Privacy Policy

This Privacy Policy explains how Sanova Tech, Inc. (“Sanova Tech”, “we”, “us”) collects, uses, discloses, and protects information in connection with our healthcare software and services.

Last updated: October 20, 2025

Scope & who we are

This policy applies to our public websites (including sanova.health), products, and services that link to it. It covers information we process on behalf of our customers (e.g., clinics, health systems) and information we collect directly from site visitors and account users.

This policy is informational and not a legal contract. If a Business Associate Agreement (BAA) or a Master Services Agreement (MSA) is in place, those govern if there’s a conflict.

Key definitions

  • Personal Data: any information that identifies or could reasonably identify an individual.
  • Protected Health Information (PHI): individually identifiable health information regulated by U.S. HIPAA.
  • Customer: a healthcare provider organization or other entity that signs up for Sanova Tech services.
  • End User: clinicians, staff, or patients interacting with our services.

Information we collect

Account & contact data

  • Names, emails, phone numbers, role/title, organization.
  • Billing details, admin settings, support communications.

Product & operational data

  • Usage logs, device/browser info, IP, timestamps, feature telemetry.
  • Configuration metadata (e.g., templates, integrations, roles).

Clinical/PHI (when Customer enables PHI features)

  • Encounter data, transcripts, notes, orders, claims-related data.
  • Uploaded files (e.g., lab results, imaging PDFs), audit events.

Where data comes from

  • Directly from you (forms, account setup, support tickets).
  • From Customers and their systems (EHR, SSO/IdP, RPM devices).
  • Automated collection (product telemetry, cookies—see below).
  • Authorized third parties (e.g., clearinghouses, referral partners).

How we use information

  • Provide, secure, and maintain our services and user accounts.
  • Enable clinical workflows (e.g., transcription, orders, insights).
  • Configure access controls (SSO/SAML, RBAC) and audit activity.
  • Improve accuracy, performance, and reliability of the platform.
  • Provide support, training, and service communications.
  • Comply with law and enforce agreements.

We do not sell Personal Data. We do not use PHI to train foundation models or for advertising.

HIPAA & PHI

When Sanova Tech processes PHI on behalf of a covered entity or business associate, Sanova Tech acts as a Business Associate under HIPAA. We will sign a BAA upon request. PHI is processed only to provide the contracted services, subject to the BAA and Customer’s configuration.

  • Encryption in transit and at rest; access controls & audit logs.
  • Segregated environments per tenant; break-glass workflows.
  • Regional data hosting options with Customer selection (US by default).
  • Sub-processors are vetted and bound by written agreements.

Sharing & sub-processors

We may share information with: (i) service providers/sub-processors that help us operate (cloud, storage, security, communications, analytics); (ii) integration partners you connect (EHR, SSO/IdP, billing); (iii) professional advisors; and (iv) authorities where required by law. We require appropriate contractual safeguards and only permit processing consistent with this policy and our agreements.

A current list of material sub-processors is available upon request at privacy@sanovatech.io.

AI features & automated decisions

  • Sanova Tech provides AI-assisted features (e.g., transcription, summaries, coding suggestions, insights). Outputs are designed for professional review—not a substitute for clinical judgment.
  • Where required by applicable U.S. law, we enable human review and appeal of automated outputs that could materially affect individuals.
  • PHI used in AI features remains subject to the BAA and regional controls. We do not use Customer PHI to train third-party foundation models.

Cookies & analytics

We use strictly necessary cookies for security and session management. With consent (where required), we may use functional or analytics cookies to understand product performance. You can adjust preferences via your browser settings or our in-product cookie controls.

Security

  • SSO/SAML, RBAC, MFA enforcement, and SCIM provisioning.
  • Network isolation, WAF/DDoS protections, vulnerability management.
  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Audit logging, tamper-evident records, and export to SIEM.
  • Vendor risk reviews and incident response procedures.

No method of transmission or storage is 100% secure; we maintain commercially reasonable safeguards appropriate for healthcare workloads.

Data residency & transfers

Customers may choose a regional deployment. By default, Sanova Tech hosts U.S. healthcare workloads in U.S. data centers. Cross-region transfers are restricted unless explicitly allowed by the Customer and permitted by applicable U.S. law.

Retention

We retain information for as long as needed to provide the services, comply with legal obligations, resolve disputes, and enforce agreements. Customers control retention of their PHI and content via product settings or their records policies. We offer data export upon request.

Your privacy rights (HIPAA/CCPA)

HIPAA

Individuals may have rights to access, amend, and receive an accounting of disclosures of PHI, typically exercised through the covered entity (our Customer). We assist Customers in fulfilling HIPAA rights as required by the BAA.

CCPA/CPRA (California)

  • Right to know, correct, and delete Personal Information.
  • Right to opt-out of sale or sharing of Personal Information.
  • Right to non-discrimination for exercising rights.
  • We do not sell Personal Information as defined by the CCPA/CPRA. We do not use PHI for targeted advertising.

How to submit a request

To exercise your rights, contact us at privacy@sanovatech.io. We may need to verify your identity and, for PHI, coordinate with the appropriate Customer (covered entity). Authorized agent requests are honored where permitted by law.

Children’s privacy

Our services are directed to professional users and organizations. We do not knowingly collect Personal Data directly from children under 16 on public sites. Patient data processed under a Customer’s direction is handled per the BAA and applicable law.

Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page with a new “Last updated” date, and we may provide additional notice where required.

Contact us

Sanova Tech, Inc.
123 Market Street, Suite 400, San Francisco, CA 94105, USA

Support: support@sanovatech.io
Privacy: privacy@sanovatech.io
