🔖 Reading Guide — Highlighted sections indicate critical areas you should review carefully:
Critical — Must-read clauses
HIPAA — Health information protections
Your Rights — Privacy rights & choices
Security — Data & platform security
Biometric & Audio — Special data categories
1. Introduction
Thank you for choosing to be part of our community at MonitorHealth.ai, doing business as MonitorHealth.ai ("MonitorHealth.ai", "we", "us", or "our"). We are committed to protecting your personal information, your health information, and your right to privacy. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at support@monitorhealth.ai.
The use of our Platform — which includes the MonitorHealth.ai Mobile Application and the MonitorHealth.ai Website (www.monitorhealth.ai), together with our related Websites, Applications, Services, Products, and content (collectively, "Services") — is possible without any indication of personal data. However, if a data subject wants to use our services via our website or mobile application, processing of personal data could become necessary.
The processing of personal data, such as the name, address, e-mail address, date of birth, telephone number, and protected health information of a data subject shall always be in accordance with the USA privacy laws applicable, including but not limited to HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act) when applicable, state privacy laws, and federal regulations.
Please read this privacy policy carefully and thoroughly as it helps you make informed decisions about sharing your personal information and protected health information with us.
⚠ Critical — Please Read
IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY, PLEASE DO NOT ACCESS THE WEBSITE/MOBILE APPLICATION OR USE OUR SERVICES.
2. HIPAA Compliance & Protected Health Information
🛡 HIPAA — Health Information Protection
MonitorHealth.ai is committed to protecting your health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and all applicable federal and state privacy regulations.
Any individually identifiable health information created, received, maintained, or transmitted through our platform is classified as Protected Health Information (PHI) and is handled with the highest level of care and security.
HIPAA Compliance Note: MonitorHealth.ai is working to establish formal Business Associate Agreements (BAAs) with infrastructure providers to ensure full HIPAA compliance. We implement healthcare-grade security measures including encryption, access controls, and audit logging.
3. Information We Collect
In Short: We collect personal information and protected health information necessary to provide mental health monitoring services when you create an account with us.
Information You Provide
Personal Information:
- First and Last Name
- Mailing Address (as needed)
- Email Address
- Phone Number (including mobile for SMS services)
- Date of Birth and Age
- Gender
- Healthcare provider information
Protected Health Information (PHI):
- Medical history and current conditions (as needed)
- Mental health assessments and screening results
- Crisis intervention records
- Healthcare provider communications
- Treatment goals and care plans
Information Automatically Collected
In Short: We automatically collect device information, behavioral patterns, and biometric data through various sensors and technologies for mental health monitoring.
Device and Usage Information:
- IP address, device ID, and MAC address
- Operating system and browser information
Biometric and Sensor Data:
- Facial recognition patterns and geometric measurements
- Voice recordings and speech pattern analysis
- Environmental audio during monitoring sessions
4. Biometric Data & Face ID Technology
In Short: We collect and process biometric identifiers including facial recognition data for secure authentication and health monitoring purposes.
🔬 Biometric & Audio — Special Data Category
Biometric Data We Collect and Process:
- Facial geometry and recognition patterns (Face ID)
- Voice prints and speech patterns
- Behavioral biometrics (typing patterns, device interaction)
- Physiological measurements from device sensors
Face ID and Facial Recognition:
- Purpose: Secure user authentication and behavioral health monitoring
- Third-Party Processing: Facial recognition data may be processed by third-party providers including Amazon Web Services (AWS)
- Storage: Biometric templates are encrypted using AES-256 encryption and stored separately from other PHI
- Template Updates: Active biometric templates are refreshed and updated annually to maintain accuracy and security
- Retention: Facial recognition data is deleted upon user request or account termination
- Consent: Explicit opt-in consent is required for biometric data collection with clear explanation of purposes
- Data Format: The biometric template is stored in non-readable format and the original face cannot be re-created from this binary data. It is used only to authenticate an individual — no original image is stored.
Your Biometric Rights — Under applicable state biometric privacy laws (including BIPA where applicable):
- Right to informed consent before biometric collection
- Right to deletion of biometric data upon request
- Right to know the specific purpose and duration of biometric data storage
- Right to opt-out of biometric collection while still accessing other services
5. Audio Data & Voice Processing
In Short: We collect, analyze, and automatically manage audio recordings for mental health assessment with strict retention controls.
🎤 Audio Data — Special Handling
Audio Data Collection and Processing:
- Voice Recordings: Collection of voice samples for mood analysis, speech pattern recognition, and mental health assessment
- Ambient Audio: Limited collection of environmental audio during active monitoring sessions for context analysis
- Real-time Processing: Voice analysis occurs in real-time with immediate conversion to health metrics
- No Audio File Signature: Audio files will not be used for user authentication. Audio files are NOT processed to capture the voice key / voice signature — they are truly for clinician review only
Third-Party Audio Processing: Audio data may be processed by specialized third-party services including:
- Speech-to-text conversion services
- Voice emotion analysis platforms
- Audio quality enhancement tools
All audio processors are HIPAA-compliant Business Associates with appropriate safeguards.
Automatic Audio File Management:
- Temporary Storage: Raw audio files are temporarily stored on encrypted HIPAA-compliant servers
- Professional Review Period: Audio files are available to healthcare providers for clinical review
- Doctor-Controlled Deletion: Raw audio files are permanently deleted only after healthcare provider review and approval
- Provider Retention Options: Healthcare providers may flag audio files for extended retention if clinically necessary
- Retention of Analytics: While raw audio may be deleted per provider instructions, derived health metrics and analytics may be retained as part of your health record
- Emergency Override: Audio files involved in crisis intervention may be retained longer as medically necessary and legally required
Audio Data Security:
- End-to-end encryption during transmission
- AES-256 encryption for temporary storage
- Secure deletion protocols ensuring data is unrecoverable
- Access logs for all audio file interactions
6. Advanced Sensor & Monitoring Technologies
In Short: We utilize multiple advanced technologies for comprehensive mental health monitoring with appropriate privacy safeguards.
Passive Monitoring Technologies:
- Environmental Monitoring: Ambient sound analysis, location context, and social interaction patterns
- Digital Biomarkers: Keystroke dynamics, app usage patterns, and communication frequency analysis
Machine Learning and AI Processing:
- Pattern Recognition: Advanced algorithms analyze behavioral patterns to predict mood episodes
- Predictive Modeling: AI models process multiple data streams to identify crisis risk factors
- Personalization: Machine learning adapts monitoring parameters to individual user patterns
- Data Minimization: AI processing is designed to extract health insights while minimizing raw data retention
7. Mobile Device Permissions & Access
In Short: We request specific device permissions necessary for comprehensive mental health monitoring, with clear opt-out options.
If you use our mobile application, we may request access to the following:
| Permission |
Purpose & Details |
| Camera Access |
Purpose: Face ID authentication
Can be disabled: Yes, through device settings
Impact if disabled: Alternative authentication required; reduced mood monitoring accuracy
|
| Microphone Access |
Purpose: Voice pattern analysis for mental state assessment and audio recording
Can be disabled: Yes, though voice-based features will be unavailable
|
| Storage Access |
Purpose: Temporary storage of encrypted health assessments
All data encrypted at rest using AES-256
Regular automated cleanup of temporary files
|
8. Who Will Your Information Be Shared With?
📋 Data Sharing — Transparency Notice
Direct Data Collection Notice: MonitorHealth.ai directly collects patient information with explicit consent and operates as an independent healthcare technology provider.
Current Infrastructure Partners:
| Service |
Purpose |
| AWS App Runner |
Application hosting |
| Supabase |
Encrypted database storage for health data, patient responses, and audio files |
| SignalWire |
SMS delivery services |
| AWS Rekognition |
Face ID authentication templates (templates only — no images stored) |
| Email Systems |
Secure transmission of patient responses to healthcare providers |
| OpenAI Whisper |
Audio transcription services (local processing — no data transmitted externally) |
| Hugging Face Transformers |
Sentiment analysis (on-premise processing only) |
Data Sharing with Healthcare Providers:
- Patient health responses shared with designated healthcare providers via secure communication
- Audio files made available to healthcare providers for clinical review
- Biometric templates used solely for patient authentication
Data Protection Measures:
- All data encrypted at rest and in transit using AES-256 encryption
- Role-based access controls limit data access to authorized personnel
- Audit logs track all data access and sharing activities
- Secure deletion protocols ensure data cannot be recovered when deleted
9. International Data Transfers & Regional Compliance
In Short: Your data may be processed in countries other than your own, with appropriate safeguards in place.
Data Processing Locations:
- Primary Region: United States (AWS US-East)
- Backup Regions: Canada and European Union (for redundancy only)
- Data Residency: Health data remains within your country of residence when legally required
Cross-Border Transfer Safeguards: When data is transferred internationally:
- Standard Contractual Clauses (SCCs) for EU transfers
- Adequate protection mechanisms under applicable data protection laws
- All international processors maintain equivalent privacy protections
- Users are notified of data transfer locations during account setup
Regional Privacy Law Compliance:
- United States: HIPAA, state biometric privacy laws (BIPA, CCPA where applicable)
- European Union: GDPR compliance with explicit consent mechanisms
- Canada: PIPEDA compliance for Canadian users
- Other Jurisdictions: Compliance with local healthcare data protection requirements
10. How Long Do We Keep Your Information?
In Short: We retain your information only as long as necessary for healthcare purposes, with automated deletion protocols.
Data Retention Periods:
| Data Type |
Retention Period |
| Clinical Health Records (active treatment) |
Retained while receiving services |
| Clinical Health Records (post-treatment) |
7 years from last interaction (healthcare standard) |
| Raw Audio Files |
Deleted only after healthcare provider review and approval |
| Biometric Templates |
Updated annually during active use; deleted upon patient request or account termination |
| Voice Analytics Results |
Retained as part of health record per healthcare provider discretion |
| Facial Recognition Data |
Deleted immediately after mood analysis completion unless flagged by provider |
| Behavioral Patterns |
Aggregated data retained based on clinician discretion |
Automated Deletion Protocols:
- Daily automated cleanup of expired temporary files
- Quarterly review of retention compliance
- Immediate deletion upon verified user request
- Secure deletion ensuring data is unrecoverable (DOD 5220.22-M standard)
Legal Basis for Retention:
- Healthcare treatment requirements (HIPAA)
- Legal obligations (state healthcare regulations)
- Legitimate interests (service improvement, safety monitoring)
- User consent (research participation, extended monitoring)
11. Information Security Measures
In Short: We protect your information through comprehensive security measures aligned with healthcare industry standards.
🔒 Security — How We Protect Your Data
Technical Safeguards:
- Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit
- Access Controls: Multi-factor authentication, role-based access, principle of least privilege
- Monitoring: 24/7 security monitoring, intrusion detection systems, automated threat response
- Data Loss Prevention: Real-time monitoring to prevent unauthorized data access or export
- Secure Development: Code security reviews, vulnerability testing, penetration testing
Organizational Safeguards:
- ISO 27001:2013 certified Information Security Management System
- SOC 2 Type II annual audits of security controls
- HITRUST CSF certification for healthcare information security
- Regular security awareness training for all employees
- Incident response procedures with 24-hour breach notification protocols
However, no method of transmission over the internet or electronic storage is 100% secure. While we implement industry-leading security measures, we cannot guarantee absolute security.
12. Your Privacy Rights & Choices
In Short: You have extensive rights under HIPAA, state privacy laws, and federal regulations to control your health information.
📋 Your Rights — HIPAA & Privacy
HIPAA Rights:
- Access: Right to inspect and obtain copies of your PHI within 30 days
- Amendment: Right to request corrections to your PHI
- Restriction: Right to request limits on use and disclosure of your PHI
- Confidential Communications: Right to request communications via alternative methods
- Accounting: Right to receive a list of PHI disclosures (past 6 years)
- Breach Notification: Right to be notified of any PHI breaches within 60 days
- Complaints: Right to file complaints with us or the U.S. Department of Health and Human Services
Biometric Data Rights:
- Right to explicit consent before any biometric collection
- Right to deletion of biometric templates upon patient request
- Right to opt-out of facial recognition while maintaining other services
- Right to annual template updates for accuracy and security
- Right to know retention periods and third-party processors
Audio Data Rights:
- Right to request immediate deletion of voice recordings
- Right to prevent audio analysis while using other platform features
- Right to access derived analytics without raw audio retention
- Right to provider-controlled retention for clinically necessary recordings
- Right to review provider decisions regarding audio file retention
Device Permission Controls:
- Right to revoke any device permission at any time
- Right to granular control over sensor data sharing
- Right to use services with limited permissions (with reduced functionality)
- Right to delete all device-collected data upon request
How to Exercise Your Rights:
Response Timeline: All requests processed within 30 days with confirmation provided. Identity verification may be required for sensitive requests. Most requests are processed at no charge (copies may incur reasonable fees).
Opt-Out Options:
- Marketing Communications: Use the unsubscribe link in any marketing email, adjust account settings preferences, or email support@monitorhealth.ai
- Technology Features: You may skip biometric authentication or turn off voice analysis features at any time
13. Cookies & Tracking Technologies
In Short: We use cookies and similar technologies to improve our services and analyze usage patterns.
Types of Tracking Technologies:
- Essential Cookies: Account authentication and security; service functionality and performance. These cannot be disabled without affecting core services.
- Analytics Cookies: Google Analytics (anonymized IP addresses); usage patterns and feature effectiveness; service improvement and optimization.
- Preference Cookies: User interface customizations; language and accessibility settings; communication preferences.
Your Cookie Choices:
- Browser Settings: Configure cookie preferences in your browser
- Opt-Out Tools: Visit aboutads.info/choices for advertising opt-outs
- Google Analytics: Use Google's opt-out tool
- Do Not Track: We respect browser DNT signals where technically feasible
Mobile App Tracking:
- App analytics for crash reporting and performance optimization
- Usage analytics to improve mental health monitoring algorithms
- No cross-app tracking or advertising identifiers
- All mobile tracking subject to the same privacy protections as web services
14. Changes to This Privacy Policy
In Short: We will update this policy as necessary to stay compliant with relevant laws and will inform you of any material changes.
Update Notification Process:
- Material Changes: 30-day advance notice via email and app notification
- Minor Updates: Posted immediately with revision date
- Legal Requirement Changes: Immediate implementation with user notification
- User Impact Assessment: Clear explanation of how changes affect your data
Version Control:
- All privacy policy versions archived and available upon request
- Change log maintained showing specific modifications
- Effective date clearly displayed on all policy versions
- Previous policy versions honored for existing users during transition periods
Privacy-Specific Contacts:
Mailing Address:
MonitorHealth.ai Privacy Office
1201 Cold Spring Dr
O'Fallon, MO 63368
Regulatory Complaints:
- U.S. Department of Health and Human Services — Office for Civil Rights (HIPAA): hhs.gov/hipaa/filing-a-complaint
- State Privacy Regulators: Contact information varies by state — we will provide specific regulator contacts upon request based on your location.
MonitorHealth.ai is committed to transparency and protecting your privacy rights. This policy is reviewed annually and updated as necessary to reflect changes in technology, regulation, and our services.
© 2026 Monitor Health LLC. All rights reserved.