Wellness District LLC and AURA GPT Privacy Policy
Effective Date: September 1, 2025
AURA GPT operates as a HIPAA-compliant Business Associate, providing wellness platform infrastructure that enables healthcare practitioners to securely host and serve their clients. We do not provide healthcare services directly; instead, we provide the secure technology foundation that allows qualified practitioners to deliver wellness services to their clients while maintaining the highest standards of data protection and regulatory compliance.
This privacy policy governs how we collect, use, protect, and share your information as both a platform infrastructure provider and a HIPAA Business Associate. Our commitment centers on strict data minimization, purpose limitation, and comprehensive security measures that protect all parties in our three-way relationship: AURA GPT, healthcare practitioners, and their clients.
Our role and your data rights
As a B2B2C wellness platform, we serve dual functions with distinct responsibilities. For healthcare practitioners who use our platform infrastructure, we act as a technology vendor and Business Associate under HIPAA. For the clients these practitioners serve, we process Protected Health Information (PHI) strictly according to practitioner instructions and HIPAA requirements.
Your data rights depend on your relationship with us: Practitioners have direct contractual rights and control over platform configuration, while clients have HIPAA-mandated access rights and state privacy law protections. All users can access, correct, or request deletion of their information subject to legal retention requirements and legitimate healthcare purposes.
Healthcare practitioners using our platform remain fully responsible for their patient care decisions, HIPAA compliance, and treatment relationships. We provide the secure infrastructure; practitioners provide the healthcare expertise and maintain ultimate responsibility for patient data protection.
Information we collect and process
Protected Health Information (PHI)
We process PHI exclusively as a Business Associate on behalf of healthcare practitioners. This includes clinical notes, treatment plans, appointment records, patient communications, billing information, and health assessment data. We also handle biometric identifiers when practitioners use our platform's authentication features, including voice patterns for telehealth sessions and device-based authentication data.
All PHI processing occurs under signed Business Associate Agreements with specific, limited purposes: platform operation, data storage, secure communication facilitation, appointment scheduling, and payment processing. We cannot and do not use PHI for our own business purposes, marketing, or analytics beyond what is specifically permitted under our Business Associate obligations.
Platform operational data
Beyond PHI, we collect information necessary for platform functionality: account registration details, subscription and billing information, technical support communications, and system usage analytics. This operational data receives the same security protections as PHI but may be used for platform improvement, customer service, and business operations.
We collect device information, IP addresses, and browser data necessary for security monitoring and fraud prevention. Location data is collected only when explicitly enabled for appointment scheduling or emergency contact purposes.
Third-party integrations
Our platform integrates with HIPAA-compliant payment processors, secure cloud storage providers, and communication services. Each integration operates under signed Business Associate Agreements with equivalent data protection standards. We maintain detailed documentation of all third-party data sharing and provide practitioners with granular control over which integrations process their clients' data.
How we protect your information
Comprehensive security framework
We implement HITRUST-certified security controls exceeding HIPAA Security Rule requirements. All PHI is encrypted with AES-256 encryption at rest and TLS 1.3+ in transit. Our access controls enforce role-based permissions with mandatory multi-factor authentication, automatic session timeouts, and continuous audit logging.
Physical safeguards include SOC 2 Type II certified data centers with biometric access controls, environmental monitoring, and 24/7 security personnel. Our technical infrastructure includes intrusion detection systems, automated vulnerability scanning, and real-time threat monitoring.
Network security measures include dedicated VPNs, network segmentation isolating PHI systems, and zero-trust architecture principles. We conduct quarterly penetration testing and maintain continuous security monitoring with immediate breach detection capabilities.
Data backup and disaster recovery
All PHI undergoes encrypted, geographically distributed backup processes with guaranteed 99.9% availability. Our disaster recovery procedures ensure complete data restoration within 4 hours of any system failure, with tested contingency plans for various emergency scenarios.
Backup retention follows healthcare industry standards: 7 years for adult patient records, until age 30 for minor patient records, with secure destruction procedures when legal retention periods expire.
Vendor management and supply chain security
Every vendor accessing our systems must meet or exceed our security standards through comprehensive due diligence assessments. Our supply chain security program includes regular vendor audits, continuous security rating monitoring, and immediate termination procedures for non-compliant providers.
Subcontractor relationships require identical HIPAA compliance standards with signed Business Associate Agreements that flow down all privacy and security obligations.
Your rights and choices
Access and correction rights
Under HIPAA, clients can access their PHI within 30 days of request (with one 30-day extension if needed). We provide electronic copies in requested formats when technically feasible, with no charges for electronic access through patient portals.
Practitioners can access and modify their account information, platform configurations, and business data immediately through their administrative dashboards. Both practitioners and clients can request corrections to inaccurate or incomplete information through our secure support channels.
Data portability and deletion
We support comprehensive data portability using FHIR standards and common healthcare data formats. Practitioners can export complete client records, and clients can direct their data to other healthcare providers or personal health apps.
Data deletion requests are processed according to legal retention requirements and legitimate healthcare purposes. Active treatment relationships and legal compliance obligations may require data retention beyond deletion requests, but we clearly communicate these limitations and timeline expectations.
Consent management and withdrawal
Clients can modify their consent preferences for non-essential platform features while maintaining necessary healthcare communication channels. Consent withdrawal options include: marketing communications, platform improvement analytics, optional feature participation, and third-party integration data sharing.
Practitioners control consent management for their practice-specific features and can configure granular privacy settings that clients can further modify within their patient portals.
Data sharing and disclosure
Permitted disclosures
We disclose PHI only as explicitly authorized under our Business Associate Agreements: to healthcare practitioners for treatment purposes, to authorized support staff for platform maintenance, and to business associates for essential services such as payment processing and secure communications.
Legal disclosures may occur for court orders, subpoenas, public health requirements, or regulatory investigations, with advance notice when legally permissible. Emergency disclosures follow HIPAA guidelines for imminent threats to health or safety.
Third-party service providers
Our platform integrates with carefully vetted HIPAA-compliant providers: Stripe for payment processing, AWS for secure cloud hosting, encrypted messaging services for patient communications, and specialized healthcare analytics platforms. Each provider operates under comprehensive Business Associate Agreements with equivalent privacy protections.
We provide practitioners with detailed information about all third-party integrations and granular controls over which services process their clients' data. Clients receive clear notifications about third-party involvement in their care through practitioner communications and patient portal disclosures.
Prohibited sharing
We never sell, rent, or trade PHI or personal information for commercial purposes. Marketing partnerships, advertising networks, and data brokers have no access to health information or platform user data.
Analytics and platform improvement activities use only aggregated, de-identified information that cannot be linked to specific individuals, practitioners, or healthcare practices.
Data breach prevention and response
Comprehensive incident response
Our 30-person security team monitors systems continuously with automated threat detection and immediate response protocols. Incident response procedures meet HIPAA's 60-day notification requirements with detailed documentation of affected individuals, data types involved, and remediation measures implemented.
Breach notification procedures include immediate practitioner notification within 24 hours of discovery, individual notifications within 60 days, and HHS reporting as required. We coordinate with affected practitioners to ensure comprehensive patient communication and support services.
Preventive security measures
Advanced threat prevention includes machine learning-based anomaly detection, user behavior analytics, and automated response to suspicious activities. Our security operations center provides 24/7 monitoring with immediate escalation procedures for potential incidents.
Regular security assessments include penetration testing, vulnerability scanning, and compliance audits by independent third parties. Employee security training occurs quarterly with specialized HIPAA compliance components and incident simulation exercises.
International data transfers and multi-jurisdictional compliance
Cross-border protections
When practitioners serve clients across state lines or international borders, we implement Standard Contractual Clauses and additional safeguards meeting GDPR adequacy requirements. International data transfers use enhanced encryption with key management systems maintaining US-based control.
Transfer impact assessments evaluate risks for each cross-border relationship with additional protections for sensitive health information. We maintain data residency options for practitioners requiring location-specific storage.
State privacy law compliance
Beyond HIPAA, we comply with California CPRA, Washington's My Health My Data Act, and other applicable state privacy laws. This includes enhanced protections for biometric data, specific consent requirements for sensitive information, and additional individual rights for non-PHI platform data.
Multi-state operations follow the most protective applicable standard, with state-specific compliance procedures for practitioners operating across jurisdictions.
Data retention and storage
Healthcare-specific retention schedules
We retain PHI according to healthcare industry standards and legal requirements: 7 years for adult patient records, until age 30 for minor patient records, with longer periods for specific clinical conditions or legal requirements.
Platform operational data follows business record standards with 7-year retention for financial transactions, 3 years for technical support records, and immediate deletion for temporary system logs after security analysis completion.
Secure destruction procedures
Certified secure destruction occurs when retention periods expire, using NIST-approved methods for both electronic and physical media. Clients and practitioners receive advance notification of scheduled destruction activities with opportunities to request data exports.
Hardware destruction follows DoD 5220.22-M standards with certificate of destruction documentation maintained for audit purposes.
Contact information and complaint procedures
Privacy officer contact
Chris Foreman
Chief Privacy Officer
info@auragpt.com
(818) 312-6985
131 N El Molino Ave. Ste. 150 Pasadena, CA 91101
Complaint and inquiry procedures
Privacy concerns can be submitted through encrypted email, secure patient portals, or confidential phone lines with guaranteed response within 48 hours. We investigate all complaints thoroughly and provide detailed resolution documentation.
Regulatory complaints may be filed directly with the HHS Office for Civil Rights at https://www.hhs.gov/ocr/complaints or 1-800-368-1019. We do not retaliate against individuals filing complaints and maintain detailed documentation of all privacy-related inquiries and resolutions.
Changes to this privacy policy
We review and update this privacy policy annually or when regulatory requirements change. Material changes require advance notice through practitioner communications, patient portal notifications, and website posting at least 30 days before effectiveness.
Version control maintains historical policy versions accessible through our website, with clear change documentation highlighting modifications affecting user rights or data handling practices.
This privacy policy complements individual Business Associate Agreements with healthcare practitioners and may not cover all aspects of specific contractual relationships. Practitioners and clients should review all applicable agreements and notices for complete privacy protection information.