Concierge Medicine for All 🥰
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Last Updated: August 14, 2025
IMPORTANT NOTICE REGARDING AI SERVICES: WHEN YOU USE OUR PREMIUM AI HEALTH ASSISTANT FEATURES, YOUR PROTECTED HEALTH INFORMATION (PHI) WILL BE SHARED WITH THIRD-PARTY AI SERVICE PROVIDERS THAT ARE NOT COVERED BY HIPAA. SEE SECTION "USES AND DISCLOSURES FOR AI PROCESSING" FOR DETAILS.
This Notice applies to Almry ("we," "us," or "our") and its services. The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is a federal law that requires us to maintain the privacy of your Protected Health Information ("PHI").
Our Role and Responsibilities
The Almry application is primarily a tool that you, the user, control. In its default Local Storage Mode, your PHI is stored only on your device, and we do not have access to it; in this context, we are not acting as a "Covered Entity" or "Business Associate" under HIPAA with respect to that data.
When you voluntarily enable Hosted Storage Mode or use Premium AI features, you authorize us to store and process your PHI on your behalf to facilitate certain services, such as lab test ordering and AI health assistance. In this capacity we:
Maintain the privacy and security of your PHI stored on our servers to the extent required by law.
Provide you with this Notice of our legal duties and privacy practices.
Notify you following a breach of your unsecured PHI.
Follow the terms of the Notice that is currently in effect.
Important: Obtain your explicit authorization before sharing your PHI with third-party AI providers that are not covered by HIPAA.
Uses and Disclosures of Your PHI
The following categories describe different ways that we may use and disclose your PHI when you have enabled Hosted Storage Mode or Premium features.
For Treatment, Payment, and Health Care Operations:
Treatment: We may disclose your PHI to lab partners when you order a test.
Payment: We use your PHI to bill you or a third-party payment processor for services you purchase, such as lab tests.
Health Care Operations: We may use your PHI for our business operations, including:
Quality assessment and improvement activities
Customer service and complaint resolution
Business planning and development
Comprehensive audit logging including:
Access timestamps and duration
IP addresses and geolocation data
Device information (ID, type, OS, browser)
Actions performed on PHI
User authentication methods
Security monitoring and fraud prevention
Risk assessment and management
Uses and Disclosures for AI Processing (Requires Your Authorization):
Third-Party AI Providers: When you use our Premium AI Health Assistant features, we share your complete health records and medical information with third-party AI service providers including but not limited to:
Google (Gemini models)
OpenAI (GPT models)
Anthropic (Claude models)
X.AI (Grok models)
Other AI providers as we may add
IMPORTANT HIPAA LIMITATION: These AI providers are NOT Business Associates under HIPAA. This means:
They are not legally required to protect your PHI under HIPAA
They may process your data on servers outside the United States
They may retain your data according to their own policies (typically 30-90 days)
We cannot control how they handle your PHI once shared
You have limited rights to request changes or deletions from AI providers
Your data may be used to improve AI services (though typically not for training on individual data)
Different privacy laws may apply depending on the AI provider's jurisdiction
Your Authorization: By enabling and using Premium AI features, you provide written authorization for us to disclose your PHI to these third parties. You may revoke this authorization at any time by discontinuing use of Premium AI features, but this will not affect disclosures already made.
As Required By Law: We will disclose PHI about you when required to do so by federal, state, or local law.
To Avert a Serious Threat to Health or Safety: We may use and disclose PHI about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Public Health Risks: We may disclose PHI for public health activities, such as to prevent or control disease, injury, or disability.
Legal Proceedings: We may disclose PHI in the course of any judicial or administrative proceeding, in response to a court order, subpoena, or other lawful process.
Law Enforcement: We may release PHI if asked to do so by a law enforcement official in response to a warrant, summons, or similar process.
Uses and Disclosures That Require Your Authorization
Other uses and disclosures of PHI not covered by this Notice or the laws that apply to us will be made only with your written permission ("Authorization"). This includes:
Most uses and disclosures of PHI for marketing purposes
Disclosures that constitute a sale of PHI
Sharing PHI with AI providers for Premium features (as described above)
You may revoke an Authorization at any time, in writing, but it will not affect any actions we have already taken.
Your Rights Regarding Your PHI
You have the following rights regarding the PHI we maintain about you in Hosted Storage Mode:
Right to Access: You have the right to inspect and get a copy of the PHI we maintain about you. You can access and export your data directly from the Almry app. Note: We cannot retrieve PHI already shared with third-party AI providers.
Right to Amend: If you feel that PHI we have about you is incorrect or incomplete, you may ask us to amend the information. We may deny your request for certain reasons, but we will tell you why in writing. Note: We cannot amend information already sent to AI providers.
Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we made of your PHI, including disclosures to AI providers.
Right to Request Restrictions: You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment, or health care operations. We are not required to agree to your request, but we will try to accommodate it. You may restrict AI processing by not using Premium features.
Right to a Paper Copy of This Notice: You are entitled to a paper copy of this notice at any time.
Right to Be Notified of a Breach: You have the right to be notified following a breach of your unsecured PHI, including breaches involving AI providers to the extent we become aware of them.
Right to Revoke Authorization: You have the right to revoke your authorization for us to share PHI with AI providers by discontinuing use of Premium AI features. This will not affect disclosures already made.
Special Considerations for AI Processing
When your PHI is shared with AI providers:
No HIPAA Protection: AI providers are not bound by HIPAA and may handle your data according to their own privacy policies
Limited Control: We cannot force AI providers to delete or correct your PHI
Data Location: Your PHI may be processed and stored in various countries
Retention Periods: AI providers may retain your data for varying periods (typically 30 days or less)
Alternative Option: You can use local AI models (Free tier) which process data only on your device
Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, please contact our Privacy Officer at the email address below. You will not be penalized for filing a complaint.
Questions About AI and Your Privacy
We understand you may have specific concerns about AI processing of your health information. Our Privacy Officer is available to discuss:
How AI providers handle your data
Your options for using our services without AI
Steps you can take to protect your privacy
Any concerns about third-party data handling
De-Identified Data and Research
We may create and use de-identified health information that cannot reasonably be used to identify you. Once information is de-identified in accordance with HIPAA standards (Safe Harbor or Expert Determination methods), it is no longer subject to this Notice and may be used for:
Healthcare research and analytics
Product and service development
Public health initiatives
Industry benchmarking
Publication of health trends and insights
Comprehensive Security Monitoring
To protect your PHI and comply with HIPAA Security Rule requirements, we maintain detailed audit logs that track:
All access to PHI (who, what, when, where, why)
Login attempts and authentication events
Data exports and sharing activities
System changes and administrative actions
Security incidents and breach attempts
These audit logs are retained for a minimum of 6 years as required by HIPAA.
Your Additional Rights
Right to Request Alternative Communications: You may request that we communicate with you about your PHI in a specific way or at a specific location.
Right to Notification of Future Uses: If we intend to use your PHI for purposes not covered in this Notice, we will seek your authorization first.
Right to Opt-Out of Certain Uses: You may opt out of certain uses of your PHI, such as for research purposes, while still using our core Services.
Contact Information
If you have any questions about this Notice, including questions about AI processing of your PHI, audit logging practices, or de-identified data use, please contact our Privacy Officer at privacy@almry.com.