Privacy Policy

Last Updated: April 2026

⚠ Attorney Review Notice: This Privacy Policy is provided as a template. AvataCore recommends that this policy be reviewed by a licensed healthcare attorney and a HIPAA compliance officer before deployment. HIPAA requirements vary based on the specific role your organization plays in the healthcare ecosystem.

🔒 HIPAA Commitment: AvataCore is committed to protecting your health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable state privacy laws. We maintain robust administrative, technical, and physical safeguards for all Protected Health Information (PHI).

1. Introduction & Scope

AvataCore, LLC ("AvataCore," "we," "our," or "us") operates the website avatacore.com and provides technology-enabled telehealth coordination services. This Privacy Policy describes how we collect, use, share, and protect your personal information and protected health information (PHI) when you:

  • Visit our website at avatacore.com
  • Create an account or register for our services
  • Submit a health intake form or questionnaire
  • Communicate with us via email, phone, or our patient portal
  • Subscribe to any of our telehealth coordination plans

This Policy applies to all information collected through our Services. By using our Services, you agree to the collection and use of information as described in this Policy. This Policy should be read alongside our Terms of Service.

AvataCore acts as a technology and care coordination platform. Independent licensed healthcare providers who serve our patients are covered entities under HIPAA and maintain their own Notice of Privacy Practices. AvataCore serves as a Business Associate to those covered entities, as described below.

2. HIPAA & Business Associate Status

Business Associate Agreements (BAAs)

Under HIPAA, AvataCore functions as a Business Associate to the independent licensed healthcare providers (Covered Entities) who use our platform to deliver care to patients. In this capacity:

  • We have executed HIPAA-compliant Business Associate Agreements with all covered entities whose PHI we handle
  • We are bound by HIPAA's Privacy Rule and Security Rule requirements as they apply to Business Associates
  • We use and disclose PHI only as permitted by our BAAs and applicable law
  • We have implemented the required administrative, technical, and physical safeguards under the HIPAA Security Rule
  • We require all our downstream subcontractors who access PHI to execute sub-BAAs

The independent healthcare providers serving you through our platform are covered entities under HIPAA and maintain their own Notice of Privacy Practices. Please request a copy from your provider directly.

In addition to HIPAA, we comply with applicable state telehealth and privacy laws, including but not limited to California's Confidentiality of Medical Information Act (CMIA), and other state-specific medical privacy statutes.

3. Information We Collect

3.1 Personal Identifying Information

We collect the following personal information when you register or interact with our Services:

  • Full legal name and date of birth
  • Email address and phone number
  • Mailing and shipping address (must be a valid US address)
  • State of residence (for provider licensing compliance)
  • Account credentials (username, hashed password, authentication tokens)

3.2 Payment & Financial Information

  • Credit/debit card type and last four digits (we do not store full card numbers)
  • Billing address
  • Payment processor transaction identifiers
  • Subscription history and billing records

Payment processing is handled by PCI-DSS compliant third-party processors. Full payment card data is transmitted directly to and stored by those processors.

3.3 Protected Health Information (PHI)

As part of providing telehealth coordination services, we collect and maintain the following PHI:

  • Medical history, pre-existing conditions, and diagnoses
  • Current and past medications, supplements, and allergies
  • Height, weight, body mass index (BMI), and vital measurements
  • Responses to health intake questionnaires and screening tools
  • Provider consultation notes, clinical assessments, and treatment plans
  • Prescription records and dosing information
  • Pharmacy dispensing and shipping records
  • Progress check-ins, symptom reports, and follow-up communications
  • Photographs submitted for clinical evaluation (when applicable)

3.4 Technical & Usage Information

We automatically collect certain technical data when you use our Services:

  • IP address and approximate geographic location (country/state level)
  • Browser type, version, and operating system
  • Device type and identifiers
  • Pages visited, links clicked, and time spent on pages
  • Referring URLs and exit pages
  • Error logs and crash reports

4. How We Use Your Information

We use your information for the following purposes, which are consistent with HIPAA's permitted uses and disclosures:

  • Treatment Coordination: Facilitating connections between you and independent licensed healthcare providers; transmitting your health information to providers for clinical evaluation; coordinating prescription transmission to dispensing pharmacies.
  • Payment Processing: Processing your subscription payments; managing billing, refunds, and subscription changes; maintaining financial records for tax and legal compliance.
  • Healthcare Operations: Quality improvement activities; clinical protocol development; compliance monitoring; staff training; ensuring appropriate patient safety oversight.
  • Communications: Sending intake confirmations, prescription updates, shipment tracking, and care instructions; responding to your inquiries and support requests; sending important account and service notifications.
  • Legal & Regulatory Compliance: Meeting obligations under HIPAA, HITECH, state telehealth laws, DEA regulations, state pharmacy regulations, and other applicable laws.
  • Fraud Prevention & Security: Detecting, investigating, and preventing fraudulent or unauthorized account activity; protecting the integrity of our platform and patient safety.
  • Service Improvement: Analyzing aggregate, de-identified usage data to improve our platform, user experience, and clinical workflows.

5. Information Sharing

We share your information only in the following circumstances and only to the extent necessary for each purpose:

  • Independent Healthcare Providers: Your health information is shared with the licensed telehealth providers (facilitated through OpenLoop Health's provider network) who evaluate your eligibility and provide clinical services. These providers are covered entities under HIPAA and are bound by their own privacy obligations.
  • Compounding Pharmacies: Prescription and relevant health information is shared with licensed 503B compounding pharmacies to fulfill your prescription order. These pharmacies are also bound by applicable HIPAA and state pharmacy privacy laws.
  • Payment Processors: Billing and payment information is shared with PCI-DSS compliant payment processors (such as Stripe) to process transactions. These processors are bound by their own privacy and security obligations.
  • Technology Service Providers (Business Associates): We use third-party services for EHR functionality, secure messaging, cloud hosting, and analytics. All vendors who access PHI are required to execute HIPAA Business Associate Agreements and implement appropriate safeguards.
  • Legal Requirements: We may disclose information when required by law, court order, subpoena, or government regulation; to law enforcement in connection with a valid legal process; or when necessary to protect the rights, property, or safety of AvataCore, our patients, or the public.
  • Emergency Situations: We may disclose PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, as permitted by HIPAA.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred. You will be notified via email or a prominent notice on our website, and you will have rights with respect to that transfer as required by applicable law.
  • With Your Consent: In any other circumstance, we will obtain your explicit prior written consent before sharing your PHI.

6. What We DON'T Do

AvataCore commits to never doing the following:

  • Sell, rent, or lease your personal information or protected health information to any third party
  • Share your information with advertisers, ad networks, or data brokers
  • Use your health information for non-treatment commercial purposes
  • Use your PHI for targeted advertising or marketing without your explicit consent
  • Share your data with employers, insurance companies, or government agencies except as required by law
  • Use de-identified data in ways that could reasonably re-identify you
  • Contact you with unsolicited marketing messages unrelated to your care (you may opt out of non-clinical communications at any time)
  • Share your prescription history with any party not involved in your care

7. Data Security

We implement comprehensive administrative, technical, and physical safeguards to protect your information:

Encryption at Rest

AES-256 encryption for all stored data, including PHI and personal information

Encryption in Transit

TLS 1.3 encryption for all data transmitted between your device and our servers

Access Controls

Role-based access controls ensuring PHI is accessible only to authorized personnel with a legitimate need

Multi-Factor Authentication

Required for all staff and provider access to systems containing PHI

Security Audits

Regular third-party security assessments and penetration testing

HIPAA-Compliant Infrastructure

Hosted on SOC 2 Type II certified cloud infrastructure with HIPAA compliance controls

Employee Training

Ongoing HIPAA training for all personnel who handle PHI

Breach Response Plan

Documented incident response procedures including HIPAA Breach Notification Rule compliance

Despite our best efforts, no security system is impenetrable. If a breach of unsecured PHI occurs, we will notify you (and, where we act as a Business Associate, the affected covered entity) as required by the HIPAA Breach Notification Rule, without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, and by applicable state breach notification laws, some of which set shorter deadlines.

8. Data Retention

Data Type                      Retention Period                              Basis
Medical records & PHI          Minimum 7 years from last date of service     HIPAA; state medical records laws (may vary)
Prescription records           Minimum 7 years                               State pharmacy & DEA regulations
Personal account data          Duration of account + 2 years after closure   Business necessity; legal compliance
Payment & billing records      7 years                                       IRS & tax regulations
Technical/usage logs           90 days (security logs: 1 year)               Security & fraud prevention
Marketing communications data  Until opt-out + 30 days                       CAN-SPAM; consent records

After applicable retention periods expire, data is securely deleted using media sanitization methods consistent with NIST SP 800-88 guidance. Some data may be retained longer if required by applicable law, pending litigation, or a regulatory investigation.

9. Your Rights Under HIPAA

Under HIPAA and applicable state laws, you have the following rights with respect to your protected health information:

Right to Access

You have the right to inspect and receive a copy of your PHI that is in our possession. We will provide access within 30 days of a written request (or 60 days if an extension is needed, with notice). We may charge a reasonable cost-based fee for copies.

Right to Amendment (Correction)

You have the right to request that we correct inaccurate or incomplete PHI. We will respond within 60 days. We may deny the request with written explanation in certain circumstances (e.g., if the record was not created by us).

Right to Accounting of Disclosures

You have the right to receive a list of disclosures we have made of your PHI, other than disclosures for treatment, payment, or healthcare operations. We will provide this list for the 6 years prior to your request.

Right to Restriction

You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to all requested restrictions, but we must comply if you request we not disclose PHI to a health plan for payment purposes and you have paid out-of-pocket in full.

Right to Confidential Communications

You have the right to request that we communicate with you through alternative means or at alternative locations (e.g., email rather than phone). We will accommodate reasonable requests.

Right to Deletion

You may request deletion of your non-PHI personal data. Note that PHI in medical records must be retained for the periods required by applicable law, even upon your request for deletion.

Right to File a Complaint

If you believe we have violated your privacy rights, you have the right to file a complaint with us (without fear of retaliation) or directly with the U.S. Department of Health and Human Services, Office for Civil Rights.

To exercise any of these rights, submit a written request to: admin@avatacore.com

To file a complaint with HHS: hhs.gov/hipaa/filing-a-complaint

10. California & State Privacy Rights (CCPA)

California Residents: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents with additional rights regarding their personal information.

Note: Health information regulated under HIPAA or California's Confidentiality of Medical Information Act (CMIA) is generally exempt from CCPA. The CCPA rights described below apply to personal information not covered by HIPAA or CMIA.

CCPA Rights

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You have the right to request deletion of personal information we have collected, subject to certain exceptions (e.g., information needed to complete transactions or comply with legal obligations).
  • Right to Opt-Out of Sale or Sharing: AvataCore does not sell your personal information and does not share it for cross-context behavioral advertising. You have the right to opt out if this practice were ever to change.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights (e.g., by denying services or charging different prices).
  • Right to Correct: You have the right to request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: To the extent we collect sensitive personal information (such as health data not covered by HIPAA), you have the right to limit its use to purposes necessary to perform the Services.

Other State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other states with comprehensive privacy laws may have similar rights to those described above. We are committed to honoring applicable state privacy rights. Contact us at admin@avatacore.com to exercise any state privacy rights.

Authorized Agents: California residents may designate an authorized agent to submit requests on their behalf. We will require verification of both the agent's authorization and the consumer's identity.

Verification: We will verify your identity before processing deletion or access requests to protect your privacy and security.

11. Cookie Policy

Our website uses cookies and similar tracking technologies (such as web beacons and pixel tags) to enhance your experience and understand how our Services are used.

Strictly Necessary Cookies

Required for the website to function. These cannot be disabled. They include cookies for authentication, session management, and security. They do not collect information that could be used for marketing.

Analytics Cookies

We use Google Analytics (with IP anonymization enabled) and similar tools to understand how visitors use our site. This helps us improve performance and user experience. These cookies collect aggregate, anonymized data.

Functional Cookies

These cookies remember your preferences (such as language and region) to provide a more personalized experience.

Marketing Cookies

We may use limited marketing cookies on non-health pages to understand the effectiveness of our advertising. We do not place advertising or tracking cookies on any page where you enter personal health information or PHI.

Managing Cookies: Most web browsers allow you to control cookies through their settings. You can also opt out of Google Analytics at tools.google.com/dlpage/gaoptout. Disabling certain cookies may affect the functionality of our Services.

We do not honor Do Not Track (DNT) signals at this time as there is no industry-standard interpretation of DNT. However, you may use browser extensions or settings to limit tracking.

12. Children & Minors

Our Services are intended solely for individuals 18 years of age and older. We do not knowingly collect personal information from individuals under 18. If we become aware that we have inadvertently collected information from a minor, we will promptly delete such information and terminate the associated account.

If you believe a minor has provided us with personal information, please contact us immediately at admin@avatacore.com.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Sending an email to your registered address at least 14 days before the change takes effect
  • Posting a prominent notice on our website
  • Updating the "Last Updated" date at the top of this page

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using our Services and may request account closure.

14. Contact & Privacy Officer

For privacy-related questions, to exercise your rights, or to report a privacy concern, contact our Privacy Officer:

Privacy Officer

AvataCore, LLC

Email: admin@avatacore.com

Website: avatacore.com

We will respond to all privacy rights requests within the timeframes required by applicable law (typically 30–45 days).

To file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights: hhs.gov/hipaa/filing-a-complaint