← Back to Home

HealthAgg Privacy Policy

Last Updated: June 14, 2025
Version: 2.2

1. Introduction

HealthAgg is a health data aggregation platform that helps you collect, organize, and understand your health information from multiple sources. We are committed to protecting your privacy and giving you control over your health data.

This Privacy Policy applies to all users of the HealthAgg platform, including veterans accessing their health records through the Department of Veterans Affairs (VA) integration.

2. Information We Collect

2.1 Personal Information

We collect the following types of personal information:

• Contact Information: Name, email address, phone number
• Account Information: Username, password, account preferences
• Health Information: Medical records, lab results, vital signs, medication data
• Activity Data: Exercise records, sleep patterns, nutrition information
• Device Data: Information from connected health devices and wearables
• Location Data: General location for weather-related health insights (optional)
• Usage Information: How you interact with our platform and features
• Financial Information: Billing and payment information for subscriptions

2.2 Health Information Sources

We collect health information from sources you authorize, including:

• Veterans Affairs (VA): Medical records, lab results, prescription data, appointment history
• Medicare: Claims data, coverage information, provider records
• Electronic Health Records (EHRs): Epic, Cerner, and other healthcare systems
• Apple Health (iOS): HealthKit data, activity metrics, vital signs, health records
• Google Health Connect (Android): Fitness data, sleep patterns, nutrition information
• Fitness Apps: Strava (activities, routes), Garmin (biometrics, workouts), Peloton (exercise data)
• Wearable Devices: Oura (sleep, recovery), Whoop (strain, recovery), smartwatches
• Medical Devices: FDA-approved health devices and glucose monitoring systems
• Lab Testing Services: Quest Diagnostics, LabCorp, and other laboratory partners
• Manual Entry: Self-reported symptoms, medications, vital signs
• Document Uploads: Medical reports, lab results, insurance documents

2.3 Automatic Data Collection

We may automatically collect certain information when you use our app:

• Device Information: Operating system, app version, device identifiers
• Usage Analytics: Features used, time spent in app, interaction patterns
• Performance Data: Crash reports, error logs, response times
• Location Data: General location (city/state) for weather-related insights (optional)

3. How We Use Your Information

3.1 Primary Uses

We use your information to:

• Provide personalized health dashboards and insights
• Generate health recommendations and tracking to help you meet your goals
• Create comprehensive health reports
• Enable you to share your data with your healthcare provider
• Improve our platform and develop new features
• Provide customer support and technical assistance

3.2 Communication

We may use your contact information to:

• Send account notifications and security alerts
• Provide customer support responses
• Send important updates about our services
• Share optional health tips and educational content

4. Data Sharing and Third Parties

4.1 When We Share Data

We only share your information in these specific circumstances:

• With Your Consent: When you explicitly authorize data sharing
• Healthcare Providers: When you choose to share reports with your doctors
• Service Providers: With trusted vendors who help operate our platform
• Legal Requirements: When required by law or to protect rights and safety
• Emergency Situations: To prevent serious harm to health or safety

4.2 Third-Party Vendors and Partners

We work with these specific types of service providers:

• Cloud Infrastructure: Google Cloud Platform (data storage, computing)
• Authentication: Firebase Authentication (Google/Alphabet Inc.)
• Database: Google Firestore (health data storage)
• Analytics: Google Analytics (usage patterns, performance monitoring)
• Payment Processing: Stripe (subscription billing and payments)
• Health Data APIs:
  • Apple HealthKit (iOS health data integration)
  • Google Health Connect (Android health data integration)
  • Strava API (fitness activity data)
  • Garmin Connect IQ (device and activity data)
  • Oura Cloud API (sleep and recovery data)
  • VA FHIR API (veterans health records)
  • Medicare (via Blue Button 2.0 API) (Medicare claims data)
• Customer Support: Zendesk (support ticket management)

4.3 Data Processing Locations

Your data is processed in the following locations:

• Primary: United States (Google Cloud Platform - US regions)
• Backup: Encrypted backups stored in multiple US data centers
• Third-Party APIs: Data retrieved from health platforms may be processed in their respective data centers

Vendor Commitments: All third-party vendors and contractors are bound to the same privacy commitments regarding your data. They cannot use or disclose your information except as necessary to provide services to HealthAgg.

4.4 No Targeted Advertising

We do not use your health information for targeted advertising or marketing purposes. We do not share your data with advertisers or marketing companies.

5. Data Security and Protection

5.1 Security Measures

We protect your information using:

• End-to-end encryption for data transmission
• AES-256 encryption for data storage
• Multi-factor authentication options
• Regular security audits and assessments
• Access controls and activity monitoring
• Secure cloud infrastructure with Google Cloud Platform

5.2 Data Breach Notification

If a data breach occurs that may affect your personal information, we will:

• Notify you within 72 hours of discovering the breach
• Explain what information was involved
• Describe what we are doing to address the breach
• Provide specific steps you can take to protect yourself
• Offer free credit monitoring if financial information was involved

6. Data Retention and Deletion

6.1 How Long We Keep Your Data

We retain your information as follows:

• Active Accounts: Data retained while your account is active
• Dormant Accounts: If your account is inactive for 3 years, we will contact you about data retention
• Closed Accounts: Data deleted within 45 days of account closure
• Legal Requirements: Some data may be retained longer if required by law

6.2 Your Right to Data Deletion

How to Request Data Deletion:

• Log into your account and go to Settings > Privacy
• Click "Delete My Account and Data"

What Happens When You Request Deletion:

• We will permanently delete 100% of your data, including all health information
• This includes data from all connected sources and services
• Deletion will be completed within 45 days of your request
• We will send you confirmation when deletion is complete
• Some anonymized usage statistics may be retained for platform improvement

7. Your Privacy Rights and Controls

7.1 Access and Control

You have the right to:

• Access all personal information we have about you
• Update or correct your personal information
• Download a copy of your data in a standard format
• Control which data sources are connected to your account
• Choose what information to share with healthcare providers
• Opt out of non-essential communications

7.2 Consent Management

You can manage your privacy preferences by:

• Reviewing and updating consent settings in your account
• Disconnecting data sources you no longer want to use
• Controlling who can access your shared health reports
• Setting communication preferences

8. Children's Privacy

HealthAgg is not designed for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover we have collected information from a child under 13, we will delete it immediately.

For users between 13-17 years old, parental consent may be required depending on state laws.

9. Business Changes and Data Transfer

9.1 Ownership Transfer

If HealthAgg is acquired, merged, or sold, your options will include:

• Secure Data Transfer: Download and securely transfer your health information
• Policy Consistency: New owners must maintain privacy policies consistent with this policy
• Account Closure: Close your account and delete your data before the transfer

We will notify you at least 30 days before any ownership change and provide clear instructions for your options.

9.2 Service Discontinuation

If we discontinue HealthAgg services, we will:

• Provide 90 days advance notice
• Offer tools to download all your data
• Assist in transferring data to alternative platforms
• Securely delete all remaining data after the transition period

10. International Users

HealthAgg operates primarily in the United States. If you access our services from outside the US, your information may be transferred to and stored in the United States. By using our services, you consent to this transfer.

11. HIPAA Compliance and Security

11.1 HIPAA Compliance

HealthAgg operates as a HIPAA-covered entity and implements all required safeguards:

• Administrative Safeguards: Privacy officers, workforce training, access management, and incident response procedures
• Physical Safeguards: Secure data centers, workstation controls, device and media controls
• Technical Safeguards: Access controls, audit logs, integrity controls, transmission security
• Business Associate Agreements: All third-party vendors sign BAAs and comply with HIPAA standards

11.2 Security Standards

We maintain industry-leading security certifications and practices:

• SOC 2 Type II Compliance: Annual audits of security controls
• Encryption Standards: AES-256 for data at rest, TLS 1.3 for data in transit
• Infrastructure Security: Google Cloud Platform with 99.9% uptime SLA
• Penetration Testing: Quarterly security assessments by third-party firms
• Zero Trust Architecture: Multi-factor authentication and principle of least privilege

12. State Privacy Rights

12.1 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act:

• Right to Know: Request categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information with certain exceptions
• Right to Opt-Out: We do not sell personal information, but you can opt-out of certain data uses
• Right to Non-Discrimination: Equal service regardless of exercising privacy rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use: Limit use of sensitive personal information

To exercise these rights, contact privacy@healthagg.com or call 1-800-HEALTHAGG.

12.2 Other State Privacy Laws

We comply with privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states. Residents of these states have similar rights to access, correct, delete, and port their data.

13. International Data Transfers

13.1 Data Location

Your data is primarily stored in the United States. If you access HealthAgg from outside the US:

• Your data may be transferred to and processed in the United States
• We use Standard Contractual Clauses for international transfers
• We comply with applicable data protection laws in your jurisdiction

13.2 Regional Compliance

• GDPR (European Union): Full compliance with data subject rights, lawful basis for processing, and data protection principles
• PIPEDA (Canada): Compliance with Canadian privacy principles and consent requirements
• LGPD (Brazil): Compliance with Brazilian data protection requirements

14. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make changes:

• We will notify all users via email and in-app notifications
• We will post the updated policy with a new "Last Updated" date
• Material changes will be highlighted and explained
• You will have 30 days to review changes before they take effect
• Continued use of our services after the effective date constitutes acceptance

15. Contact Information

16. Mobile App Store Compliance

16.1 Google Play Store Health Apps Declaration

In compliance with Google Play Store policies, we declare that HealthAgg:

• App Category: Health & Fitness
• Health Features: Health data aggregation, fitness tracking integration, health metrics visualization
• Medical Claims: Makes no medical diagnosis, treatment, or cure claims
• Target Users: General consumers seeking to organize their health information
• Data Collection: Collects health and fitness data with explicit user consent
• Research Activities: Does not conduct human subject research
• Medical Device Status: Not a medical device, not FDA-regulated

16.2 Apple App Store Health Information

For iOS users accessing HealthKit data:

• All HealthKit data access requires explicit user permission
• Data is used solely for the stated purpose of health data aggregation
• HealthKit data is not shared with third parties without additional consent
• Users can revoke HealthKit permissions at any time in iOS Settings

17. Regulatory Compliance

HealthAgg complies with:

• Health Insurance Portability and Accountability Act (HIPAA)
• Department of Veterans Affairs privacy requirements
• Medicare and CMS privacy requirements
• State and federal health information privacy laws
• International data protection regulations (GDPR, PIPEDA, LGPD)
• Google Play Store developer policies
• Apple App Store Review Guidelines

© 2025 HealthAgg. All rights reserved.