How we handle data at Innovate Health AI.

1. Who we are

InnovateCare LLC d/b/a Innovate Health AI ("Innovate Health AI," "InnovateHealth," "we," "our," or "us") is a healthcare operations company that helps clinics manage operational workflows such as patient calls, scheduling support, intake, reminders, handoffs, and follow-up.

We do not provide medical advice, diagnosis, prescribing, emergency services, or clinical decision-making. Clinics and licensed healthcare professionals remain responsible for patient care and clinical judgment.

2. Scope of this policy

This Privacy Policy applies to information collected through our public website, contact forms, demo requests, business communications, and services we provide to clinic customers.

This policy is separate from any Notice of Privacy Practices provided by a healthcare provider. If you are a patient, your clinic or healthcare provider is responsible for explaining how it uses and discloses your medical information.

Please do not submit sensitive medical information, emergency requests, or detailed patient information through our public website forms. If you have a medical emergency, call 911 or contact local emergency services.

3. Information we collect

Website and contact form data

When you contact us, request a demo, or submit a business inquiry, we may collect your name, work email, phone number, clinic or company name, role, message content, and related business details.

Demo request and business inquiry data

We may collect information about your clinic operations, workflow needs, preferred contact method, and scheduling availability so we can respond to your request and evaluate whether our services are a fit.

Communication data

If you communicate with us by email, phone, SMS, web form, or other channels, we may process the contents of those communications and related metadata such as date, time, sender, recipient, and contact preferences.

Device, browser, and usage data

Like most websites, our servers or service providers may collect IP address, browser type, device type, pages viewed, referring pages, and similar technical information used to operate and protect the website.

Clinic/customer data processed on behalf of customers

When we provide services to clinic customers, we may process patient, appointment, communication, intake, reminder, or workflow information on behalf of that customer. Depending on the context, some of this information may be protected health information (PHI) or electronic protected health information (ePHI).

4. How we use information

• Respond to demo requests, contact submissions, and business inquiries.
• Provide, operate, maintain, and improve our healthcare operations services.
• Support clinic workflows such as communication routing, scheduling support, intake, reminders, and operational handoffs.
• Communicate with clinics, users, vendors, and partners about service updates, support, and administrative matters.
• Protect our website, systems, customers, users, and business from misuse, fraud, security incidents, and legal risk.
• Comply with contracts, legal obligations, regulatory obligations, and applicable healthcare privacy requirements.

5. HIPAA / PHI handling

Website visitor data is not automatically PHI simply because our business operates in healthcare. For example, a business email submitted through a demo form is generally handled as business contact information unless the context makes it subject to specific healthcare privacy obligations.

When we process PHI or ePHI on behalf of a covered entity or business associate, we do so as a service provider/business associate where applicable, under the relevant Business Associate Agreement (BAA), customer instructions, and applicable law.

We use administrative, technical, and physical safeguards designed to protect PHI and ePHI where applicable. We also execute BAAs with applicable vendors and subprocessors that create, receive, maintain, transmit, or otherwise handle PHI/ePHI within the scope of services they provide to us.

We currently use Microsoft Azure for certain infrastructure components and rely on Microsoft BAA coverage for HIPAA-eligible Azure services used within the applicable scope. We also use third-party vendors and subprocessors to support infrastructure, voice workflows, communications, security, and related operations. Where a vendor creates, receives, maintains, or transmits PHI/ePHI on our behalf, we use appropriate contractual protections, including Business Associate Agreements where applicable. Vendor coverage depends on the specific service, configuration, contract, and use case.

We do not claim to be "HIPAA certified." HIPAA does not create a single official certification that proves a company or cloud service is compliant in all contexts. Compliance depends on the specific services used, safeguards implemented, contracts in place, customer configuration, and ongoing operational practices.

6. SMS and communications

Where applicable, Innovate Health AI may support operational or informational communications by phone, SMS, email, or similar channels on behalf of clinic customers or in response to business inquiries.

• Messages may include appointment reminders, scheduling follow-up, intake reminders, callback coordination, demo scheduling, or support communications.
• Message frequency varies based on the workflow, clinic, and user interaction.
• Message and data rates may apply, depending on your mobile carrier and plan.
• Where supported, you may reply STOP to opt out of text messages and HELP for help.
• Consent to receive marketing text messages is not a condition of purchase.
• We do not sell SMS consent data, mobile numbers, or opt-in information to third parties for marketing or promotional purposes.

Standard SMS is not always appropriate for sensitive health information. We design operational communications to limit unnecessary sensitive content and may direct patients to contact their clinic or use a secure channel for detailed clinical information.

7. Sharing and disclosure

We do not sell personal information or PHI. We may share information in the following limited circumstances:

• Service providers and subprocessors: vendors that help us host, operate, secure, communicate, support, analyze, or improve our services, subject to appropriate contractual obligations and BAAs where applicable.
• Clinic customers: information processed on behalf of a clinic may be made available to that clinic according to our agreement with the clinic.
• Legal obligations: when required by law, subpoena, court order, regulatory request, or to protect rights, safety, security, and integrity.
• Business transfers: in connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to appropriate protections.
• With consent: when you direct us or authorize us to share information.

8. Data retention

We retain information for as long as reasonably necessary to provide services, respond to inquiries, maintain business records, comply with legal and contractual obligations, resolve disputes, protect security, and support audit or compliance needs.

For customer data processed on behalf of clinics, retention may be governed by the applicable customer agreement, BAA, legal requirements, and customer instructions.

9. Data security practices

We use safeguards designed to protect information we process, including where applicable:

• Access controls and role-based access practices.
• Encryption in transit and at rest where appropriate for the service and data type.
• Vendor and subprocessor review for systems that may handle PHI/ePHI.
• Administrative policies, workforce access limitations, and confidentiality obligations.
• Logging, monitoring, and incident response practices appropriate to the stage and scope of our business.
• Physical safeguards through reputable infrastructure and workplace practices.

No method of transmission, storage, or processing is completely secure. We avoid inflated security promises and continue to improve our safeguards as the platform matures.

10. Your choices and rights

You may contact us to request access, correction, deletion, or restriction of personal information we maintain about you, subject to applicable law, identity verification, and any contractual or legal retention requirements.

If you are a patient seeking access to, correction of, or deletion of medical records held by your healthcare provider, please contact that provider directly. We may not be able to fulfill patient record requests except through the applicable clinic customer.

11. Cookies and analytics

Our website may use basic cookies, browser storage, server logs, or similar technologies needed to operate, secure, and improve the site. If we add analytics, advertising, or tracking technologies in the future, we will update this policy as appropriate.

You can usually adjust your browser settings to block or delete cookies, but some website features may not work as intended.

12. Children's privacy

Our website and business-facing services are not directed to children under 13. We do not knowingly collect personal information from children through our public website. Patient-related information, where applicable, is processed on behalf of clinic customers and subject to their instructions and applicable law.

13. International transfers

We are based in the United States and may work with personnel, vendors, or infrastructure in different locations. Where information is processed across borders, we use appropriate safeguards and contractual obligations for the data type and service context.

14. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective or last updated date. Material changes may be communicated through additional notice where appropriate.

15. Contact us

For privacy, security, or legal questions, contact:

InnovateCare LLC d/b/a Innovate Health AI
Texas, United States
Email: hello@innovatehealth.ai