Platform Privacy Notice

Last Updated: January 27, 2026
Effective Date: October 1, 2025

Applies To: All Authenticated Users of the airPM Remote Patient Monitoring Platform

airPM LLC ("Company", "we", "us") provides this Platform Privacy Notice to explain how we collect, use, and disclose information about Authorized Users (including clinicians, administrators, staff, and patients) who access our secure SaaS platform.

1. Relationship to HIPAA & Patient Data

1.1. Business Associate Status. We operate as a Business Associate to the healthcare entity that authorized your access (the "Medical Practice" or "Covered Entity").

1.2. Patient Data (PHI). While this Platform processes Protected Health Information (PHI), the medical content within the Platform is governed by:

  • The Health Insurance Portability and Accountability Act (HIPAA);
  • The Business Associate Agreement (BAA) in place between airPM LLC and the Medical Practice; and
  • The Medical Practice's own Notice of Privacy Practices (NPP).

1.3. Scope of this Notice. This Privacy Notice governs your use of the Platform software (e.g., login credentials, device security, audit logs, and technical interaction). In the event of any conflict between this Privacy Notice and the BAA regarding the handling of PHI, the terms of the BAA shall control.

2. Information We Collect From You

We collect specific data about you (the user logging in) to maintain security and compliance.

2.1. Account Information.

  • Identity: Name, email address, professional title/role (for Staff), and system identifiers.
  • Credentials: Encrypted passwords and multi-factor authentication (MFA) details.

2.2. Audit Logs & Activity Data (Mandatory). To comply with the HIPAA Security Rule (45 CFR § 164.312(b)), we automatically record detailed audit logs of your activity within the Platform, including:

  • Logins: Dates, times, and IP addresses of all login attempts (successful and failed).
  • Record Access: Specifically which records you viewed, updated, or exported.
  • Actions: Edits to notes, changes to settings, survey responses, and data exports.

Note: These audit logs are immutable and may be reviewed by the Medical Practice for compliance auditing purposes.

2.3. Device & Connection Information.

  • IP address, browser type, and operating system (used for security monitoring and geographic access restrictions).

3. No Third-Party Tracking

Unlike our public marketing website, the authenticated Platform does not use third-party advertising cookies or tracking pixels (such as Google Analytics, Facebook Pixel, or LinkedIn Insights). We do not track your activity across other websites once you log out of the Platform.

4. How We Use Your Information

We use the information collected from Authorized Users to:

  • Authenticate your identity and grant access to the appropriate data.
  • Detect and Prevent security incidents, fraud, or unauthorized access.
  • Facilitate the services (e.g., sending email alerts regarding workflows or therapy updates).
  • Provide Support when you contact our helpdesk regarding a technical issue.

5. Disclosure of Information

We do not sell the personal information of our Authorized Users. We may disclose your information:

  • To Healthcare Providers & Administrators:
    • For Staff Users: Your employer (the Medical Practice) has the right to audit the activities of its employees. We will provide access logs to the Medical Practice Account Owner/Admin upon request.
    • For Patient Users: Your assigned healthcare providers have access to your activity, questionnaire responses, and therapy data to monitor your treatment.
  • To Subprocessors: To trusted third-party infrastructure providers (e.g., AWS for hosting, Twilio for SMS dispatch) solely for the purpose of providing the Service.
  • Legal Obligations: If required by law, subpoena, or to protect the safety of patients.

5.1. SMS Consent & Mobile Number Privacy. Notwithstanding any other provision in this Privacy Notice, mobile telephone numbers and SMS consent data collected by the Platform will not be shared with any third parties or affiliates for marketing or promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. For the avoidance of doubt, the above allows sharing with our service providers (such as our SMS aggregator) solely for the purpose of delivering the messages required for the Service.

6. Security & Data Retention

6.1. Security Measures. We utilize industry-standard encryption (HTTPS/TLS 1.2+) for data in transit and AES-256 encryption for data at rest. Access controls ensure you only see data relevant to your organization or your own care.

6.2. Retention of Logs. Your user activity logs (Audit Trails) are retained for a minimum of ten (10) years to support legal and compliance requirements, after which they are securely deleted.

7. Contact Us

If you have questions about this Platform Privacy Notice or how your account data is handled, please contact:

airPM LLC
Email: support@airpm.io