Privacy Policy

Last updated: February 2026

We understand that your recovery information is deeply personal. POP was built to protect it. This Privacy Policy explains, in plain language, how we collect, use, and safeguard your information — and the choices you have. If you have questions, we are always reachable at contact@pophealth.ai.

1. Scope and Updates to This Privacy Policy

This Privacy Policy applies to personal information processed by POP Health Technologies (“POP,” “we,” “us,” or “our”), including on our websites, mobile applications, and other online or offline offerings (collectively, the “Services”).

Changes to our Privacy Policy. We may revise this Privacy Policy from time to time in our sole discretion. If there are any material changes, we will notify you as required by applicable law. By continuing to use our Services after a new Privacy Policy takes effect, you are deemed to have accepted the updated terms.

An Important Note: This Privacy Policy does not apply to personal information we process on behalf of healthcare provider customers through their use of our Services (“Customer Data”). That processing is governed by our contracts with those customers and applicable Business Associate Agreements (“BAAs”). Any questions about Customer Data should be directed to the relevant healthcare provider customer.

2. When POP Acts as a Business Associate vs. a Direct Service Provider

Depending on how you access POP, we may act in different legal capacities. Understanding which capacity applies to you is important because your rights and our obligations differ.

A. Business Associate (Hospital or Clinic-Integrated Use)

When your healthcare provider (a hospital, clinic, or other covered entity under HIPAA) has deployed POP and shares your discharge instructions or health information with us, POP acts as a Business Associate under HIPAA. In this context:

  • Our processing of your protected health information (“PHI”) is governed by the BAA between POP and your provider, and by HIPAA.
  • Your provider is responsible for its own privacy notices and for your primary rights under HIPAA.
  • Requests regarding your PHI in this context should be directed to your healthcare provider.

B. Direct Service Provider (Independent Patient Use)

When you independently create a POP account and upload your own discharge documents or recovery information — without your healthcare provider deploying POP — POP acts as a direct service provider. In this context:

  • This Privacy Policy governs our collection and use of your information.
  • You are in direct control of your account, your data, and the rights described in Section 8 of this Policy.
  • You may choose to share your care plan with caregivers or providers, which is your choice and your responsibility.

C. Hybrid Deployments

Some users may be enrolled by a hospital and also use POP independently. In such cases, hospital-provided PHI remains governed by the BAA, while any information you voluntarily add to your account is governed by this Privacy Policy. We maintain appropriate technical separation between these data streams.

3. How POP Uses Artificial Intelligence

POP is an AI-native platform. We use artificial intelligence and machine learning technologies to extract, organize, and personalize the health information you submit, turning complex discharge documents into clear, actionable recovery plans.

What AI is Used For

  • Parsing and structuring surgical discharge instructions you upload or your provider shares.
  • Generating personalized, step-by-step recovery schedules and care reminders.
  • Surfacing relevant recovery information in response to your questions.
  • Improving the accuracy and relevance of our Services over time.

AI and Your Health Information — Our Commitments

  • We do not use protected health information (PHI) to train publicly available or commercially distributed AI models.
  • Any use of de-identified or aggregated data to improve our AI systems follows HIPAA de-identification standards (see Section 6).
  • Third-party AI service providers (such as large language model providers) who process data on our behalf do so under binding contractual confidentiality, security, and data processing obligations. They are not permitted to use your data for their own model training.
  • We do not retain individual conversation prompts or health queries beyond what is necessary to deliver the Service to you, unless you have consented or we are required by law.
  • We conduct ongoing reviews of our AI systems to identify and mitigate potential bias in recovery guidance.

If you have questions about a specific AI decision affecting your care plan, contact us at contact@pophealth.ai.

4. Personal Information We Collect

The categories of personal information we collect depend on how you interact with us. We collect information you provide to us, information collected automatically when you use our Services, and information from other sources.

A. Personal Information You Provide to Us

Account information. Name, email address, phone number, address, role (e.g., patient, caregiver, healthcare provider), and other account details.

Health and recovery information. Surgical discharge instructions, symptom reports, recovery check-in responses, medication details, and related health notes. This information may constitute PHI under applicable law and is handled in accordance with Section 2 and applicable BAAs.

Support and feedback information. Information you submit when contacting us for support, responding to surveys, or providing feedback about your recovery experience.

Business development information. Information collected from individuals and organizations to assess potential partnerships or business opportunities.

Job applicant information. Application materials including CV, cover letter, and employment history for candidates applying to work at POP.

B. Personal Information Collected Automatically

We may automatically collect certain technical and usage information when you interact with our Services, including:

  • Internet protocol (IP) address and approximate location (derived from IP)
  • Browser type, device type, and operating system
  • Cookie identifiers and session data
  • Pages visited, features used, links clicked, and frequency and duration of activity
  • Referring URLs and search terms used within the Services

C. Personal Information from Other Sources

We may obtain personal information from public sources, third-party service providers, or organizations through co-sponsored events or shared content channels. We combine this information with other data we hold only where permitted by law.

5. Cookies and Other Technologies

We, and certain third parties that provide analytics on our Services, may use cookies, pixel tags, and similar technologies to collect information automatically.

Strictly Necessary

Required for core site functionality — login, security, and preferences. They cannot be disabled.

Functional

Enable enhanced personalization and features. Disabling them may affect site performance.

Analytics and Performance

Help us understand how our Services are used and improve the user experience. Analytics data is aggregated and not used to identify individual patients.

We do not serve third-party advertising inside POP recovery workflows. Any marketing technologies we use are limited to communications about POP’s own products, features, and research programs.

You may adjust your browser settings to opt out of non-essential cookies, or visit POP with the Global Privacy Control (“GPC”) signal enabled. For more information, visit globalprivacycontrol.org. We honor the GPC opt-out signal where required by applicable law.

6. How We Use Your Personal Information

A. Providing Our Services

  • Managing your account and providing access to your personalized care plan
  • Parsing and structuring discharge instructions using AI (see Section 3)
  • Sending recovery reminders, check-in prompts, and health-related communications you have requested
  • Answering customer and technical support requests
  • Communicating with you about your account and material policy changes

B. Improving and Developing Our Services

  • Assessing performance, identifying bugs, and improving platform reliability
  • Developing new features, workflows, and recovery programs
  • Conducting internal research and analytics on aggregated, de-identified data
  • Training and evaluating our AI systems using de-identified data only (see Section 3)

C. Service-Related Communications

We may contact you about product updates, new features, research participation invitations, and clinical program opportunities. We do not use your health information for general advertising or third-party marketing. You may opt out of non-essential communications at any time (see Section 8).

D. Legal, Safety, and Compliance

  • Authenticating and verifying your identity
  • Detecting, preventing, and responding to fraud, security incidents, and abuse
  • Complying with our legal and regulatory obligations
  • Enforcing our agreements and policies
  • Processing job applications

E. De-identified and Aggregated Information

We may de-identify or aggregate personal information so that it can no longer reasonably be used to identify an individual. Where our Services involve PHI, de-identification follows the Expert Determination or Safe Harbor methods under HIPAA. We prohibit re-identification of de-identified data and contractually require the same of our partners. De-identified or aggregated information may be used for product improvement, research publications, academic collaboration, and clinical program validation — including randomized controlled trials and academic partnerships.

7. How We Disclose Your Personal Information

A. Disclosures to Provide Our Services

Service Providers. We share information with vendors who assist with hosting, IT infrastructure, payment processing, customer support, and AI processing services. All service providers are contractually bound to use your data only to perform services on our behalf.

Healthcare Provider Customers. Where you use our Services through a healthcare provider, we may share your information with that provider as necessary to support your care and recovery, consistent with applicable law and your provider’s authorization.

Third-Party Integrations. If you choose to connect POP with third-party tools (e.g., health apps or wearable devices), information shared with those services is subject to their own privacy policies.

Business Partners. We may share non-health information with business partners to provide a specific product or service you have requested.

Affiliates. We may share personal information with POP corporate affiliates for purposes consistent with this Privacy Policy.

B. We Do Not Sell Protected Health Information

POP does not sell, rent, or share protected health information (PHI) for advertising, marketing, or any commercial purpose. We do not serve third-party advertisements within recovery workflows or sell health data to data brokers.

C. Disclosures to Protect Us or Others

We may disclose information where we, in good faith, believe it is necessary to comply with law or legal process; protect the rights, property, or safety of POP, our users, or the public; enforce our agreements; or assist with the investigation of suspected illegal activity.

D. Business Transactions

If POP is involved in a merger, acquisition, financing, reorganization, or transition of service, your information may be transferred as part of that transaction, subject to applicable law and contractual protections. We will notify you of any material change in data controller as required.

8. Data Security Practices

Protecting your health information is foundational to POP. We implement industry-standard security practices designed to protect your data from unauthorized access, loss, or misuse.

Our Security Measures Include:

  • Encryption of data in transit using TLS 1.2 or higher, and encryption of data at rest.
  • Role-based access controls that restrict access to personal and health information to authorized personnel on a need-to-know basis.
  • Audit logging to track access to sensitive health information, with logs reviewed regularly for anomalies.
  • Routine security assessments, vulnerability scanning, and penetration testing.
  • Incident response procedures to detect, contain, and notify affected parties in the event of a data breach, consistent with applicable law.
  • Business Associate Agreements with all subprocessors who access PHI.

Hospitals and enterprise partners may request additional security documentation by contacting contact@pophealth.ai.

We are actively working toward SOC 2 Type II certification as we scale our hospital partnerships.

9. Your Privacy Choices and Rights

A. Your Privacy Choices

Email Communications. You may unsubscribe from non-essential emails using the link at the bottom of any email. You will continue to receive service-critical communications and care-related messages you have requested.

Phone Calls. To opt out of marketing calls, follow the instructions on the call or contact us as described in the Contact Us section.

Cookies. You may adjust browser settings to opt out of non-essential cookies. You may also use a GPC-enabled browser. Note that disabling certain cookies may affect Service functionality.

B. Your Privacy Rights

Depending on your location and applicable law, you may have the right to:

Request Access. Know what personal information we hold about you, its sources, and how it has been used.

Request Correction. Ask us to correct inaccurate or incomplete information.

Request Deletion. Ask us to delete your personal information, subject to legal and contractual obligations.

Opt-Out of Sale or Sharing. We do not sell PHI. For non-health data, you may opt out of sharing for targeted advertising.

Request Restriction or Object. Ask us to limit or stop certain processing activities.

Data Portability. Receive a copy of your information in a portable format.

Withdraw Consent. Where we rely on consent, you may withdraw it for future processing.

Lodge a Complaint. You may file a complaint with your applicable data protection authority.

To exercise these rights, contact us at contact@pophealth.ai. We will respond within the timeframe required by applicable law and will not discriminate against you for exercising your privacy rights.

10. Notice at Collection to California Residents

The following disclosures apply to California residents under the California Consumer Privacy Act, as amended (“CCPA”).

Categories of Personal Information We Collect

  • Identifiers (name, email address, account log-in identifiers)
  • Personal information listed in California Customer Records statute (Cal. Civ. Code § 1798.80(e))
  • Health and medical information (recovery notes, symptom reports, discharge documents)
  • Commercial information (transaction records)
  • Internet or electronic network activity (IP addresses, website usage data)
  • Geolocation data (approximate location from IP address)
  • Professional or employment-related information (job applicants)

Categories of Third Parties We Disclose to for a Business Purpose

  • POP corporate affiliates
  • Service providers (IT, hosting, AI infrastructure, payment processing)
  • Healthcare provider customers (as permitted by applicable law and BAAs)
  • Business partners (for jointly offered services or programs)

Sale or Sharing of Personal Information

POP does not sell or share protected health information. POP does not share any personal information with third parties for cross-context behavioral advertising. California residents have the right not to receive discriminatory treatment for exercising their CCPA rights.

11. International Transfers of Personal Information

POP is headquartered in Canada and serves patients and healthcare providers in Canada, the United States, and other jurisdictions. Personal information we collect may be transferred, processed, and stored in Canada, the United States, or other countries.

Canadian Users

For users in Canada, including those at Quebec-based institutions, we comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and, where applicable, Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Law 25,” Bill 64). This includes:

  • Maintaining a Privacy Officer responsible for compliance.
  • Conducting Privacy Impact Assessments (PIAs) for high-risk processing activities, as required under Law 25.
  • Implementing data minimization and purpose limitation principles consistent with PIPEDA and Law 25.
  • Providing Quebec residents with the right to data portability and the right to de-indexation (erasure) where applicable under Law 25.
  • Ensuring that any transfer of personal information outside Quebec meets the requirements of Law 25, including documented risk assessments and contractual safeguards.

Users in Quebec and other Canadian provinces may direct privacy inquiries to our Privacy Officer at contact@pophealth.ai.

European and UK Users

If personal information originating from the European Economic Area (EEA), Switzerland, or the United Kingdom is transferred to a country without an adequate level of data protection, we use EU Standard Contractual Clauses or other appropriate safeguards, as required by applicable law.

Data Residency

POP currently uses cloud infrastructure hosted primarily in the United States and Canada. If you require specific data residency commitments (e.g., Canadian-only data storage for hospital procurement), please contact contact@pophealth.ai to discuss enterprise options.

12. Retention of Personal Information

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, and as required by applicable law.

Active Account Data. Retained for the duration of your active account and a reasonable period thereafter to support continuity of care and address outstanding requests or disputes.

Post-Discharge Recovery Data. Retained for the duration reasonably necessary to support your recovery period. Deleted upon request, subject to the exceptions below.

Backup and Archival Data. Maintained for a limited period for disaster recovery purposes, after which it is securely purged.

Legal and Compliance Obligations. We may retain certain information for longer periods where required by law, regulation, or contractual obligation — including HIPAA medical record retention requirements.

Secure Deletion. When data reaches the end of its retention period, we apply secure deletion practices that render information unrecoverable. PHI is disposed of per HIPAA’s disposal requirements.

Account Deletion Requests. We will delete or de-identify your personal information within the timeframe required by applicable law, except where retention is legally required or necessary to resolve a pending dispute.

13. Our Lawful Basis for Processing (EU/UK GDPR)

If your personal information is subject to the EU or UK General Data Protection Regulation, our processing is supported by the following lawful bases:

Performance of a Contract. We process personal information as necessary to perform our agreement with you or to take pre-contractual steps.

Legitimate Interests. We may process personal information to pursue our legitimate interests — such as improving our Services and preventing fraud — where those interests are not overridden by your rights.

Legal Obligations. We process personal information to comply with applicable laws and regulations.

Consent. In some cases, we rely on your explicit consent, which you may withdraw at any time (see Section 9).

14. Children's Information

Our Services are not directed to children under the age of 18 (or such other age as required by local law). We do not knowingly collect, sell, or share personal information from children. If you believe your child has provided us with personal information without your consent, please contact us at contact@pophealth.ai. If we become aware that a child has provided information in violation of applicable law, we will delete it and terminate the child’s account, unless we have a legal obligation to retain it.

15. Other Provisions

Third-Party Websites and Applications

Our Services may contain links to third-party websites or applications not controlled by POP. We encourage you to review the privacy policies of each service you interact with. POP is not responsible for the privacy practices of third-party services.

Health Information and HIPAA

Where our Services involve the processing of PHI, such processing is governed by HIPAA and the applicable BAA with your healthcare provider, in addition to this Privacy Policy.

No Sale of PHI

Consistent with HIPAA and our values, POP does not sell protected health information. This commitment applies regardless of the mechanism, platform, or legal framework through which data might otherwise be transferred.

Do Not Track

Some browsers transmit Do Not Track (“DNT”) signals. Because there is no uniform industry standard for responding to DNT signals, we do not currently alter our data practices in response to DNT. However, you may opt out of non-essential tracking through cookie settings, GPC, or by contacting us directly.

16. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our privacy practices, please contact us:

POP Health Technologies — Privacy Officer

contact@pophealth.ai

For EU/UK GDPR purposes: POP Health Technologies is the data controller.

For Quebec Law 25 purposes: Our Privacy Officer is responsible for compliance and can be reached at the address above.

©2026 POP Health Technologies