Privacy Policy

This Privacy Policy explains how Innovo Ventures LLC d/b/a BioSync IQ (referred to in this Privacy Policy as "BioSync IQ," "we," "us," or "our") collects, uses, discloses, retains, protects, and otherwise processes information when individuals, patients, providers, healthcare organizations, and other users access or use BioSync IQ websites, mobile applications, software, dashboards, remote therapeutic monitoring tools, artificial intelligence-enabled features, analytics tools, communications, and related services (collectively, the "Services").

This Privacy Policy applies to personal information, consumer health data, account information, usage data, device data, communications data, and other information processed through the Services. Where we process Protected Health Information ("PHI") on behalf of a healthcare provider or other covered entity, our use and disclosure of PHI is also governed by HIPAA, any applicable business associate agreement, and the provider's Notice of Privacy Practices.

This Privacy Policy should be read together with the applicable BioSync IQ Terms of Service, any provider agreement, business associate agreement, consent forms, and other notices provided at the time information is collected.

For purposes of this Privacy Policy:

• "Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an individual or household.
• "Consumer health data" means personal information that is linked or reasonably linkable to an individual and that identifies past, present, or future physical or mental health status, as defined by applicable law.
• "Protected Health Information" or "PHI" has the meaning assigned under HIPAA and generally includes individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate.
• "De-identified data" means data that has been de-identified in accordance with applicable law, including, where applicable, HIPAA de-identification standards, so that it does not identify and cannot reasonably be used to identify an individual.
• "Aggregated data" means data combined with other data so that it does not identify a particular individual, patient, provider, or organization unless otherwise disclosed.

The information we collect depends on how you interact with the Services, the products and features you use, your relationship with us, your privacy settings, your organization's configuration, your device permissions, your location, and applicable law.

• Account registration information, such as name, email address, phone number, username, password or authentication credentials, organization, role, and related profile information.
• Patient enrollment information, such as provider name, clinic affiliation, patient identifiers, contact information, diagnosis or program information, consent status, and remote therapeutic monitoring enrollment details.
• Health-related information, such as symptoms, diagnoses, conditions, medications, treatment plans, adherence information, activity-of-daily-living responses, biometric or device-generated data, care-management information, surveys, questionnaires, patient-reported outcomes, and other information submitted through the Services.
• Communications with us, providers, care teams, support personnel, or automated tools, including messages, support tickets, chat content, call notes, feedback, files, and other content you provide.
• Billing and payment-related information, where applicable, such as transaction details, subscription information, patient or member counts, payment method details handled by our payment processors, invoices, and payment status.

• Device and usage data, including IP address, device identifiers, browser type, operating system, mobile device information, application version, pages or screens viewed, clicks, access times, referring URLs, session activity, crash logs, diagnostic data, and performance data.
• App, portal, and feature usage information, including log-in activity, monitoring activity, notification activity, reminders, workflow usage, dashboard activity, and user preferences.
• Approximate location information derived from IP address and, only where enabled and permitted, more precise location information from device permissions.
• Cookies, pixels, SDKs, local storage, and similar technologies used to operate the Services, authenticate users, remember preferences, secure accounts, analyze performance, and improve the Services.

• Healthcare providers, clinics, pharmacies, care managers, employers, benefit programs, or other organizations that enroll or authorize users to access the Services.
• EHR, pharmacy, claims, scheduling, billing, remote monitoring, wearable, device, and other integrated systems, where enabled by the user, provider, or organization.
• Service providers and business partners, such as hosting providers, analytics providers, communication vendors, payment processors, identity-verification services, customer support providers, and implementation partners.
• Publicly available sources, regulatory sources, or business contact databases where permitted by law and relevant to business operations.

Some of the information collected through the Services may be considered consumer health data under applicable federal or state consumer health privacy laws. Examples may include:

• Information about health-related conditions, symptoms, status, diagnoses, testing, treatment, medications, remote therapeutic monitoring, care-management activities, procedures, interventions, or outcomes.
• Information that may identify or relate to a person's attempt to seek, receive, measure, assess, improve, or learn about healthcare services or health-related information.
• Information generated by surveys, questionnaires, monitoring workflows, mobile applications, connected devices, activity trackers, wearables, or other health-related tools.
• Precise or approximate location information that could reasonably indicate an attempt to acquire or receive health services or supplies, if such information is collected or enabled.
• Information used to infer, derive, or predict health-related characteristics, risks, preferences, needs, or engagement patterns.

We may use information, including personal information, consumer health data, and PHI where permitted, for the following purposes:

• Provide, operate, maintain, configure, secure, and support the Services.
• Enroll users, authenticate accounts, manage access, administer provider-practice accounts, and deliver user support.
• Enable remote therapeutic monitoring, patient engagement, adherence support, reminders, patient-reported outcomes, care-team workflows, documentation support, and provider dashboards.
• Communicate with users, providers, care teams, and organizations about the Services, service notifications, security alerts, support matters, billing, training, operational updates, and administrative notices.
• Process subscriptions, invoices, payments, member or patient counts, and related financial transactions.
• Analyze usage, performance, quality, reliability, security, and effectiveness of the Services.
• Develop, test, train, improve, validate, and deploy software, workflows, analytics, algorithms, artificial intelligence, machine learning, and automation features, subject to applicable law and contractual restrictions.
• Create de-identified, aggregated, or statistical data and related insights.
• Conduct research and development, quality improvement, product improvement, benchmarking, population-level analytics, and operational analysis.
• Comply with applicable legal, regulatory, contractual, accounting, audit, and compliance obligations.
• Protect the rights, safety, security, and integrity of users, patients, providers, BioSync IQ, our affiliates, and the Services.
• Enforce our agreements, policies, and terms; prevent fraud, misuse, unauthorized access, security incidents, and unlawful activity.

BioSync IQ may use artificial intelligence, machine learning, automation, natural language processing, predictive analytics, generative AI, rules-based workflows, and similar technologies to support the Services. These features may assist with patient engagement, monitoring workflows, documentation support, trend identification, risk stratification, message drafting, operational analysis, workflow automation, and other product features.

AI-generated or AI-assisted outputs may be incomplete, inaccurate, delayed, or inappropriate for a particular situation. The Services are not intended to replace professional medical judgment, emergency care, clinical decision-making, or the independent judgment of licensed healthcare professionals. Providers and other authorized users are responsible for reviewing, validating, and exercising independent judgment before relying on AI-assisted outputs for clinical, billing, administrative, or operational purposes.

We may use information to develop, test, train, improve, validate, monitor, and secure AI-enabled features, subject to applicable law, HIPAA where applicable, business associate agreements, contractual restrictions, and any required consent. Only de-identified data, sufficiently aggregated data, statistical outputs, derived insights, or AI-generated outputs that do not identify and cannot reasonably be used to identify an individual are made available to pharmaceutical manufacturers, life sciences companies, medical device companies, research organizations, payers, or other commercial partners, unless a separate HIPAA-compliant authorization, data use agreement, IRB/research pathway, business associate agreement, or other lawful basis exists. Recipients of such data or outputs are prohibited from attempting to re-identify individuals, combining the data with other information for re-identification, contacting individuals based on the data, or using the data to make eligibility, coverage, underwriting, employment, credit, housing, or healthcare-access decisions about any individual.

We may create, use, disclose, license, commercialize, sell, or otherwise monetize de-identified, aggregated, statistical, or derived data and insights, including for product development, benchmarking, research, analytics, commercial partnerships, payer or provider insights, artificial intelligence development, population health analysis, publications, investor materials, and other lawful business purposes.

We will not knowingly sell identifiable PHI in violation of HIPAA. When data is subject to HIPAA, de-identification will be performed in accordance with HIPAA de-identification standards unless another lawful basis applies. We do not attempt to re-identify de-identified data except as permitted by law, such as to test whether de-identification is effective.

Where applicable law requires consent or authorization before using or disclosing identifiable consumer health data, PHI, or other personal information for certain purposes, we will seek such consent or authorization or rely on another permitted legal basis.

BioSync IQ may make de-identified, aggregated, statistical, or derived datasets and insights available through secure dashboards, portals, APIs, reports, artificial intelligence-enabled query tools, analytics environments, or other commercial data products for authorized third parties, including life sciences companies, pharmaceutical manufacturers, medical device companies, payers, research organizations, providers, and other commercial partners, provided that such data does not identify and cannot reasonably be used to identify an individual patient.

Third parties receiving or accessing such data are prohibited from attempting to re-identify individuals, contacting patients based on de-identified data, combining the data with other information for re-identification, or using the data for unlawful discrimination, eligibility, underwriting, employment, or similar adverse decision-making purposes.

We may disclose information, including personal information, consumer health data, and PHI where permitted, with the following categories of recipients:

• Healthcare providers and care teams. We may share information with the provider, practice, pharmacy, care team, or organization that enrolled or manages a user's account or uses the Services to provide care, support, monitoring, or administrative services.
• Organizations that provide access. If an account is created, sponsored, or administered by a provider practice, employer, plan, covered entity, or other organization, that organization may access and process account information, patient information, usage information, communications, files, and other information associated with that account, subject to applicable law and agreements.
• Service providers and vendors. We may share information with vendors, processors, contractors, and agents that support hosting, security, analytics, customer support, communications, implementation, payment processing, identity management, infrastructure, AI tools, and other business operations.
• Business partners and integration partners. We may share information with partners where needed to operate co-branded services, integrations, referral workflows, data connections, or other functionality requested or authorized by a user or organization.
• Affiliates and related companies. We may share information with subsidiaries, affiliates, parent entities, commonly controlled entities, or related companies for the purposes described in this Privacy Policy.
• Payment processors and financial institutions. We may share transaction and payment data as needed to process payments, manage subscriptions, prevent fraud, and comply with financial requirements.
• Parties to corporate transactions. We may disclose information in connection with a merger, acquisition, financing, reorganization, bankruptcy, due diligence review, sale of assets, joint venture, or similar transaction.
• Government agencies, regulators, courts, and law enforcement. We may disclose information when we believe disclosure is required or permitted by law, subpoena, court order, legal process, regulatory request, or to protect rights, safety, and security.
• Other users or recipients at your direction. We may share information when you or your organization direct us to do so, such as when using communication, sharing, referral, or integration features.
• Other third parties with consent or as permitted by law. We may share information with other third parties where consent has been obtained or where disclosure is otherwise permitted by applicable law.

In some contexts, BioSync IQ may act as a business associate of a covered entity, such as a healthcare provider, and information processed through the Services may be PHI. In those contexts, our use and disclosure of PHI is governed by HIPAA, the applicable business associate agreement, and the instructions of the covered entity, in addition to this Privacy Policy.

If there is a conflict between this Privacy Policy and a valid business associate agreement regarding PHI, the business associate agreement will control with respect to that PHI. This Privacy Policy is not a healthcare provider's Notice of Privacy Practices and does not replace any Notice of Privacy Practices provided by a healthcare provider or other covered entity.

Requests to access, amend, restrict, or obtain an accounting of disclosures of PHI may need to be directed to the healthcare provider or covered entity responsible for the information. We may assist covered entities with such requests as required by applicable agreements and law.

The Services may support remote therapeutic monitoring, patient engagement, medication adherence, care coordination, and related workflows. Providers and organizations are responsible for determining whether use of the Services is appropriate for their patients, obtaining any required patient consent, verifying patient eligibility, ensuring appropriate documentation, and complying with applicable billing, coding, reimbursement, licensure, supervision, and clinical requirements.

Patients may have copays, coinsurance, deductibles, or other financial responsibility for services furnished or billed by their healthcare provider. BioSync IQ does not control a provider's billing determinations, payer coverage decisions, or patient cost-sharing obligations unless expressly stated in a separate agreement.

We may use cookies, pixels, SDKs, local storage, log files, analytics tools, and similar technologies to operate the Services, secure accounts, remember preferences, understand usage, improve performance, troubleshoot errors, measure engagement, and support business operations. Users may be able to control certain cookies or device permissions through browser, device, or app settings. Disabling certain technologies may affect the functionality of the Services.

We may send administrative, service-related, transactional, security, billing, support, and operational communications through email, SMS/text message, phone, in-app message, push notification, portal notification, or other available channels. Message and data rates may apply. Users may opt out of certain promotional communications, but we may continue to send non-promotional communications necessary to provide the Services, maintain accounts, comply with law, or protect security.

If SMS, email, or similar communications are used for health-related messaging, users acknowledge that such communication methods may involve risks, including interception, misdelivery, delay, or disclosure to individuals with access to the user's device or account. Providers and organizations are responsible for determining whether their communication workflows comply with applicable law and patient consent requirements.

We use administrative, technical, and physical safeguards designed to protect information from unauthorized access, use, disclosure, alteration, or destruction. Safeguards may include access controls, authentication, encryption, monitoring, logging, backup procedures, vendor diligence, security testing, and workforce training. No technology platform, transmission method, or storage system is completely secure, and we cannot guarantee absolute security.

Users are responsible for maintaining the confidentiality of account credentials, using strong passwords, limiting access to authorized personnel, promptly revoking access for terminated or unauthorized users, and notifying us of suspected unauthorized access or security incidents.

We retain information for as long as reasonably necessary to provide the Services, maintain accounts, support providers and users, comply with legal and contractual obligations, resolve disputes, conduct audits, enforce agreements, maintain backups, improve the Services, and operate our business. Retention periods may vary based on the type of information, the context of collection, applicable law, provider instructions, backup schedules, and business needs.

We may retain de-identified, aggregated, statistical, or derived data for longer periods, subject to applicable law and contractual restrictions.

Depending on your location, relationship with us, and applicable law, you may have rights to request access, correction, deletion, portability, restriction, withdrawal of consent, or other controls regarding certain personal information or consumer health data. Some requests may be subject to exceptions, identity verification, legal limitations, provider instructions, or HIPAA requirements.

If your information is maintained by BioSync IQ on behalf of a healthcare provider or other covered entity, we may need to refer your request to that provider or covered entity. If a request is denied, you may have a right to appeal or lodge a complaint with the applicable regulator, state attorney general, or other authority depending on applicable law.

To exercise privacy rights, contact us using the information in the Contact Us section below. We may need to verify your identity before fulfilling a request.

The Services are not intended for children under 13 unless made available through a healthcare provider, parent, guardian, or organization with appropriate consent or authorization. We do not knowingly collect personal information from children under 13 except as permitted by law and as necessary to provide the Services. Where applicable law requires parental or guardian consent for minors, the provider, parent, guardian, or organization is responsible for obtaining and documenting such consent unless otherwise agreed in writing.

The Services are operated primarily from the United States. If information is accessed from outside the United States, it may be transferred to, stored in, or processed in the United States or other jurisdictions where we or our service providers operate. These jurisdictions may have data protection laws different from those in the user's location.

We may update this Privacy Policy from time to time. When we make material changes, we will provide notice through the Services, by email, through a provider or organization, or by other reasonable means as required by law. Continued use of the Services after an updated Privacy Policy becomes effective means the updated Privacy Policy applies to future use of the Services.

This section is intended to provide additional information for individuals whose consumer health data is subject to state consumer health privacy laws. The categories of consumer health data we may collect, sources of consumer health data, purposes for collection and use, categories of third parties with whom consumer health data may be shared, and rights available to individuals are described throughout this Privacy Policy.

We may collect and use consumer health data as reasonably necessary to provide products or services requested or authorized by a user, patient, provider, or organization; to operate and secure the Services; to support monitoring, engagement, care coordination, analytics, and communications; to comply with law; and for other purposes described in this Privacy Policy. Where required by law, we will obtain consent before collecting, using, or sharing consumer health data for certain purposes.