Privacy Policy

Last updated: April 13, 2025

Who we are

Our website address is: https://tuvahealth.com

Thank you for choosing to be part of our community at Tuva Health ("Company", "we", "us", or "our"). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about our policy or our practices with regards to your personal information, please contact us at [email protected].

Overview

Tuva Health provides an open-source healthcare data platform that enables healthcare analytics and clinical research. We process sensitive healthcare information and take our data protection responsibilities seriously.

This privacy policy applies to:

  • All information collected through our website (https://tuvahealth.com)
  • Our cloud-based healthcare data processing platform
  • Any related services, sales, marketing or events (we refer to them collectively in this privacy policy as the "Services")

Please read this privacy policy carefully as it will help you understand what data we collect, how we use it, and what rights you have regarding your information.

What personal data do we collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when expressing an interest in obtaining information about us or our products and services, when participating in activities on the Site, or otherwise contacting us using the contact or newsletter subscription form.

The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect can include the following:

  • Name and contact data (such as email address, phone number, job title, organization)
  • Account credentials (such as usernames and passwords)
  • Billing information (such as credit card details and billing addresses)
  • Feedback and correspondence (such as information you provide in your responses to surveys, when participating in market research activities, reporting a problem with our Services, or otherwise corresponding with us)

Healthcare data you upload to our platform

In Short: As a healthcare data processing platform, we process the healthcare data you upload.

If you are a customer of our cloud-based healthcare data processing platform, we process the healthcare data you upload to our platform. This data may include:

  • Protected Health Information (PHI) as defined by HIPAA
  • Healthcare claims data
  • Patient demographic information
  • Clinical data
  • Other healthcare-related data sets

We process this data solely in accordance with our contractual obligations to you, applicable laws, and your explicit instructions. We implement appropriate technical and organizational measures to protect this data.

Information automatically collected

In Short: Some information — such as IP address and/or browser and device characteristics — is collected automatically when you visit our website or use our Services.

We automatically collect certain information when you visit, use or navigate our website or platform. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

The information we collect automatically includes:

  • Log and usage data (such as IP address, browser type, browser version, pages visited, time and date of visit, time spent on pages)
  • Device data (such as device type, operating system)
  • Location data (such as general geographic region based on IP address)

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Policy section below.

How do we use your information?

In Short: We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent.

We use personal information collected via our website for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we rely on next to each purpose listed below.

Website Visitor Information

We use information collected through our website for the following purposes:

  • To respond to your inquiries and fulfill your requests
  • To send administrative information to you (such as changes to our terms, conditions, and policies)
  • To provide, improve, test, and monitor the effectiveness of our website
  • For our business purposes, such as data analysis, audits, fraud monitoring and prevention, developing new products, enhancing, improving or modifying our website, identifying usage trends, and operating and expanding our business activities

Customer Platform Data

For our cloud-based healthcare data processing platform customers, we process the healthcare data you upload to our platform solely for the following purposes:

  • To provide the data processing services as contracted
  • To improve our healthcare data models and analytics capabilities
  • To operate, maintain, and improve our platform
  • To comply with our legal and regulatory obligations
  • For other purposes for which we obtain your consent

We will never use your healthcare data for:

  • Marketing or advertising purposes
  • Selling to third parties
  • Creating consumer profiles unrelated to the contracted services
  • Any purpose outside of our contractual relationship without your explicit consent

Will your information be shared with anyone?

In Short: We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

We may process or share data based on the following legal basis:

  • Consent: We may process your data if you have given us specific consent to use your personal information for a specific purpose.
  • Legitimate Interests: We may process your data when it is reasonably necessary to achieve our legitimate business interests.
  • Performance of a Contract: Where we have entered into a contract with you, we may process your personal information to fulfill the terms of our contract.
  • Legal Obligations: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
  • Vital Interests: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

More specifically, we may need to process your data or share your personal information in the following situations:

Website Visitor Information

  • Vendors and Service Providers: We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. Examples include: payment processing, data analysis, email delivery, hosting services, customer service and marketing efforts. We may allow selected third parties to use tracking technology on the website, which will enable them to collect data about how you interact with the website over time. This information may be used to, among other things, analyze and track data, determine the popularity of certain content, and better understand online activity.
  • Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Customer Platform Data

  • Subprocessors: We may engage subprocessors to help us provide our services. All subprocessors are contractually bound to the same level of data protection as outlined in our contract with you and this privacy policy. A current list of subprocessors is available upon request.
  • Compliance with Laws: We may disclose your information where required by law, regulation, legal process, or governmental request.
  • With Your Consent: We may share your information with your consent or at your direction.
Under no circumstances will we sell your personal information or the healthcare data uploaded to our platform to third parties.

Do we use cookies and other tracking technologies?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information on our website. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy below.

Cookie Policy

Types of Cookies We Use:

  • Essential Cookies: These cookies are necessary for the website to function properly. They enable core functionality such as security, network management, and account access. You may disable these by changing your browser settings, but this may affect how the website functions.
  • Analytics Cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
  • Functional Cookies: These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third-party providers whose services we have added to our pages.
  • Advertising Cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites.

Your Cookie Choices: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our website.

To opt-out of interest-based advertising by advertisers on our website visit http://www.aboutads.info/choices/.

How long do we keep your information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy policy unless otherwise required by law.

Website Visitor Information

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it.

Customer Platform Data

We retain the healthcare data you upload to our platform for the duration of our contractual relationship, plus any additional period required by law or as specified in our contract with you. Upon termination of our services, we will securely delete or return all customer data as specified in our contract with you, unless retention is required by law.

How do we protect your information?

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. These measures include:

  • Encryption: All data in transit and at rest is encrypted using industry-standard encryption protocols.
  • Access Controls: Strict access controls and authentication mechanisms to ensure only authorized personnel can access data.
  • Infrastructure Security: Our infrastructure is hosted in secure, SOC 2 compliant data centers with physical security controls.
  • Employee Training: Regular security awareness training for all employees.
  • Security Audits: Regular security assessments and penetration testing.
  • Incident Response: A comprehensive incident response plan to address any potential data breaches.

For our healthcare data processing platform, we implement additional security measures in compliance with HIPAA and other applicable healthcare data protection regulations.

However, please also understand that no security system is impenetrable. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

Do we collect information from minors?

In Short:  We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. By using the website, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the website. If we learn that personal information from users less than 18 years of age has been collected, we will take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from children under age 18, please contact us using the contact information provided below.

What are your privacy rights?

In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and California, you have rights that allow you greater access to and control over your personal information.

Depending on where you are located, you may have the following rights:

  • Right to Know/Access: You have the right to know what personal information we collect about you and to request a copy of it.
  • Right to Correction: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • Right to Deletion: You have the right to request that we delete your personal information, subject to certain exceptions.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal information under certain circumstances.
  • Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
  • Right to Object: You have the right to object to our processing of your personal information.
  • Right to Not Be Subject to Automated Decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

If you are resident in the United Kingdom, you can find more information about your rights and how to exercise them from the Information Commissioner's Office: https://ico.org.uk/.

California Privacy Rights

If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These include:

  • Right to Know: You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months.
  • Right to Delete: You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.
  • Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sales and Sharing: You have the right to opt-out of the sale or sharing of your personal information. However, Tuva Health does not sell or share personal information as defined under the CCPA/CPRA.
  • Right to Limit Use and Disclosure of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information collected about you. However, Tuva Health only processes sensitive personal information for purposes which you cannot limit under California law.

To exercise any of these rights, please submit a request using the contact information provided below. We will respond to your request within 45 days (and within 90 days where reasonably necessary and upon notice to you).

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

HIPAA Compliance

As a company that processes protected health information (PHI), we comply with the Health Insurance Portability and Accountability Act (HIPAA) where applicable. For customers who are covered entities or business associates under HIPAA, we enter into Business Associate Agreements (BAA) that govern our handling of PHI.

For information on our HIPAA compliance practices and to request a BAA, please contact us at [email protected].

International Data Transfers

Your information, including personal information, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction.

If you are located outside the United States and choose to provide information to us, please note that we transfer the data, including personal information, to the United States and process it there.

For transfers from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we employ appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, UK, or Swiss authorities as appropriate.

Do we make updates to this policy?

In Short: Yes, we will update this policy as necessary to stay compliant with relevant laws.

We may update this privacy policy from time to time. The updated version will be indicated by an updated "Last updated" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

How can you review, update or delete the data we collect from you?

Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances. To request to review, update, or delete your personal information, please submit a request using the contact information below. We will respond to your request within 30 days.

How can you contact us about this policy?

If you have questions or comments about this policy, you may email us at [email protected] or write to us at:

Tuva Health, Inc. 
1994 East Tartan Avenue
Salt Lake City, UT 84108-2646
United States