Privacy Policy

Overview

Ailva is a clinical intelligence platform operated by Truthbound Industries Inc. (“we,” “us,” or “our”), based in Austin, TX. This Privacy Policy describes how we collect, use, store, and protect information when you use Ailva and the ailva.ai website. By using our services, you agree to the practices described in this policy.

Information We Collect

Account information: When you create an account, we collect your NPI number, name, email address, and professional credentials. We verify your NPI against the NPPES registry to confirm your status as a licensed healthcare professional.

Usage data: We collect clinical queries you submit, the responses generated, and your interactions with platform features. This data is used to improve the service and is not linked to individual patient records.

Technical data: We collect IP address, device type, and browser information. On the marketing site, this data is collected via Plausible Analytics, which is entirely cookie-free and does not track individual users.

How We Use Information

We use the information we collect to: verify your professional credentials via the NPPES registry, provide clinical evidence responses to your queries, improve evidence synthesis accuracy and relevance, communicate service updates and important notices, and perform rate limiting and security monitoring to protect the platform.

Patient Data

Ailva does not store patient-identifiable health information. Clinical queries may contain de-identified clinical context such as age, sex, conditions, medications, or lab values. These are not linked to individual patient records.

Users must not enter patient names, medical record numbers, dates of birth, Social Security numbers, or other HIPAA identifiers into Ailva. Ailva is a clinical evidence tool, not an electronic health record system.

De-identification methodology: Where clinical queries contain contextual health information, such data is treated as de-identified only when it meets the HIPAA Safe Harbor standard (45 CFR 164.514(b)(2)), which requires the absence of all 18 categories of identifiers specified by the rule. Ailva does not apply the Expert Determination method (45 CFR 164.514(b)(1)). If any query is found to contain identifiers, it is flagged, removed from general processing, and handled in accordance with our breach notification procedures.

Third-Party Service Providers

We do not sell your personal information. We work with the following service providers to operate Ailva:

Neon (PostgreSQL database hosting, US) stores account and query data. Vercel (application hosting, US) processes web requests. Upstash (rate limiting infrastructure, US) enforces usage limits. Resend (transactional email, US) sends account-related emails. Sentry (error monitoring, US) receives error data with personally identifiable information scrubbed. Plausible (analytics, EU) provides cookie-free, privacy-first analytics on the marketing site only.

Because Ailva does not process Protected Health Information (PHI) and our Terms of Service prohibit physicians from entering identifiable patient data, Business Associate Agreements (BAAs) are not required at this time. All service providers are contractually bound to data protection provisions consistent with industry standards. As Ailva's capabilities expand, we will execute BAAs with all vendors that process, store, or transmit PHI, as required by the HIPAA Privacy Rule (45 CFR 164.502(e)) and Security Rule (45 CFR 164.314(a)).

In production, clinical query processing uses self-hosted infrastructure. No clinical query content is shared with third-party AI services. We may share anonymized, aggregated usage statistics with advertising partners to demonstrate audience reach. Individual queries and account information are never shared with advertisers.

Data Retention

Account data is retained while your account is active and deleted within 30 days of account closure. Clinical queries are retained for 2 years for service improvement, then de-identified using the HIPAA Safe Harbor method (45 CFR 164.514(b)(2)), which requires the removal of all 18 categories of identifiers, or permanently deleted. Session data is automatically expired after 30 minutes of inactivity. Transactional email metadata is retained per Resend’s data retention policy.

In all data handling practices, we apply the HIPAA minimum necessary principle (45 CFR 164.502(b)): we collect, use, and retain only the minimum amount of information required to fulfill each stated purpose.

Your Rights

You have the right to: access a copy of the data we hold about you, correct any inaccurate information, delete your account and all associated data, and request portability of your data in a machine-readable format.

To exercise any of these rights, contact us at contact@ailva.ai. We will respond to your request within 30 days.

Data Security

We implement robust security measures to protect your information. All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Passwords are hashed with Argon2id. Multi-factor authentication is available for all accounts. Rate limiting is enforced on all endpoints. We conduct regular security assessments to identify and address potential vulnerabilities.

Breach Notification

In the event of a breach of unsecured Protected Health Information, Truthbound Industries Inc. will notify affected individuals without unreasonable delay and no later than 60 calendar days from the date the breach is discovered, as required by the HIPAA Breach Notification Rule (45 CFR 164.404). Notification will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries. If a breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services (HHS) and prominent media outlets serving the affected area, as required by 45 CFR 164.406 and 45 CFR 164.408.

California and U.S. State Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. Similar rights may apply to residents of Virginia, Colorado, Connecticut, and other states with comprehensive privacy legislation.

Categories of personal information collected: We collect identifiers (NPI number, name, email address, IP address), professional information (specialty, credentials), internet or electronic network activity (clinical queries, engagement events, browsing data), and inferences drawn from the above (specialty-based content recommendations).

Purpose of collection: We collect personal information for the business purposes described in this Privacy Policy, including providing the Service, contextual advertising, service improvement, and security.

Sale or sharing of personal information:We do not sell personal information as defined under the CCPA. We may share de-identified, aggregate data with advertising partners for contextual ad targeting, which does not constitute a “sale” under the CCPA because the data is not reasonably linkable to an individual. We honor the Global Privacy Control (GPC) signal as a valid opt-out request.

Your rights under CCPA/CPRA: You have the right to (1) know what personal information we collect, use, and disclose, (2) request deletion of your personal information, (3) correct inaccurate personal information, (4) opt out of the sale or sharing of personal information, and (5) not be discriminated against for exercising your privacy rights. To exercise any of these rights, contact us at contact@ailva.ai or use the “Your Privacy Choices” link on the site. We will respond to verifiable consumer requests within 45 days.

Do Not Track: We honor the Global Privacy Control (GPC) signal. We do not respond to browser-level Do Not Track (DNT) signals as there is no industry standard for compliance.

Analytics

The ailva.ai marketing site uses Plausible Analytics, a privacy-first analytics platform that is fully GDPR-compliant. No cookies are set by our analytics. No personal data is collected or stored by our analytics provider.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will post the revised policy on this page with an updated “Last updated” date. We encourage you to review this policy periodically.

Contact

For privacy inquiries, contact us at contact@ailva.ai.

Truthbound Industries Inc. · Austin, TX