arcade

Privacy Policy

Last Updated: January 28, 2025

1. Introduction

Arcade Health, Inc. ("Arcade Health," "we," "us," or "our") is committed to protecting your privacy and the privacy of your family members. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Services").

Our Services allow you to access, manage, and share health information for yourself and your dependents (such as minor children) from healthcare providers who use electronic health record (EHR) systems like Epic MyChart.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, and password when you create an account.
  • Dependent Information: Names, dates of birth, and relationship information for family members you add to your account.
  • Health Information: Any health-related information you manually enter, such as symptoms, medications, or notes.

2.2 Information from Healthcare Providers

With your explicit consent, we retrieve the following Protected Health Information (PHI) from connected healthcare providers:

  • Medical conditions and diagnoses
  • Medications and prescriptions
  • Allergies and adverse reactions
  • Immunization records
  • Laboratory results and vital signs
  • Appointment information
  • Procedures and clinical notes

2.3 Information from Wearables and Health Apps

With your permission, we may collect health data from:

  • Apple HealthKit (steps, heart rate, sleep, etc.)
  • Connected fitness devices and wearables

2.4 Automatically Collected Information

  • Device information (model, operating system, unique identifiers)
  • Usage data (features accessed, time spent, interactions)
  • IP address and general location (city/region level)
  • Crash reports and performance data

3. How We Use Your Information

We use your information to:

  • Provide Services: Display your health records, enable care coordination, and deliver personalized health insights.
  • Guardian Access: Allow authorized guardians to access and manage health records for their minor dependents.
  • Health Insights: Use our AI assistant (Arcade AI) to provide personalized health information and recommendations based on your data.
  • Notifications: Send appointment reminders, medication alerts, and important health updates.
  • Improve Services: Analyze usage patterns to enhance features and user experience.
  • Security: Detect and prevent fraud, abuse, and security incidents.
  • Legal Compliance: Comply with applicable laws, regulations, and legal processes.

4. How We Share Your Information

We do not sell your personal information or health data. We may share information in the following circumstances:

4.1 With Your Consent

  • With healthcare providers when you choose to share records
  • With family members you authorize through Circle of Care features
  • With third-party apps you explicitly connect

4.2 Service Providers

We work with trusted service providers who process data on our behalf:

  • Cloud hosting providers (encrypted data storage)
  • Analytics services (anonymized usage data only)
  • Customer support tools

All service providers are bound by contractual obligations to protect your data and are prohibited from using it for their own purposes.

4.3 Legal Requirements

We may disclose information when required by law, such as:

  • Court orders or subpoenas
  • Public health reporting requirements
  • To protect the safety of individuals

5. Data Security

We implement robust security measures to protect your information:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Controls: Strict role-based access controls limit who can access your data.
  • Authentication: Multi-factor authentication and secure session management.
  • Audit Logging: All access to health information is logged for compliance and security monitoring.
  • Regular Assessments: We conduct regular security assessments and penetration testing.
  • HIPAA Compliance: We maintain administrative, physical, and technical safeguards required by HIPAA.

6. Data Retention

We retain your information as follows:

  • Account Data: Retained while your account is active and for 7 years after deletion for legal compliance.
  • Health Records: Retained while your account is active. You may request deletion at any time.
  • Audit Logs: Retained for 7 years as required by HIPAA.
  • Usage Analytics: Anonymized data may be retained indefinitely for service improvement.

7. Your Rights and Choices

You have the following rights regarding your information:

  • Access: Request a copy of your personal and health information.
  • Correction: Request corrections to inaccurate information.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Export your health records in standard formats.
  • Disconnect: Disconnect EHR connections and revoke data access at any time.
  • Consent Management: Review and revoke consents you have granted.
  • Opt-Out: Opt out of non-essential communications.

To exercise these rights, contact us at privacy@arcade.health or use the settings within the app.

8. Guardian and Dependent Access

Our Services allow authorized guardians (parents, legal guardians) to access health records for their minor dependents:

  • Consent Required: Guardians must provide explicit consent before connecting to a dependent's health records.
  • Proxy Access: Access is provided through healthcare provider proxy authorization (e.g., Epic MyChart family access).
  • Age Restrictions: Access may be limited based on the dependent's age and state laws regarding minor privacy.
  • Audit Trail: All access to dependent records is logged and can be reviewed.

9. Children's Privacy

Our Services are intended for use by adults (18+) and authorized guardians. We do not knowingly collect information directly from children under 13. Health information for minor dependents is collected and managed by their authorized guardian.

10. Third-Party Services

Our Services integrate with third-party healthcare systems:

  • Epic MyChart: We use Epic's SMART on FHIR API to retrieve health records with your authorization.
  • Apple HealthKit: With your permission, we sync health data from Apple Health.

These third parties have their own privacy policies. We encourage you to review them.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy in the app and updating the "Last Updated" date. Your continued use of the Services after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Arcade Health, Inc.

Email: privacy@arcade.health

Support: support@arcade.health

13. HIPAA Notice

Arcade Health acts as a Business Associate under HIPAA when processing Protected Health Information on behalf of covered entities. We maintain a Business Associate Agreement (BAA) with applicable healthcare providers and comply with all HIPAA requirements for the protection of PHI.

14. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA). This includes the right to know what personal information we collect, request deletion, and opt out of sales (note: we do not sell personal information). To exercise these rights, contact us at privacy@arcade.health.