1. Introduction
EtoAI ("we," "our," or "us") is a clinical intelligence platform operated by ETOAI LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform at etoai.net. We are committed to protecting the privacy of healthcare providers and their patients in full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws.
2. Information We Collect
We collect information that you provide directly to us, including:
• Account information: name, email address, organization name, phone number, and password.
• Clinic and practice information: clinic name, specialty, and configuration settings.
• Patient health information (PHI): demographics, medical history, diagnoses, medications, allergies, encounter notes, and other clinical data — entered manually, imported via PDF, or synced via EHR integrations.
• Usage data: log data, IP addresses, browser type, pages visited, and actions taken within the platform.
• Payment information: processed securely via Stripe. We do not store full payment card numbers.
3. HIPAA Compliance & Protected Health Information
EtoAI is a HIPAA-covered Business Associate. We have executed a Business Associate Agreement (BAA) with Google Cloud, our infrastructure provider. Patient health information (PHI) is:
• Encrypted at rest using AES-256 and in transit using TLS 1.2+.
• Stored in isolated, clinic-specific database partitions — no cross-account access is architecturally possible.
• Never used to train AI models or shared with third parties outside of the services necessary to operate the platform.
• Accessible only to authorized users within your clinic, based on role-based access controls you configure.
We will enter into a Business Associate Agreement with any covered entity that requests one. Contact us at hello@etoai.net.
4. EHR Integrations
When you connect an Electronic Health Record (EHR) system such as Athenahealth, Cerner, or Epic, we receive access tokens via OAuth 2.0 that allow us to retrieve patient data from those systems via the FHIR R4 standard. This data is treated as PHI and subject to the same protections described in Section 3. Access tokens are stored encrypted and used solely to sync patient records into your EtoAI vault. You may disconnect any EHR integration at any time from your EHR Integrations dashboard, which revokes our access and deletes the stored token.
5. How We Use Information
We use the information we collect to:
• Provide, operate, and improve the EtoAI platform.
• Sync patient data from connected EHR systems.
• Generate AI-powered clinical briefings, SOAP notes, and risk assessments.
• Send system notifications, billing communications, and support responses.
• Comply with legal obligations and enforce our Terms of Service.
We do not sell your data, use patient PHI for advertising, or share information with third parties for their own commercial purposes.
6. Data Sharing & Disclosure
We may share information with:
• Service providers: Google Cloud (infrastructure), Stripe (payments), Resend (email), Gemini API (AI features) — each under strict data processing agreements.
• EHR providers: Athenahealth, Cerner, Epic — only as necessary to authenticate and sync your clinic's patient data.
• Legal authorities: when required by law, subpoena, or to protect the rights and safety of our users or the public.
We do not share PHI with any party not listed above without your explicit written consent.
7. Data Retention
We retain your account and patient data for as long as your clinic account is active. Upon account termination, we will delete or de-identify your data within 30 days, unless a longer retention period is required by law or requested by you in writing. Audit logs may be retained for up to 7 years in compliance with HIPAA requirements.
8. Security
We implement industry-standard technical and organizational security measures including:
• AES-256 encryption at rest and TLS 1.2+ in transit.
• Role-based access control with multi-tenant database isolation.
• Audit logging of all data access and modification events.
• Regular security reviews and dependency monitoring.
No method of transmission over the internet is 100% secure. We encourage you to use strong passwords and notify us immediately of any suspected unauthorized access at hello@etoai.net.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
• Access or export your clinic's data.
• Correct inaccurate account information.
• Request deletion of your account and associated data.
• Receive a copy of our Business Associate Agreement.
To exercise these rights, contact us at hello@etoai.net. We will respond within 30 days.
10. Children's Privacy
EtoAI is designed for healthcare professionals and is not directed to individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor's data has been submitted to our platform, contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice within the platform at least 30 days before the change takes effect. Your continued use of EtoAI after the effective date constitutes acceptance of the updated policy.
12. Contact Us
ETOAI LLC
Email: hello@etoai.net
Website: https://etoai.net
For HIPAA-specific inquiries or to request a Business Associate Agreement, please email hello@etoai.net with the subject line "BAA Request."
Questions about this policy? Email us at hello@etoai.net. For HIPAA compliance inquiries, include "HIPAA" in your subject line.