Privacy Policy

1. Scope and Applicability

This Privacy Policy applies to:

• Healthcare organizations that license or use the Platform;
• Authorized healthcare professionals, staff, contractors, and administrators using the Platform on behalf of a healthcare organization;
• Visitors to our websites and portals that link to this Privacy Policy.

This Privacy Policy does not apply to third-party websites, services, or applications that may integrate with or be linked from the Platform.

Where Guroo Health processes Protected Health Information (PHI) on behalf of a Customer, we act as a Business Associate (as defined under the U.S. Health Insurance Portability and Accountability Act of 1996, "HIPAA") or equivalent service provider under applicable data protection laws, and our handling of such data is governed by a separate Business Associate Agreement (BAA) or data processing agreement.

2. Information We Collect

2.1 Information Provided by Customers and Users

We may collect information that Customers or Users provide directly, including:

• Account Information: Name, work email address, role, organization name, and authentication credentials;
• Organizational Data: SOPs, workflows, policies, internal documentation, task definitions, and operational content uploaded or created within the Platform;
• Communications: Messages, support requests, feedback, and other communications with Guroo Health;
• Configuration Data: Customizations, preferences, and settings for practice-specific workflows and mini-apps.

2.2 Voice and Audio Data

When enabled by the Customer, the Platform may collect:

• Voice Inputs and Audio Recordings submitted by Users for the purpose of knowledge retrieval, SOP guidance, task execution, or documentation support;
• Transcriptions and Derived Outputs generated from voice inputs.

Voice features are configurable and may be disabled or restricted by the Customer at any time.

2.3 Health and Patient-Related Information

Depending on Customer configuration and use, the Platform may process limited patient-related or clinical context information, including PHI, strictly as instructed by the Customer. Guroo Health does not require Customers to upload PHI unless necessary for a specific, authorized use case.

2.4 Automatically Collected Information

We may automatically collect certain technical information, including:

• IP address, device type, browser type, operating system;
• Log data, usage metrics, feature interaction data;
• Performance and diagnostic data.

This information is used to operate, secure, and improve the Platform.

3. How We Use Information

We use collected information to:

• Provide, operate, and maintain the Platform;
• Enable AI-driven and voice-driven knowledge management, SOP guidance, and workflow assistance;
• Configure and deliver practice-specific mini-apps and productivity tools;
• Improve Platform performance, reliability, and usability;
• Monitor security, prevent fraud, and ensure compliance;
• Provide customer support, training, and communications;
• Comply with legal, regulatory, and contractual obligations.

AI and Machine Learning Use

AI models used within the Platform:

• Operate primarily on Customer-provided data for the purpose of delivering requested functionality;
• Generate outputs such as recommendations, summaries, task guidance, and SOP navigation;
• Are designed to support—not replace—professional judgment.

We do not use Customer PHI to train generalized AI models without explicit contractual authorization.

4. How We Share Information

We may share information only as follows:

4.1 With Customers

Information is made available to the Customer organization and its authorized Users according to access controls and roles defined by the Customer.

4.2 Service Providers and Subprocessors

We may share information with trusted third-party service providers who perform services on our behalf, such as cloud hosting, transcription, analytics, and security services. These providers are contractually obligated to protect data and use it only as instructed.

4.3 Legal and Regulatory Disclosures

We may disclose information if required to do so by law, regulation, court order, or governmental request, or to protect the rights, safety, or security of Guroo Health, Customers, or others.

4.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, information may be transferred as part of the transaction, subject to appropriate confidentiality protections.

5. Data Security

Guroo Health implements administrative, technical, and physical safeguards designed to protect information, including:

• Encryption in transit and at rest;
• Role-based access controls;
• Audit logging and monitoring;
• Secure development and operational practices;
• Regular security reviews and risk assessments.

No system can be guaranteed to be 100% secure; however, we take reasonable and appropriate measures consistent with healthcare industry standards.

6. Data Retention

We retain information only for as long as necessary to:

• Provide the Platform and services;
• Meet contractual obligations;
• Comply with legal and regulatory requirements.

Retention periods for PHI are governed by the applicable BAA or data processing agreement. Upon termination of services, data will be returned or deleted in accordance with contractual terms.

7. User Rights and Choices

Depending on applicable law, Users may have rights to:

• Access, correct, or update personal information;
• Request deletion or restriction of processing;
• Object to certain processing activities.

Requests should be directed to the Customer organization, which controls data access and permissions. Guroo Health will assist Customers in responding to verified requests as required by law.

8. International Data Transfers

Guroo Health is headquartered in the United States. Our engineering, operations, and customer success teams, as well as certain service providers, may be located in other countries, including the Philippines.

When personal data or PHI is accessed or processed outside the United States, such processing is performed solely to support U.S.-based healthcare Customers and is subject to:

• HIPAA and applicable U.S. healthcare privacy requirements;
• Contractual safeguards, including confidentiality obligations, access controls, and security requirements;
• Policies and procedures designed to ensure that offshore access does not alter the Customer's role as Covered Entity or Guroo Health's role as Business Associate.

We implement appropriate technical and organizational measures to ensure that cross-border access does not compromise the confidentiality, integrity, or availability of data.

9. Children's Privacy

The Platform is not intended for use by individuals under the age of 18, and we do not knowingly collect personal information from children.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform or other appropriate means. Continued use of the Platform after updates constitutes acceptance of the revised Privacy Policy.

11. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

Appendix A: HIPAA-Specific Disclosures

A.1 Role Under HIPAA

When providing services to healthcare organizations, Guroo Health acts as a Business Associate to Covered Entities, as defined under HIPAA. We process PHI solely on behalf of and in accordance with written instructions from our Customers and applicable Business Associate Agreements (BAAs).

A.2 Permitted Uses and Disclosures of PHI

Guroo Health may use or disclose PHI only to:

• Perform services as described in our agreements with Customers;
• Support Platform functionality, including AI-assisted knowledge retrieval and workflow support;
• Comply with applicable legal requirements;
• Support internal operations, provided such use does not involve training generalized AI models.

A.3 Safeguards

We maintain safeguards consistent with the HIPAA Security Rule, including administrative, physical, and technical protections designed to:

• Ensure the confidentiality, integrity, and availability of PHI;
• Protect against reasonably anticipated threats or hazards;
• Prevent impermissible uses or disclosures.

A.4 Subcontractors

All subcontractors that may access PHI are required to enter into written agreements imposing HIPAA-compliant obligations consistent with Guroo Health's role as a Business Associate.

Appendix B: AI & Voice Transparency

B.1 Purpose of AI and Voice Features

Guroo Health's AI-driven and voice-driven features are designed to support healthcare staff by:

• Enabling fast retrieval of SOPs, policies, and institutional knowledge;
• Assisting with task guidance, workflow navigation, and documentation support;
• Improving operational efficiency for both clinical-adjacent and back-office activities.

These features are intended as decision-support tools and do not provide medical advice or replace professional judgment.

B.2 Data Inputs

Depending on Customer configuration, AI and voice features may process:

• User-submitted text, voice inputs, and audio recordings;
• Transcriptions and metadata derived from such inputs;
• Customer-provided operational content, SOPs, and workflows.

B.3 Model Behavior and Training

• AI models operate within defined scopes based on Customer configurations.
• Customer data, including PHI, is not used to train generalized or cross-customer AI models.
• Any model improvement activities involving Customer data require explicit contractual authorization.

B.4 Human Oversight

Customers retain full control over:

• Whether AI and voice features are enabled;
• Which Users may access such features;
• The content made available to AI systems.

AI outputs should be reviewed by Users prior to reliance or action.

B.5 Data Retention and Deletion

Voice recordings and transcriptions are retained only as long as necessary to provide requested functionality and in accordance with Customer-defined retention settings and contractual obligations.

Appendix C: Privacy Summary (Short Form)

Guroo Health provides an AI-enabled platform that helps healthcare organizations manage SOPs, operational knowledge, and back-office workflows.

Enterprise hospital systems, multi-site practices, and small clinics.

We act as a Business Associate when handling PHI and process data only on Customer instructions.

AI and voice features support staff efficiency and do not replace professional judgment. Customer PHI is not used to train generalized AI models.

We apply healthcare-grade security controls aligned with HIPAA requirements.

Customers control their data, configurations, and access permissions.

Contact us at privacy@guroo.health