Moco, you agree to this Policy.
Scope
This Policy covers the web app and any mobile app for Moco. It applies to both the marketing site and the product, with differences called out where needed. The Platform Terms of Use govern your account. The Business Associate Agreement applies when we handle PHI for a covered entity.
What we collect
We collect information in four groups.
Account data
- Name, email, role or title, clinic or company, settings, and support communications.
- Payment and billing data, which may be handled by a certified payment processor.
Patient recordings and clinical content
- Audio recordings when a clinician turns recording on.
- Transcripts created from audio.
- Content entered into notes such as diagnoses, medications, goals, plans, and billing codes. These items can be PHI when linked to a patient.
Usage and device data
- Device type, browser, IP address, app version, language, and event logs that show how features are used.
Derived and service data
- Features, embeddings, labels, summaries, analytics, and other outputs created as part of running the service.
How we use information
We use information to deliver the product and to meet legal and safety duties.
- To provide the service, including capturing and transcribing audio when recording is on.
- To perform treatment, payment, and health care operations on behalf of the clinic under HIPAA.
- To secure, monitor, and improve reliability and quality.
- To create De-identified Data and Aggregated Data for research, analytics, product improvement, and lawful commercial use.
- To comply with law, respond to legal process, and enforce our terms.
We do not share raw audio outside our system.
De-identified and aggregated use
We create De-identified Data under HIPAA de-identification standards by Expert Determination or Safe Harbor. De-identified Data includes de-identified audio, transcripts, and numerical voice features that cannot reasonably be used to reconstruct a voice. We may use, license, and sell De-identified and Aggregated Data. We will not attempt to re-identify anyone and we require recipients to agree in writing not to re-identify.
Sharing
We do not sell personal information for advertising. We share information only as described below.
Vendors and subprocessors
We use service providers for hosting, storage, email, monitoring, payments, and similar functions. If a vendor can access PHI we sign a BAA or equivalent and require appropriate security.
Legal and safety
We may disclose information to comply with law or a valid legal process, or to protect the safety, rights, or property of users and the public.
Business transfers
If we undergo a merger, acquisition, or asset sale, information may transfer as part of that transaction subject to this Policy.
Patient choices and notices
Recording is optional at the point of care. Patients can decline recording without affecting care. For programs covered by 42 CFR Part 2, separate patient consent is required for any use beyond treatment, payment, and operations. We honor legally required opt-outs and we document how choices are enforced.
Clinic controls
Clinic admins can set defaults for retention and de-identified use.
- Audio retention: Delete on save, after 7, 30, or 90 days, or custom.
- Transcript retention: Same options.
- De-identified use: Clinic can allow or disable use of its data in the de-identification pipeline for product improvement and for research or analytics.
- Part 2 safeguard: Clinic can mark sites or programs where Part 2 rules apply.
Retention and deletion
- Audio and transcript retention follow clinic settings. When audio is deleted we schedule deletion of derived features that are not required for security or legal holds.
- Backups expire on a rolling schedule. We do not edit historical backups. Deletions propagate as backups roll forward.
- We keep system and security logs for the period needed to investigate abuse, meet legal duties, and ensure integrity.
Security
We encrypt data in transit and at rest. Audio stores use separate keys. Access to raw audio is role-based and reviewed. We maintain a written security program aligned to industry frameworks, run code review and dependency scanning, and perform periodic penetration testing. Assurance materials are available under NDA.
International transfers
If data is moved across borders we use appropriate safeguards such as standard contractual clauses where required. We disclose storage regions on request.
Your rights
Depending on your location and role you may have rights to access, correct, or delete certain information. Patients should contact their clinic for requests related to medical records or PHI. We support clinics in fulfilling access, amendment, and accounting duties under HIPAA.
Children
Moco is for professional use. It is not directed to children under 18.
Changes and versioning
When we change this Policy we will post a new effective date. For material changes we will notify account owners by email or in-app notice. We keep prior versions for at least six years.
Contact
Questions about this Policy or our data practices:
Regulatory requests and HIPAA inquiries: