Privacy at a Glance
- We NEVER sell your data — Your personal and health information is never sold to third parties, period.
- You control your data — Access, export, or delete your information at any time.
- HIPAA compliant — We meet or exceed all federal healthcare privacy requirements.
- Encryption — Your data is encrypted in transit using TLS and sensitive data is encrypted at rest.
- Optional research participation — Anonymized data sharing for healthcare insights is strictly opt-in.
Introduction
GenomOncology, LLC ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information, including Protected Health Information ("PHI") as defined by the Health Insurance Portability and Accountability Act ("HIPAA"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you, as a user of the Advocate mobile application, access or use our Advocate mobile application and related services (collectively, the "Service").
For purposes of this Privacy Policy, "User," "you," or "your" refers to an individual who creates an account and uses the Service, including caregivers, advocates, family members, or other authorized adults ("Advocates"). A User may use the Service to manage, enter, or access information about themselves or about another individual receiving care (a "Patient"). Unless otherwise stated, this Privacy Policy governs information associated with both Users and Patients as applicable.
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not access or use our Service.
Our Commitment: We Do Not Sell Your Data
IMPORTANT: GenomOncology does NOT sell, rent, trade, or otherwise transfer your personal information or Protected Health Information (PHI) to third parties for monetary consideration or any other valuable consideration. This commitment is absolute and applies to all data we collect.
We believe your health information belongs to you. Unlike many technology companies, we do not monetize your data through advertising, data brokerage, or any form of data sales. Our business model is based solely on providing valuable healthcare coordination services, not exploiting your personal information.
Information We Collect
Personal Information You Provide
We collect information that you provide directly to us, including:
- Account Information:
  - Name, email address, and phone number
  - Password (stored in encrypted form only)
  - Profile photo (optional)
- Profile Information:
  - Your role (Primary Advocate, Hospital Advocate, Remote Advocate, Therapist)
  - Relationship to patients you are caring for
  - Language preferences
- Communication Data:
  - Messages, notes, and other communications sent through the Service to authorized participants, including members of a Patient's care team, family members, friends, caregivers, advocates, and healthcare providers, as designated by the User through role-based permissions
  - Support requests, help desk communications, and correspondence with GenomOncology
Protected Health Information (PHI)
With explicit consent, we collect and process Protected Health Information ("PHI") to provide our care coordination services.
For purposes of this Privacy Policy, consent may be provided:
- By the Patient, when the Patient is the User of the Service; or
- By an authorized User acting on behalf of the Patient, such as a caregiver, advocate, or legally authorized representative, who represents that they have the authority to enter and manage PHI for the Patient.
Users are responsible for ensuring that they have obtained all required permissions, authorizations, or consents before entering or managing PHI about another individual.
- Patient Demographics:
  - Patient name, date of birth, gender
  - Medical record numbers (if provided)
  - Emergency contact information
- Medical Information:
  - Diagnoses, medical conditions, and treatment plans
  - Medications including dosages, schedules, and administration logs
  - Allergies and adverse reactions
  - Healthcare provider information
- Vital Signs & Health Metrics:
  - Blood pressure, heart rate, temperature
  - Oxygen saturation (SpO2), respiratory rate
  - Weight, blood glucose levels
- Care Activities:
  - Food and fluid intake tracking
  - Bathroom activity logs
  - Catheter care records
  - Physical and occupational therapy exercises
  - Daily observations and care notes
- Mental Health Data:
  - Mood tracking and anxiety assessments
  - Behavioral observations
  - Therapy appointment records
- Scheduling Information:
  - Medical appointments and care schedules
  - Care shift assignments
  - Medication reminders
Automatically Collected Information
When you use our Service, we automatically collect:
- Device Information: Device type, operating system version, unique device identifiers, and mobile network information
- Usage Data: Features accessed, time spent in app, interaction patterns, and error reports
- Log Data: Access times, IP addresses (anonymized), error logs, and system activity for security and debugging purposes
We do NOT collect or access your device contacts, photos (except those you explicitly upload), location data, or other personal files without your explicit permission.
How We Use Your Information
To Provide Our Services
- Create and manage your account
- Facilitate care coordination between care team members
- Enable health tracking features (medications, vitals, nutrition, etc.)
- Send medication reminders and care alerts
- Generate health summaries and reports
- Process voice commands and transcriptions
- Provide AI-powered drug interaction checking
To Improve Our Services
- Analyze usage patterns to improve features
- Debug issues and fix errors
- Develop new features based on user needs
- Conduct internal research and analytics (using aggregated, de-identified data only)
To Communicate With You
- Respond to support requests
- Send service-related notifications and push notifications
- Send medication reminders and care alerts
- Notify you of important updates or changes to our policies
Push Notifications: We use push notification services to deliver alerts to your mobile device. Push notifications may contain limited information such as reminder titles or alert types. We design notifications to minimize the inclusion of sensitive health information; however, some contextual information may be visible on your device's lock screen. You can control notification settings and visibility through your device's settings.
To Ensure Security and Compliance
- Verify your identity and prevent fraud
- Monitor for security threats and unauthorized access
- Maintain audit logs for HIPAA compliance
- Comply with legal obligations
Optional: Anonymous Research Participation
STRICTLY OPT-IN: You may voluntarily choose to participate in anonymous data collection that helps advance healthcare knowledge. This is entirely optional and has no impact on your use of the Service.
If you choose to opt in, we may use fully de-identified, aggregated data to:
- Identify trends in medication usage and effectiveness
- Understand common care patterns for specific conditions
- Develop insights that may help healthcare providers improve patient care
- Contribute to healthcare research initiatives
How we protect your anonymity:
- All identifying information is permanently removed before any analysis
- Data is aggregated with thousands of other records
- Individual users can never be re-identified from research data
- You can withdraw from research participation at any time
Research data may be shared with healthcare providers, researchers, and institutions solely for the purpose of improving patient care and advancing medical knowledge. Even in these cases, your identity is never disclosed.
State-Specific Consent Requirements: In certain jurisdictions, including Washington and Nevada, applicable consumer health data laws may require separate, explicit consent before health data — including de-identified or aggregated data — may be used for research or analytics purposes. Where required by law, we will obtain such consent in addition to any general research opt-in, and Users may decline without any impact on their access to or use of the Service.
Information Sharing and Disclosure
We share your information only in the following limited circumstances:
With Your Care Team
Information is shared with individuals designated by the User based on the permissions the User configures within the Service.
The Primary Advocate represents and warrants that they have the authority, consent, or legal right to enter, manage, and share Patient information, including Protected Health Information ("PHI"), for the purpose of providing care coordination services through the Service. This authority includes granting access to PHI to care team members, family members, friends, caregivers, advocates, and healthcare providers, as designated through the Service's role-based permission system.
GenomOncology relies on these representations and does not independently verify a User's authority to act on behalf of a Patient.
With Healthcare Providers
With your explicit consent, we may share health summaries and reports with healthcare providers for:
- Treatment and care coordination purposes
- Second opinion consultations
- Medical record integration (where supported)
With Service Providers
We work with carefully selected third-party service providers who assist us in operating our services:
- Cloud Infrastructure: Secure, HIPAA-compliant data hosting and processing
- AI Services: Voice transcription, natural language processing, and drug interaction databases
- Communication Services: Push notifications and email delivery
All service providers are:
- Bound by strict confidentiality agreements
- Required to sign HIPAA Business Associate Agreements (BAAs) where applicable
- Prohibited from using your data for any purpose other than providing services to us
- Subject to regular security assessments
Important Notice: AI Services and HIPAA
AI PROCESSING DISCLOSURE: Certain AI-powered features of the Service, including voice transcription, natural language processing, health summaries, and the AI voice assistant, utilize our private AI infrastructure. While these services are hosted in a secure, private environment with enterprise-grade security controls, our AI services are not covered under a HIPAA Business Associate Agreement (BAA) and are therefore not HIPAA compliant.
By using AI-powered features, you acknowledge and consent to the following:
- Data Transmission: When you use voice commands, request AI-generated summaries, or utilize other AI features, relevant data (which may include PHI) is transmitted to our private AI services for processing
- Security Measures: Although not HIPAA compliant, our AI services include:
  - Enterprise-grade encryption in transit (TLS 1.2+)
  - Private network deployment (no public internet exposure)
  - Data processing in secure, SOC 2 Type II compliant data centers
  - No data retention for model training purposes
  - U.S.-based data processing
- Optional Features: AI-powered features are optional. You may choose not to use voice transcription, AI summaries, or other AI features if you prefer that your data not be processed by non-HIPAA-compliant services
- Minimized Data: We transmit only the minimum data necessary for AI processing and do not store AI-processed data beyond what is needed for the Service
We continuously evaluate HIPAA-compliant AI alternatives and will update our infrastructure as compliant options become available.
For Legal Requirements
We may disclose information when required by law, including:
- Response to valid court orders, subpoenas, or legal processes
- Compliance with government investigations or regulatory inquiries
- Protection of our legal rights or defense against legal claims
- Prevention of imminent harm to individuals or property
- Reporting as required by mandatory reporting laws (e.g., child abuse, elder abuse)
We will notify you of legal requests unless prohibited by law or court order.
Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.
Information We Never Share
We will NEVER:
- Sell your personal information or PHI to third parties
- Share your data with advertisers or ad networks
- Use your health information for marketing purposes
- Allow data brokers access to your information
- Share identifiable data with employers or insurance companies without your explicit written consent
Data Security
We implement comprehensive security measures that meet or exceed HIPAA requirements:
Encryption
- Data at Rest: Sensitive data including health summaries is encrypted at rest
- Data in Transit: TLS encryption for all network communications
- Message Security: Messages between care team members are transmitted over encrypted connections and stored in our secure, access-controlled database
Access Controls
- Authentication: Strong password requirements (minimum 12 characters with complexity) and optional multi-factor authentication via authenticator app or SMS
- Biometric Security: The mobile app supports device-level biometric authentication (Face ID, Touch ID) where available on your device. Biometric data is processed entirely on your device and is never transmitted to our servers.
- Role-Based Access: Users only see information they're authorized to view based on their assigned role
- Session Management: Automatic session timeout after 15 minutes of inactivity
- Account Protection: Account lockout after 5 failed login attempts
Monitoring and Auditing
- Audit Logging: All access to PHI is logged with timestamps and user identification
- Security Monitoring: Automated monitoring for suspicious activity and security threats
- Regular Assessments: Periodic security audits and penetration testing
Data Retention
We retain your information as follows:
- Account Information: Retained while your account is active and for a reasonable period thereafter for legal and business purposes
- Health Records: Retained in accordance with applicable medical record retention laws (typically 6-10 years depending on jurisdiction)
- Audit Logs: Retained in accordance with HIPAA requirements
- De-identified Research Data: May be retained indefinitely as it contains no personal information
You may request deletion of your account and associated data at any time, subject to legal retention requirements.
Your Rights and Choices
Access and Portability
- Request a copy of all personal information we hold about you
- Export health data where export functionality is available within the app
- Request a comprehensive data export by contacting our Privacy Officer (manual processing may be required for certain data types)
- Receive your data within 30 days of request
Correction
- Request correction of inaccurate or incomplete information
- Add supplemental information to your records
Deletion
You may request deletion of your account and associated personal data at any time by:
- Using the account deletion feature available within the Service (Settings > Account > Delete Account), or
- Contacting our Privacy Officer using the contact information provided below.
Deletion requests are processed manually and may take up to 30 days to complete. Certain information may be retained as required by law, for legitimate business purposes, or to comply with applicable medical record retention requirements.
Restriction and Objection
- Limit how we use your information
- Object to certain processing activities
- Opt out of research participation at any time
Withdraw Consent
- Revoke consent for data processing at any time
- Note: Withdrawal does not affect prior lawful processing
To exercise any of these rights, contact our Privacy Officer at the address below.
HIPAA Rights
Under HIPAA, you have additional rights regarding your Protected Health Information:
- Right to Access: Obtain copies of your health records
- Right to Amend: Request corrections to your health records
- Right to Accounting: Receive a list of disclosures of your PHI
- Right to Restrict: Request restrictions on how we use or disclose your PHI
- Right to Confidential Communications: Request communications through alternative means
- Right to File a Complaint: File a complaint with us or the HHS Office for Civil Rights
See our HIPAA Compliance page for complete details.
Children's Privacy
Advocate is designed for adult caregivers (users must be 18 years or older). We do not knowingly collect personal information from children under 13. The Service may be used to coordinate care for minor patients, but such data is entered and managed by adult caregivers.
If you believe a child under 13 has provided us with personal information directly, please contact us immediately at the address below, and we will delete such information.
International Data Transfers
Your information may be transferred to and processed in the United States or other countries where our service providers operate. We ensure appropriate safeguards are in place through:
- Standard Contractual Clauses approved by relevant authorities
- Data Processing Agreements with all processors
- Compliance with applicable international data transfer requirements
California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: We do not sell personal information, so there is nothing to opt out of
- Right to Non-Discrimination: Equal service regardless of exercising privacy rights
- Right to Correct: Request correction of inaccurate information
- Right to Limit: Limit use of sensitive personal information
To exercise any of the rights described in this Privacy Policy, you may contact us at the address below or submit a request through the Service, where available. These request mechanisms are available to all Users, regardless of residency, and additional rights may apply depending on your jurisdiction.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will post the updated policy on this page
- We will update the "Last updated" date at the top
- We will notify you via email or in-app notification for significant changes
- We may request renewed consent for material changes affecting PHI
Your continued use of the Service after changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
Contact Us
If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about our privacy practices, please contact us:
For HIPAA-related inquiries or to exercise your rights regarding PHI, please contact our HIPAA Privacy Officer at the same address.
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated.
This Privacy Policy is effective as of December 2025.