Privacy Policy

Last Updated: April 2, 2026

The Short Version

We do not sell your personal data or Protected Health Information (PHI).
Your clinical sessions, notes, and patient data are encrypted at rest and in transit.
We do not use your private data to train public AI models.
We comply with the HIPAA Privacy and Security Rules for all clinical data.
You have the right to access, amend, and request deletion of your data at any time.

At Apollonian Health ("Apollonian," "we," "us," or "our"), we are committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information — including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — when you use our platform.

1. Information We Collect

Account Information: When you create an account, we collect your name, email address, and professional credentials. We use Firebase Authentication for secure identity management.

Clinical Session Data (PHI): When providers use our recording and note generation features, we process audio recordings, transcripts, and AI-generated clinical notes. This data constitutes Protected Health Information under HIPAA.

Patient Information (PHI): Patient names, contact information, demographic data, and clinical history entered by providers are stored securely in our platform.

Journal & Wellness Data: For individual users, we store journal entries, mood tracking, and conversations with our AI wellness companions.

Payment Information: Subscription payments are processed securely by Stripe. Apollonian does not store credit card numbers on our servers.

Usage & Technical Data: We automatically collect IP addresses, browser type, pages visited, and access timestamps for security auditing (as required by HIPAA § 164.312(b)).

2. How We Use Your Information

We use your information exclusively to:

Provide, maintain, and improve the Apollonian platform and its clinical tools.
Generate AI-assisted clinical notes from recorded therapy sessions.
Provide personalized wellness insights and reflections.
Process subscription payments (via Stripe).
Send technical notices, security alerts, and support messages.
Maintain HIPAA-required audit logs of PHI access for compliance purposes.

3. HIPAA Compliance & Protected Health Information

Apollonian acts as a Business Associate under HIPAA when processing clinical data on behalf of healthcare providers (Covered Entities). We maintain the following safeguards:

Encryption: All PHI is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Access Controls: Role-based access ensures only authorized users can view patient data.
Audit Logging: Every access to PHI is automatically recorded with user, timestamp, IP address, and action type.
Session Security: Automatic logoff after 1 hour of inactivity, as recommended by HIPAA § 164.312(a)(2)(iii).
Business Associate Agreements: We maintain signed BAAs with all subprocessors who handle PHI.
Minimum Necessary Standard: We limit PHI access to the minimum amount required for each function.

4. Audio Recording & AI Processing

Recording: Clinical session recordings are captured with provider consent and are encrypted immediately upon upload.

AI Transcription: Audio recordings are processed by Google's Gemini AI for transcription and note generation. Google maintains a HIPAA Business Associate Agreement with us and does not use your data to train their models.

Data Retention: Audio files may be configured for automatic deletion after processing is complete. Transcripts and clinical notes are retained per the provider's data retention policy and applicable state law.

5. Subprocessors & Third Parties

We engage the following third-party service providers who may process PHI:

Provider	Service	Data Processed
Google Cloud Platform	Hosting, database, storage	All platform data including PHI
Google Gemini API	AI transcription & note generation	Audio, transcripts, clinical context
Firebase Authentication	Identity & login management	Email, name, auth tokens
Stripe	Payment processing	Payment info only (no PHI)

We do not sell, rent, or share PHI with any third party for marketing or advertising purposes.

6. Your Rights Under HIPAA

If you are a patient whose data is processed through our platform, you have the right to:

Access: Request a copy of your health records maintained in our system.
Amendment: Request correction of inaccurate health information.
Accounting of Disclosures: Request a record of when and to whom your PHI has been disclosed.
Restriction: Request limitations on how your PHI is used or disclosed.
Confidential Communications: Request that we communicate with you through a specific channel.

To exercise any of these rights, please contact your healthcare provider or reach out to us directly.

7. Data Deletion

You have full control over your data. Providers can delete patient records, clinical notes, and audio recordings at any time. Individual users can permanently delete their account and all associated data from their Profile settings. Once deleted, this data cannot be recovered.

Note: Certain data may be retained as required by applicable state and federal law (e.g., clinical notes may be retained for 7–10 years per state medical record requirements). HIPAA audit logs are retained for a minimum of 6 years.

8. Breach Notification

In the unlikely event of a data breach involving unsecured PHI, we will:

Notify affected individuals within 60 days of discovery.
Notify the U.S. Department of Health and Human Services (HHS).
Notify prominent media outlets if more than 500 individuals in a single state are affected.

9. Changes to this Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice within the app. The "Last Updated" date at the top of this page will always reflect the most recent revision.

If you have any questions about this Privacy Policy or our HIPAA compliance practices, please contact us.