Privacy Policy
Last updated: March 27, 2026
OpenMedica is a project of IntelMedica.ai, a company founded by a physician. OpenMedica is the umbrella platform that includes the Open Medical Skills catalog, CLI, and API. We are committed to protecting your privacy and being transparent about our data practices. This Privacy Policy explains exactly what data we collect, how we use it, the technologies involved, and your rights regarding that data.
Our website is available at openmedica.us.
TL;DR — The Short Version
- We do not sell your data to anyone, ever
- We do not collect patient data or PHI
- We use two cookieless analytics tools (Cloudflare Web Analytics and self-hosted Umami) that collect no PII and require no consent
- We use Mautic (self-hosted) for optional email marketing — this is the only service that sets tracking cookies and collects PII (your email), and it requires your explicit opt-in
- GitHub OAuth is used only for skill submissions — your token stays in your browser
- Your theme preference lives in localStorage on your device — it never leaves your browser
- We are physicians, not advertisers. Your privacy is safe with us.
1. What Data We Collect
OpenMedica is primarily a static directory website — we catalog medical AI skills and plugins. You do not need an account, login, or any personally identifiable information (PII) to browse the directory. However, certain features and services do involve data collection as described below.
1.1 Data We Do NOT Collect
Let us be clear about what we do not collect:
- Payment or financial information
- Patient data, medical records, or Protected Health Information (PHI)
- Biometric data, health data, or genetic information
- Social Security numbers or government-issued IDs
- Browser fingerprints or advertising identifiers
- Keystroke logs, session recordings, or mouse tracking data
- Cross-site tracking data or third-party advertising cookies
1.2 Cloudflare Web Analytics (Cookieless, No PII)
We use Cloudflare Web Analytics, a privacy-focused, cookieless analytics service built into Cloudflare. It collects:
- Page views
- Referral sources
- Device types
- Country-level geographic data
Cloudflare Web Analytics does not use cookies, does not collect PII, and does not track users across sites. It is compliant with GDPR without requiring cookie consent because no cookies or personal data are involved.
1.3 Umami Analytics (Self-Hosted, Cookieless, No PII)
We use Umami (umami.is), an open-source web analytics platform that we self-host on our own infrastructure. It collects:
- Page views and referral sources
- Device types and screen sizes
- Operating system and browser family
- Country-level geographic data
Umami does not use cookies, does not collect PII, and does not track users across sites. All analytics data stays on our infrastructure and is never shared with third parties. It is GDPR-compliant without requiring cookie consent.
1.4 Mautic Marketing Automation (Self-Hosted, Opt-In Only)
We use Mautic (mautic.org), an open-source marketing automation platform that we self-host on our own infrastructure. This is the only service on our site that sets tracking cookies and collects PII.
Mautic is used for:
- Email marketing campaigns (requires your explicit opt-in)
- Contact management (stores: your email address, name if you provide it, and engagement history such as email opens and link clicks)
- Website visitor tracking via a Mautic tracking pixel/JavaScript snippet (sets cookies on your device)
- Lead scoring and segmentation to send you relevant content
Mautic tracking cookies are only activated after you provide explicit consent via our cookie consent banner. If you do not consent to marketing cookies, no Mautic cookies are set and no visitor tracking occurs. Email marketing also requires your explicit opt-in (e.g., subscribing to a newsletter). All Mautic data stays on our self-hosted infrastructure.
1.5 GitHub OAuth (Skill Submissions)
If you use our web-based skill submission form, you may authenticate via GitHub OAuth. This process collects:
- Your GitHub username
- Your GitHub avatar URL
- Your public GitHub profile information
Your GitHub OAuth token and user information are stored only in your browser's localStorage. They are never stored on our servers. The token is used solely to create pull requests on your behalf.
GitHub's own data handling is governed by GitHub's Privacy Statement.
1.6 Theme and Consent Preferences (Local Storage Only)
Your dark mode / light mode preference and cookie consent choice are stored in your browser's localStorage. This data never leaves your device, is not transmitted to any server, and cannot be read by us or anyone else.
2. Cookies and Tracking Technologies
Below is our complete list of cookies, localStorage items, and tracking technologies used on this site:
| Technology | Type | Purpose | Duration | PII? | Consent Required? |
|---|---|---|---|---|---|
| theme | localStorage | Dark/light mode preference | Persistent | No | No (functional) |
| oms-cookie-consent | localStorage | Cookie consent preferences | Persistent | No | No (functional) |
| oms_github_token | localStorage | GitHub auth token for submissions | Persistent | Yes (token) | No (functional) |
| oms_github_user | localStorage | GitHub user info (username, avatar) | Persistent | Yes (username) | No (functional) |
| __cf_bm | Cookie | Cloudflare bot management | 30 minutes | No | No (strictly necessary) |
| mautic_device_id | Cookie | Mautic visitor tracking | 1 year | Not directly | Yes (marketing) |
| mtc_id | Cookie | Mautic contact identification | 1 year | Yes (linked to email) | Yes (marketing) |
| mtc_sid | Cookie | Mautic session tracking | Session | No | Yes (marketing) |
Mautic cookies (highlighted above) are only set after you provide explicit consent via our cookie consent banner. All other items are either strictly necessary for site functionality or stored exclusively in your browser's localStorage.
You can disable cookies in your browser settings or clear localStorage at any time. Blocking marketing cookies will not affect your ability to browse the directory. You can also withdraw your marketing cookie consent at any time through the cookie settings on our site.
3. Third-Party Services
We rely on the following third-party services. Where we self-host a service, data stays on our infrastructure and is not shared externally.
- Cloudflare Pages + Workers: Our website is hosted on Cloudflare's CDN as a static site, with edge functions (Workers) handling API operations such as skill submissions and search. Cloudflare may log IP addresses and timestamps for DDoS protection and security purposes, subject to Cloudflare's Privacy Policy.
- Cloudflare Web Analytics: Privacy-focused, cookieless analytics built into Cloudflare. No PII collected. No cookies set. No cross-site tracking.
- Umami Analytics (self-hosted): Open-source, cookieless web analytics hosted on our own infrastructure. No PII collected. No cookies set. Data never leaves our servers.
- Mautic (self-hosted): Open-source marketing automation hosted on our own infrastructure. Collects email addresses and engagement data only with your explicit opt-in. Sets tracking cookies only with your consent. Data stays on our infrastructure.
- GitHub: Skill submissions and pull requests are hosted on GitHub. If you authenticate via GitHub OAuth, your public profile information is accessed. GitHub Actions run validation on submissions. GitHub's Privacy Statement applies.
- Google Fonts: We load the Inter and JetBrains Mono typefaces from Google's CDN. Google may log basic request metadata (IP address, user agent) when your browser fetches the font files. No cookies are set by Google Fonts. Google Fonts Privacy FAQ.
We do not use: Google Analytics, Facebook/Meta SDKs, Hotjar, Mixpanel, Segment, Amplitude, or any other invasive user behavior tracking service.
4. Data Storage and Retention
OpenMedica is primarily a static website served via Cloudflare's CDN. For most visitors who simply browse the directory, we have no server-side database storing your personal data.
Data retention by service:
- Cloudflare Web Analytics: Aggregated metrics retained by Cloudflare per their data retention policies. No individual user data is stored.
- Umami Analytics (self-hosted): Aggregated page view data retained on our infrastructure. No individual user data is stored.
- Mautic (self-hosted): If you opt in to email marketing, your contact record (email address, name, engagement history) is retained until you unsubscribe or request deletion. You can unsubscribe at any time via the link in every marketing email or by contacting us.
- GitHub OAuth data: Stored only in your browser's localStorage. We do not retain your GitHub token or profile on any server. Clear your browser storage at any time to remove it.
- Cloudflare security logs: IP addresses and request metadata may be retained by Cloudflare for security purposes per their retention schedule.
If we introduce user accounts or new data collection in the future, we will update this policy before collecting any new data and will require fresh consent where applicable.
5. Data Sharing and Selling
We Do Not Sell Your Data. Period.
We do not sell, rent, lease, trade, or otherwise transfer any user data to third parties for any reason — commercial, marketing, analytics, or otherwise. This includes data collected through Mautic. Your email address, if you provide it for marketing, is used solely to send you communications from IntelMedica.ai and is never shared with or sold to third parties.
We may share limited data with the following categories of service providers, solely to operate our platform:
- Cloudflare — hosting and security (necessary for site operation)
- GitHub — only when you initiate a skill submission via OAuth
- Google Fonts — font delivery (request metadata only)
Umami and Mautic are self-hosted on our own infrastructure and do not involve any third-party data sharing.
6. Patient Data and Protected Health Information (PHI)
OpenMedica is a directory of research tools — we do not collect, process, store, transmit, or have access to any patient data or Protected Health Information (PHI). We are not a covered entity and not a business associate under HIPAA.
The tools listed in our catalog are independent third-party projects, each classified as research tools with their own data handling practices. You are solely responsible for reviewing the privacy policy, data handling practices, and compliance posture of any skill or plugin before deploying it in a clinical, research, or production environment.
We strongly recommend that healthcare professionals and organizations:
- Conduct independent security and privacy assessments before deploying any tool with patient data
- Ensure any skill handling PHI has a valid Business Associate Agreement (BAA) with the skill provider
- Follow your organization's data governance and information security policies
- Comply with HIPAA, HITECH, state privacy laws, and institutional review board (IRB) requirements where applicable
7. Medical Disclaimer
Important Medical Disclaimer
OpenMedica is a directory of research tools — it does not provide medical advice, diagnosis, or treatment. The skills and plugins listed here are third-party software tools intended to assist healthcare professionals in research contexts. They are not medical devices and are not clinical decision support systems. They do not replace clinical judgment, medical training, or the physician-patient relationship. Always consult a qualified healthcare professional for medical decisions.
8. HIPAA Compliance Stance
OpenMedica is a publicly accessible directory website. We are not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). We do not handle PHI and do not enter into Business Associate Agreements (BAAs) for the directory service itself.
No part of our platform — including the website, API, CLI, analytics, or marketing systems — collects, processes, or stores Protected Health Information.
If you deploy a skill from this directory in a HIPAA-regulated environment, you are responsible for ensuring that the skill's author has appropriate compliance measures in place and that you execute any necessary BAAs with the skill provider directly.
9. Your Privacy Rights
Depending on your location, you may have specific rights under applicable data protection laws.
9.1 European Union (GDPR)
If you are in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) grants you the following rights with respect to any personal data we process:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate personal data
- Right to erasure ("right to be forgotten") — request deletion of your personal data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — withdraw consent at any time for consent-based processing (e.g., Mautic marketing)
Legal bases for processing: Our cookieless analytics (Cloudflare Web Analytics, Umami) process no personal data and require no legal basis. Mautic marketing operates on your explicit consent (opt-in). Cloudflare's security cookies are processed under legitimate interest (strictly necessary for security). GitHub OAuth data is processed based on your consent when you initiate authentication.
Data Protection Authority contact: privacy@intelmedica.ai
9.2 California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
- Right to know — request disclosure of what personal information we collect, use, and share
- Right to delete — request deletion of your personal information
- Right to opt-out of sale or sharing — we do not sell or share your personal information as defined by the CCPA/CPRA
- Right to non-discrimination — we will not discriminate against you for exercising your rights
- Right to correct — request correction of inaccurate personal information
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CPRA
Because we do not sell personal information, there is no need to opt out of sale. If you have subscribed to Mautic marketing emails, you can unsubscribe at any time or contact us to have your data deleted.
9.3 ePrivacy Directive (Cookie Law)
In compliance with the EU ePrivacy Directive, we obtain explicit consent before setting any non-essential cookies on your device. The only non-essential cookies on our site are Mautic tracking cookies (mautic_device_id, mtc_id, mtc_sid), which are only set after you provide affirmative consent via our cookie banner. Cloudflare's __cf_bm cookie is classified as strictly necessary for security and does not require consent.
9.4 Exercising Your Rights
To exercise any of the rights described above, contact us at privacy@intelmedica.ai. We will respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA/CPRA). We do not charge a fee to process legitimate requests.
10. Children's Privacy
OpenMedica is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has submitted information to us (e.g., via Mautic marketing opt-in or GitHub OAuth), please contact us immediately at privacy@intelmedica.ai and we will promptly delete such information.
11. International Users
OpenMedica is operated from the United States and is accessible worldwide. If you access the site from outside the United States, please be aware that:
- Cloudflare serves content from edge locations globally and may process request data in various jurisdictions
- GitHub data (for submissions) is processed in the United States per GitHub's policies
- Google Fonts requests may be processed in jurisdictions where Google operates CDN infrastructure
- Umami analytics and Mautic marketing data are stored on our self-hosted infrastructure in the United States
By using our site, you acknowledge that data may be processed in the United States or other jurisdictions where our service providers operate, which may have different data protection laws than your country of residence.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. Updates will be posted on this page with a new "Last updated" date.
If we make material changes — such as introducing new data collection, new cookies, or new third-party services — we will provide prominent notice on the site and, where required, request fresh consent before any new processing begins.
Your continued use of the site after non-material changes are posted constitutes acceptance of the updated policy.
13. Contact Information
If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise your privacy rights, please contact:
OpenMedica is a project of IntelMedica.ai, founded by a physician. We are committed to transparency, privacy, and building tools that serve the healthcare community responsibly.