Privacy Policy
Effective Date: March 1, 2026
Last Updated: March 1, 2026
Version: 1.0 (Beta)
This Privacy Policy describes how Autonomy Health, Inc. (“Autonomy,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use the Autonomy Health website, mobile application, and related services (collectively, the “Service”). It applies to all users of the Service. By using the Service, you agree to the practices described in this Policy.
1. Who We Are
Autonomy Health, Inc. is a Delaware corporation that operates a direct-to-consumer care coordination platform. The Service is designed for families and individual caregivers to capture, organize, and share health-related information for the people they care for. Autonomy is not a healthcare provider, health plan, or healthcare clearinghouse, and we do not provide medical advice, diagnosis, or treatment. Because Autonomy does not act on behalf of a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”), the information you store with us is generally not “protected health information” under that law. We have nevertheless built the Service to follow the spirit of healthcare privacy best practices.
2. Information We Collect
2.1 Information You Provide
We collect the following categories of information that you submit to the Service:
| Data Type | Examples | Purpose |
|---|---|---|
| Account Info | Email, password (hashed), display name | Authenticate access, send service notifications |
| Profile Info | Family member names, relationships, dates of birth, conditions | Build health profiles for care coordination |
| Audio Recordings | Voice recordings of medical visits | Generate transcripts and visit summaries |
| Documents | Lab results, prescriptions, insurance cards, discharge papers | Centralized document storage and retrieval |
| Task Data | Tasks, assignments, due dates, completion status | Coordinate caregiving responsibilities across family |
| Messages | In-app messages between authorized family members | Family communication within the platform |
| Medication Info | Drug names, dosages, schedules, prescribing physician | Track current medications by family member |
| Survey Responses | Beta feedback forms, support requests | Improve the Service, respond to user needs |
2.2 Information Collected Automatically
When you use the Service, we automatically collect the following technical and usage information:
| Data Type | Examples | Purpose |
|---|---|---|
| Usage Analytics | Feature interactions, session duration, sanitized error events | Improve product reliability and usability |
| Device Information | Device type, OS version, app version, screen size | Diagnose compatibility and performance issues |
| Log Data | IP address, timestamp, request paths, response codes | Security monitoring, abuse prevention |
2.3 Information We Do NOT Collect
We have intentionally excluded the following from our data collection practices:
- Social Security Numbers or other government identifiers
- Biometric identifiers (fingerprints, retina or iris scans, voiceprints used for identification)
- Continuous data feeds from wearable or medical devices
- Precise geolocation beyond the United States state level for compliance purposes
3. How We Use Your Information
We use your information for the purposes described below, and only for those purposes:
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Provide the Service | Performance of contract | Account, profile, audio, documents, tasks, messages, medication info |
| Communicate with you | Performance of contract | Account info, contact preferences |
| Generate transcripts and summaries | Performance of contract | Audio recordings, profile info |
| Improve the Service | Legitimate interest | Sanitized analytics, device info, log data |
| Maintain security and prevent abuse | Legitimate interest, legal obligation | Log data, device info |
| Comply with legal obligations | Legal obligation | As required by applicable law |
4. Audio Recordings & Transcripts
4.1 Recording Consent
You are responsible for obtaining the legally required consent of all participants before recording any conversation, including doctor visits. The Service includes a guided consent flow that you must complete before any recording begins. You agree to use the Service in compliance with all applicable federal and state recording laws. See our Terms of Service for additional obligations.
4.2 Audio Processing
Audio recordings are encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Transcription is performed by automated speech-to-text providers under contractual obligations that prohibit them from storing your audio beyond the time required for processing, using your audio to train their models, or sharing your audio with any third party. No human listens to your recordings under normal operation. In the rare event that diagnostic review is required to investigate a service issue, we will only access your recording with your express prior consent.
4.3 Audio Retention & Deletion
Original audio files are automatically deleted from our systems fourteen (14) days after recording. Transcripts and visit summaries derived from your audio are retained until you delete them or close your account. You may download a copy of your audio file at any time before automatic deletion. Once audio is deleted, it cannot be recovered.
5. How We Share Your Information
5.1 With Your Care Team
We share your data only with the family members, caregivers, or other individuals you explicitly invite and authorize through the Service. You control what each invited person can see, and you may revoke access at any time. Sharing is granular, opt-in, and reversible.
5.2 With Service Providers
We engage trusted third-party service providers (“Subprocessors”) under written agreements that limit their use of your data to providing the contracted service. As of the effective date of this Policy, our Subprocessor categories include:
| Category | Provider Type | Data Shared |
|---|---|---|
| Cloud Hosting | Major US cloud provider, US-based regions | All Service data, encrypted at rest |
| Speech-to-Text | Enterprise STT providers under data processing agreements | Audio recordings during processing only |
| Email / SMS | Transactional email and SMS providers | Email address, phone number, message content |
| Analytics | Privacy-focused analytics provider | Sanitized event data, no PII or PHI |
5.3 As Required by Law
We may disclose your information when required by law, subpoena, court order, or other legal process, or where we have a good-faith belief that disclosure is necessary to comply with a legal obligation, protect our rights, prevent fraud, or protect the safety of our users or the public. Where lawful, we will notify you before producing your data in response to a legal request.
5.4 Business Transfers
If Autonomy is involved in a merger, acquisition, financing due diligence, or sale of assets, your information may be transferred as part of that transaction. We will notify you in writing or by email at least thirty (30) days before any such transfer takes effect, and any acquirer will be bound by the privacy commitments in this Policy.
6. Data Security
We maintain administrative, technical, and physical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction:
- TLS 1.2 or higher for all data in transit
- AES-256 encryption for all data at rest
- Role-based access controls with multi-factor authentication required for all administrative access
- Comprehensive audit logging for all data access and modification
- Encrypted, geographically redundant daily backups
- Documented incident response plan with notification within 72 hours of a confirmed breach
If you become aware of a security issue, please contact us at security@autonomyhealth.app.
7. Your Rights and Choices
You have the following rights with respect to your personal information:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal information | Email privacy@autonomyhealth.app |
| Correction | Update inaccurate information | In-app settings or email |
| Deletion | Request permanent deletion of your data | Account settings or email |
| Data Portability | Receive a structured, machine-readable export | Email privacy@autonomyhealth.app |
| Withdraw Consent | Revoke recording or sharing consents | In-app settings |
| Opt-out of Analytics | Disable usage analytics | Account settings |
| Restrict Sharing | Limit what shared family members can access | Per-member permission controls |
7.1 Account Deletion
When you request account deletion:
- Your account is immediately deactivated and inaccessible.
- Audio recordings are permanently deleted within twenty-four (24) hours.
- Other personal data is permanently deleted within thirty (30) days.
- Encrypted backup copies are purged within ninety (90) days.
After this period, no recoverable copy of your data remains in our systems.
8. Children’s Privacy
The Service is not directed to and is not intended for use by individuals under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it promptly. If you believe a child under 13 has provided us with personal information, contact privacy@autonomyhealth.app.
9. State-Specific Disclosures
9.1 California (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what categories of personal information we collect and disclose, the right to delete, the right to correct, the right to limit use of sensitive personal information, the right to opt out of the sale or sharing of personal information (we do not sell or share), and the right to be free from retaliation for exercising these rights. To exercise your California rights, contact privacy@autonomyhealth.app.
9.2 Illinois (Eavesdropping Act, BIPA)
The Illinois Eavesdropping Act requires the consent of all parties to a private conversation before it is recorded. The Service includes a guided consent flow to assist users with this requirement, but you remain solely responsible for obtaining the appropriate consent. We do not collect or store biometric identifiers as defined under the Illinois Biometric Information Privacy Act.
9.3 Other States (VCDPA, CPA, CTDPA)
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws have similar rights to access, correction, deletion, and portability of their personal information, as well as the right to opt out of targeted advertising and the sale of personal data. To exercise these rights, contact privacy@autonomyhealth.app.
10. International Users
The Service is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. Users in the European Economic Area or United Kingdom must affirmatively consent to this transfer before using the Service.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least fourteen (14) days before the changes take effect, and we will update the “Last Updated” date above. Your continued use of the Service after the effective date of the changes constitutes acceptance of the updated Policy.
12. Contact Us
For privacy-related questions or requests:
- Privacy: privacy@autonomyhealth.app
- Security: security@autonomyhealth.app
- Mailing address: [To be added]