Suvi Health Privacy Policy

Last Updated: June 22, 2026

Introduction

This Privacy Policy (the “Policy”) describes how Suvi Health, Inc. (“Suvi Health,” “we,” “us,” or “our”) collects, uses, and discloses Personal Information in connection with our public-facing websites, including www.suvi.health, our marketing activities, our mobile applications, our clinician-facing web dashboard available at care.suvi.health, and our recovery and post-discharge support platform (“Platform”) and related services (together, the “Services”).

This Policy applies to individuals who access or use our Services. That includes visitors to our websites, recipients of our marketing communications, clinical and administrative users who access the Services on behalf of a Health System (“Care Team Users”), patients whose care is supported through the Platform (“Patient Users”), individuals who are legally authorized to act on a Patient User’s behalf (“Authorized Representatives”), and family members, friends, or other caregivers who are invited or authorized to support a Patient User through the Platform (“Caregiver Users”). This Policy does not exclusively govern the privacy and confidentiality terms applicable to hospitals, health systems, physician practices, clinics, provider groups, accountable care organizations, and other healthcare organizations that have contracted with Suvi Health to make the Platform available to their patients, caregivers, workforce, and other users (each, a "Health System"); additional terms are set out in the written agreement between Suvi Health and the applicable Health System (the "Health System Agreement"), together with the applicable BAA. 

This Policy explains how we handle Personal Information related to your access and use of the Services, including when information is processed as Health System Data on behalf of  Health System. In the event of any conflict between this Policy and any applicable Health System Agreement, the Health System Agreement governs. Please see Section 1 below for additional information about how Health System Data is handled.

Patient Users and Protected Health Information

Suvi Health provides its Services to Patient Users on behalf of Health Systems. Suvi Health is not a healthcare provider or health plan. When we create, receive, maintain, or transmit protected health information (“PHI”) or other patient data on behalf of a Health System, we do so as a HIPAA Business Associate under a written Business Associate Agreement (“BAA”) with that Health System. We refer to this information as “Health System Data.” Health System Data may include Health System-supplied information, patient-supplied information, audio recordings of care conversations, transcripts derived from those recordings, AI-generated summaries, tasks, in-app messages, and the identifiers needed to associate those records with the applicable Patient User and Health System record. 

If you are a User interacting with Suvi Health because a Health System has enrolled you, invited you, or permitted your access to a program that uses our Services, all information we collect from or about a Patient User on behalf of the Health System is handled as Health System Data and, where applicable, PHI. This is true regardless of where or when the information is collected, including information collected after discharge or outside the physical hospital or clinical setting. We do not treat information we collect from or about a Patient User on behalf of a Health System as separate direct-to-consumer data. To understand how the Health System collects, uses, and shares your health information-including PHI it maintains-please refer to the Health System’s Notice of Privacy Practices. You may exercise rights regarding PHI directly with the Health System, and we will support the Health System in responding to your request as required under our agreements and applicable law.

The remainder of this Policy describes how we handle Personal Information we collect directly from all User types. Where that information is Health System Data, the applicable BAA, Health System Agreement, HIPAA, the Health System Notice of Privacy Practices, and other state laws may impose additional or controlling requirements.

Information 

In this Policy, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information includes the categories of information described in this Section 2. Personal Information does not include information that is aggregated, de-identified, or anonymized such that it cannot reasonably be used to identify an individual, or information that is otherwise excluded from the scope of applicable privacy laws. 

Information We Collect

The information we collect depends on how you interact with Suvi Health, the portions of the Services you use, and the choices you make. We may collect information that you provide directly to us, information generated through your use of the Services, information we receive from Health Systems, identity providers, service providers, and other third-party sources, and information collected automatically when you visit our websites or use our Services. This may include:

Personal, Account, Relationship, and Access Information. This may include name, email address, mobile phone number, account credentials, role, organization affiliation, employer, title, specialty, professional identifiers, Patient User relationship, legal authority or representative status, caregiver invitation and acceptance status, access permissions, communications with us, support requests, in-app messages, chatbot interactions, and other information provided to or collected by the Services. For Care Team Users, this may include identity, role, group, authentication, authorization, and session information received from the applicable Health System or its enterprise identity provider.

Device, Usage, Log, and Security Information. This may include IP address, device identifiers, operating system version, browser type and version, authenticated session data, pages or screens viewed, links clicked, feature usage, error events, server access logs, audit logs, timestamps, and security telemetry (including fraud-prevention and access-control signals), and information collected through cookies, tokens, local storage, analytics tools, and similar technologies.

Location Information. This means approximate location derived from IP address and, where applicable, a one-time precise location reading during mobile app onboarding solely to verify facility presence, Health System eligibility, or access to a Health System-sponsored program. We do not collect precise location on an ongoing basis.

Health Information, Health System-Supplied Data, and Health System Data. This includes Health System-supplied information; User-supplied information regarding Patient Users audio recordings of care conversations; transcripts derived from those recordings; AI-generated summaries; tasks; reminders; assessments; messages; in-app messages; chatbot, Voice Agent, and other automated-feature interactions (where these features are enabled) that contain or relate to health information; information about a Patient User’s admission, condition, medications, discharge plan, recovery, care team, and caregiver invitations; the identifiers needed to associate those records with the applicable Patient User and Health System record; and other data that may identify an individual’s past, present, or future physical or mental health status. When collected or maintained on behalf of a Health System, this information is handled as Health System Data, as described in Section 1.

Audio Recordings, Transcription, and AI Processing. Suvi Health’s Services enable Patient Users, Authorized Representatives, Caregiver Users, and Care Team Users to record care conversations and related voice interactions where the Platform and applicable permissions allow. Audio recordings are processed by a third party speech-to-text provider that transcribes conversations, supports Voice Agent functionality, and provides related voice-processing services. Suvi Health then generates summaries, tasks, reminders, and other care-coordination outputs. Audio recordings may contain PHI, consumer health data, and other sensitive information, and are processed as Health System Data when collected or maintained on behalf of a Health System. These third party providers do not use audio recordings to create voiceprints, voice embeddings, biometric templates, persistent speaker profiles, or voice-authentication profiles, or to uniquely identify or authenticate speakers based on their voice. We retain audio recordings in accordance with the applicable BAA, Health System Agreement, and our Data Management Policy (as described in Section 7). We may create, use, disclose, commercialize, and otherwise exploit de-identified data derived from audio recordings or related information for any lawful purpose, provided that the data is de-identified under HIPAA, where applicable, or otherwise does not identify an individual or Patient User. 

Service-Related Inferences. Such as suggested next-step tasks, flags, preferences for chatbot response style or notification timing, and operational inferences about feature usage, workflow status, access needs, or engagement with Platform features.  

Some of the information described above may be considered sensitive Personal Information, sensitive data, consumer health data, or similar information under applicable law. Where applicable law treats information as sensitive or requires consent or other protections, we handle that information in accordance with applicable law.

Information You Provide

When you engage with Suvi Health, we collect information you choose to provide to us, including:

Information Collected Automatically

When you visit our websites or use the Services, we and our service providers may automatically collect certain information about your device and activity, including your IP address, device and browser type, operating system, language settings, approximate location derived from IP address, referring and exit pages, pages viewed, links clicked, timestamps, authenticated session events, audit logs, security telemetry, and other standard device, log, and security data used for security, debugging, fraud prevention, and operational integrity. In addition, we may use IP-based location information to help verify eligibility and enforce access restrictions, and the mobile app may request a one-time precise location reading during onboarding solely for facility or access verification as described above. We collect this information using cookies, tokens, local storage, log files, and similar technologies, as described below; we do not currently deploy advertising pixels, social media pixels, or advertising IDs.  

Cookies and similar technologies

We use cookies and similar technologies differently depending on the part of the Services you use:

We do not deploy third-party tracking technologies, advertising pixels, or session-replay tools on authenticated product surfaces where users interact with or submit Health System Data.

Marketing Analytics and Opting Out

While we do not deploy third-party tracking technologies or advertising pixels on authenticated product surfaces where users interact with or submit health-related information, we currently use Google Analytics 4 on our marketing website to understand site performance and visitor interactions. To learn more about Google Analytics and the opt-out controls Google makes available, see Google Analytics Help and the Google Analytics Opt-out Browser Add-on.

Information From Third Parties

We may receive Personal Information about you from third parties, including Health Systems, enterprise identity providers, service providers, analytics and security providers, and publicly available sources. For example, a Health System may provide patient demographic and identifier information, admission or eligibility information, care team information, role and access information, and, where enabled, information from EHR or other Health System data feeds. Health System identity providers may provide SAML, OIDC, single sign-on, role, group, and authorization attributes for Care Team Users and administrators. Service providers may provide information back to us in connection with the services they perform, such as transcription, voice-processing, error-monitoring, security, analytics, support, authentication, or operational telemetry.

We use the Personal Information described above to:

Comply with legal obligations, enforce our agreements, protect our rights and the rights of others, and prevent fraud, abuse, or harm.Our processing of Health System Data is limited to the purposes described herein  and in the applicable BAA and Health System Agreement. Except as permitted by those agreements and applicable law, we do not use identifiable Health System Data for product improvement, research, analytics, advertising, or model training.

We disclose Personal Information in the following circumstances:

We do not sell Personal Information for monetary consideration, and we do not share Personal Information for cross-context behavioral advertising.

Marketing emails

You may opt out of Suvi Health marketing emails by following the unsubscribe link in any marketing message or by contacting us at privacy@suvi.health. Even if you opt out of marketing communications, we may still send you transactional or service-related messages.

Cookies and tracking

Most browsers let you refuse or delete cookies through their settings. You can also use browser-based privacy controls, including those that recognize the Global Privacy Control (GPC) signal, to limit tracking where applicable. Blocking cookies may affect your ability to use certain features of our websites.

Do Not Track 

Some browsers include a "Do Not Track" (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. Unlike the GPC described above, there is not a common understanding of how to interpret the DNT signal; therefore, our websites do not respond to browser DNT signals. Instead, you can use the range of other tools to control data collection and use, including the GPC, cookie controls, and advertising controls described above.

Account information

If you have an account on the Services, you can review and update certain information directly through your account where the Platform makes that functionality available. Where you access the Services through a Health System, that Health System may control your account, role, permissions, and access. You should contact the applicable Health System administrator or care team for changes that are controlled by the Health System.

Depending on the state in which you reside, you may have certain rights regarding the Personal Information we maintain about you. These rights may include the right to confirm whether we are processing your Personal Information, the right to access and obtain a copy, the right to correct inaccurate information, the right to request deletion, the right to opt out of targeted advertising, profiling that produces legal or similarly significant effects, or the sale or sharing of Personal Information, the right to appeal a decision made regarding your data, and the right not to be discriminated against for exercising your rights.

Consumer Health Data Laws (Washington and Nevada)

The Washington My Health My Data Act ("MHMDA") and the Nevada Consumer Health Data Privacy Law (together, the "Consumer Health Data Laws") regulate "consumer health data" that Suvi Health collects and processes as a controller. This section applies only to non-PHI consumer health data that Suvi Health controls directly. It does not apply to protected health information or other information that we create, receive, maintain, or transmit as a HIPAA Business Associate on behalf of a Health System, which is handled as Health System Data under HIPAA, the applicable BAA, and the Health System Agreement, or to information otherwise exempt under the Consumer Health Data Laws.

The categories of consumer health data we may collect directly include health-related information you provide through our public-facing websites, marketing interactions, and mobile app onboarding; approximate location derived from IP address and, in limited cases, a one-time precise location reading used to verify facility presence or eligibility; and other information that identifies or is reasonably linkable to your past, present, or future physical or mental health status. We collect this consumer health data from you, from your device when you use our websites or Services, and, where applicable, from Health Systems and service providers, and we use it to provide, secure, and improve the Services, verify eligibility and access, respond to your requests, and for the other purposes described in this Policy. 

We may share consumer health data with the categories of recipients described in Section 4 (How We Disclose Information), including service providers and processors, Health Systems, professional advisors, and parties to whom you direct or consent to disclosure. We collect and share consumer health data only with your consent or as otherwise permitted by the Consumer Health Data Laws, and Suvi Health does not sell consumer health data.

If you are a Washington or Nevada consumer, you have the right to confirm whether we collect, share, or sell your consumer health data and to access that data, to withdraw your consent to our collection and sharing of your consumer health data, and to request that we delete your consumer health data. We will not discriminate against you for exercising these rights. To exercise these rights with respect to consumer health data that Suvi Health controls directly, contact us at privacy@suvi.health or use the information in the “How to Contact Us” section below; you may appeal a denied request by contacting us at the same address, and if we deny your appeal you may contact the Washington Attorney General or Nevada Attorney General, as applicable. Washington consumers can review additional detail in our separate Washington Consumer Health Data Privacy Policy, accessible through a distinct link on our homepage. To the extent your health information is PHI or Health System Data, your rights are governed by HIPAA and the applicable Health System’s Notice of Privacy Practices, and you may exercise those rights directly with the Health System as described in Section 1.

Data Retention

We retain personal information for as long as we have a legitimate business need to do so, for example to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreement. Health System Data, including recordings, transcripts, summaries, tasks, messages, access records, and Health System-supplied information, are retained and disposed of in accordance with the applicable BAA, Health System Agreement, Health System instructions, and healthcare-law requirements. Personal information that is not governed by those requirements is deleted or de-identified when it is no longer needed for a legitimate business purpose, or if deletion is not immediately feasible (for example, because the information is stored in backup archives), it is securely isolated until deletion is possible.  

Security

We maintain administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, use, disclosure, alteration, and destruction. Our security program is designed to meet the requirements applicable to a HIPAA Business Associate. We use service providers for hosting, storage, and related cloud infrastructure; error and performance monitoring and operational troubleshooting; transcription, Voice Agent, and related voice-processing services where enabled; and authentication, identity-provider, account-access, and identity-verification support. Where those providers process PHI or other Health System Data in a regulated context, we require appropriate compliance protections, including BAAs where applicable. Suvi Health also maintains a formal incident response plan with HIPAA breach-response procedures and, in accordance with the applicable law and BAA, will notify the applicable Health System should any reportable incidents arise. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Please notify us promptly if you believe your account has been compromised.

International Data Transfers

Suvi Health is based in the United States, our Services are intended for use from within the United States, and we process Personal Information in the United States. If you access the Services from outside the United States, you understand that your information will be transferred to, stored in, and processed in the United States, where privacy laws may differ from those in your country of residence.

Children’s Privacy

Our websites and Services are intended for adults age 18 and older, and we do not knowingly collect Personal Information directly from individuals under 18. Patient Users, Authorized Representatives, Caregiver Users, and Care Team Users are responsible for taking reasonable steps to limit the capture of information about minors who may be present during recorded care conversations. If you believe we have collected Personal Information from a child in a manner that is not permitted by law, please contact us at privacy@suvi.health and we will take appropriate steps.

Changes to This Policy

We may update this Policy from time to time. When we make changes, we will update the “Last Updated” date at the top of this Policy and post the revised Policy on our website. If the changes are material, we will provide additional notice as required by applicable law. Your continued use of the Services after the effective date of the revised Policy constitutes your acceptance of the updated terms.

How to Contact Us

If you have questions about this Policy or about how Suvi Health handles Personal Information, or if you would like to exercise your rights, please contact us:

Privacy and Security Officer: Shawn Albert

Suvi Health, Inc.

Attn: Privacy

1580 N Logan St, Ste 660 PMB 557803

Denver, Colorado 80203

United States

Email: privacy@suvi.health