Privacy Policy

1. Who We Are

VitaAI is a healthcare AI platform operated by Altnetix, LLC ("Altnetix," "we," "us," or "our"). We provide AI-assisted clinical documentation, patient communication, care coordination, and EHR integration services to healthcare organizations and their patients.

Altnetix, LLC serves as a Business Associate under HIPAA when processing Protected Health Information (PHI) on behalf of covered entity clients. Our privacy and security practices are governed by applicable HIPAA/HITECH requirements, this Privacy Policy, and the Business Associate Agreement executed with each covered entity client.

2. Information We Collect

We collect information in the following categories depending on your relationship with VitaAI:

Clinical Users (Providers / Clinical Staff):

• Name, email address, and professional credentials provided at account creation
• Authentication identifiers (Azure Entra ID object ID, internal user ID)
• Access logs: timestamps, IP addresses, device identifiers, and actions performed
• Content created within the platform (clinical notes, encounter records, messages)

Patients:

• Name, date of birth, contact information, and medical record number (MRN)
• Clinical encounter records, diagnoses, medications, lab results, vitals, and allergies
• Secure messages sent through the patient portal
• Authentication information (email address used for login; no passwords stored in plaintext)
• Device identifiers and access timestamps for security audit purposes

Trust Site Visitors:

• No personal information is collected through this trust site beyond what you voluntarily provide (e.g., email via a contact link)
• No tracking cookies, advertising pixels, or analytics tools are deployed on this site

3. How We Use Information

• To provide clinical documentation, patient communication, and care coordination services to your organization
• To fulfill obligations under the Business Associate Agreement with your covered entity
• To maintain the security, integrity, and availability of the platform
• To generate tamper-evident audit logs required by HIPAA §164.312(b)
• To authenticate users and prevent unauthorized access
• To respond to security incidents and fulfill breach notification obligations
• For the proper management and administration of our business associate functions, as permitted under 45 CFR §164.504(e)

We do not sell PHI or personal information. We do not use PHI for marketing purposes. We do not use PHI to train AI models without explicit written authorization from the covered entity.

4. Legal Basis for Processing

• HIPAA / HITECH: Processing of PHI is authorized under the Business Associate Agreement with each covered entity client, consistent with 45 CFR §164.504(e)
• Contract: Processing necessary to fulfill our service obligations under the Master Service Agreement
• Legitimate Interest: Security monitoring, fraud prevention, and platform integrity
• Legal Obligation: Compliance with applicable federal and state healthcare privacy laws

5. How We Protect Your Information

• Encryption at rest: All PHI strings encrypted with AES-256-GCM before database storage; per-client encryption keys managed by Azure Key Vault (FIPS 140-2 Level 2 HSM)
• Encryption in transit: TLS 1.2 minimum on all connections; HTTP Strict Transport Security (HSTS) with 1-year max-age and preload
• Access controls: Role-based access control enforced at the API layer; multi-factor authentication required for all clinical staff via Azure Entra ID
• Audit logging: Every access to PHI is logged in a tamper-evident, hash-chained audit trail archived for 6 years in Azure Blob Storage with WORM immutability
• Infrastructure: Deployed exclusively on Microsoft Azure — ISO 27001 and SOC 2 Type II certified infrastructure; Microsoft Azure Business Associate Agreement executed
• PHI redaction: Application monitoring systems automatically strip PHI identifiers before telemetry transmission

6. Data Sharing and Disclosure

We disclose PHI only as permitted under the BAA and applicable law:

• To the covered entity on whose behalf we are processing the PHI
• To Microsoft Azure, our primary infrastructure subprocessor (Azure BAA executed)
• As required by law, court order, or regulatory demand — with notice to the covered entity where legally permissible
• In connection with a merger, acquisition, or asset sale — subject to the same BAA protections

We do not share PHI with advertising networks, data brokers, or any third party for commercial purposes.

7. Data Retention

• PHI and audit logs: Retained for 6 years from the date of creation or last effective date, per HIPAA minimum retention requirements
• Authentication tokens: Session tokens expire after 60 minutes; revoked tokens pruned from the blocklist after natural expiry; refresh tokens pruned after 24 hours post-revocation
• Account data: Retained for the duration of the covered entity's active service agreement plus 6 years, then securely deleted or returned per BAA terms
• Security policies and training records: Retained 6 years per HIPAA documentation requirements

8. Your Rights

If you are a patient whose PHI is processed by VitaAI on behalf of a covered entity, your privacy rights (right of access, right to amendment, right to an accounting of disclosures) are exercised through the covered entity, not directly through Altnetix. Please contact your healthcare provider to exercise these rights.

If you are a clinical staff member or covered entity representative, you may contact us directly to:

• Request access to your account data
• Request correction of inaccurate account information
• Request deletion of your account (subject to retention obligations under the BAA)

9. California Residents (CCPA)

PHI subject to HIPAA is exempt from the California Consumer Privacy Act (CCPA) under Civil Code §1798.145(c). For non-PHI personal information about California residents collected through this trust site or contact channels, you have the right to know what information we hold, request deletion, and opt out of sale (we do not sell personal information). To exercise these rights, contact us at the address below.

10. Children's Privacy

VitaAI is a clinical platform intended for use by healthcare professionals and adult patients. We do not knowingly collect personal information directly from children under 13 outside of a clinical context governed by a BAA. Pediatric PHI processed under a BAA is handled in accordance with applicable law and the covered entity's HIPAA privacy practices.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or platform capabilities. Material changes will be communicated to covered entity clients via email and posted on this page with an updated effective date. Continued use of VitaAI following notice of changes constitutes acceptance of the updated policy.

12. Contact Us