Vinyl Health — Privacy Policy

Effective Date: April 29, 2026

Last Updated: April 29, 2026

Vinyl Health, Inc. ("Vinyl Health," "we," "us," or "our") operates the Vinyl Health mobile application and web platform (collectively, the "Service"). This Privacy Policy describes how we collect, use, share, and protect your personal information when you use our Service.

By using Vinyl Health, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Who We Are

Vinyl Health is a digital health platform that helps patients manage their healthcare journey — including clinical encounters, care plans, medications, action items, and communication with their care team. We are committed to protecting your privacy and handling your health information with the highest standard of care.

Contact: Vinyl Health, Inc.

Email: privacy@vinylhealth.ai

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, date of birth, gender, phone number when you register or update your profile.

  • Health Information: Medical conditions, medications, allergies, symptoms, mood logs, questions for your care team, and other health data you enter into the app.

  • Clinical Encounter Recordings: Audio recordings of your medical appointments that you initiate and control. You decide when to start and stop recording.

  • Baseline Narratives: Free-text descriptions of your health goals, daily experiences, and wellness baseline ("My Story").

  • Care Team Information: Names, roles, and contact information of healthcare providers and caregivers you add to your care team.

  • Communications: Messages, notes, and updates you exchange with your care team through the platform.

2.2 Information We Generate

  • AI-Generated Summaries: After you record a clinical encounter, our AI generates a patient-friendly visit summary, action items, and care recommendations based on the recording. These are derived from your encounter data and are stored as part of your health record.

  • Extracted Clinical Facts: Structured health insights extracted from your narratives and encounter recordings to support your care plan.

  • Motivational Profiles: Goals, barriers, and health behavior assessments generated from your self-reported narratives.

2.3 Information Collected Automatically

  • Device Information: Device type, operating system, app version, unique device identifiers (for push notifications only — not used for tracking or advertising).

  • Usage Data: Feature usage patterns, session duration, and interaction data to improve the Service. This data is aggregated and not linked to your health information.

  • Crash Reports and Diagnostics: Technical error information to maintain app stability.

2.4 Information We Do NOT Collect

  • We do not collect precise location data.

  • We do not access your device contacts, photos, or files unless you explicitly initiate an upload.

  • We do not collect financial information — payment processing for subscriptions is handled entirely by Stripe, Inc., and we never see or store your credit card number.

  • We do not use cookies or tracking pixels in the mobile app.

  • We do not sell your data. Ever.

3. How We Use Your Information

Purpose - Data Used - Legal Basis

Provide the Service - Account info, health data, recordings - Contract performance; your explicit consent for health data

Generate AI summaries and action items - Encounter recordings, clinical facts - Contract performance; legitimate interest in care quality

Send reminders and notifications - Device token, dates, action item due dates - Contract performance; your notification preferences

Facilitate care team communication - Messages, care team membership - Contract performance; consent

Improve the Service - Aggregated usage data, crash reports - Legitimate interest

Comply with legal obligations - As required - Legal obligation

Respond to your support requests - Account info, correspondence - Contract performance

We process health information only to provide the Service to you. We do not use your health data for advertising, marketing to third parties, or any purpose unrelated to your care.

4. AI Processing and Third-Party Services

4.1 Corti (Clinical AI)

We use Corti (Corti ApS, Copenhagen, Denmark) to process encounter recordings and generate clinical summaries and action items. Corti acts as a data processor under our direction.

What Corti receives: Encounter transcripts and preprocessed clinical facts — only the data necessary to generate your visit summary and action items.

What Corti does NOT receive: Your name, date of birth, contact information, insurance details, or any direct identifiers. Transcripts are attributed by speaker role (e.g., "Doctor," "Patient"), not by name.

Corti's compliance posture:

  • HIPAA compliant

  • GDPR compliant

  • SOC 2/3 audited

  • ISO 27001, 27017, 27018 certified

  • ISO 42001 (AI management systems)

  • Data hosted in the United States (for US patients) with no cross-border transfer

  • FIPS-compliant AES encryption at rest, TLS 1.2+ in transit

  • Per-customer encryption keys

  • All data deleted 30 days after agreement termination

  • Corti does not use your data to train general-purpose AI models

For more information: Corti Security & Compliance

4.2 Azure OpenAI

We use Microsoft Azure OpenAI Service for certain AI features (baseline narrative analysis, goal extraction). Azure OpenAI is deployed in our private Azure subscription with the following protections:

  • Your data is not used to train, retrain, or improve Azure OpenAI models

  • Processing occurs within our Azure tenant — data does not leave our subscription

  • Microsoft's data privacy commitments for Azure OpenAI apply

4.3 Stripe (Payments)

Subscription payments are processed by Stripe, Inc. We send Stripe your user ID and selected plan — never your health data. Stripe handles all credit card processing under their own PCI DSS Level 1 compliance. We never see, transmit, or store your payment card details.

4.4 Auth0 (Authentication)

User authentication is handled by Auth0 (Okta, Inc.). Auth0 receives your email address and authentication credentials to verify your identity. Auth0 does not have access to your health data.

4.5 Azure Notification Hubs (Push Notifications)

Push notifications are delivered via Microsoft Azure Notification Hubs using Apple Push Notification service (APNs) for iOS. Notification content is limited to non-specific alerts (e.g., "Encounter Ready," "My Story Ready") — notification payloads never contain clinical details, diagnoses, or PHI.

5. How We Share Your Information

5.1 With Your Care Team

You control who sees your health data. When you invite a caregiver, provider, or care navigator to your care team, they can access your data according to the permission tier you assign:

  • Guardian: Full read-write access to most health categories

  • Provider: Clinical read-write, limited personal categories

  • Care Navigator: Coordination-focused access

  • Partner: Read-only access to most categories

  • Supporter: Summary-level only — no clinical detail

  • Custom: Per-category permissions you configure

You can revoke access at any time. Revocation takes effect within 60 seconds. All access is logged in an immutable audit trail.

5.2 With Service Providers

We share data with the third-party processors listed in Section 4 (Corti, Azure, Stripe, Auth0) solely to operate the Service. Each processor operates under a data processing agreement or business associate agreement that requires them to protect your data to the same standard we do.

5.3 We Do NOT Share Your Data With

  • Advertisers or ad networks

  • Data brokers

  • Employers or insurers (unless you explicitly direct us to)

  • Any party for purposes unrelated to your healthcare

5.4 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or to protect the safety of any person. We will notify you of such disclosures unless legally prohibited from doing so.

6. Data Security

We implement comprehensive security controls to protect your information:

  • Encryption: AES-256 encryption at rest (Azure Transparent Data Encryption), TLS 1.2+ for all data in transit

  • Patient Isolation: Every database query is filtered by patient identity at the database layer — even a software bug cannot return another patient's data

  • Access Control: Role-based access with OpenFGA authorization, 4-layer consent enforcement pipeline

  • Audit Logging: Immutable, append-only audit trail for all data access, with 6-year retention for HIPAA compliance

  • Infrastructure: Hosted on Microsoft Azure (US East region) with SOC 2 and HIPAA BAA coverage

  • Penetration Testing: Regular security assessments and adversarial code review

  • Secret Management: Azure Key Vault for all secrets and credentials; no secrets in source code

7. HIPAA Compliance

Vinyl Health is designed and operated as a HIPAA-compliant platform:

  • We maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule

  • We enter into Business Associate Agreements (BAAs) with all third-party processors who handle protected health information (PHI)

  • We provide patients with access to their health records and the right to request amendments

  • We maintain an immutable audit trail of all PHI access for a minimum of 6 years

  • Workforce members receive HIPAA training and are bound by confidentiality agreements

  • We maintain an incident response plan for potential data breaches, including the required breach notification procedures

8. GDPR Compliance

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Legal Basis: We process health data based on your explicit consent (Article 9(2)(a) GDPR) and contract performance (Article 6(1)(b))

  • Data Controller: Vinyl Health, Inc. is the data controller for your personal data

  • Data Transfers: Data is processed in the United States. We rely on Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework for lawful transfers. Corti participates in the EU-U.S. Data Privacy Framework.

  • Your Rights: You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. To exercise these rights, contact privacy@vinylhealth.ai.

  • Data Protection Officer: Contact us at dpo@vinylhealth.ai

  • Supervisory Authority: You have the right to lodge a complaint with your local data protection authority

9. Your Rights and Choices

Regardless of where you are located, you have the following rights:

Right - How to Exercise

Access your data - View your complete health record in the app, or request a data export

Correct your data - Edit your profile and health information in the app, or contact us

Delete your data - Request account deletion via the app or by contacting us. We will delete your data within 30 days, except where retention is required by law.

Export your data - Download your health data in standard formats (FHIR, PDF) via the app

Revoke care team access - Remove any caregiver, provider, or navigator from your care team at any time

Control notifications - Manage push, email, and SMS notification preferences in Settings

Opt out of AI processing - Contact us to opt out of AI-generated summaries. Core functionality may be limited.

Withdraw consent - You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

10. Data Retention

Data Type - Retention Period

Account information - Until you delete your account + 30 days

Health records and encounter data - Until you delete your account + 30 days, or as required by applicable healthcare record retention laws

Audit logs - 6 years (HIPAA minimum)

AI-processed data at Corti - Deleted 30 days after processing

Payment data at Stripe - Per Stripe's retention policy; we do not store payment data

Crash reports and diagnostics - 90 days

11. Children's Privacy

Vinyl Health is not intended for use by children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If a parent or guardian manages a minor's health data through a Guardian proxy relationship, the parent or guardian is the account holder and controls all data access.

If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@vinylhealth.ai and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app or by email before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

13. Contact Us

If you have questions about this Privacy Policy or our data practices:

Vinyl Health, Inc.

Email: privacy@vinylhealth.ai

Data Protection: dpo@vinylhealth.ai

For HIPAA-related inquiries or to report a potential privacy concern: hipaa@vinylhealth.ai

Website: https://www.vinylhealth.ai