MedID Terms of Service
Last Updated: December 21, 2025
IMPORTANT: These Terms of Service ("Terms") govern your use of the MedID mobile application. By creating an account or using MedID, you agree to be bound by these Terms. If you do not agree to these Terms, do not use MedID.
1. Acceptance of Terms
By accessing, downloading, installing, or using the MedID application ("App," "Service," "MedID"), you agree to be bound by these Terms of Service and our Privacy Policy. These Terms apply to all users, including personal users (patients) and medical professionals.
2. Description of Service
MedID is a mobile application that allows:
- Personal Users: To create and maintain a digital medical identification profile containing their medical information, conditions, medications, and emergency contacts
- Medical Professionals: To scan QR codes or NFC tags and access personal users' medical information for emergency medical care and treatment
MEDICAL DISCLAIMER - PLEASE READ CAREFULLY
MEDID IS NOT A MEDICAL DEVICE. MedID is NOT a substitute for professional medical advice, diagnosis, or treatment. It is a tool for sharing medical information in emergency situations.
ALWAYS seek the advice of qualified healthcare providers with any questions regarding medical conditions. Never disregard professional medical advice or delay seeking it because of information stored in or accessed through MedID.
3. Eligibility
To use MedID, you must:
- Be at least 13 years of age (we do not knowingly collect information from children under 13)
- Have the legal capacity to enter into binding contracts
- For medical professional accounts: Be affiliated with a medical organization and possess a valid organizational access code
4. Account Registration and Security
4.1 Account Creation
- You must provide accurate, current, and complete information during registration
- You must select the appropriate account type (personal user or medical professional)
- You are responsible for maintaining the confidentiality of your account credentials
- You are responsible for all activities that occur under your account
4.2 Medical Professional Accounts
By creating a medical professional account, you represent that:
- You are affiliated with a medical organization and have obtained a valid organizational access code
- You will only use patient access features for legitimate medical purposes
- Misrepresenting yourself as a medical professional is strictly prohibited and may result in legal action
Enhanced Security Requirements for Medical Professionals:
- Two-Factor Authentication (2FA): Mandatory for all medical professional accounts. You must complete email-based 2FA verification to access patient information.
- Biometric Authentication: If your device supports biometric authentication (Face ID, fingerprint, etc.), you must enable it. This requirement cannot be disabled for medical professional accounts.
- Automatic Session Lock: Your session will lock after 15 minutes of inactivity, requiring biometric re-authentication to continue.
- Audit Logging: All access to patient information is logged with your user ID, timestamp, and device information for HIPAA compliance.
Note: MedID validates organizational access codes but does not independently verify individual medical licensure. Medical organizations are responsible for managing their own access codes.
4.3 Account Security
You agree to:
- Use a strong, unique password for your MedID account (minimum 12 characters with uppercase, lowercase, numbers, and special characters)
- Never share your account credentials with others
- Notify us immediately if you suspect unauthorized access to your account
- Enable device security features (passcode, screen lock)
- Enable two-factor authentication when prompted (mandatory for medical professionals)
- Enable biometric authentication when available for enhanced security
- Be aware that the app automatically locks after periods of inactivity (30 minutes for personal users, 15 minutes for medical professionals), requiring biometric re-authentication
Security Features:
- Rate Limiting: Failed login and 2FA attempts are rate-limited to prevent brute-force attacks. After 5 failed 2FA attempts, your account will be locked for 24 hours.
- Encrypted Storage: Sensitive medical data is encrypted on your device using platform-native encryption (AES-256-GCM on Android, Keychain on iOS).
- Firebase App Check: All API requests are verified to ensure they originate from the genuine MedID application.
- Device Security Detection: MedID checks if your device is rooted (Android) or jailbroken (iOS) and will warn you about potential security risks. For optimal security of your medical data, we recommend using MedID only on unmodified devices.
5. User Responsibilities
5.1 Personal Users (Patients)
As a personal user, you agree to:
- Accuracy: Provide accurate and up-to-date medical information
- Updates: Keep your profile current, especially regarding medications and conditions
- Emergency Contacts: Ensure emergency contact information is correct and current
- Consent: Understand that medical professionals can access your full profile when they scan your QR/NFC code
- Physical Security: Protect your QR code and NFC tag from unauthorized access
CRITICAL RESPONSIBILITY: Inaccurate medical information could result in improper medical treatment in an emergency. You are solely responsible for ensuring the accuracy of all information in your MedID profile.
5.2 Medical Professionals
As a medical professional user, you agree to:
- Professional Use Only: Access patient information only for legitimate medical purposes
- HIPAA Compliance: Follow all applicable HIPAA and privacy regulations
- Verification: Verify critical medical information with patients or official medical records when possible
- Confidentiality: Maintain the confidentiality of accessed patient information
- No Misuse: Never access patient information for personal curiosity, stalking, or non-medical purposes
- Accurate Recording: If you document care based on MedID information, verify its accuracy
6. Prohibited Uses
You may NOT use MedID to:
- Provide false, inaccurate, or misleading information
- Impersonate another person or entity
- Create a medical professional account without proper authorization
- Access patient information for non-medical purposes
- Share, sell, or distribute patient information obtained through MedID
- Attempt to gain unauthorized access to other users' accounts
- Reverse engineer, decompile, or disassemble the App
- Use automated systems (bots, scrapers) to access the Service
- Interfere with or disrupt the Service or servers
- Violate any applicable local, state, national, or international law
- Transmit any viruses, malware, or harmful code
7. Medical Information and Disclaimers
7.1 Not Professional Medical Advice
MedID provides a platform for storing and sharing medical information. It does NOT:
- Provide medical advice, diagnosis, or treatment
- Replace consultation with qualified healthcare providers
- Guarantee accuracy of user-provided information
- Verify medical information entered by users
7.2 Emergency Use
EMERGENCY DISCLAIMER:
- MedID is designed to assist in emergency medical situations but should not be the sole source of medical information
- In emergencies, always call 911 or local emergency services first
- Medical professionals should verify critical information when possible
- MedID is not responsible for medical treatment decisions made based on app information
7.3 Information Accuracy
- Users are solely responsible for the accuracy of information they provide
- MedID does not verify, validate, or confirm medical information
- Medical professionals should use MedID information as supplemental, not primary, medical records
8. Privacy and Data Protection
Our collection, use, and protection of your personal and medical information is governed by our Privacy Policy, which is incorporated into these Terms by reference.
Key points:
- Personal users consent to medical professionals accessing their profiles when their QR code or NFC tag is scanned
- Data is stored in Firebase/Google Cloud Platform with encryption at rest
- Sensitive medical data is encrypted on your device using platform-native secure storage (AES-256-GCM on Android, Keychain on iOS)
- Digital ID QR codes use server-side AES-256-GCM encryption to protect your user identifier; encryption keys never leave our servers
- Physical MedID device QR codes contain serial numbers (not patient IDs) that are used to look up linked accounts
- All access to patient data is logged in immutable audit logs for HIPAA compliance
- Firebase App Check ensures only the genuine MedID app can access our backend services
9. Intellectual Property
9.1 MedID Ownership
MedID and all related trademarks, logos, service marks, and intellectual property are owned by us. You may not use our intellectual property without prior written permission.
9.2 User Content
You retain ownership of the medical information and content you provide to MedID. By using the Service, you grant us a limited license to:
- Store your information in our databases
- Display your information to you within the app
- Share your information with medical professionals who scan your QR/NFC code
- Back up your information for service reliability
9.3 Medical Conditions Database
The medical conditions database provided in MedID is for informational purposes. The conditions list is compiled from public medical resources and is provided "as is."
10. Third-Party Services
MedID uses third-party services including:
- Firebase/Google Cloud Platform: Data storage, authentication, and hosting
- Firebase Cloud Functions: Server-side processing (medical code validation, 2FA code generation/verification, email sending, server-side encryption/decryption, audit logging)
- Firebase App Check: Device attestation to protect APIs from unauthorized access (DeviceCheck on iOS, Play Integrity on Android)
- Firebase Secrets Manager: Secure server-side storage of encryption keys (keys never transmitted to devices)
- Google Sign-In: OAuth authentication
- Stripe: Payment processing for product purchases
- Gmail (via Nodemailer): Email delivery for account notifications and 2FA codes
Your use of these services is subject to their respective terms of service and privacy policies.
11. Disclaimers of Warranties
DISCLAIMERS OF WARRANTIES
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED.
TO THE FULLEST EXTENT PERMITTED BY LAW, WE DISCLAIM ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO:
- IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT
- Warranties that the Service will be uninterrupted, error-free, or secure
- Warranties regarding the accuracy, reliability, or completeness of any information
- Warranties that the Service will meet your specific requirements
- Warranties regarding the results obtained from using the Service
YOU USE MEDID AT YOUR OWN RISK. WE DO NOT WARRANT THAT THE APP WILL BE FREE FROM VIRUSES OR OTHER HARMFUL COMPONENTS.
12. Limitation of Liability
LIMITATION OF LIABILITY - IMPORTANT
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
MEDID, ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, AND LICENSORS SHALL NOT BE LIABLE FOR:
- ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES
- Loss of profits, data, use, goodwill, or other intangible losses
- Medical treatment decisions or outcomes based on information in the App
- Inaccurate, outdated, or incomplete user-provided information
- Unauthorized access to your account or data
- Service interruptions, errors, or security breaches
- Any third-party conduct or content
IN NO EVENT SHALL OUR TOTAL LIABILITY EXCEED ONE HUNDRED DOLLARS ($100 USD) OR THE AMOUNT YOU PAID US IN THE PAST TWELVE (12) MONTHS, WHICHEVER IS GREATER.
13. Indemnification
You agree to indemnify, defend, and hold harmless MedID and its affiliates from any claims, damages, losses, liabilities, and expenses (including attorney's fees) arising from:
- Your use or misuse of the Service
- Your violation of these Terms
- Your violation of any rights of another party
- Inaccurate information you provide
- Medical treatment decisions based on your information (for personal users)
- Improper access to patient information (for medical professionals)
14. Term and Termination
14.1 Term
These Terms remain in effect while you use MedID.
14.2 Termination by You
You may terminate your account at any time by:
- Deleting your account through the app settings (requires password re-authentication)
- Contacting us at support@nurevamedical.com for assistance
14.3 Termination by Us
We may suspend or terminate your access to MedID immediately, without notice, if:
- You violate these Terms
- You provide false information
- You misuse medical professional access
- We are required to do so by law
- We discontinue the Service
14.4 Effect of Termination
- Your right to use the Service immediately ceases
- Your data may be deleted according to our data retention policies
- Sections of these Terms that by their nature should survive termination will survive (including disclaimers, limitations of liability, and indemnification)
15. Changes to Terms
We reserve the right to modify these Terms at any time. When we make changes:
- We will update the "Last Updated" date at the top of these Terms
- The updated Terms will be posted on our website
- Continued use of MedID after changes constitutes acceptance of the updated Terms
We encourage you to review these Terms periodically for any updates.
16. Changes to Service
We reserve the right to:
- Modify or discontinue the Service at any time
- Add or remove features
- Change pricing (if we introduce paid features in the future)
17. Governing Law and Dispute Resolution
17.1 Governing Law
These Terms are governed by the laws of the Commonwealth of Virginia, United States, without regard to conflict of law principles.
17.2 Dispute Resolution
For any dispute arising from these Terms or the Service:
- Informal Resolution: Contact us first to attempt informal resolution at support@nurevamedical.com. You agree to try to resolve any dispute informally for at least 30 days before initiating arbitration.
- Binding Arbitration: If informal resolution fails, disputes will be resolved through binding arbitration administered by the American Arbitration Association (AAA) under its Consumer Arbitration Rules.
CLASS ACTION WAIVER
YOU AND MEDID AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.
Unless both you and MedID agree otherwise, the arbitrator may not consolidate more than one person's claims and may not otherwise preside over any form of a representative or class proceeding.
17.3 Exceptions
Either party may seek injunctive relief in court for:
- Intellectual property infringement
- Unauthorized access to systems
- Violation of data privacy laws
18. HIPAA Compliance
HIPAA COMPLIANCE NOTICE
MedID has implemented comprehensive technical safeguards aligned with HIPAA Security Rule requirements:
Implemented Security Controls:
- Access Controls: Role-based access, mandatory two-factor authentication for medical professionals, biometric authentication enforcement
- Audit Controls: Comprehensive server-side audit logging of all PHI access with immutable hash chain integrity and 6-year retention
- Integrity Controls: Cryptographic verification of audit logs, tamper-evident design
- Transmission Security: All data encrypted in transit using TLS/HTTPS
- Encryption: PHI encrypted at rest using AES-256-GCM on devices and server-side encryption for patient ID tokens
- Automatic Session Lock: Screen locks after inactivity (15 minutes for medical, 30 minutes for personal), requiring biometric re-authentication
- Authentication: Strong password requirements, rate-limited login attempts, bcrypt-hashed 2FA codes
- Device Security: Root/jailbreak detection to warn users about compromised devices, backup protection to prevent unencrypted PHI exposure
Important Limitations:
- MedID does not currently provide Business Associate Agreements (BAAs) to healthcare organizations
- MedID is designed for patient-controlled emergency information sharing, NOT as a primary electronic health record (EHR) system
- Information from MedID should ALWAYS be verified with official medical records before making treatment decisions
Medical professionals are responsible for ensuring their use of MedID complies with all applicable HIPAA regulations, state privacy laws, and institutional policies.
19. International Users
MedID is operated in the United States. If you access the Service from outside the United States:
- You consent to transfer of your data to the United States
- You are responsible for compliance with local laws
- The Service may not be available in all jurisdictions
20. Severability
If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will remain in full force and effect.
21. Entire Agreement
These Terms, together with our Privacy Policy, constitute the entire agreement between you and MedID regarding the Service, and supersede any prior agreements.
22. No Waiver
Our failure to enforce any right or provision of these Terms will not be deemed a waiver of such right or provision.
23. Assignment
You may not assign or transfer these Terms or your account without our prior written consent. We may assign these Terms without restriction.
24. Force Majeure
MedID is not liable for any failure or delay in performance due to circumstances beyond our reasonable control, including acts of God, natural disasters, terrorism, pandemics, or failures of third-party services.
25. Contact Information
Acknowledgment
BY CREATING A MEDID ACCOUNT OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS OF SERVICE.
© 2025 MedID. All rights reserved.