Atulya Health
Privacy Policy
This Privacy Policy explains how Atulya Health ("Atulya," "we," "us," or "our") collects, uses, discloses, and protects information in connection with our websites, mobile and hosted applications, communications, and related services (collectively, the "Services"). By accessing or using the Services, you acknowledge the practices described in this Policy. If you do not agree, do not use the Services.
Last updated: May 4, 2026
1. Scope
This Privacy Policy applies to information collected through:
- Our websites at atulya.health and related domains.
- Our mobile applications, including iOS and Android applications distributed through the Apple App Store and Google Play.
- Our hosted web applications used by clinicians and administrative staff.
- Communications, support interactions, and demonstrations.
This Policy does not apply to third-party websites, applications, or services we do not control, even if they link to or from the Services.
2. Our Role and Users
Atulya provides software for clinicians and administrative staff at hospice organizations and other healthcare customers ("Customer Organizations") to support hospice eligibility assessment. Two distinct groups of individuals are relevant to the Services:
- Users. Clinicians, administrators, and other workforce members of Customer Organizations who access the Services to perform their jobs.
- Patients. Individuals receiving care from Customer Organizations. Patients are not direct users of the Services. Information about Patients, including protected health information ("PHI"), is provided to Atulya by Customer Organizations and processed on their behalf.
When Atulya processes PHI on behalf of a Customer Organization, Atulya acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and is bound by a Business Associate Agreement ("BAA") with that Customer Organization. The BAA, together with the Customer Organization's own privacy notices, authorizations, and instructions, governs Atulya's handling of PHI. To the extent any term of this Privacy Policy conflicts with the applicable BAA with respect to PHI, the BAA controls.
Patients seeking information about how their health information is collected, used, or disclosed should contact their hospice or healthcare provider directly. Atulya does not have a direct relationship with Patients and cannot respond to Patient requests except as directed by the Customer Organization.
3. Information We Collect
We collect the following categories of information.
3.1 Information You Provide Directly
- Account and contact information: name, work email address, phone number, organization name, professional role and credentials, and account username.
- Authentication information: passwords, security questions, multi-factor authentication factors, and session tokens.
- Communications: information you provide in support requests, surveys, demonstration requests, or other communications with us.
- User-generated content: notes, comments, narrative text, and other content you create or submit through the Services in the course of your work.
3.2 Information Provided by Customer Organizations
Customer Organizations provide information to Atulya to enable the Services, which may include:
- Workforce data about Users (including employment role, license information, and access permissions).
- Patient data, which may include PHI such as name, date of birth, contact information, medical record number, demographics, diagnoses (including ICD-10 codes), medications, vital signs, performance status assessments, activities of daily living assessments, clinical narratives, care preferences, and other clinical information necessary for hospice eligibility evaluation.
Atulya processes Patient data only as directed by the Customer Organization and in accordance with the BAA.
3.3 Information Collected Automatically
- Device and technical data: IP address, browser type and version, operating system, device identifiers, mobile network information, and approximate geolocation derived from IP address.
- Usage data: pages and features accessed, actions taken, timestamps, referring URLs, and audit trail information.
- Log data: server logs, error reports, and diagnostic information.
- Cookies and similar technologies: see Section 11.
3.4 Information from Third Parties
- Identity providers: if you sign in through a single sign-on (SSO) provider, we receive authentication information from that provider.
- Service providers: information from hosting, security, and infrastructure providers necessary to operate the Services.
We do not purchase any personal information from data brokers, and we never use information collected through the Services for advertising purposes.
4. How We Use Information
We use information for the following purposes:
- Provide Services. Authenticate Users, deliver application functionality, support hospice eligibility workflows, and enable AI-assisted features.
- Operate and secure the Services. Monitor performance, prevent fraud and abuse, investigate security incidents, enforce access controls, and maintain audit trails required by HIPAA and other applicable law.
- Communicate with you. Respond to inquiries, deliver service notices, and provide product updates and policy changes.
- Improve the Services. Analyze usage patterns, develop new features, and improve existing functionality.
- Comply with legal and contractual obligations. These include HIPAA, applicable state law, and BAA obligations.
5. AI and Automated Processing
The Services use artificial intelligence ("AI") features to support clinical documentation and eligibility evaluation, including assistance with hospice certification narrative generation and admissions workflows.
- PHI is not transmitted to AI models. Before any data is sent to AI processing, Atulya removes protected health information using de-identification techniques consistent with the HIPAA Privacy Rule. AI models receive only de-identified clinical context necessary to generate the requested output. Re-identification to associate AI output with a specific patient record occurs within Atulya's HIPAA-compliant systems and not within the AI model's environment.
- AI infrastructure is HIPAA-aligned. Atulya's AI processing is performed on infrastructure covered by Business Associate Agreements (including AWS for Amazon Bedrock), with private network connectivity, encryption in transit and at rest, and no logging of inputs or outputs by the AI provider for training purposes.
- No training on customer data. Atulya does not use customer data, including de-identified data derived from PHI, to train general-purpose AI models, and our AI subprocessors are contractually prohibited from doing so.
- Clinician judgment is authoritative. AI features are designed to support, not replace, clinician judgment. Clinical decisions, eligibility determinations, and physician certifications remain the responsibility of qualified clinicians and Customer Organizations.
6. How We Share Information
We do not sell or share personal information as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"). We do not engage in cross-context behavioral advertising.
We disclose information only as follows:
- Customer Organizations. Information collected through a Customer Organization's instance of the Services is made available to that Customer Organization, including for administration of User accounts and review of audit trails.
- Subprocessors and service providers. We engage third parties to provide hosting, infrastructure, AI processing, security, monitoring, communications, and analytics services. See Section 7.
- Professional advisors. Auditors, accountants, attorneys, and other advisors as needed to operate our business.
- Compliance and legal process. Regulators, law enforcement, or other parties when required by applicable law, subpoena, court order, or other legal process; to enforce our agreements; to protect the rights, safety, or property of Atulya, our customers, or others; or to investigate suspected fraud or wrongdoing.
- Corporate transactions. A successor or acquirer in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to confidentiality and continued protection of information consistent with this Policy.
- With your direction. Other parties at your direction or with your consent.
PHI is disclosed only as permitted by the applicable BAA and HIPAA.
7. Subprocessors
Atulya engages third-party subprocessors ("Subprocessors") to support hosting, infrastructure, AI processing, security, and communications. Where Subprocessors process PHI, Atulya enters into Business Associate Agreements or equivalent contractual protections with them.
A current list of Subprocessors is available upon request by contacting support@atulya.health. Customer Organizations subject to a BAA with Atulya will receive notice of material changes to Subprocessors as specified in their respective agreement.
8. Data Security
We maintain administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. Our security program is designed to comply with HIPAA Security Rule requirements and includes:
- Encryption of data in transit using TLS and at rest using industry-standard cryptography.
- Role-based access controls and least-privilege access principles.
- Multi-factor authentication for administrative access as well as other user roles.
- Logging, monitoring, and audit trails for access to PHI.
- Periodic security reviews, vulnerability assessments, and penetration testing.
- Workforce training and access management procedures.
We cannot guarantee absolute security, but we work continuously to maintain and improve our safeguards.
Security Incident Notification
In the event of a security incident affecting information protected by this Policy, Atulya will provide notification to affected Customer Organizations, individuals, and regulators as required by applicable law and contractual obligations, including HIPAA's breach notification requirements where applicable.
9. Data Retention
We retain information for as long as necessary to provide the Services, satisfy contractual and legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of information and the applicable legal and contractual requirements.
Retention of PHI is governed by the applicable Business Associate Agreement and the instructions of the Customer Organization, not by Atulya's independent discretion. Upon termination of the Customer Organization's agreement with Atulya, Atulya will return or destroy PHI as required by the BAA.
When information is no longer needed, we delete it or render it de-identified in a manner consistent with applicable law.
10. Your Rights and Choices
10.1 General Rights
Depending on your location and the applicable law, you may have rights to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Delete your personal information, subject to legal exceptions.
- Restrict or object to certain processing.
- Receive a copy of your personal information in a portable format.
- Withdraw consent where consent is the legal basis for processing.
- Lodge a complaint with a supervisory authority.
To exercise these rights, contact us at support@atulya.health. We will respond within the timeframes required by applicable law. We may need to verify your identity before responding.
10.2 Patient Requests
If you are a Patient seeking to exercise rights regarding your health information, please contact your hospice or healthcare provider directly. They are responsible for fulfilling Patient requests under HIPAA and applicable state law. Atulya will assist Customer Organizations in responding to such requests as required by the applicable BAA.
10.3 California Residents (CCPA/CPRA)
If you are a California resident, you have the rights described above, as well as the right to:
- Know the categories and specific pieces of personal information we have collected about you.
- Know the categories of sources from which personal information was collected.
- Know the business or commercial purposes for collecting personal information.
- Know the categories of third parties with whom we share personal information.
- Limit the use of sensitive personal information (where applicable).
- Be free from discrimination for exercising your rights.
We do not sell or share personal information, and we do not use sensitive personal information for purposes that require an opt-out under CCPA/CPRA.
You may designate an authorized agent to make a request on your behalf. We will require verification of the agent's authority.
Note: information processed by Atulya in its role as a Business Associate (i.e., PHI processed on behalf of Customer Organizations) is generally exempt from CCPA/CPRA under the medical information exemption and is governed by HIPAA.
11. Cookies and Similar Technologies
We use cookies and similar technologies to support authentication, remember preferences, secure sessions, and analyze aggregate traffic on our marketing website.
We do not use third-party advertising cookies, and we do not use cross-site tracking technologies on the authenticated portions of the Services.
You can adjust browser settings to manage cookies, but certain features may not function as intended if cookies are disabled.
12. International Data Transfers
Atulya is based in the United States, and information we process is generally stored and processed in the United States. Where information is transferred from outside the United States, we use appropriate safeguards as required by applicable law, including standard contractual clauses where applicable.
13. Children's Privacy
Children as Users
The Services are intended for use by professional clinicians and administrative staff at Customer Organizations. The Services are not directed to children, and Atulya does not knowingly create User accounts for, or collect personal information directly from, children under 13 (or under the applicable age in your jurisdiction) as Users. The Children's Online Privacy Protection Act ("COPPA") and similar laws governing online collection of information from children apply to this category of data.
Children as Patients
The Services are used in hospice and end-of-life care, which may include the care of pediatric patients. Information about pediatric Patients — including infants, children, and adolescents — may be processed through the Services on behalf of Customer Organizations. This information is provided by clinicians at the Customer Organization in the course of patient care and is not collected directly from the child.
Patient information about minors is:
- Governed by HIPAA and applicable state law, not by COPPA. HIPAA's framework for the health information of minors recognizes the role of parents and guardians as personal representatives and is administered by the Customer Organization as the covered entity.
- Subject to the same protections as all other PHI processed by Atulya, including encryption, access controls, audit logging, and the terms of the applicable Business Associate Agreement.
- Controlled by the Customer Organization. Parents, guardians, or other personal representatives seeking to exercise rights regarding a minor patient's health information should contact the hospice or healthcare provider directly, not Atulya.
14. Mobile Application Privacy
This section provides additional disclosures for our mobile applications.
14.1 Permissions
Our mobile applications may request the following device permissions:
- Network access: required to communicate with Atulya servers.
- Biometric authentication (Face ID / Touch ID / fingerprint): offered as an alternative to password entry; biometric data does not leave your device.
We request permissions only when needed to deliver requested functionality. You can manage permissions through your device settings.
14.2 Data Collected by the Mobile Application
The mobile application collects and processes the same categories of information described in Section 3. We do not use mobile advertising identifiers (IDFA, AAID) and do not engage in cross-app tracking.
14.3 App Store Privacy Disclosures
Information disclosed in our App Store and Google Play privacy labels is consistent with this Policy. Where labels use category-based terminology mandated by the platform, this Policy provides additional detail.
15. Do Not Track
Some browsers offer a "Do Not Track" signal. Because no consistent industry standard exists, we do not currently respond to Do Not Track signals. We describe our actual data practices in this Policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. For material changes, we will provide additional notice as appropriate, which may include email notice or in-product notice. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
17. Contact Us
For questions about this Privacy Policy or our privacy practices, or to exercise your rights:
Atulya Health
support@atulya.health