Aorthea Logo
Aorthea

Privacy Policy

Last Updated: 15th of November 2025

Aorthea ("Aorthea," "we," "us," "our") is committed to protecting the privacy, security, and integrity of Personal Data and Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, retain, safeguard, and manage information when users interact with our healthcare, AI, and learning platforms (the "Services").

By using our Services, you agree to the practices described in this Policy. If you do not agree, you must discontinue use of the Services immediately.

1. Scope of This Policy

This Policy applies to:

  • Aorthea websites, mobile applications, and AI-powered platforms
  • Healthcare solutions using HL7/FHIR interoperability
  • Communication channels (email, chat, support, telehealth tools)
  • Data collected from patients, users, practitioners, clients, or visitors

This Policy does not apply to:

  • Independent third-party platforms
  • Providers not under contract with Aorthea
  • External sites linked from our platform

2. Compliance Framework

Aorthea adheres to the highest global data protection and security standards including:

HIPAA (U.S. health information protection)
GDPR (EU/EEA data protection)
ISO 27001 (Information Security Management)
SOC 2 Type II (Security & Privacy)
HL7/FHIR (Healthcare data interoperability)
Local and national privacy laws

3. Information We Collect

3.1 Personal Information

  • Full name, contact information, date of birth
  • Account credentials
  • Identification documents (where legally required)

3.2 Protected Health Information (PHI)

  • Medical records, diagnoses, treatment details
  • Lab results, prescriptions, imaging
  • Care plans and clinician notes
  • Insurance and billing details

3.3 Sensitive Personal Data (GDPR)

  • Health data
  • Biometric information (if used for identity verification)
  • Information about vulnerabilities or risk factors

3.4 Financial Information

  • Payment card data
  • Billing records and transaction history

3.5 Technical Data

  • IP address, device identifiers
  • Geolocation (if enabled)
  • Cookies, analytics, and tracking technologies
  • App usage logs and metadata

3.6 Communications & User-Generated Content

  • Support requests
  • Messages, uploaded files, voice input
  • Feedback and activity history

4. How We Collect Information

We collect information through:

  • Direct input (forms, uploads, clinical data)
  • Automated tracking technologies
  • Healthcare provider systems via HL7/FHIR
  • Cookies, pixels, and analytics tools
  • Identity verification partners
  • Customer support interactions

We may combine information from multiple sources to improve service accuracy and safety.

5. Legal Basis for Processing

Where GDPR applies, we process data under:

  • Contractual necessity (providing Services)
  • Legal obligations (healthcare, compliance, audit)
  • Legitimate interests (security, fraud prevention, service improvement)
  • Vital interests (emergency or life-saving purposes)
  • Public interest in healthcare
  • Consent (where required)

We honor jurisdiction-specific requirements (HIPAA, GDPR, etc.).

6. How We Use Your Information

6.1 Service Delivery

  • Providing medical, digital, educational, and AI services
  • Managing accounts and authentication
  • Generating insights, predictions, or AI-enhanced outputs

6.2 Clinical and Healthcare Operations

  • Coordinating with healthcare providers
  • HL7/FHIR-based interoperability
  • Recording medical history and treatment progress
  • Quality assurance and case reviews

6.3 Business Operations

  • Processing transactions and payments
  • Customer support and technical troubleshooting
  • Monitoring system performance

6.4 Safety, Security & Compliance

  • Access controls and identity verification
  • Fraud, abuse, and security threat detection
  • Incident response and breach notification
  • Compliance with HIPAA, GDPR, ISO 27001, and SOC 2 Type II

6.5 Analytics & Service Improvement

  • De-identified or aggregated data analysis
  • Research and platform optimization
  • Machine learning model training (when permitted)

We do not sell personal information or PHI under any circumstances.

7. Disclosure & Sharing of Information

Aorthea may share information only as permitted by law:

7.1 With Healthcare Providers

  • Treating clinicians
  • Pharmacies, labs, and diagnostic centers

7.2 With Third-Party Service Providers

All third parties must:

  • Sign a Business Associate Agreement (BAA) when handling PHI
  • Maintain SOC 2 or ISO 27001 security controls
  • Limit data use strictly to contracted purposes

Examples:

  • Cloud hosting services
  • EMR/EHR systems
  • Payment processors
  • Communication and support tools

7.3 Legal, Regulatory, or Safety Requirements

  • Responding to subpoenas, court orders, or law enforcement
  • Public health reporting
  • Compliance with government mandates

7.4 Corporate Transactions

In mergers, acquisitions, or reorganizations, data may transfer to the new entity under equal or stronger protections.

8. International Data Transfers

If data is transferred outside your jurisdiction:

  • GDPR safeguards (e.g., SCCs) apply for EU/EEA data
  • HIPAA and required national laws apply to PHI
  • Hosting environments must meet SOC 2 Type II and ISO 27001

9. Data Protection & Security Measures

Aorthea maintains a full Information Security Management System (ISMS) aligned with ISO 27001.

9.1 Technical Safeguards

  • Encryption in transit and at rest
  • Zero-trust access controls
  • Multi-factor authentication
  • Firewalls and intrusion detection
  • Continuous vulnerability monitoring
  • Data loss prevention (DLP) technology

9.2 Administrative Safeguards

  • Annual HIPAA and security training
  • Least privilege access management
  • Continuous audit logging
  • Vendor risk assessments
  • Strict internal policies

9.3 Physical Safeguards

  • Secured data centers
  • Redundant infrastructure
  • Disaster recovery and business continuity planning

10. Data Retention

We retain data only as necessary for:

  • Legal and regulatory requirements
  • Medical record retention laws
  • SOC 2/ISO auditing
  • Service continuity

When no longer needed, data is securely destroyed.

11. Your Rights

Rights vary by jurisdiction.

11.1 Under HIPAA

  • Access to PHI
  • Request corrections
  • Request restrictions
  • Accounting of disclosures
  • Confidential communication preferences

11.2 Under GDPR

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent
  • Right to lodge a complaint with your Data Protection Authority

To exercise rights, email: privacy@aorthea.com

12. Cookies & Tracking Technologies

We use cookies for:

  • Authentication
  • Preferences
  • Security
  • Analytics

Users may opt-out or manage preferences depending on jurisdiction (e.g., GDPR Cookie Banner).

13. AI-Specific Data Use

Aorthea uses advanced AI/ML technologies.

We may use de-identified or anonymized data to:

  • Improve AI performance
  • Train models
  • Enhance prediction accuracy
  • Detect safety risks

We do not use identifiable PHI for model training unless:

  • Legally allowed
  • Explicitly authorized
  • Covered by HIPAA-compliant agreements

Our AI does not replace clinical judgment.

14. Children's Privacy

We comply with COPPA and healthcare-specific child data rules.

Children under 18 require parental/legal guardian consent unless permitted under local law.

15. Data Breach Notification

In the event of a breach:

  • Aorthea will notify affected individuals as required by HIPAA, GDPR, and local laws
  • Notifications will be prompt and transparent
  • We will document the incident and mitigation steps

16. Limitation of Liability

To the maximum extent permitted by law:

  • Aorthea is not responsible for misuse caused by user negligence or third-party actions outside our control
  • We disclaim liability for indirect, incidental, or consequential damages
  • Users are responsible for maintaining secure access credentials

Nothing limits rights mandated by applicable law.

17. Changes to This Privacy Policy

We may update this Policy at any time. Updates become effective upon posting unless otherwise required by law.

18. Contact Information

For privacy-related questions, rights requests, or complaints:

Aorthea – Privacy & Compliance Office

Email: privacy@aorthea.com

Address: 28 Geary St STE 650 Suite #425, San Francisco, California 94108, United States

Phone: +1 000 0000

Back to Home