ErgoVolo, Inc. ("ErgoVolo," "we," "us," or "our") is committed to protecting the privacy and security of all information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website, create an account, or use our web application and related services (collectively, the "Services").
By creating an account or using our Services, you acknowledge that you have read and understood, and that you agree to, the practices described in this Privacy Policy, including our use of De-Identified Data to improve our Services and AI models as described below.
Our Commitment to HIPAA Compliance
ErgoVolo operates in the healthcare industry and recognizes the critical importance of protecting health-related information. We are committed to full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and all applicable federal and state regulations governing the privacy and security of Protected Health Information (PHI).
As a Business Associate under HIPAA, ErgoVolo maintains appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of any PHI we receive, create, maintain, or transmit on behalf of our covered entity clients.
Our HIPAA compliance program includes:
- Business Associate Agreements (BAAs) — We execute BAAs with all covered entity clients before accessing or processing any PHI.
- Encryption at rest and in transit — All PHI is encrypted using industry-standard AES-256 encryption at rest and TLS 1.2+ in transit.
- Access controls — Role-based access controls ensure that only authorized personnel can access PHI, and only to the minimum extent necessary to perform their duties.
- Audit logging — All access to PHI is logged, monitored, and subject to regular audit review.
- Workforce training — All ErgoVolo team members complete HIPAA privacy and security training upon hire and annually thereafter.
- Incident response — We maintain a documented breach notification and incident response plan in accordance with HIPAA and HITECH requirements.
- Risk assessments — We conduct regular risk analyses of our systems, processes, and safeguards as required by the HIPAA Security Rule.
Information We Collect
Account Information
When you create an account or use our Services, we collect:
- Name, email address, and phone number
- Professional information (practice name, role, specialty, NPI number)
- Billing and payment information (processed by our third-party payment processor; we do not store full payment card numbers)
- Account credentials and authentication data
- Communications you send to us or through our Services
Healthcare and Claims Data
In the course of providing our Services, you may upload or we may receive:
- Insurance claims data, including procedure codes, diagnosis codes, payer information, and claim amounts
- Remittance advice and explanation of benefits (EOB) data
- Denial information, including denial reason codes and payer correspondence
- Clinical documentation uploaded for appeal letter generation
- Patient demographic information associated with claims
- Practice financial and operational data
This data may constitute Protected Health Information (PHI) under HIPAA. All such information is handled exclusively in accordance with HIPAA requirements, applicable BAAs, and this Privacy Policy.
Information Collected Automatically
When you use our website or Services, we may automatically collect:
- Device and browser information (type, operating system, screen resolution)
- IP address (anonymized for analytics)
- Pages visited, features used, and time spent in the application
- Referring website address
- Application usage patterns and interaction data
- Error logs and performance data
How We Use Your Information
Providing and Operating the Services
We use your information to:
- Create and manage your account
- Process and analyze claims data to identify denial patterns and recoverable revenue
- Scrub claims for potential issues before submission
- Categorize and prioritize denials in your work queue
- Generate AI-powered appeal letters using your clinical documentation
- Provide analytics dashboards and reporting
- Deliver payer intelligence alerts relevant to your practice
- Verify patient insurance eligibility
- Process payments and manage your subscription
- Communicate with you about your account, services, and support requests
Keeping Your Identified Data Private
Your identified data — including all PHI, personally identifiable information (PII), and any information that could reasonably be used to identify you, your practice, or your patients — is kept strictly private.
- We never sell your identified data
- We never use your identified data for marketing to third parties
- We never share your identified data except as expressly described in this Privacy Policy
- We never allow your identified data to leave our secure, HIPAA-compliant infrastructure except as necessary to provide the Services you have requested
- Access to your identified data within ErgoVolo is restricted to the minimum personnel necessary to operate the Services, subject to role-based access controls and audit logging
Use of De-Identified and Aggregated Data for Service Improvement and AI
This section describes how we use anonymized data to improve our Services. Please read it carefully.
What is De-Identified Data?
De-Identified Data is information that has been stripped of all identifiers that could reasonably be used to identify any individual, patient, or healthcare practice. Our de-identification process follows the standards set forth in the HIPAA Privacy Rule (45 CFR 164.514), using either the Expert Determination method or the Safe Harbor method, which requires the removal of 18 categories of identifiers including:
- Names, addresses, dates (other than year), phone numbers, email addresses
- Social Security numbers, medical record numbers, health plan beneficiary numbers
- Account numbers, certificate/license numbers, device identifiers
- URLs, IP addresses, biometric identifiers, photographic images
- Any other unique identifying number, characteristic, or code
Once data has been de-identified in accordance with HIPAA standards, it is no longer considered PHI and is not subject to HIPAA restrictions on use.
How We Use De-Identified Data
We use De-Identified Data and aggregated, anonymized data to:
- Improve our AI models — We train and refine our artificial intelligence and machine learning models using De-Identified Data. This includes improving the accuracy of claim scrubbing rules, denial prediction, appeal letter generation, and payer behavior analysis. These improvements benefit all users of our Services.
- Build and maintain payer intelligence — We analyze De-Identified Data across our user base to identify payer-specific denial patterns, policy changes, and appeal success rates. This aggregated intelligence is used to improve outcomes for all practices on our platform.
- Develop new features — We use De-Identified Data to research and develop new product features, analytical tools, and service offerings.
- Generate industry benchmarks — We may create anonymized, aggregated benchmarks (such as average denial rates by specialty or payer) for use in our Services or in published research and reports. No individual practice or patient can be identified from these benchmarks.
- Conduct research — We may use De-Identified Data for internal research into healthcare revenue cycle trends, denial patterns, and reimbursement optimization.
What This Means for You
By using our Services, you understand and agree that:
- We will de-identify data derived from your use of the Services following HIPAA-compliant de-identification standards
- We will use this De-Identified Data to train AI models, improve our algorithms, and enhance the Services for all users
- De-Identified Data cannot be traced back to you, your practice, or any individual patient
- The improvements resulting from this process (smarter denial predictions, better appeal strategies, more accurate claim scrubbing) directly benefit you and every other user of the platform
- You may not opt out of the use of De-Identified Data, as it is essential to the operation and improvement of the Services and, once properly de-identified, is no longer associated with any identifiable individual or entity
Our Commitment
We commit that our de-identification process will always meet or exceed the standards required by HIPAA. We will never attempt to re-identify De-Identified Data. We will never combine De-Identified Data with other information in a way that could reasonably be expected to identify any individual or practice. If advances in technology or methodology create a risk that previously de-identified data could be re-identified, we will take immediate steps to apply additional safeguards.
Data Security
We implement and maintain comprehensive security measures designed to protect information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- End-to-end encryption for all data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for all user and administrative access
- Regular penetration testing and vulnerability assessments by qualified third parties
- Isolated, access-controlled production environments with network segmentation
- Continuous monitoring, intrusion detection, and automated alerting
- Documented disaster recovery and business continuity plans with regular testing
- Secure software development lifecycle practices including code review and security testing
- Vendor security assessments for all third-party service providers
Data Retention and Deletion
We retain your identified data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations, resolve disputes, and enforce our agreements. PHI is retained and disposed of in accordance with applicable HIPAA requirements and the terms of the relevant BAA.
Upon account termination or your written request:
- We will delete or return your identified data, including PHI, within 30 days, unless retention is required by law or the applicable BAA
- We will provide you with a copy of your data in a standard, machine-readable format upon request
- De-Identified Data that has already been created from your information will be retained, as it is no longer associated with you or any identifiable individual and is necessary for the continued operation and improvement of our Services
Third-Party Disclosures
We do not sell, trade, or rent personal information or PHI to third parties. We may share information only in the following limited circumstances:
- Service providers — With trusted vendors who assist in operating our Services (such as cloud hosting, payment processing, and email delivery), subject to confidentiality obligations, data processing agreements, and, where applicable, BAAs. These vendors are contractually prohibited from using your data for any purpose other than providing services to ErgoVolo.
- AI model hosting — Our AI models may be hosted by third-party infrastructure providers. These providers process data on our behalf under strict contractual controls, encryption requirements, and, where PHI is involved, BAAs. They do not have independent access to your data.
- Legal compliance — When required by law, regulation, subpoena, court order, or enforceable government request. We will notify you of such requests to the extent permitted by law.
- Protection of rights — When necessary to protect the rights, safety, or property of ErgoVolo, our users, or the public, including to detect, prevent, or address fraud or security issues.
- Business transfers — In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy. We will notify you before your information becomes subject to a different privacy policy.
- With your consent — We may share information with third parties when you have given us explicit consent to do so.
Your Rights and Choices
You have the following rights regarding your information:
- Access — You may request a copy of the personal information we hold about you at any time through your account settings or by contacting us
- Correction — You may update or correct inaccurate information through your account settings or by contacting us
- Deletion — You may request deletion of your account and associated identified data, subject to our data retention obligations
- Data portability — You may request a copy of your data in a standard, machine-readable format
- Opt out of marketing — You may opt out of promotional communications at any time by following the unsubscribe instructions in any marketing email or by contacting us
- Withdraw consent — Where processing is based on consent, you may withdraw consent at any time, though this will not affect the lawfulness of processing performed prior to withdrawal
For rights related to PHI, covered entities (our healthcare practice clients) remain the primary point of contact for individual patients. We will assist covered entities in fulfilling their obligations to individuals under HIPAA.
To exercise any of these rights, contact us at privacy at ergovolo.com. We will respond to your request within 30 days.
State-Specific Privacy Rights
California residents (CCPA/CPRA): You have the right to know what personal information we collect, request its deletion, opt out of the sale of personal information (we do not sell personal information), and not be discriminated against for exercising your rights.
Residents of other states with privacy laws (including Virginia, Colorado, Connecticut, Utah, and others): You may have similar rights under your state's privacy legislation. Contact us to exercise your rights.
Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected personal information from a child under 18, we will delete it promptly.
International Data
Our Services are operated in the United States. If you access our Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised effective date
- Sending you an email notification to the address associated with your account
- Displaying a prominent notice within the application
If we make material changes to how we use PHI or De-Identified Data, we will provide at least 30 days' notice before the changes take effect. Your continued use of our Services after such changes constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy, our HIPAA compliance practices, our use of De-Identified Data, or wish to exercise your privacy rights, please contact us at:
ErgoVolo, Inc.