Concierge Pediatrics Parent Application – Privacy Policy

1. Scope

This Privacy Policy applies to:

• The Parent App (web or mobile interfaces)
• Related APIs and administrative portals
• Communications (email/SMS) sent in connection with the Parent App

It does not apply to third-party websites or services that are not controlled by us (e.g., external links).

2. Information We Collect

We collect the following categories of information:

2.1 Account & Identity Information

• Parent: name, email address, phone number, multifactor authentication data
• Child: name, date of birth, gender, relationship to the parent
• Authentication credentials (hashed passwords), session tokens

2.2 Medical & Health Information (PHI)

• Medical history, diagnoses, lab results, immunizations, vitals, medications, developmental notes
• Appointment history, provider notes, AI second-opinion prompts and generated outputs
• Messages with doctors, specialists, or admin staff
• Specialist referrals, treatment plans, care team assignments

2.3 Insurance & Billing

• Insurance provider, policy and group numbers, claim status
• Subscription type (monthly/annual), invoices, payment history, add-on charges
• Credit card tokens (stored by a PCI-compliant payment processor; we do not store full card numbers)

2.4 AI Interaction Data

• Prompt text and contextual patient data submitted to produce AI second opinions
• AI output (“unvetted” and doctor-review metadata: accuracy scores, comments)

2.5 Communications & Support

• Messages/questions posted to patient overview pages and FAQ interactions
• Callback and appointment requests

2.6 Device & Usage Data

• Log files (IP address, browser type, device identifiers), timestamps, session duration
• Audit logs of access to PHI (required under HIPAA)

2.7 Automatically Generated Data

• Session timeout status (auto-logout after 10 minutes)
• Aggregated analytics (non-personal or de-identified usage metrics for internal improvement)

2.8 Children’s Information

Children may access their profiles using the same email/password/MFA flow established by the parent. We obtain verifiable parental consent during account creation. We do not knowingly collect additional personal information directly from a child beyond what is necessary to provide the Services.

3. How We Use Information

We use the information described above to:

1. Deliver Core Services: Create and maintain parent/child accounts; schedule appointments; administer doctor availability; process urgent requests.
2. Provide Medical Care: Maintain permanent medical records, support consultations, enable provider notes, facilitate secure sharing through the admin team.
3. AI Second Opinions: Generate AI outputs using patient data; mark results as “unvetted”; allow doctors to review and rate accuracy.
4. Billing & Insurance: Process subscriptions, specialist charges, diagnostics, and insurance claims.
5. Notifications: Send email/SMS alerts for messages and appointments (parents/children may configure channel preference). We do not send notifications for AI results, health reminders, or billing updates.
6. Security & Compliance: Enforce MFA, session timeouts, encryption, audit logging, fraud prevention, regulatory compliance.
7. Support & Triage: Enable admin responses to questions, creation of FAQ content, and record-sharing requests.
8. Legal Obligations: Respond to subpoenas, regulatory inquiries, or enforce our Terms.

We do not sell or rent PHI or personal information.

4. Legal Bases (Where Applicable)

For users in jurisdictions requiring disclosure of legal bases (e.g., GDPR), processing is based on:

• Performance of a contract (providing the Services)
• Compliance with legal obligations (HIPAA, record retention)
• Legitimate interests (platform security, improvement)
• Consent (parental consent for child access, AI processing where required)

5. How We Share Information

We share information only as necessary:

• Care Team & Admin Staff: Doctors, specialists, nurses, and authorized admin personnel access PHI to provide or coordinate care.
• Service Providers: Payment processors, secure messaging/SMS vendors, cloud hosting, AI model providers (where feasible, AI data may be de-identified or minimized).
• Insurance Entities: To process claims and verify coverage.
• Regulatory & Legal: Government authorities or law enforcement if required by law.
• Business Transfers: In a merger, acquisition, or asset sale, subject to confidentiality and continued protection of PHI.

All vendors handling PHI must sign appropriate Business Associate Agreements or equivalent contractual safeguards.

6. AI Processing Practices

AI second opinions use available patient data to generate advisory content. Outputs are stored permanently, labeled “unvetted,” and later reviewed by licensed physicians. AI outputs do not replace professional medical judgment. We log prompts and responses for quality assurance. Doctors’ accuracy ratings are aggregated for transparency.

7. Data Retention

• Medical Records & AI Outputs: Stored permanently to ensure continuity of care and meet legal/clinical retention requirements.
• Account & Billing Data: Retained for the duration of the subscription plus any legally required retention period.
• Audit Logs: Retained per HIPAA and internal compliance policies.

When permissible, non-essential data may be de-identified or aggregated. We generally do not honor deletion requests for medical records where prohibited by healthcare regulations.

8. Your Choices & Rights

Parents and (where allowed) children may:

• View medical records and AI results through the app.
• Update account information (parent only).
• Configure notification channel (email or SMS) for messages/appointments.

To request record sharing, corrections, or insurance updates, parents may contact the admin team. Some rights (e.g., deletion) may be limited due to healthcare laws.

If you are a resident of a state with additional privacy rights (e.g., California), you may contact us to exercise applicable rights. We do not discriminate for exercising privacy rights.

9. Children’s Privacy (COPPA Notice)

We obtain parental consent before creating child profiles. Children’s access is limited to viewing their own records and appointments; they cannot independently manage payment or administrative settings. Parents may revoke a child’s access by contacting support.

10. Security Measures

We implement reasonable and appropriate safeguards:

• Encryption in transit (TLS) and at rest
• Multi-factor authentication
• Automatic logout after 10 minutes of inactivity
• Role-based access controls and restricted administrative privileges
• Continuous audit logging of PHI access

No method of transmission or storage is 100% secure; however, we follow industry and HIPAA standards to reduce risk.

11. International Data Transfers

Data is stored and processed in the United States. If you access the Services from outside the U.S., you consent to the transfer and processing of your information in the U.S. under this Privacy Policy.

12. Third-Party Links

The Parent App may reference third-party resources (e.g., external FAQ materials). We are not responsible for third-party privacy practices. Review their policies before engaging.

13. Changes to This Policy

We may update this Privacy Policy periodically. The “Last Updated” date reflects the latest revision. Material changes will be communicated via the Parent App or email.

14. Contact Us

For questions, requests, or complaints about this Privacy Policy or our privacy practices, please contact:

Concierge Pediatrics Privacy Officer
Email: privacy@olliepediatrics.com
Address: 6620 SW 57th Ave Suite 221 Miami, FL, 33143
Phone: (305) 845-9559

If you believe your HIPAA privacy rights have been violated, you may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights.