Privacy Policy

Last updated: April 1, 2026

Your health information deserves more protection than most apps give it. This policy explains what we collect, how we use it, who we share it with, and the rights you have over your data. We are HIPAA compliant, SOC 2 Type II certified, and LegitScript-certified for telehealth.

1. Information we collect

We collect information you provide directly to us, information generated through your use of our services, and — with your permission — information from connected health devices.

Information you provide:

  • Account information: name, email, date of birth, phone number, address, and emergency contact.
  • Health information: medical history, current symptoms, medications, diagnoses, treatment goals, and responses to clinical assessments.
  • Payment information: billing address and payment details (processed by our PCI-compliant payment provider; we do not store full card numbers).
  • Communications: messages you send to your care team or our support team.

Information collected automatically:

  • Device and usage data: IP address, browser type, operating system, pages viewed, and session duration.
  • Cookies and similar technologies (see our Cookie Policy).

Information from connected devices (optional):

  • Wearable health data such as sleep, heart rate variability, and activity — only if you choose to connect a supported device.

2. How we use your information

We use your information to:

  • Provide, maintain, and improve our telehealth services and match you with appropriate clinicians.
  • Enable your care team to evaluate, diagnose, treat, and coordinate your care.
  • Process payments and verify insurance eligibility.
  • Send you appointment reminders, clinical updates, and service communications.
  • Detect, prevent, and respond to fraud, abuse, security incidents, and legal violations.
  • Comply with legal obligations, including HIPAA and applicable state privacy laws.

We do not sell your personal or health information. We do not use your health information for advertising.

3. How we share your information

We share information only in the following limited circumstances:

  • With your care team: your matched clinicians and the authorized Attunio staff who support your care.
  • With service providers: vetted third parties who process data on our behalf under strict confidentiality and HIPAA Business Associate Agreements (hosting, payments, messaging, analytics).
  • For payment and insurance: with your insurance provider and payment processors as needed to bill for services you receive.
  • With your consent: if you direct us to share information with another provider, family member, or third party.
  • For legal reasons: to comply with subpoenas, court orders, or applicable law, or to protect the rights, safety, or property of patients, staff, or the public.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, subject to the same privacy commitments.

4. HIPAA and your health information

Attunio acts as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the clinical services we provide. Your protected health information (PHI) is handled in accordance with our Notice of Privacy Practices, which is provided at onboarding and available anytime from your patient portal.

You have the right to access, inspect, amend, and receive an accounting of disclosures of your PHI. To exercise these rights, contact privacy@attunio.co.

5. Data security

We maintain administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Strict role-based access controls with multi-factor authentication for all staff.
  • SOC 2 Type II independent audits and continuous security monitoring.
  • LegitScript-certified telehealth operations.
  • Incident response and breach notification procedures compliant with HIPAA and state law.

No system is perfectly secure. In the event of a breach affecting your information, we will notify you as required by law.

6. Your choices and rights

You can:

  • Access, download, or correct your records through your patient portal or by contacting us.
  • Disconnect a wearable device or withdraw consent to data collection at any time.
  • Opt out of non-essential marketing communications via the unsubscribe link in every message.
  • Request deletion of your account, subject to legal retention requirements for medical records.

Residents of California, Virginia, Colorado, and other states with comprehensive privacy laws have additional rights, including the right to know what personal information is collected and the right to request deletion. To exercise these rights, email privacy@attunio.co.

7. Data retention

We retain medical records for the period required by applicable state and federal law (generally 7 years after the last date of service, longer for minors). Non-clinical account information is retained only as long as necessary to provide services, comply with legal obligations, and resolve disputes.

8. Children's privacy

Attunio's services are intended for adults 18 and older. We do not knowingly collect information from children under 18 outside of authorized Family Therapy contexts involving a consenting adult patient. If you believe we have collected information from a child without proper authorization, contact us immediately.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or through your patient portal at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

10. Contact us

Questions about this Privacy Policy or your information?

  • Email: privacy@attunio.co
  • Mail: Attunio Health Technology, Inc., Attn: Privacy Officer, 123 Health Street, Austin, TX 78701