Privacy Policy — Salud AI
Effective Date: August 2025
Last Updated: August 2025
1) Who We Are and Scope
Salud AI (“Salud AI,” “we,” “us,” “our”) provides a consumer mobile/web application that helps users log and organize health‑related information, receive wellness and precautionary guidance, and generate sharable summaries. Salud AI is not a health care provider and does not offer medical care or telehealth at this time. Our Service is intended for U.S. users.
This Privacy Policy explains how we collect, use, disclose, and protect information, including Consumer Health Data (CHD) and other personal information, and describes your rights and choices. This Policy applies to our app, website, and related services (collectively, the “Service”).
Important: Some laws apply to data even if HIPAA does not. We operate with HIPAA‑aligned safeguards and also comply with state CHD laws (e.g., Washington’s My Health My Data Act and Nevada SB370) and the FTC Health Breach Notification Rule for health apps. If in the future we add clinical services or integrate with covered entities, certain data we handle may become Protected Health Information (PHI) under HIPAA; we’ll update this Policy and provide any required Notice of Privacy Practices at that time.
2) Key Terms (Plain English)
• Personal Information / Personal Data: Information that identifies or relates to you, like your name or email.
• Consumer Health Data (CHD): Health‑related information regulated by certain states (e.g., WA, NV). It can include symptom logs, conditions, wellness goals, and location data associated with health inferences.
• Protected Health Information (PHI): Individually identifiable health information regulated by HIPAA when handled by covered entities/business associates.
• De‑identified / Aggregated Data: Data that cannot reasonably identify you.
3) Information We Collect
We collect information you provide, we receive automatically, and we get from integrations you choose to connect.
You provide:
• Account info: name, email, phone (optional), password.
• Health inputs: symptoms, history, medications, lifestyle, uploaded documents (lab results, prescriptions, bills), notes, and goals you log.
• Communications: messages to support, feedback, survey responses.
• Consent choices: collection/sharing authorizations, marketing preferences.
Automatically:
• Device and usage data: app version, device type, OS, crash logs, session metrics, in‑app interactions.
• Approximate location (if you enable it in your device settings). We do not use geofencing around health facilities.
From integrations (optional, only if you connect them):
• Apple Health, Google Fit, wearables, or EHR portals (e.g., through FHIR/SMART‑on‑FHIR) may send metrics you authorize (steps, heart rate, sleep, etc.). You can disconnect any time in settings.
Payment data: If you purchase premium features, our payment processor (e.g., Stripe) collects card/billing details; we do not store full card numbers.
Children: The Service is not for children under 13. If you are 13–17, use requires a parent/guardian’s consent. If we learn we collected data from a child under 13, we’ll delete it.
4) How We Use Information
• Provide and improve the Service (features, stability, safety, personalization).
• Wellness guidance and content (informational only; no diagnosis or treatment).
• Summaries and reports you can share at your discretion.
• Customer support and communications about changes, security, and features.
• Research and analytics (using de‑identified/aggregated data).
• Compliance and safety (protect against fraud, security incidents, or misuse; meet legal obligations).
We do not sell your CHD or PHI. We do not use geofencing around health care facilities.
5) Our Legal/Compliance Footing (U.S. Focus)
• HIPAA (future‑ready): We implement HIPAA‑aligned safeguards. If/when Salud AI becomes a covered entity or business associate through new clinical features, we will issue a HIPAA Notice of Privacy Practices and update our vendor BAAs.
• FTC Health Breach Notification Rule: As a health app, we will notify you (and, if required, regulators/media) in the event of certain data breaches not covered by HIPAA.
• State CHD Laws (WA/NV and others): We obtain separate, distinct opt‑in consent before collecting or sharing CHD where required; we prohibit geofencing around health facilities; and we provide access/deletion/withdrawal rights as mandated.
• California CPRA: If CPRA applies, we honor rights to know/access, delete, correct, limit use of sensitive personal info, and opt‑out of sale/share. We do not sell personal information.
6) How We Share Information
We share information only as needed and with protections:
• Service providers (processors): cloud hosting, analytics, security, support, email/SMS, document processing—bound by contracts to use data only to provide services for us and to protect it.
• Integrations you enable: Apple Health/Google Fit/EHRs—data flows as you authorize and control.
• At your direction: If you share a report with your clinician or third parties, that disclosure is initiated by you.
• Legal/safety: To comply with law, regulation, court order, or to protect rights, safety, or security.
• Business transfers: In a merger, acquisition, or similar event; we’ll require successors to honor this Policy.
• De‑identified/aggregated data: For research, analytics, or insights that do not identify you.
We do not use geofencing to identify, track, or target users around health facilities, and we do not sell CHD. If in the future we consider selling CHD, we would first obtain valid written authorization in states that require it and give you clear choices. At present, we do not sell CHD.
7) Your Rights and Choices
Account & Preferences. You can update profile info and manage connected integrations in settings.
Access, Correction, Deletion, and Consent Withdrawal.
• Request access to or deletion/correction of your data.
• Withdraw consent for CHD collection/sharing (where required); we’ll stop future collection/sharing and delete per law (subject to lawful retention needs).
• We will verify requests and respond within applicable timelines.
California (CPRA) rights (if applicable): know/access, delete, correct, limit sensitive personal information use, and opt‑out of sale/share (we do not sell). We do not discriminate for exercising rights.
Washington (MHMDA) & Nevada (SB370) rights (if applicable): clear CHD privacy disclosures, separate opt‑in consent for collection and for sharing, no geofencing, and rights to access and delete CHD; processes for revoking authorizations and processors bound by contract.
To exercise rights: email info@salud.love or use in‑app privacy controls. We will verify your identity and fulfill requests as required by law.
8) Security
We use administrative, technical, and physical safeguards designed to protect data (e.g., encryption in transit/at rest, access controls, audit logging, vulnerability management). No system is 100% secure. If a breach occurs, we will notify you and applicable authorities consistent with law.
9) Data Retention
We retain data only as long as needed for the purposes in this Policy, to provide the Service, for security/fraud prevention, to comply with legal obligations, and to resolve disputes. You may request deletion at any time—subject to legal retention requirements.
10) International Users
The Service is intended for the United States. If you access it from elsewhere, you do so at your own risk and consent to U.S. processing.
11) Third‑Party Websites/Services
We are not responsible for third‑party sites/services linked in the app. Review their privacy policies.
12) Changes to This Policy
We may update this Policy. We will post the updated version with a new Effective Date and notify you of material changes (e.g., via email, in‑app).
13) Contact Us
Salud AI Privacy Team
Email: info@salud.love
If you have a disability and need this Policy in an alternative format, contact us.