Privacy Policy
Effective Date: May 12, 2025 · Last Updated: May 12, 2026
Aurea Health, Inc. ("Aurea Health," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("Aurea Health App"), our website at aureahealth.ai, and related services (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Services.
1. Information We Collect
1.1 Information You Provide Directly
- Account Information: Name, email address, date of birth, phone number, and password when you create an account.
- Health Information: Medical history, symptoms, medications, allergies, and other clinical data you provide during intake, consultations, or messaging with your care team.
- Insurance Information: Insurance carrier, policy number, and related billing information.
- Communications: Messages you send through our in-app secure messaging system.
- Identity Documents: Photos of insurance cards or identification documents you upload.
1.2 Information Collected Automatically
- Device Data from Apple Health / HealthKit: With your explicit permission, we read health data including heart rate, heart rate variability (HRV), sleep analysis, step count, blood oxygen (SpO2), respiratory rate, and body temperature from Apple HealthKit. We never sell HealthKit data or use it for advertising purposes.
- Wearable Device Data: If you connect a wearable device (e.g., Oura Ring) via our platform, we receive sleep, activity, readiness, and biometric data through their API.
- Usage Data: App interaction logs, feature usage patterns, and error reports (no PHI is included in crash logs).
- Device Information: Device type, operating system version, and unique device identifiers for push notification delivery.
1.3 Information We Do Not Collect
- We do not collect precise geolocation data.
- We do not access your contacts, calendars, or microphone.
- We do not use tracking technologies (advertising IDs, cross-app tracking, or third-party analytics SDKs).
2. How We Use Your Information
- Clinical Care: Providing telehealth consultations, processing prescriptions, ordering lab work, and coordinating with your care team.
- Health Dashboard: Displaying your biometric trends, sleep analysis, and AI-generated health insights within the app.
- Personalized Recommendations: Generating data-driven health recommendations based on your biometric data (deterministic algorithms, not sold to third parties).
- Appointment Management: Scheduling, reminders, and follow-up coordination.
- Secure Messaging: Enabling communication between you and your care team.
- Service Improvement: Aggregated, de-identified data may be used to improve clinical workflows and app performance.
3. How We Share Your Information
We do not sell your personal information or health data. We share information only in the following circumstances:
- Your Care Team: Clinicians, physicians, and staff members assigned to your care within the Aurea Health platform.
- Service Providers: HIPAA-compliant vendors who assist with infrastructure (hosting, databases, payment processing). All such vendors are bound by Business Associate Agreements (BAAs).
- Labs & Pharmacies: When you authorize lab orders or prescriptions, we transmit the minimum necessary information to fulfill those orders.
- Legal Requirements: When required by law, subpoena, or valid legal process, or to protect the safety of individuals.
4. Data Storage & Security
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Authentication credentials are stored in the iOS Keychain using hardware-backed encryption.
- Access to the app is protected by biometric authentication (Face ID / Touch ID).
- All access to Protected Health Information (PHI) is logged in an immutable, append-only audit ledger in compliance with HIPAA requirements.
- We conduct regular security assessments and maintain documented incident response procedures.
5. Apple HealthKit Data
Our use of Apple HealthKit data complies with Apple's HealthKit guidelines:
- HealthKit data is used solely for providing health insights to you and your care team.
- HealthKit data is never used for advertising, marketing, or data mining.
- HealthKit data is never sold to third parties, including data brokers or information resellers.
- HealthKit data is never shared with third parties for their own purposes without your explicit authorization.
- You can revoke HealthKit access at any time through iOS Settings → Privacy → Health → Aurea Health.
6. Your Rights
- Access & Portability: You can request a copy of your personal data and health records at any time through the app or by contacting us.
- Correction: You can request correction of inaccurate personal information.
- Deletion: You can request deletion of your account and associated data, subject to legal retention requirements (see our Data Retention Policy).
- Opt-Out: You can revoke permissions for HealthKit, wearable device connections, and push notifications at any time.
7. Data Retention
Clinical records are retained for a minimum of 7 years as required by HIPAA and applicable state medical records laws. Account data is deleted within 30 days of a verified deletion request, unless subject to legal retention requirements. For full details, see our HIPAA Notice of Privacy Practices.
8. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete it.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or email. Continued use of the Services after changes constitutes acceptance.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@aureahealth.ai
- Mail: Aurea Health, Inc. — Attn: Privacy Officer