Privacy Statement

AUTONOMIC HEALTH

Privacy Policy

Site, App, ANS Test, CloudANS, Autonomic AI, and CAJAL

Effective Date: November 4, 2024

Last Updated: May 1, 2026

Autonomic Health, Inc. ("Autonomic Health," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our website at https://www.autonomichealth.ai (the "Site"), our mobile and desktop applications (the "App"), the Autonomic AI educational chatbot, the ANS Testing Service, the CloudANS partner platform, the CAJAL autonomic intelligence model layer, integrations with wearable devices, and all related applications, content, features, and services (collectively, the "Services").

This Privacy Policy applies to all users of the Services in the United States, including individual users, patients receiving Clinical Services through independent licensed Clinicians on the Clinician Portal, healthcare providers, clinical and technology Partners, and researchers. By using the Services, you acknowledge the practices described in this Privacy Policy.

HEALTH DATA AND AI MODEL TRAINING. Section 4 explains, in plain language, how we use de-identified health data for research and to train our AI models, including CAJAL. You can opt out of this use at any time through your account settings or by emailing privacy@autonomichealth.ai. See Section 4 for details.

Contents

  • 1. Who We Are

  • 2. Information We Collect

  • 3. How We Use Information

  • 4. De-Identified Data, Research, and AI Model Training

  • 5. HIPAA and Protected Health Information

  • 6. How We Share Information

  • 7. Cookies, Tracking, and Mobile Identifiers

  • 8. Your Privacy Rights and Choices

  • 9. State-Specific Privacy Disclosures

  • 10. Data Retention

  • 11. Data Security

  • 12. Children's Privacy

  • 13. Third-Party Links and Services

  • 14. International Users

  • 15. Changes to this Privacy Policy

  • 16. How to Contact Us

1. Who We Are

Autonomic Health is a health technology company focused on the autonomic nervous system (the "ANS"). Our Services include the ANS Testing Service, the CloudANS partner platform, the Autonomic AI educational chatbot, the CAJAL autonomic intelligence model, and a Clinician Portal through which independent licensed clinicians ("Clinicians") provide diagnoses and treatment recommendations. Autonomic Health is not itself a medical practice and does not provide medical care. The clinical relationship is between you and the Clinician.

2. Information We Collect

We collect the categories of personal information described below. Specific examples are provided to make the categories concrete; the actual elements collected depend on the Services you use.

Category: Identifiers and contact information
Examples: Name, email address, mobile phone number, postal address, account credentials, date of birth, IP address, device identifiers.

Category: Biometric and physiological data
Examples: Heart rate variability (HRV), sympathetic and parasympathetic activity measurements, respiration, electrodermal activity, motion data, and other autonomic markers collected from the ANS Testing Service and connected wearables.

Category: Health and clinical information
Examples: Self-reported symptoms, conditions, medications, lifestyle factors, prior diagnoses, ANS test results, Clinician notes, prescriptions, and content shared with the Autonomic AI chatbot.

Category: Commercial information
Examples: Products and services purchased, transaction history, subscription status.

Category: Internet and device activity
Examples: Pages visited, App screens viewed, features used, clicks, session duration, browser type, operating system, app version, crash logs.

Category: Geolocation data
Examples: Approximate location derived from IP address; precise location only with your permission and only if needed for a feature you have enabled.

Category: Sensor data
Examples: Wearable device sensor outputs, accelerometer and gyroscope readings, where you connect such a device.

Category: Inferences
Examples: Inferences we draw from the above to deliver autonomic insights and personalize the Services.

Category: Professional or employment information (Partners)
Examples: Institution affiliation, professional credentials, role, and contact information for users accessing CloudANS on behalf of a Partner.

2.1 Sources

  • Directly from you when you create an account, place an order, complete intake forms, talk to Autonomic AI, or contact support.

  • From your devices when you connect a wearable, install the App, or visit the Site.

  • From Clinicians who interpret your ANS Test results and document care through the Clinician Portal.

  • From Partners who provide a co-branded "Powered by Autonomic Health" experience and share information with us under a written Partner Agreement and, where required, a Business Associate Agreement.

  • From service providers such as cloud hosting, analytics, and shipping providers acting on our behalf.

  • From public sources, such as professional registries used to verify Clinician credentials.

We do not purchase personal information from data brokers.

3. How We Use Information

We use the information we collect to:

  • Provide, operate, secure, and improve the Services, including delivering the ANS Test, supporting Clinicians, and personalizing your experience.

  • Communicate with you about the Services, your account, test status, appointments, security, and policy updates.

  • Process payments and manage subscriptions.

  • With your permission, send you marketing and educational content. You can unsubscribe at any time.

  • Detect, investigate, and prevent fraud, abuse, security incidents, and other harmful or illegal activity.

  • Comply with our legal and regulatory obligations and respond to lawful requests from public authorities.

  • Conduct internal research, quality improvement, and population health analytics.

  • Train, validate, evaluate, and improve our AI and machine learning models, including CAJAL and Autonomic AI, using de-identified or aggregated data as described in Section 4.

  • Establish, exercise, or defend legal claims.

4. De-Identified Data, Research, and AI Model Training

Autonomic Health's mission depends on understanding the autonomic nervous system at scale. To advance that mission, we use de-identified and aggregated information derived from your use of the Services for research, product development, quality improvement, population health analytics, and the training, validation, evaluation, and improvement of our AI and machine learning models, including CAJAL and Autonomic AI (collectively, "Permitted Research and Model Use").

4.1 How We De-Identify

Before information is used for Permitted Research and Model Use, we de-identify it using methods that meet either:

  • the HIPAA Safe Harbor standard (45 C.F.R. § 164.514(b)(2)), which requires removal of eighteen specified categories of identifiers (including names, geographic subdivisions smaller than a state, most date elements, contact details, account, record and device identifiers, IP addresses, biometric identifiers, and full-face photographs) and requires that we have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify you, or

  • the HIPAA Expert Determination standard (45 C.F.R. § 164.514(b)(1)), under which a person with appropriate statistical and scientific expertise determines, and documents, that the risk of re-identifying you from the information is very small.

Once data is de-identified in accordance with HIPAA, it is no longer Protected Health Information and is not subject to HIPAA. We may use, retain, copy, modify, combine with other data, and share such de-identified data for any lawful purpose, including Permitted Research and Model Use, indefinitely. This includes after you delete your account, because removing already-incorporated data from trained AI models or already-published research is not technically feasible.
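The following is an added illustration of the mechanical half of the Safe Harbor standard described above; it is example code written for this page, not Autonomic Health's de-identification pipeline. The field names (such as "mrn" and "hrv_rmssd_ms"), the restricted ZIP-prefix list (taken from HHS guidance and to be refreshed against current census data), and the sample record are assumptions made for the example. It strips the direct identifiers, truncates ZIP codes, reduces dates to years, collapses ages over 89 into a single "90+" category, and flags free-text fields for human review, because Safe Harbor's second condition, no actual knowledge that what remains could identify the person, cannot be decided by code.

```python
"""Mechanical half of HIPAA Safe Harbor de-identification (45 C.F.R. § 164.514(b)(2)).

Added example; not Autonomic Health's code. The field names (e.g. "mrn",
"hrv_rmssd_ms") and the sample record are constructed for illustration.
Safe Harbor's second condition, no actual knowledge that what remains could
identify the person, is a human determination this code cannot make; the
free-text review list at the end exists to feed that determination.
"""
from datetime import date
import re

# Assumed field names that fall into the identifier categories Safe Harbor
# removes outright: names, contact details, SSN, medical record and account
# numbers, licence/vehicle/device identifiers, URLs, IP addresses,
# biometric identifiers (finger/voice prints), full-face photos, other codes.
DIRECT_IDENTIFIERS = frozenset({
    "name", "email", "phone", "fax", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "fingerprint", "voiceprint", "face_photo",
})

# Dates directly related to the individual: only the year may survive.
EVENT_DATE_FIELDS = frozenset({"admission_date", "discharge_date", "death_date"})

# Three-digit ZIP prefixes that HHS guidance lists as covering fewer than
# 20,000 people (from the census data HHS cites); Safe Harbor replaces
# these with 000. Refresh against current census figures before use.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or 000 for sparsely populated areas."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(digits) < 3 or digits in RESTRICTED_ZIP3 else digits


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def safe_harbor(record: dict, as_of_iso: str) -> dict:
    """Return a copy of `record` with Safe Harbor identifiers removed or
    generalized. Dates are ISO-8601 strings; `as_of_iso` fixes the reference
    date for the over-89 rule so results are reproducible."""
    as_of = date.fromisoformat(as_of_iso)
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            dob = date.fromisoformat(value)
            # Ages over 89, and any date element revealing them, collapse
            # into the single category "90+"; otherwise keep birth year only.
            if age_on(dob, as_of) > 89:
                out["age"] = "90+"
            else:
                out["birth_year"] = str(dob.year)
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        elif key in EVENT_DATE_FIELDS:
            out[key] = str(date.fromisoformat(value).year)
        else:
            out[key] = value              # measurements, state, etc. pass through
    return out


def free_text_fields(record: dict) -> list:
    """Keys whose values look like free text. Safe Harbor strips structured
    identifiers; free text (symptoms, notes, chatbot content) can still carry
    names, dates or locations and must be reviewed or redacted separately."""
    flagged = []
    for key, value in record.items():
        if isinstance(value, str) and re.search(r"[A-Za-z]{2,}\s+[A-Za-z]{2,}", value):
            flagged.append(key)
        elif isinstance(value, list) and any(isinstance(v, str) for v in value):
            flagged.append(key)
    return flagged


# Constructed sample record; no real person or device behind it.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "email": "jane@example.test",
    "mrn": "MRN-0012345",
    "ip_address": "203.0.113.7",
    "device_serial": "WEAR-9F3A-0001",
    "dob": "1931-03-14",
    "admission_date": "2024-11-04",
    "zip": "02139",
    "state": "MA",
    "hrv_rmssd_ms": 28.4,
    "symptoms": ["dizziness on standing", "seen by Dr. Example on 2024-11-04"],
}

if __name__ == "__main__":
    clean = safe_harbor(SAMPLE_RECORD, "2026-05-01")
    print(clean)
    print("review free text in:", free_text_fields(clean))
```

Run as a script, the sample record comes out with the name, email, MRN, IP address and device serial gone, the ZIP reduced to "021", the admission date reduced to "2024", the birth date replaced by an age category of "90+" (the person is over 89 on the reference date), and the symptoms list flagged for review because its second entry still contains a name and a full date. Measurements such as HRV pass through unchanged; whether they, combined with what remains, could identify someone is exactly the question the "no actual knowledge" condition and the Expert Determination route exist to answer.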

4.2 No Re-Identification

We do not attempt to re-identify de-identified data. We require our service providers, research partners, and Partners to make the same commitment by contract. If de-identified data ever becomes re-identifiable in our hands, we will treat it as Protected Health Information subject to HIPAA.

4.3 Aggregated Data

We may also use aggregated data, meaning information about groups of users that does not identify any individual, for any lawful purpose, including publishing scientific findings and benchmarks.

4.4 Identifiable Research

From time to time, we may invite you to participate in research studies that use identifiable information, are sponsored by a third party, or are subject to oversight by an Institutional Review Board (IRB). Identifiable research participation requires your separate, opt-in informed consent. Your decision to participate or not participate will not affect your access to the Services.

4.5 Your Right to Opt Out

OPT OUT. You may opt out of having your information de-identified for Permitted Research and Model Use at any time by emailing privacy@autonomichealth.ai or, where available, through your account settings. Opt-out applies prospectively: it stops future de-identification of your information for this purpose, but it does not require us to remove information from models or research that have already used the data.

4.6 No Sale of Personal Information

We do not sell your personal information. We do not sell your Health Data. We do not authorize third parties to attempt to re-identify de-identified data derived from your information. We do not share your personal information for cross-context behavioral advertising as those terms are defined under applicable state privacy laws.

5. HIPAA and Protected Health Information

When Autonomic Health handles Protected Health Information ("PHI") in connection with Clinical Services delivered through the Clinician Portal, we act as a business associate to the licensed Clinician (or their professional entity), and the Clinician is the covered entity under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). We are bound by HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule, and by a written Business Associate Agreement ("BAA") that we sign with each Clinician.

In our role as a business associate, we:

  • Maintain administrative, physical, and technical safeguards to protect PHI as required by the HIPAA Security Rule, including encryption in transit and at rest, role-based access controls, multi-factor authentication, and audit logging.

  • Use and disclose PHI only as permitted by the BAA, by HIPAA, or by your authorization.

  • Apply the minimum-necessary standard to all uses and disclosures of PHI.

  • Do not sell PHI.

  • Provide breach notification consistent with HIPAA's Breach Notification Rule and our BAA obligations.

  • Sign Business Associate Agreements with downstream service providers and subcontractors that handle PHI on our behalf.

5.1 Where to Find Your HIPAA Notice of Privacy Practices

The Clinician (or their professional entity) is the covered entity and is responsible for providing you with a Notice of Privacy Practices describing how PHI is used and disclosed in connection with your care. You should receive that Notice directly from the Clinician at the time of your clinical engagement.

Autonomic Health does not currently publish its own Notice of Privacy Practices, because it operates as a business associate rather than a covered entity under HIPAA. If Autonomic Health later begins offering Clinical Services directly to consumers, in which it holds the patient relationship and clinical record, we will publish our own Notice of Privacy Practices for those flows and update this Privacy Policy.

5.2 Sharing PHI With Us

If you are a healthcare provider, clinical Partner, or technology Partner sharing patient data with us, please contact us at privacy@autonomichealth.ai to ensure a current Business Associate Agreement is in place before transmitting PHI.

6. How We Share Information

We share information only as described below.

6.1 Clinicians and Clinical Services

With your direction or consent, we share your Health Data and account information with the licensed Clinician on the Clinician Portal who is interpreting your ANS Test results and providing Clinical Services to you. Information shared with the Clinician becomes part of the Clinician's medical record and is governed by the Clinician's Notice of Privacy Practices.

6.2 Service Providers

We share information with vendors who perform services on our behalf, including cloud hosting and infrastructure (for example, Amazon Web Services), data warehousing, analytics, customer support, communications, payment processing, and shipping. Service providers are bound by written contracts that limit their use of your information to the services they provide to us. Service providers that handle PHI sign Business Associate Agreements.

6.3 Partners

Where you use the Services through a Partner under a co-branded "Powered by Autonomic Health" experience, we may share information with the Partner as necessary to provide the Service to you, subject to a Partner Agreement and, where required, a Business Associate Agreement. The Partner's use of your information is also governed by the Partner's privacy notice.

6.4 Research Collaborators

With your separate consent for identifiable research, or on a de-identified or aggregated basis as described in Section 4, we may share information with academic institutions, medical centers, or other research collaborators for legitimate scientific and clinical purposes.

6.5 Legal and Safety

We may disclose information when we believe in good faith that disclosure is necessary to comply with law, respond to lawful requests from public authorities (including subpoenas, court orders, and law enforcement requests), protect the rights, property, or safety of Autonomic Health, our users, or others, enforce our agreements, or detect, prevent, or address fraud, security, or technical issues.

6.6 Business Transfers

If Autonomic Health is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections. We will notify you of any such change to the extent required by law.

6.7 With Your Direction

We share information at your direction, for example when you ask us to send your test results to another provider or family member.

7. Cookies, Tracking, and Mobile Identifiers

We and our service providers use cookies, web beacons, software development kits (SDKs), and similar technologies to operate the Site and App, remember your preferences, analyze how the Services are used, and support security. The categories include:

  • Strictly necessary, required for core Site or App functionality (for example, authentication and security).

  • Analytics, to understand how the Services are used and improve them. Providers may include Mixpanel, Amplitude, or similar.

  • Preference, to remember your settings and preferences.

You can control cookies through your browser settings. The App offers controls for analytics SDKs in your account settings or, where required, at first launch. Disabling certain cookies or SDKs may affect functionality.

7.1 Global Privacy Control and Opt-Out Signals

We treat opt-out preference signals like the Global Privacy Control (GPC) as a valid request to opt out of the sale or sharing of personal information for users in jurisdictions that recognize such signals, including California.

7.2 Mobile Identifiers and SDKs

The App may use mobile identifiers (for example, IDFA on iOS, AAID on Android) and third-party SDKs for analytics, crash reporting, and performance monitoring. You can control mobile identifiers through your device's privacy settings. The App will request App Tracking Transparency consent on iOS where required.

8. Your Privacy Rights and Choices

Depending on the Service you use and your state of residence, you may have one or more of the following rights with respect to your personal information:

  • Right to know or access. You can ask us to confirm whether we hold personal information about you and to provide a copy.

  • Right to correct. You can ask us to correct inaccurate or incomplete information.

  • Right to delete. You can ask us to delete your personal information, subject to legal exceptions (for example, medical-records retention requirements or de-identified data already used for research or model training).

  • Right to data portability. You can ask us to provide a copy of certain information in a structured, commonly used, machine-readable format.

  • Right to opt out. You can opt out of the sale or sharing of personal information (we do not sell or share personal information for behavioral advertising), targeted advertising, and certain profiling.

  • Right to limit use of sensitive information. Where applicable, you can ask us to limit the use of sensitive personal information to purposes necessary to provide the Services.

  • Right to opt out of de-identified research and model training. See Section 4.5.

  • Right to withdraw consent. Where we rely on your consent, you may withdraw it at any time without affecting prior processing.

  • Right to non-discrimination. We will not deny you Services or charge you a different price for exercising your privacy rights.

  • Right to lodge a complaint. You can complain to your state Attorney General or other supervisory authority.

8.1 How to Exercise Your Rights

To exercise your rights, email privacy@autonomichealth.ai or use the in-product privacy controls in your account. We will respond within the timeframe required by applicable law (typically 45 days, with one possible 45-day extension). We may need to verify your identity before responding to a request, and we will limit verification to information already associated with your account where possible.

8.2 Authorized Agents

You can use an authorized agent to submit a request on your behalf. The agent must provide proof that you authorized them to act for you, and we may ask you to verify your identity directly with us.

8.3 Appeals

If we deny your request in whole or in part, you can appeal by replying to our denial within sixty (60) days. We will respond to appeals within the timeframe required by applicable law. If you remain unsatisfied, you may contact your state Attorney General.

8.4 Marketing Choices

You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, replying STOP to a marketing SMS, or emailing privacy@autonomichealth.ai. We will continue to send transactional and service-related communications even if you opt out of marketing.

9. State-Specific Privacy Disclosures

9.1 California (CCPA / CPRA and CMIA)

California residents have the rights described in Section 8 under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the "CCPA"). The categories of personal information we collect, the sources, purposes, recipients, and retention are described in Sections 2 through 10 of this Privacy Policy.

Sensitive personal information. We collect categories of "sensitive personal information" under the CCPA, including precise geolocation (where you grant permission), account log-in credentials, and information concerning health (including biometric and Health Data). We use sensitive personal information only to perform the Services, and for the additional purposes permitted by 11 C.C.R. § 7027(m), including security, fraud prevention, and short-term transient use.

Sale and sharing. We do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA.

Confidentiality of Medical Information Act. Where we receive medical information directly from a California provider or under a written authorization, we treat that information as "medical information" under the California Confidentiality of Medical Information Act (Cal. Civ. Code §§ 56 et seq.) and use and disclose it only as permitted by that statute, by your written authorization, or by HIPAA.

Shine the Light. California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

9.2 Washington (My Health My Data Act)

Washington residents and consumers whose Consumer Health Data is collected in Washington are protected by the Washington My Health My Data Act (RCW 19.373). A separate Consumer Health Data Privacy Policy describing our practices for Consumer Health Data and your specific rights under that statute is posted on our homepage and in the App. The separate policy controls in the event of a conflict with this Privacy Policy with respect to Consumer Health Data.

9.3 Nevada (SB370)

Nevada residents have rights under the Nevada Consumer Health Data Privacy Law (SB370) similar to those described in our Washington Consumer Health Data Privacy Policy. To exercise those rights, contact privacy@autonomichealth.ai.

9.4 Other State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Utah, Iowa, Indiana, Tennessee, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, Rhode Island, and other states that have enacted comprehensive consumer privacy laws may have rights similar to those described in Section 8. To exercise those rights, contact privacy@autonomichealth.ai. We will respond within the timeframe required by your state's law.

10. Data Retention

We retain personal information only for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods depend on the category of information:

Category: Account information
Retention: Duration of account plus the period required to defend potential claims (typically 6 years).

Category: ANS Test results and Health Data
Retention: Duration of account plus the medical-records retention period required by the state in which the ordering Clinician practices (typically 7 to 10 years; longer for minors).

Category: Clinician-generated medical records
Retention: Held by the Clinician or their professional entity according to applicable state medical-records laws.

Category: Audit logs and security records
Retention: Up to 7 years to support compliance, security investigations, and legal defense.

Category: Payment and billing records
Retention: 7 years, consistent with U.S. tax and accounting requirements.

Category: Marketing data
Retention: Until you withdraw consent or until a period of inactivity has elapsed, whichever occurs first.

Category: De-identified and aggregated data
Retention: Retained indefinitely, including after account deletion. See Section 4.

When data is no longer needed, we securely delete or further de-identify it.

11. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption of personal information in transit (TLS 1.2 or higher) and at rest.

  • Role-based access controls, multi-factor authentication, and least-privilege provisioning.

  • Regular vulnerability scanning, penetration testing, and independent security assessments.

  • HIPAA-aligned policies, including a written information security program, incident response plan, and workforce training.

  • Vendor security review for service providers handling personal information or PHI.

No method of transmission or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any unauthorized use of your account.

Breach notification. If a breach of unsecured PHI or other personal information occurs, we will provide notification consistent with HIPAA's Breach Notification Rule and applicable state breach-notification laws.

12. Children's Privacy

The Services are intended for users 18 years of age or older. We do not knowingly collect personal information from individuals under 18 without verifiable parental or guardian consent, and we do not knowingly collect personal information from children under 13 except in compliance with the Children's Online Privacy Protection Act ("COPPA"). If you believe we have inadvertently collected information from a child, please contact privacy@autonomichealth.ai and we will promptly delete it.

13. Third-Party Links and Services

The Services may include links to third-party websites, integrations with third-party platforms (such as App Stores, wearable manufacturers, payment processors, and partner brands), and content from third parties. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third party whose services you access.

14. International Users

The Services are offered to and intended for users located in the United States. If you access the Services from outside the United States, you do so at your own risk and you acknowledge that your information will be processed in the United States, where data-protection laws may differ from those in your jurisdiction. We do not currently offer the Services to residents of the European Economic Area, the United Kingdom, or other jurisdictions where additional registrations or compliance steps would be required.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on the Site, providing in-App notice, or sending email or other reasonable notice, and we will update the "Last Updated" date. Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy.

16. How to Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, contact:

Autonomic Health, Inc.

Privacy: privacy@autonomichealth.ai

General: info@autonomichealth.ai

Website: https://www.autonomichealth.ai

We are committed to working with you to address questions about your privacy.

END OF PRIVACY POLICY