Privacy Policy

Last updated: December 29, 2024

1. Introduction

Rivvi, Inc. ("Rivvi," "we," "us," or "our") provides a comprehensive patient engagement platform that enables healthcare organizations to communicate with patients through voice, text, and other digital channels. This Privacy Policy explains how we collect, use, disclose, and protect information when healthcare organizations ("Users") use our platform to engage with their patients.

This Privacy Policy applies to:

  • Healthcare organizations and their authorized personnel who use our platform
  • Information about patients that is processed through our platform
  • Visitors to our website

2. Definitions

  • "Users": Healthcare organizations, providers, health systems, and their authorized staff who have accounts on the Rivvi platform
  • "Patients": Individuals whose information is processed through our platform on behalf of Users
  • "Patient Data": All information related to patients that is collected, stored, or processed through our platform
  • "PHI": Protected Health Information as defined under HIPAA
  • "Platform": The Rivvi software, applications, and services

3. Our Role in Data Processing

3.1 HIPAA Business Associate

When processing PHI, Rivvi acts as a Business Associate to Covered Entities under HIPAA. We process PHI only as permitted by our Business Associate Agreements (BAAs) with Users and applicable law.

3.2 Data Processor

For patient data, we act as a data processor on behalf of our Users, who are the data controllers. We process patient data only according to User instructions and do not use it for our own purposes except as described in this policy.

4. Information We Collect

4.1 User Account Information

From healthcare organizations and their staff, we collect:

  • Organization name and contact information
  • User names, email addresses, and phone numbers
  • Account credentials and authentication data
  • Billing and payment information
  • Usage logs and platform interaction data

4.2 Patient Data Processed on Behalf of Users

Through our platform, Users may process:

  • Contact Information: Names, phone numbers, addresses, email addresses
  • Voice Data: Recordings of patient calls, voice biomarkers, call analytics
  • Communication Data: Call transcripts, text messages, email communications
  • Health Information: Medication lists, adherence data, appointment information, health conditions
  • Campaign Data: Responses to outreach campaigns, survey answers, engagement metrics
  • Uploaded Data: Information from Excel files, CSV uploads, or API transfers
  • Behavioral Data: Opt-in/opt-out preferences, communication preferences, response patterns

4.3 Automatically Collected Information

We automatically collect:

  • IP addresses and device information
  • Browser type and operating system
  • Platform usage statistics and performance data
  • Error logs and diagnostic information

5. How We Use Information

5.1 User Information

We use User information to:

  • Provide, maintain, and improve our platform
  • Authenticate users and manage accounts
  • Process payments and billing
  • Communicate about service updates and changes
  • Provide customer support
  • Ensure platform security and prevent fraud
  • Comply with legal obligations

5.2 Patient Data

We process Patient Data solely on behalf of and according to instructions from our Users to:

  • Enable patient engagement campaigns
  • Facilitate appointment scheduling and reminders
  • Support medication adherence programs
  • Provide voice and text communication services
  • Generate analytics and reports for Users
  • Maintain audit logs for compliance purposes
  • Detect and prevent fraud or abuse

5.3 Aggregated and De-identified Data

We may create aggregated, de-identified datasets to:

  • Improve our platform and services
  • Conduct healthcare industry research
  • Develop new features and capabilities
  • Create industry benchmarks and insights

Such data cannot be used to identify any individual patient.

6. Data Sharing and Disclosure

6.1 We Do Not Sell Patient Data

We never sell, rent, or trade Patient Data to third parties.

6.2 Sharing with User Instructions

We share Patient Data only as directed by our Users through the platform's functionality.

6.3 Service Providers

We may share information with trusted third-party service providers who assist us in operating our platform, including:

  • Cloud infrastructure providers (AWS, Google Cloud, Azure)
  • Telephony and SMS providers
  • Payment processors
  • Analytics services
  • Security and compliance auditors

All service providers are bound by confidentiality agreements and are only permitted to use information as necessary to provide services to us.

We may disclose information if required to do so by:

  • Court order or subpoena
  • Law enforcement request with proper legal authority
  • Compliance with applicable laws and regulations
  • Protection of rights, property, or safety

6.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, information may be transferred to the successor entity. We will notify Users of any such change.

7. Data Security

7.1 Security Measures

We implement comprehensive security measures including:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Multi-factor authentication for User accounts
  • Role-based access controls
  • Regular security audits and penetration testing
  • 24/7 security monitoring and incident response
  • HIPAA-compliant physical and technical safeguards

7.2 Breach Notification

In the event of a data breach affecting PHI, we will notify affected Users within 72 hours or as required by applicable law and assist with patient notifications as required under HIPAA.

8. TCPA Compliance Support

Our platform includes features to support Users' TCPA compliance:

  • Consent tracking and documentation
  • Time-of-day calling restrictions
  • Opt-out management and suppression
  • Call frequency controls
  • Do Not Call (DNC) registry integration

Users remain responsible for ensuring their use of the platform complies with TCPA and all applicable laws.

9. Data Retention

9.1 Retention Periods

  • Patient call recordings: Retained for 6 years unless otherwise specified by User
  • Transcripts and analytics: Retained for 6 years
  • Consent records: Minimum 4 years to support TCPA compliance
  • Opt-out records: Retained indefinitely
  • User account data: Retained for the duration of the account plus 6 years

9.2 Deletion Requests

Users may request deletion of Patient Data through their account dashboard or by contacting support. We will comply with deletion requests unless retention is required by law or contractual obligations.

10. Individual Rights

10.1 HIPAA Rights

Patients have rights under HIPAA to:

  • Access their health information
  • Request amendments to their records
  • Request restrictions on uses and disclosures
  • Request confidential communications
  • Receive an accounting of disclosures

Patients should direct these requests to their healthcare provider (our User), who may then instruct us to assist in fulfilling the request.

10.2 State Privacy Rights

Depending on location, individuals may have additional rights under state privacy laws. We will cooperate with Users to fulfill valid requests.

11. International Data Transfers

If we transfer data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard contractual clauses
  • Adequacy decisions
  • Privacy Shield certification (where applicable)

12. Children's Privacy

Our platform is not intended for use by children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will promptly delete it.

13. Cookies and Tracking

13.1 Platform Cookies

We use essential cookies to:

  • Maintain User sessions
  • Ensure platform security
  • Remember User preferences

13.2 Analytics

We may use analytics tools to understand platform usage and improve our services. Users can opt out of analytics tracking in their account settings.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify Users of material changes via email or platform notification. Continued use of our platform after changes constitutes acceptance of the updated policy.

15. Contact Information

For questions about this Privacy Policy or our privacy practices, contact us at:

Rivvi, Inc.
Email: support@rivvi.ai

Acknowledgment

By using the Rivvi platform, Users acknowledge that they have read and understood this Privacy Policy and agree to the collection, use, and disclosure of information as described herein.

© Copyright 2025 Rivvi AI, Inc.