Privacy Policy
Last updated: January 2025
Introduction
Sova Health Systems Innovation Systems ("we," "us," or "our") operates the SovaCare Platform and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you use the Service.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, do not use the Service.
1. Information We Collect
Clinician and staff data
When you create an account or use the Service, we collect:
- Name, email, phone, clinic name, license number
- Login credentials and authentication data
- Usage data (features used, login times, session duration)
- Payment information (processed securely via Stripe)
Patient data
Via FHIR API or data import from your EHR, we collect:
- Patient demographics (name, DOB, contact)
- Medical records (encounters, diagnoses, medications, allergies, labs)
- Consent and access logs
Automatic data collection
We automatically collect:
- IP address, browser type, device information
- Cookies and similar tracking technologies
- Usage analytics and error logs
2. How We Use Your Information
We use collected information to:
- Provide and improve the Service
- Process payments and billing
- Authenticate users and secure accounts
- Send service updates and support communications
- Comply with legal and regulatory requirements (HIPAA, GDPR, etc.)
- Detect and prevent fraud and security incidents
- Analyze usage for product improvements
3. Sharing Your Information
We do not sell patient data. We share information only as necessary:
- Service providers: Payment processors (Stripe), cloud infrastructure (AWS), analytics (GA4)
- With patient consent: When a patient grants access via consent management
- Legal requirements: Court orders, lawful government requests
- Business transfers: In case of acquisition or merger
4. Data Retention
We retain data as follows:
- Active patient records: Retained during and after active care (per your retention policy)
- Audit logs: Retained for 7 years (HIPAA requirement)
- Usage analytics: Retained for 12 months
- Account data: Deleted upon request or account termination (with legal holds applied)
5. Data Security
We implement industry-standard security measures:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256 for patient data)
- Role-based access control (RBAC)
- Regular security audits and penetration testing
- Employee training on data protection
However, no security system is 100% secure. We cannot guarantee absolute security.
6. Your Privacy Rights
HIPAA rights (for patients)
- Right to access your medical records
- Right to request amendments
- Right to request an accounting of disclosures
- Right to request restrictions on uses and disclosures
GDPR/CCPA rights (for EU/CA users)
- Right to access your data
- Right to deletion ("right to be forgotten")
- Right to data portability
- Right to opt out of processing
To exercise these rights, contact admin@sovacare.health.
7. Cookies and Tracking
We use cookies for:
- Session management and authentication
- Analytics and usage tracking (GA4)
- Remembering preferences
You can control cookies via your browser settings. Disabling cookies may affect Service functionality.
8. Third-Party Links
The Service may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies before sharing information.
9. Children's Privacy
The Service is not intended for children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect data from children. If we become aware of such collection, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via email or by posting a notice on the Service. Your continued use of the Service after changes constitutes acceptance.
11. Contact Us
For questions or requests regarding this Privacy Policy, contact:
Sova Health Systems Innovation Systems
Email: admin@sovacare.health
Address: [To be filled in]