Privacy Policy
Effective Date: April 7, 2025
Your Privacy at a Glance
- 🔒 Your health data is encrypted at rest and in transit
- 🚫 We never sell your personal or health information to third parties
- ✅ You control what you share and with whom
- 🗑️ You can request deletion of your data at any time
- 📋 We comply with applicable HIPAA requirements for Protected Health Information
1. Introduction
OnePATH Health (“OnePATH,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the OnePATH platform, application, and related services (the “Services”).
By using the Services, you agree to the practices described in this Privacy Policy. Please read it carefully. If you do not agree, please do not use the Services.
2. Information We Collect
We collect information in the following ways:
2.1 Information You Provide Directly
- Account Information: Name, email address, username, and password when you register
- Profile Information: Date of birth, gender, address, phone number, and profile photo
- Health Information: Medical history, conditions, medications, allergies, lab results, health documents, fitness data, and wellness goals that you choose to upload or enter
- Dependent Information: Information about family members or dependents you manage through the platform
- Communications: Messages sent through the platform to providers, care team members, or support
- Payment Information: Billing details for subscription plans (processed by our payment processor; we do not store full card numbers)
2.2 Information Collected Automatically
- Device Information: Device type, operating system, browser type, and unique device identifiers
- Usage Data: Pages visited, features used, session duration, and interaction patterns
- Log Data: IP address, access timestamps, and error logs
- Cookies and Similar Technologies: Session tokens and preference cookies to maintain your logged-in state and settings
2.3 Information from Third Parties
- Connected Devices: Health and fitness data from wearables and health monitors you authorize (e.g., Apple Health, Google Fit, Fitbit)
- Healthcare Providers: Clinical data shared by providers who are part of your care team on the platform
- Labs and Pharmacies: Results or records shared through integrated laboratory or pharmacy services
- Identity Verification: Information from identity verification services used during account creation
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account and provide the Services
- Display your health records, documents, and history
- Enable communication between you, your providers, and authorized care team members
- Power AI-driven health guidance, document analysis, and personalized recommendations
- Manage appointments, reminders, and calendar events
- Process payments and manage your subscription
- Send transactional notifications (appointment reminders, security alerts, system updates)
- Detect and prevent fraud, unauthorized access, and security incidents
- Comply with legal obligations, including applicable HIPAA requirements
- Improve and develop the Services through aggregated, de-identified analytics
We do not use your health information for advertising or sell it to data brokers.
4. How We Share Your Information
We do not sell, rent, or trade your personal or health information. We share information only in the following circumstances:
- At Your Direction: When you share records or grant access to providers, family members, or other authorized users through the platform's sharing features
- Service Providers: With trusted vendors who process data on our behalf (cloud hosting, payment processing, email delivery), under strict data processing agreements
- Healthcare Providers: With providers you have connected with on the platform, limited to information necessary to support your care
- Legal Requirements: When required by law, court order, or governmental authority, or to protect the rights, property, or safety of OnePATH or others
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case user data may be transferred with appropriate notice to you
- With Your Consent: In any other circumstance with your explicit consent
5. Protected Health Information and HIPAA
Certain information you store in OnePATH may constitute Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). To the extent OnePATH acts as a Business Associate in providing services to covered healthcare entities, we comply with applicable HIPAA Privacy and Security Rules.
As a personal health record platform, OnePATH also enables you to maintain your own health records as an individual. Health records you store for personal use are managed and controlled by you. We encourage you to be thoughtful about what information you store and with whom you share it.
6. Data Security
We implement industry-standard technical and organizational measures to protect your information:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS
- Encryption at Rest: Health documents and sensitive data are encrypted at rest in Azure Blob Storage and Azure FHIR-compliant data stores
- Access Controls: Role-based access controls limit which personnel can access user data, and all access is audit-logged
- Authentication: Secure JWT-based authentication with session management
- Audit Logging: Sensitive operations (document access, record sharing, account changes) are logged for security review
- Infrastructure: Hosted on Microsoft Azure with SOC 2-compliant cloud infrastructure
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If you suspect unauthorized access to your account, please contact us immediately.
7. Data Retention
We retain your information for as long as your account is active and as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:
- Account and profile information is retained while your account is active
- Health records and documents are retained at your direction; you may delete them at any time
- Audit logs are retained for a minimum of 6 years to meet applicable healthcare recordkeeping requirements
- Upon account deletion, we will remove your personal information within 90 days, except where retention is legally required
8. Your Rights and Choices
Depending on your location and applicable law, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate or incomplete information
- Deletion: Request deletion of your account and associated personal data
- Data Portability: Request export of your health data in a standard format
- Withdraw Consent: Revoke permissions for data sharing or third-party integrations at any time through your account settings
- Opt-Out of Marketing: Unsubscribe from non-essential communications at any time
To exercise these rights, visit your Account Settings or contact us at talaimo@onepathhealth.com. We will respond to verified requests within 30 days.
9. Cookies and Tracking Technologies
OnePATH uses cookies and similar technologies to maintain your session, remember your preferences, and analyze platform usage. Specifically:
- Session Cookies: Required for authentication and to maintain your logged-in state
- Preference Cookies: Store your theme and display preferences
- Analytics: We use Vercel Analytics to collect aggregated, anonymous usage data to improve the platform
We do not use third-party advertising trackers or behavioral profiling cookies. You can disable cookies in your browser, but doing so may affect platform functionality.
10. Children's Privacy
OnePATH is not intended for direct use by children under 13. Accounts must be created by adults. Parents and legal guardians may manage health information for minor dependents through their own account using the Dependents feature. If you believe a child under 13 has independently created an account, please contact us and we will promptly delete the account.
11. Third-Party Services and Integrations
The Services may contain links to or integrations with third-party services (such as device manufacturers, lab portals, or telehealth providers). This Privacy Policy does not cover the practices of third parties. We encourage you to review the privacy policies of any third-party services you connect to through OnePATH. OnePATH is not responsible for the privacy practices of third-party services.
12. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. As noted above, we do not sell personal information. To exercise your California privacy rights, contact us at talaimo@onepathhealth.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the platform and updating the effective date above. Where required by law, we will seek your consent for material changes. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
OnePATH Health — Support Team
Email: talaimo@onepathhealth.com