Privacy Policy
Protecting your health information and respecting your privacy choices is foundational to Prisma. This Privacy Policy explains what we collect, how we use and protect it, who we share it with, and the choices and rights available to you - including your rights under HIPAA. Please read this carefully alongside our Terms and Conditions.
1. Who We Are and Who This Policy Covers
Aurelis Insights, Inc. ("we," "us," or "our") operates Prisma, a health data platform for patients and patient communities. This Privacy Policy applies to all users of the App and related services.
If you are a patient who uses this App or whose health records are accessed or processed through the App, this Policy applies to you. If you are accessing the App as a caregiver or legal representative of another individual, this Policy applies to your use on their behalf.
2. HIPAA and Our Role
Some or all of the health information we handle may constitute Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Accordingly, we treat all health information you provide with the highest standards of privacy and security.
3. Information We Collect
Health Records
With your explicit authorization, we retrieve health records from your healthcare providers and health plans. This may include diagnoses, medications, lab results, vitals, visit notes, and insurance claims data.
Self-Reported Information
We collect health information you enter directly through surveys, questionnaires, and symptom or lifestyle trackers within the App. This may include your symptoms, health goals, medications you self-report, lifestyle information, and responses to health assessments.
Account Information
Name, date of birth, email address, and credentials you use to create and access your account.
Usage and Technical Data
We collect information about how you interact with the App, including features accessed, session duration, device type, operating system, App version, IP address, and access timestamps. This data is used to maintain and improve the App and will not be used to build advertising profiles.
Communications
If you contact our support team, we retain records of those communications.
We do not sell, rent, or trade any of your identifiable personal or health information to third parties for their own marketing or commercial purposes.
4. How We Use Your Information
We use the information we collect to:
- Deliver the App's core features, including retrieving and displaying your health records, generating personal health summaries, and powering comparative insights;
- Personalize your experience, such as tailoring surveys and insights to your health profile;
- Generate comparative analytics, by de-identifying and aggregating data from users with similar health profiles to produce the peer comparison features described in our Terms;
- Communicate with you, including transactional messages, support responses, and - where you have consented - optional notifications about relevant features or research opportunities;
- Maintain security and integrity, including detecting unauthorized access, preventing fraud, and ensuring the technical performance of the App;
- Comply with legal obligations, including HIPAA requirements, court orders, and applicable federal and state law; and
- Improve and develop the App, using only de-identified and aggregated data for this purpose - never identifiable health information.
We will not use your identifiable health information to train AI or machine learning models, or for any purpose materially inconsistent with this Policy, without your separate, explicit consent.
5. How We Share Your Information
We do not sell your identifiable personal or health information. We share your information only as follows:
Service Providers (Business Associates). We engage vendors and contractors who process health information on our behalf - including cloud infrastructure providers, analytics vendors, and customer support tools. Where these vendors handle PHI, we enter into HIPAA-compliant Business Associate Agreements with them.
Third-Party Artificial Intelligence (AI) Services. When you interact with our AI-powered Chat feature, we share certain information with our third-party AI infrastructure provider, Amazon Web Services, Inc. (AWS), to process your requests and generate responses.
- What Data Is Sent: The text prompts and questions you type into the Chat interface, along with contextually relevant data from your Personal Health Summaries.
- Purpose: To power real-time conversational responses and health data navigation assistance.
- Data Protection & Equal Safeguards: We access these AI services strictly through private, enterprise-grade APIs under a HIPAA-compliant Business Associate Agreement (BAA). The third-party provider is contractually required to maintain the same or equal levels of data privacy and security protections as outlined in this policy. They are strictly prohibited from storing, retaining, or using your data to train their public AI models or for any purpose outside of generating the immediate response.
Health Data Intermediaries. Where we use a third-party intermediary to facilitate EHR connections, we share data with that intermediary solely to enable your authorized data connections. Their use of your data is governed by their privacy terms.
Research Partners. With your separate, explicit consent, we may share de-identified or identified data with research partners, patient advocacy organizations, or life sciences companies. We will always describe the scope of any such sharing clearly before asking for your consent, and you will never be required to participate as a condition of using the App.
Legal Compliance. We may disclose your information when required by law, court order, regulatory authority, or government request. We will scrutinize all such requests and disclose only what is legally required. Where permitted, we will notify you before complying.
Business Transfers. In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to a successor entity. We will notify you of any such change and any choices you may have regarding your data.
With Your Consent. We may share information for other purposes with your explicit prior consent.
6. Your Rights Over Your Data
You have the following rights regarding your information, which you may exercise by contacting us at privacy@ourprisma.com:
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may request that we correct inaccurate account or self-reported information. For inaccuracies in your health records, please contact the originating provider directly.
- Deletion: You may request deletion of your account and associated data. We will honor deletion requests subject to our legal retention obligations and the terms of this Policy. Note that de-identified data derived from your information prior to deletion is no longer attributable to you and cannot be deleted from aggregate datasets.
- Data Portability: You may request a copy of your data.
- Withdrawal of EHR Authorization: You may disconnect any EHR data source at any time through your account settings. This stops future collection but does not automatically delete previously retrieved records.
- Opt-Out of Trial Matching: If you have previously consented to research sharing, you may withdraw that consent at any time without affecting your ability to use the App's core features.
We will process your requests within 30 days. We will never retaliate against you for exercising any of these rights.
7. Your HIPAA Rights
Where your information constitutes PHI, you have additional rights under HIPAA, including:
- Right to Access: To inspect and obtain a copy of your PHI we maintain;
- Right to Amend: To request correction of inaccurate or incomplete PHI;
- Right to an Accounting of Disclosures: To receive a list of certain disclosures of your PHI;
- Right to Restrict Uses and Disclosures: To request restrictions on how we use or share your PHI (we are not always required to agree, but will evaluate all requests);
- Right to Confidential Communications: To request we contact you through a specific channel or at a specific location;
- Right to Revoke Authorization: To withdraw any authorization for specific uses or disclosures of your PHI in writing at any time (revocation is not retroactive).
8. Data Security
We implement strict administrative, technical, and physical safeguards designed to protect your health information consistent with the HIPAA Security Rule and industry best practices. Our measures include:
- Encryption of data in transit and at rest;
- Role-based access controls and least-privilege access policies;
- Multi-factor authentication for internal systems;
- Regular third-party security assessments and penetration testing; and
- Employee privacy and security training.
No system is completely secure. In the event of a breach affecting your PHI, we will notify you in accordance with the HIPAA Breach Notification Rule and applicable state breach notification laws.
9. Data Retention
We retain your personal and health information for as long as your account is active, as needed to provide the services, or as required by law.
When your data is no longer needed, we securely delete or de-identify it consistent with our data retention schedule. De-identified data may be retained indefinitely as part of aggregate analytical datasets.
10. Cookies and Tracking
We use cookies and similar technologies to maintain your login session, remember your preferences, and understand how users engage with the App.
We do not use cookies or tracking technologies to build advertising profiles or share your activity with ad networks. You may be able to control cookie settings through your browser or device settings, though some features may not function correctly if you disable certain cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or prominent in-App notice before the changes take effect. The "Last Updated" date at the top of this Policy will always reflect the most recent revision. Your continued use of the App after changes take effect constitutes your acceptance of the updated Policy.
12. Contact Us and How to File a Complaint
For questions, requests, or concerns about this Privacy Policy or our privacy practices, please contact:
Aurelis Insights, Inc. - Privacy Officer
Email: privacy@ourprisma.com
If you believe your privacy rights have been violated, you have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/ocr, by phone at 1-800-368-1019, or by mail. You will not be penalized or retaliated against for filing a complaint.