Privacy Policy
Effective Date: March 1, 2026 · Last Updated: March 1, 2026
Pneuma Health, LLC (“Pneuma Health,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our telehealth platform, website, and services (the “Platform”).
We comply with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and applicable state privacy laws, including the Colorado Privacy Act.
1. Information We Collect
a. Personal Information
When you register for an account or use our services, we collect:
- Full name, date of birth, email address, phone number
- Mailing address (for device shipping)
- Account credentials (password, MFA settings)
b. Protected Health Information (PHI)
In the course of providing telehealth services, we collect:
- Health screening responses (STOP-BANG, Epworth Sleepiness Scale)
- Medical history, comorbidities, and current medications
- Home sleep apnea test (HSAT) results (AHI, ODI, SpO2, sleep staging data)
- Physician notes, diagnoses, and treatment plans
- Prescription information and DME fulfillment records
- Insurance information (if applicable)
c. Technical & Usage Information
- Device type, browser, operating system, and IP address
- Pages visited, features used, and interaction patterns
- Cookies and similar tracking technologies (see Section 7)
d. Payment Information
Payment card details are collected and processed directly by our payment processor, Stripe. Pneuma Health does not store your full credit card number on our servers.
2. How We Use Your Information
We use your information to:
- Provide and coordinate your telehealth care, including HSAT ordering and prescription fulfillment
- Communicate with you about your care (appointment reminders, test results, treatment updates)
- Verify your identity and secure your account
- Process payments and manage billing
- Improve the Platform’s functionality and user experience
- Comply with legal and regulatory requirements
- Conduct internal quality assurance and clinical audits
3. How We Share Your Information
We do not sell your personal information or PHI. We may share your information only in the following circumstances:
a. For Treatment, Payment, and Healthcare Operations
- Treating Physicians: Licensed physicians reviewing your screening results, HSAT data, and medical history to make clinical decisions.
- DME Partners: Contracted durable medical equipment providers (e.g., for CPAP/APAP fulfillment) receive only the information necessary to process your prescription and ship your device.
- HSAT Device Manufacturer: Itamar Medical receives limited information necessary to facilitate your home sleep test.
b. Service Providers
- Stripe: Payment processing
- SendGrid: Transactional email delivery
- Twilio: SMS-based multi-factor authentication
- Vercel Analytics: Anonymous usage analytics (no PHI)
All service providers are bound by data processing agreements and, where applicable, Business Associate Agreements (BAAs) as required under HIPAA.
c. Legal Requirements
We may disclose information when required by law, regulation, legal process, or governmental request, or when necessary to protect the rights, safety, or property of Pneuma Health, our users, or the public.
4. Data Security
We implement robust technical and administrative safeguards to protect your information:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
- Encryption at rest: Sensitive PHI fields (phone number, date of birth, address) are encrypted using AES-256-GCM before storage.
- Access controls: Role-based access ensures that only authorized personnel can access patient data.
- Multi-factor authentication: Required for all patient accounts.
- Audit logging: All access to PHI is logged for security monitoring and compliance.
- Secure infrastructure: Our servers are hosted on SOC 2-compliant cloud infrastructure.
5. Your Rights
Under HIPAA and applicable state law, you have the right to:
- Access: Request a copy of your health records and personal data.
- Amendment: Request correction of inaccurate health information.
- Accounting of Disclosures: Request a list of certain disclosures of your PHI.
- Restriction: Request restrictions on certain uses or disclosures of your PHI.
- Confidential Communications: Request that we communicate with you through specific channels.
- Data Portability: Receive your data in a structured, commonly used format.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
To exercise any of these rights, contact us at privacy@sleepvault.ai. We will respond within 30 days.
6. Data Retention
We retain your personal information and medical records for the minimum period required by applicable law. In Colorado, medical records must be retained for a minimum of seven (7) years from the date of last treatment. After the retention period, data is securely deleted or de-identified.
7. Cookies & Tracking
We use the following types of cookies and tracking technologies:
- Essential cookies: Required for authentication, session management, and security (e.g., JWT tokens).
- Analytics cookies: Vercel Analytics collects anonymous usage data to help us improve the Platform. No PHI is included.
- Affiliate tracking: If you arrive via a referral link, a cookie may be set to attribute your registration to the referring partner. No health information is shared with affiliate partners.
You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Platform.
8. Children’s Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
9. State-Specific Rights
Colorado Privacy Act
Colorado residents have additional rights under the Colorado Privacy Act (CPA), including the right to opt out of targeted advertising, profiling, and the sale of personal data. Pneuma Health does not sell personal data or engage in targeted advertising based on health information.
California (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. Note that HIPAA-covered health information is exempt from CCPA. For non-health data inquiries, contact us at the address below.
10. Changes to This Policy
We may update this Privacy Policy periodically. If we make material changes, we will notify you by email or through a prominent notice on the Platform. Your continued use after notification constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, contact us at:
Pneuma Health, LLC
Privacy Officer
Email: privacy@sleepvault.ai
General: support@sleepvault.ai
12. HIPAA Notice
This Privacy Policy supplements, but does not replace, our Notice of Privacy Practices (NPP) as required under HIPAA. The NPP describes in detail how your medical information may be used and disclosed. You will receive the NPP during the onboarding process.
13. Additional Disclosures for California Residents
This section provides additional information required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), for California residents.
Categories of Personal Information Collected
- Identifiers: Name, email, phone number, mailing address, IP address, account ID.
- Personal information (Cal. Civ. Code 1798.80): Date of birth, insurance information, payment card details (processed by Stripe).
- Protected health information: Sleep test results (AHI scores, oxygen levels, sleep staging), screening scores (STOP-BANG, Epworth), prescriptions, CPAP compliance data, clinical notes, telehealth visit records.
- Internet or network activity: Browsing history, pages visited, feature interactions (only with your consent via analytics cookies).
- Geolocation data: Approximate location derived from IP address (not precise GPS).
Sensitive Personal Information
We collect the following categories of sensitive personal information as defined under CCPA § 1798.140(ae):
- Health data (sleep study results, medical diagnoses, treatment information)
This information is collected and processed solely for providing medical services, as permitted under CCPA § 1798.121(d). You have the right to limit the use of your sensitive personal information to what is necessary for providing our services. You can exercise this right in your account privacy settings.
Purposes for Collection
- Providing sleep apnea diagnosis and treatment services
- Processing payments and insurance verification
- Communicating with you about your care
- Improving our services (with your consent)
- Complying with legal obligations (HIPAA, state regulations)
- Detecting security incidents and preventing fraud
Sale and Sharing of Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes. We share personal information with service providers solely for the purposes described in this policy, under written contracts that prohibit them from retaining, using, or disclosing your information except as necessary to perform services for us.
Your Rights Under CCPA
As a California resident, you have the right to:
- Know what personal information we collect, use, and disclose about you.
- Delete your personal information (subject to certain exceptions).
- Correct inaccurate personal information.
- Opt out of the sale or sharing of your personal information (we do not sell or share your data).
- Limit the use of your sensitive personal information to what is necessary for providing services.
- Not be discriminated against for exercising any of these rights.
How to Exercise Your Rights
- Limit sensitive data use: Visit your privacy settings and enable “Limit use of my health data.”
- Opt out via GPC: We honor the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we automatically apply your opt-out preference.
- Delete your account: Visit your profile settings and select “Delete Account.”
- Other requests: Email privacy@pneumahealth.com with your request. We will respond within 45 days.
Retention
We retain your health information for a minimum of 7 years as required by applicable medical record retention laws. Other personal information is retained for as long as your account is active or as needed to provide services, comply with legal obligations, and resolve disputes.