Privacy Policy
Effective date: April 13, 2026
At Hekavor, we take your privacy seriously.
Hekavor processes your information on behalf of your Health Care Provider who is our customer and a 'Covered Entity' under the Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (the "HITECH Act"), and related regulations promulgated by the Secretary (together HIPPA). Hekavor may also separately use limited, de-identified information to provide, improve and maintain its Services.
We share a commitment with Covered Entities (such as your Health Care Provider) to protect the privacy and confidentiality of Protected Health Information (PHI) that we obtain subject to the terms of a Business Associate Agreement (BAA).
Currently, Hekavor Services are intended for use by residents of the State of California in the United States, and this Privacy Policy is designed to comply with applicable California privacy laws. Our Privacy Policy is printable.
By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy. Remember that your use of Hekavor Services is at all times subject to our Terms of Service (hekavor.com/termsofservice), which incorporates this Privacy Policy. Any terms we use in this Policy without defining them have the definitions given to them in the Terms of Service.
Our Services are session-based and are intended for use in connection with the services provided by your Health Care Provider. We are constantly improving our Services, and we may need to change this Privacy Policy from time to time. You are required to review and accept the then-current version of this Privacy Policy each time you access or use our Services. Your acceptance at the time of use will govern that session.
Privacy Policy Table of Contents
- What this Privacy Policy Covers
- Personal Data
- Categories of Personal Data We Collect
- Use and disclosure of PHI
- Our Commercial or Business Purposes for Collecting Personal Data
- Other Permitted Purposes for Processing Personal Data
- Categories of Sources of Personal Data
- How We Disclose Your Personal Data
- Tracking Tools
- Data Security
- Data Retention
- Personal Data of Children
- U.S. State Privacy Rights
- Contact Information
What this Privacy Policy Covers
Our role in relation to your Personal Data depends on the context in which it is processed. Where we provide our Services to Health Care Providers, we process Personal Data on their behalf. In certain limited circumstances, we may also process Personal Data independently such as where we use de-identified or aggregated data to improve and maintain our Services, or where permitted by applicable law. This Privacy Policy does not apply to the practices of third parties, including Health Care Providers, that we do not own or control.
Personal Data
"Personal Data" means any information that identifies or relates to a particular individual and also includes information referred to as "personally identifiable information" or "personal information" or "sensitive personal information" under applicable data privacy laws, rules or regulations.
Categories of Personal Data We Collect
This chart details the categories of Personal Data that we collect and have collected over the past 12 months:
| Category of Personal Data (and Examples) | Business or Commercial Purpose(s) for Collection | Categories of Third Parties With Whom We Disclose this Personal Data |
|---|---|---|
| Health Data such as medical conditions, weight, height, health or exercise activity monitoring, genetic data, or any information concerning a patient's health, including information about a mental or physical health condition or diagnosis. |
|
|
| Consumer Demographic Data such as age and/or date of birth, gender, race, ethnicity, and sex life or sexual orientation. |
|
|
| Device/IP Data such as IP address, device ID, domain server, mobile related data, and type of device/ operating system/ browser used to access the Services. |
|
|
| Web Analytics such as web page interactions, referring webpage/source through which you accessed the Services, non-identifiable request IDs, and statistics associated with the interaction between device or browser and the Services. |
|
|
| Geolocation Data such as IP-address-based location information, and GPS data. |
|
|
Categories of Data Considered "Sensitive" Under California State Privacy Laws such as:
|
|
|
| Other Identifying Information that You Voluntarily Choose to Provide such as emails, letters, texts, or other communications you send us. |
|
|
Use and disclosure of PHI
- Your PHI and certain contact information such as name, email, phone number may be shared between your Health Care Provider and Hekavor for us to fulfil our service obligations to them. PHI includes health data such as such as medical conditions, weight, height, health or exercise activity monitoring, genetic data, or any information concerning a patient's health, including information about a mental or physical health condition or diagnosis.
- We may use PHI for providing, improving, customizing and maintaining Services to the Health Care Provider, and on a de-identified basis for data aggregation, and for legal obligations, to the extent such use of PHI is permitted or required by the BAA and not prohibited by law. We may use the contact information for corresponding with you.
- We do not collect PHI or contact information for the purpose of inferring characteristics about you or for marketing the Services.
Our Commercial or Business Purposes for Collecting Personal Data
- Providing, Customizing, Improving and Maintaining the Services
- Meeting or fulfilling the purpose for which you provided the information, namely to facilitate health intake, record symptoms, and assist Health Care Providers by generating potential diagnostic insights when you use our clinical assistant.
- Providing support, maintenance and assistance for the Services.
- Improving and customizing the Services, including testing, research, internal analytics and product development.
- Doing fraud protection, security and debugging.
- Carrying out other business purposes stated when collecting your Personal Data or as otherwise set forth in applicable data privacy laws, such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020.
- We use automated processing technologies on your Personal Data (which may include PHI) to operate our clinical assistant features. This processing analyses information you provide, such as symptoms, medical history, and other inputs, to generate health-related insights and potential diagnostic support for your Health Care Provider. Such processing is used to support clinical decision-making and care coordination and may involve analyses that could be considered significant to your care. Because automated processing is integral to the functioning of the clinical assistant, there is no full opt-out from such processing while continuing to use this feature. If you wish to opt-out of such use of your PHI, please do not use the clinical assistant feature or contact your Health Care Provider for assistance. Please note that opting out may prevent your ability to access or use certain features of the Services. Our Services provide decision-support tools only and do not replace professional medical judgment. All diagnoses and treatment decisions are made by your Health Care Provider.
- Corresponding with You
- Responding to correspondence that we receive from you, contacting you when necessary or requested, and sending you information about Hekavor or the Services.
Other Permitted Purposes for Processing Personal Data
In addition, each of the above referenced categories of Personal Data may be collected, used, and disclosed with the government, including law enforcement, or other parties to meet certain legal requirements and enforcing legal terms including: fulfilling our legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities; protecting the rights, property or safety of you, Hekavor or another party; enforcing any agreements with you; responding to claims that any posting or other content violates third-party rights; and resolving disputes.
We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated or incompatible purposes without providing you notice or obtaining your consent.
Categories of Sources of Personal Data
We collect Personal Data about you from the following categories of sources:
- You
- When you provide such information directly to us.
- When you use our AI-assisted clinical assistant (hereinafter "clinical assistant") and Services.
- When you voluntarily provide information in free-form text boxes through the Services or through responses to conversations with the clinical assistant, surveys or questionnaires.
- When you send us an email or otherwise contact us.
- When you use the Services and such information is collected automatically.
- Through Cookies (see section below).
- If you use a location-enabled browser, we may receive information about your location and device, as applicable.
- When you provide such information directly to us.
- Third Parties
- Health Care Providers
- Some of your contact information, Consumer Demographic Data, contact information, Health Data and Sensitive Data collected by your Health Care Provider may be transmitted to us.
- Vendors
- We may use analytics providers to analyze how you interact and engage with the Services, or third parties may help us provide you with customer support.
- Health Care Providers
How We Disclose Your Personal Data
We disclose your Personal Data to the categories of business partners and service providers and other parties listed in this section:
- Business Partners. Your Health Care Provider on behalf on whom we process your Personal Data.
- Service Providers. These parties help us provide the Services or perform business functions on our behalf. They include:
- Hosting, technology and communication providers.
- Analytics providers for web traffic or usage of our Services.
- Security and fraud prevention consultants.
- Support and customer service vendors.
Legal Obligations
We may disclose any Personal Data that we collect with third parties in conjunction with any of the activities set forth under "Other Permitted Purposes for Processing Personal Data" section above.
Business Transfers
All of your Personal Data that we collect may be transferred to a third party if we undergo a merger, acquisition, bankruptcy or other transaction in which that third party assumes control of our business (in whole or in part).
Data that is Not Personal Data
We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user. We may use such aggregated, de-identified or anonymized data and disclose it with third parties for our lawful business purposes, including to analyze, build, train and improve the Services and promote our business, provided that we will not disclose such data in a manner that could identify you.
Tracking Tools
The Services use cookies and similar technologies such as pixel tags, web beacons, clear GIFs and JavaScript (collectively, "Cookies") to enable our servers to recognize your web browser, tell us how and when you visit and use our Services, analyze trends, learn about our user base and operate and improve our Services. Cookies are small pieces of data- usually text files - placed on your computer, tablet, phone or similar device when you use that device to access our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).
Please note that because of our use of Cookies, the Services do not support "Do Not Track" requests sent from a browser at this time.
We use the following types of Cookies:
- Essential Cookies. Essential Cookies are required for providing you with features or services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies may make certain features and services unavailable.
- Functional Cookies. Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time and recognize you when you return to our Services. These Cookies help us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
You can decide whether or not to accept Cookies through your internet browser's settings. Most browsers have an option for turning off the Cookie feature, which will prevent your browser from accepting new Cookies, as well as (depending on the sophistication of your browser software) allow you to decide on acceptance of each new Cookie in a variety of ways. You can also delete all Cookies that are already on your device. If you do this, however, you may have to manually adjust some preferences every time you visit our website and some of the Services and functionalities may not work. To find out more information about Cookies generally, including information about how to manage and delete Cookies, please visit http://www.allaboutcookies.org/
Data Security
We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by keeping your secure access link which is sent to you from your Health Care Provider via Hekavor private and confidential; keeping your conversation with the clinical assistant private and confidential; and limiting access to your computer or device and browser. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.
Data Retention
We retain Personal Data about you for as long as necessary to provide you with our Services or to perform our business or commercial purposes for collecting your Personal Data. When establishing a retention period for specific categories of data, we consider who we collected the data from, our need for the Personal Data, why we collected the Personal Data, and the sensitivity of the Personal Data. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
Personal Data of Children
As noted in the Terms of Service, our Services are intended solely for individuals who are at least 18 years of age. We do not knowingly collect or solicit Personal Data from minors/children under 18 years of age; if you are a minor/child under the age of 18, please do not attempt to register for or otherwise use the Services or send us any Personal Data. If we learn we have collected Personal Data from a minor/child under 18 years of age, we will delete that information as quickly as possible. If you believe that a minor/child under 18 years of age may have provided Personal Data to us, please contact us at contact@hekavor.com.
U.S. State Privacy Rights
As a California resident, you have certain rights in relation to your Personal Data under applicable California privacy laws, including the California Consumer Privacy Act, as amended. Please note that your rights may be subject to certain conditions or exceptions in accordance applicable laws.
Please note that we may process Personal Data of our customers' end users in connection with our provision of certain services for our customers. We are processing your Personal Data as a service provider and you should contact your Health Care Provider in the first instance to address your rights including the right to opt-out of certain uses with respect to such data. If you have any questions about this section, please contact us at contact@hekavor.com.
As provided in the BAA, we will make available to your Health Care Provider, information necessary for them to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations. Upon request, we will make our internal practices, books, and records including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by us on behalf of a Health Care Provider available to the Health Care Provider or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.
Incident reporting: In the event of a data breach or security incident affecting Personal Data/PHI, we will notify you and cooperate with you in accordance with our incident response procedures and applicable law.
"Selling," "Sharing," or "Targeted Advertising"
We do not sell, share, or process your Personal Data for the purposes of targeted advertising, and have not done so over the last 12 months. To our knowledge, we do not sell or share the Personal Data of minors under 18 years of age.
Processing of Sensitive Personal Data
As per applicable California privacy laws, please note that our use and disclosure of Sensitive Data are limited to the permitted uses as per applicable California privacy laws and CCPA regulations, including: 1) performing the services or providing the goods reasonably expected, 2) preventing, detecting, and investigating security incidents, 3) resisting malicious, deceptive, fraudulent, or illegal actions, 4) ensuring physical safety of natural persons, 5) for short-term transient use, 6) performing services on behalf of the business, 7) verifying or maintaining quality or safety of a product or service, and 8) collecting or processing Sensitive Personal Data but not for the purpose of inferring characteristics. We do not offer the right to limit the use and disclosure of sensitive data because we only use sensitive data for permitted purposes. Further, to the best of our knowledge we do not collect sensitive data from a known child under 18 years of age.
Anti-Discrimination
We will not discriminate against you for exercising your rights under applicable privacy laws. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under applicable privacy laws.
State-Specific Privacy Rights
Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Data to third parties for such third parties' direct marketing purposes; in order to submit such a request, please contact us at contact@hekavor.com.
Contact Information
If you have any questions or comments about this Privacy Policy, the ways in which we collect and use your Personal Data or your choices and rights regarding such collection and use, please do not hesitate to contact us at contact@hekavor.com.