ADVOCATE

Privacy Policy

Last updated: December 2025

Privacy at a Glance

  • We NEVER sell your data — Your personal and health information is never sold to third parties, period.
  • You control your data — Access, export, or delete your information at any time.
  • HIPAA compliant — We meet or exceed all federal healthcare privacy requirements.
  • Encryption — Your data is encrypted in transit using TLS and sensitive data is encrypted at rest.
  • Optional research participation — Anonymized data sharing for healthcare insights is strictly opt-in.

Introduction

GenomOncology, LLC ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Advocate mobile application and related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not access or use our Service.

Our Commitment: We Do Not Sell Your Data

IMPORTANT: GenomOncology does NOT sell, rent, trade, or otherwise transfer your personal information or Protected Health Information (PHI) to third parties for monetary consideration or any other valuable consideration. This commitment is absolute and applies to all data we collect.

We believe your health information belongs to you. Unlike many technology companies, we do not monetize your data through advertising, data brokerage, or any form of data sales. Our business model is based solely on providing valuable healthcare coordination services, not exploiting your personal information.

Information We Collect

Personal Information You Provide

We collect information that you provide directly to us, including:

  • Account Information:
    • Name, email address, and phone number
    • Password (stored in encrypted form only)
    • Profile photo (optional)
  • Profile Information:
    • Your role (Primary Advocate, Hospital Advocate, Remote Advocate, Therapist)
    • Relationship to patients you are caring for
    • Language preferences
  • Communication Data:
    • Messages sent through the app to care team members
    • Support requests and correspondence

Protected Health Information (PHI)

With your explicit consent, we collect and process PHI to provide our care coordination services:

  • Patient Demographics:
    • Patient name, date of birth, gender
    • Medical record numbers (if provided)
    • Emergency contact information
  • Medical Information:
    • Diagnoses, medical conditions, and treatment plans
    • Medications including dosages, schedules, and administration logs
    • Allergies and adverse reactions
    • Healthcare provider information
  • Vital Signs & Health Metrics:
    • Blood pressure, heart rate, temperature
    • Oxygen saturation (SpO2), respiratory rate
    • Weight, blood glucose levels
  • Care Activities:
    • Food and fluid intake tracking
    • Bathroom activity logs
    • Catheter care records
    • Physical and occupational therapy exercises
    • Daily observations and care notes
  • Mental Health Data:
    • Mood tracking and anxiety assessments
    • Behavioral observations
    • Therapy appointment records
  • Scheduling Information:
    • Medical appointments and care schedules
    • Care shift assignments
    • Medication reminders

Automatically Collected Information

When you use our Service, we automatically collect:

  • Device Information: Device type, operating system version, unique device identifiers, and mobile network information
  • Usage Data: Features accessed, time spent in app, interaction patterns, and error reports
  • Log Data: Access times, IP addresses (anonymized), error logs, and system activity for security and debugging purposes

We do NOT collect or access your device contacts, photos (except those you explicitly upload), location data, or other personal files without your explicit permission.

How We Use Your Information

We use the information we collect for the following purposes:

To Provide Our Services

  • Create and manage your account
  • Facilitate care coordination between team members
  • Enable health tracking features (medications, vitals, nutrition, etc.)
  • Send medication reminders and care alerts
  • Generate health summaries and reports
  • Process voice commands and transcriptions
  • Provide AI-powered drug interaction checking

To Improve Our Services

  • Analyze usage patterns to improve features
  • Debug issues and fix errors
  • Develop new features based on user needs
  • Conduct internal research and analytics (using aggregated, de-identified data only)

To Communicate With You

  • Respond to support requests
  • Send service-related notifications and push notifications
  • Send medication reminders and care alerts
  • Notify you of important updates or changes to our policies

Push Notifications: We use push notification services to deliver alerts to your mobile device. Push notifications may contain limited information such as reminder titles or alert types. We design notifications to minimize the inclusion of sensitive health information; however, some contextual information may be visible on your device's lock screen. You can control notification settings and visibility through your device's settings.

To Ensure Security and Compliance

  • Verify your identity and prevent fraud
  • Monitor for security threats and unauthorized access
  • Maintain audit logs for HIPAA compliance
  • Comply with legal obligations

Optional: Anonymous Research Participation

STRICTLY OPT-IN: You may voluntarily choose to participate in anonymous data collection that helps advance healthcare knowledge. This is entirely optional and has no impact on your use of the Service.

If you choose to opt in, we may use fully de-identified, aggregated data to:

  • Identify trends in medication usage and effectiveness
  • Understand common care patterns for specific conditions
  • Develop insights that may help healthcare providers improve patient care
  • Contribute to healthcare research initiatives

How we protect your anonymity:

  • All identifying information is permanently removed before any analysis
  • Data is aggregated with thousands of other records
  • Individual users can never be re-identified from research data
  • You can withdraw from research participation at any time

Research data may be shared with healthcare providers, researchers, and institutions solely for the purpose of improving patient care and advancing medical knowledge. Even in these cases, your identity is never disclosed.

Information Sharing and Disclosure

We share your information only in the following limited circumstances:

With Your Care Team

Information is shared with members of your designated care team based on the permissions you configure. As the Primary Advocate, you control who can view, edit, and manage patient information through our role-based permission system.

With Healthcare Providers

With your explicit consent, we may share health summaries and reports with healthcare providers for:

  • Treatment and care coordination purposes
  • Second opinion consultations
  • Medical record integration (where supported)

With Service Providers

We work with carefully selected third-party service providers who assist us in operating our services:

  • Cloud Infrastructure: Secure, HIPAA-compliant data hosting and processing
  • AI Services: Voice transcription, natural language processing, and drug interaction databases
  • Communication Services: Push notifications and email delivery

All service providers are:

  • Bound by strict confidentiality agreements
  • Required to sign HIPAA Business Associate Agreements (BAAs) where applicable
  • Prohibited from using your data for any purpose other than providing services to us
  • Subject to regular security assessments

Important Notice: AI Services and HIPAA

AI PROCESSING DISCLOSURE: Certain AI-powered features of the Service, including voice transcription, natural language processing, health summaries, and the AI voice assistant, utilize our private AI infrastructure. While these services are hosted in a secure, private environment with enterprise-grade security controls, our AI services are not covered under a HIPAA Business Associate Agreement (BAA) and are therefore not HIPAA compliant.

By using AI-powered features, you acknowledge and consent to the following:

  • Data Transmission: When you use voice commands, request AI-generated summaries, or utilize other AI features, relevant data (which may include PHI) is transmitted to our private AI services for processing
  • Security Measures: Although not HIPAA compliant, our AI services include:
    • Enterprise-grade encryption in transit (TLS 1.2+)
    • Private network deployment (no public internet exposure)
    • Data processing in secure, SOC 2 Type II compliant data centers
    • No data retention for model training purposes
    • U.S.-based data processing
  • Optional Features: AI-powered features are optional. You may choose not to use voice transcription, AI summaries, or other AI features if you prefer that your data not be processed by non-HIPAA-compliant services
  • Minimized Data: We transmit only the minimum data necessary for AI processing and do not store AI-processed data beyond what is needed for the Service

We continuously evaluate HIPAA-compliant AI alternatives and will update our infrastructure as compliant options become available.

For Legal Requirements

We may disclose information when required by law, including:

  • Response to valid court orders, subpoenas, or legal processes
  • Compliance with government investigations or regulatory inquiries
  • Protection of our legal rights or defense against legal claims
  • Prevention of imminent harm to individuals or property
  • Reporting as required by mandatory reporting laws (e.g., child abuse, elder abuse)

We will notify you of legal requests unless prohibited by law or court order.

Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

Information We Never Share

We will NEVER:

  • Sell your personal information or PHI to third parties
  • Share your data with advertisers or ad networks
  • Use your health information for marketing purposes
  • Allow data brokers access to your information
  • Share identifiable data with employers or insurance companies without your explicit written consent

Data Security

We implement comprehensive security measures that meet or exceed HIPAA requirements:

Encryption

  • Data at Rest: Sensitive data including health summaries is encrypted at rest
  • Data in Transit: TLS encryption for all network communications
  • Message Security: Messages between care team members are transmitted over encrypted connections and stored in our secure, access-controlled database

Access Controls

  • Authentication: Strong password requirements (minimum 12 characters with complexity) and optional multi-factor authentication via authenticator app or SMS
  • Biometric Security: The mobile app supports device-level biometric authentication (Face ID, Touch ID) where available on your device. Biometric data is processed entirely on your device and is never transmitted to our servers.
  • Role-Based Access: Users only see information they're authorized to view based on their assigned role
  • Session Management: Automatic session timeout after 15 minutes of inactivity
  • Account Protection: Account lockout after 5 failed login attempts

Monitoring and Auditing

  • Audit Logging: All access to PHI is logged with timestamps and user identification
  • Security Monitoring: Automated monitoring for suspicious activity and security threats
  • Regular Assessments: Periodic security audits and penetration testing

Data Retention

We retain your information as follows:

  • Account Information: Retained while your account is active and for a reasonable period thereafter for legal and business purposes
  • Health Records: Retained in accordance with applicable medical record retention laws (typically 6-10 years depending on jurisdiction)
  • Audit Logs: Retained in accordance with HIPAA requirements
  • De-identified Research Data: May be retained indefinitely as it contains no personal information

You may request deletion of your account and associated data at any time, subject to legal retention requirements.

Your Rights and Choices

You have the following rights regarding your information:

Access and Portability

  • Request a copy of all personal information we hold about you
  • Export health data where export functionality is available within the app
  • Request a comprehensive data export by contacting our Privacy Officer (manual processing may be required for certain data types)
  • Receive your data within 30 days of request

Correction

  • Request correction of inaccurate or incomplete information
  • Add supplemental information to your records

Deletion

  • Request deletion of your account and personal data by contacting our Privacy Officer at the address below
  • Deletion requests are processed manually and may take up to 30 days to complete
  • Note: Some data may be retained as required by law, for legitimate business purposes, or to comply with medical record retention requirements

Restriction and Objection

  • Limit how we use your information
  • Object to certain processing activities
  • Opt out of research participation at any time

Withdraw Consent

  • Revoke consent for data processing at any time
  • Note: Withdrawal does not affect prior lawful processing

To exercise any of these rights, contact our Privacy Officer at the address below.

HIPAA Rights

Under HIPAA, you have additional rights regarding your Protected Health Information:

  • Right to Access: Obtain copies of your health records
  • Right to Amend: Request corrections to your health records
  • Right to Accounting: Receive a list of disclosures of your PHI
  • Right to Restrict: Request restrictions on how we use or disclose your PHI
  • Right to Confidential Communications: Request communications through alternative means
  • Right to File a Complaint: File a complaint with us or the HHS Office for Civil Rights

See our HIPAA Compliance page for complete details.

Children's Privacy

Advocate is designed for adult caregivers (users must be 18 years or older). We do not knowingly collect personal information from children under 13. The Service may be used to coordinate care for minor patients, but such data is entered and managed by adult caregivers.

If you believe a child under 13 has provided us with personal information directly, please contact us immediately at the address below, and we will delete such information.

International Data Transfers

Your information may be transferred to and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses approved by relevant authorities
  • Data Processing Agreements with all processors
  • Compliance with applicable international data transfer requirements

California Privacy Rights (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: What personal information we collect, use, and share
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information, so there is nothing to opt out of
  • Right to Non-Discrimination: Equal service regardless of exercising privacy rights
  • Right to Correct: Request correction of inaccurate information
  • Right to Limit: Limit use of sensitive personal information

To exercise these rights, contact us at the address below or submit a request through the app.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will post the updated policy on this page
  • We will update the "Last updated" date at the top
  • We will notify you via email or in-app notification for significant changes
  • We may request renewed consent for material changes affecting PHI

Your continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, please contact us:

GenomOncology, LLC

Privacy Officer

Email: privacy@genomoncology.com

Address: Cleveland, Ohio, United States

For HIPAA-related inquiries or to exercise your rights regarding PHI, please contact our HIPAA Privacy Officer at the same address.

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.

This Privacy Policy is effective as of December 2025.

© 2025 GenomOncology LLC. All rights reserved.