Privacy Policy

Effective Date: August 01, 2025 · Last Updated: March, 2026

Pre-Launch Notice

Tengrium Health is currently in development and preparing to launch comprehensive healthcare services, starting with pilots. This Privacy Policy describes the privacy practices that will govern our platform and services upon launch, as well as our current practices for website visitors and those who join our interest list.

We are sharing this comprehensive Privacy Policy now to demonstrate our commitment to privacy and data protection from the outset. When we launch our full platform of healthcare services, we will operate as a HIPAA-covered healthcare provider with full compliance with all applicable federal and state privacy laws.

HIPAA Compliance Notice

This Privacy Policy explains how Tengrium Health collects, uses, and protects information on our website and technology platform. Upon launch of healthcare services, as a healthcare provider covered by HIPAA, we will also provide you with a separate Notice of Privacy Practices (NPP) that specifically describes how we use and disclose your Protected Health Information (PHI) for treatment, payment, and healthcare operations.

Scope: This Privacy Policy applies to all users of the Tengrium Health platform, website, and services, including subscribers, patients, and website visitors.

Section 01

About Tengrium Health and This Policy

1.1 Who We Are

Tengrium Health is a technology-enabled health platform that combines artificial intelligence with human clinical expertise to provide diagnosis, monitoring, and treatment services for various health conditions. Upon launch, we will operate as a Healthcare Provider and Covered Entity under the Health Insurance Portability and Accountability Act (HIPAA) and comply with all applicable federal and Florida state privacy laws.

Important: We are a subscription-based healthcare service. We do not sell, fulfill, or distribute medications or prescriptions at this stage. Our services focus on clinical care, monitoring, and treatment recommendations.

1.2 Our Commitment to Privacy

Protecting your health information is fundamental to our mission. We maintain comprehensive privacy and security programs that comply with:

  • HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
  • HIPAA Security Rule (45 CFR Part 164, Subparts A and C)
  • HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)
  • Florida Information Protection Act (Florida Statute § 501.171)
  • Florida medical records privacy laws (Florida Statute § 456.057)
  • Florida Constitutional right to privacy (Article I, Section 23)

1.3 Contact Information

Tengrium Health
16192 Coastal Highway
Lewes, DE 19958

Email: info@tengriumhealth.com

Section 02

Information We Collect

2.1 Protected Health Information (PHI)

Upon launch of healthcare services, as a HIPAA-covered healthcare provider, we will collect and maintain Protected Health Information necessary to provide our services. PHI includes any health information that can identify you, including:

Medical and Clinical Information

  • Medical history, symptoms, and health conditions
  • Diagnoses and treatment plans
  • Medications and allergies
  • Laboratory and test results
  • Clinical notes and assessments
  • Care coordination information
  • Telehealth visit recordings (with your authorization)
  • Health monitoring data from our platform
  • Provider communications and consultations

Identifying Information

  • Name, date of birth, and contact information
  • Social Security number (when required)
  • Medical record number
  • Insurance information and subscriber identification
  • Emergency contact information
  • Demographic information (age, gender, race, ethnicity)

2.2 Account and Subscription Information

To manage your Tengrium Health account and subscription, we collect username and password, email address and phone number, subscription plan and billing cycle, service preferences and settings, communication preferences, and account activity and usage history.

2.3 Payment and Financial Information

We collect payment information necessary to process your subscription fees, including cardholder name, billing address, payment card information (processed through PCI DSS-certified payment processors), transaction history, and billing records.

Important: We do not store complete payment card numbers. Payment processing is handled by certified third-party payment processors who maintain strict security standards.

2.4 Technical and Usage Data

When you use our platform, we automatically collect IP address and geolocation information (city/state level), device information, platform usage patterns and interactions, session duration and frequency, feature utilization data, performance and error logs, and cookies and similar tracking technologies.

2.5 Communications

We maintain records of communications with you, including customer service interactions, support tickets, email correspondence, chat messages within our platform, phone call logs, and survey responses.

Section 03

How We Use Your Information

3.1 Treatment, Payment, and Healthcare Operations

Upon launch of healthcare services, under HIPAA, we may use and disclose your PHI without your authorization for:

Treatment

Providing diagnosis, monitoring, and treatment services; coordinating care with other healthcare providers; consulting with specialists; delivering telehealth services; managing your treatment plan; and providing clinical decision support.

Payment

Processing your subscription payments, billing activities and collections, determining service eligibility, and managing your account and subscription.

Healthcare Operations

Quality assessment and improvement, training healthcare professionals, compliance and audit activities, business planning, customer service, evaluating provider and platform performance, accreditation, and legal and regulatory compliance.

3.2 Artificial Intelligence and Machine Learning

Tengrium Health uses artificial intelligence and machine learning to improve diagnostic accuracy, enhance treatment recommendations, and advance healthcare delivery. We use our proprietary blind model training and data analysis that protects and verifiably upholds all privacy and data protections as required by federal privacy law.

Our Blind AI Training and Data Analysis Process

We follow the HIPAA Safe Harbor method (45 CFR § 164.514(b)(2)), which requires removal of 18 specific identifiers before data can be used for AI training:

  • Names
  • Geographic subdivisions smaller than state
  • All dates (except year) directly related to an individual
  • Telephone and fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs and IP addresses
  • Biometric identifiers
  • Full-face photographs
  • Any other unique identifying numbers or characteristics

Key Privacy Protections: De-identified data is not PHI. Your identifiable health information is never used to train AI models without proper de-identification. We do not share your data with external parties for AI training.

3.3 Service Delivery and Platform Operations

We use your information to operate and maintain the platform, provide customer support, send service-related communications, manage your subscription, improve performance, develop new features, conduct research (using de-identified data), and ensure platform security.

3.4 Legal and Regulatory Compliance

We may use or disclose your information when required by law, responding to court orders or subpoenas (with proper notice under Florida law), cooperating with law enforcement, reporting to public health authorities, complying with health oversight activities, preventing serious threats, and fulfilling workers' compensation requirements.

3.5 Communications and Marketing

You will receive essential service communications including account updates, appointment reminders, billing information, and security notifications.

Marketing: We do not use your health information for marketing without your specific written authorization. Per Florida law (§ 456.057), we are prohibited from using patient information for solicitation or marketing without specific written release. We do not sell your information to third parties.

Section 04

Information Sharing and Disclosure

4.1 Our Data Sharing Policy

We do not sell your health information to third parties. We do not share your PHI with external parties except as described in this policy and permitted by law.

4.2 Business Associates

Upon launch, we may share PHI with Business Associates who perform services on our behalf. Under HIPAA, they are required to protect your PHI, sign Business Associate Agreements, use your information only as authorized, implement appropriate safeguards, and report any breaches immediately.

Types include telehealth technology platforms, cloud infrastructure providers (data stored only in U.S., U.S. territories, or Canada per Florida law), IT support, legal and compliance consultants, billing and payment processors, and analytics platforms (with BAAs).

4.3 Healthcare Providers

We may share your PHI with other healthcare providers involved in your care, including specialists, your primary care physician (with your authorization), emergency personnel, and other coordinating providers.

4.4 Public Health and Legal Requirements

We may disclose PHI without your authorization when required or permitted by law for public health activities, health oversight, legal proceedings (with proper notice under Florida law), law enforcement, preventing serious threats, and reporting abuse, neglect, or domestic violence.

4.5 With Your Authorization

Any uses or disclosures not described in this policy require your written authorization, including marketing uses, sale of PHI (we do not engage in this), and most uses of psychotherapy notes. You may revoke your authorization at any time in writing.

4.6 Minimum Necessary Standard

When using or disclosing PHI for payment or healthcare operations, we limit the information to the minimum necessary to accomplish the intended purpose, as required by HIPAA and Florida law.

Section 05

Your Privacy Rights Under HIPAA

Upon launch of healthcare services, as our patient, you will have important rights regarding your health information:

5.1 Right to Access Your Health Information

You have the right to inspect and obtain copies of your PHI. We will respond within 30 days (with possible 30-day extension), provide information in your requested format, and charge a maximum of $6.50 for electronic copies. You may direct us to send copies to another person.

5.2 Right to Request Amendment

You may request amendment of PHI you believe is incorrect or incomplete. We will respond within 60 days (with possible 30-day extension). If denied, you may submit a statement of disagreement.

5.3 Right to Accounting of Disclosures

You may receive a list of certain disclosures covering the six years prior to your request. The first accounting per 12-month period is free.

5.4 Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. If you pay out-of-pocket in full and request we not disclose to your health plan, we must agree (unless otherwise required by law).

5.5 Right to Confidential Communications

You may request that we communicate with you in a specific way or at a specific location. We will accommodate reasonable requests.

5.6 Right to a Paper Copy

You may receive a paper copy of this Privacy Policy upon request, even if you agreed to receive it electronically.

5.7 Right to Be Notified of a Breach

You have the right to be notified if a breach of your unsecured PHI occurs (see Section 11).

Section 06

Special Privacy Protections Under Florida Law

6.1 Florida Constitutional Privacy Right

The Florida Constitution (Article I, Section 23) provides explicit privacy protection for medical records. We comply with Florida's more stringent requirements, including written authorization for certain disclosures, prohibition on marketing use without specific authorization, and restrictions on third-party re-disclosure.

6.2 HIV/AIDS Information

Florida law (§ 381.004) provides "super-confidential" status for HIV/AIDS information. We obtain appropriate consent before testing, maintain strict confidentiality, and never use HIV status for insurance or employment decisions.

6.3 Florida Data Storage Requirements

Per Florida Senate Bill 264, all patient information stored offsite must be maintained in the continental United States, U.S. territories, or Canada. We do not use offshore data storage.

6.4 Subpoena Notice

Under Florida law (§ 456.057), when a subpoena is issued for your medical records, we provide proper notice to you or your legal representative before responding.

Section 07

Data Security and Safeguards

7.1 Our Security Commitment

Tengrium Health implements comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your health information in compliance with the HIPAA Security Rule and Florida law.

7.2 Administrative Safeguards

Regular security risk assessments, workforce security with background checks, security awareness training, contingency planning with data backup and disaster recovery, and comprehensive Business Associate management.

7.3 Physical Safeguards

Facility access controls, workstation security with privacy screens and automatic locks, and device and media controls including secure destruction and disposal.

7.4 Technical Safeguards

  • Data in Transit: TLS 1.2 or higher
  • Data at Rest: AES-256 or equivalent
  • Device Encryption: All mobile devices and laptops with PHI access
  • Access Controls: Unique IDs, multi-factor authentication, role-based access
  • Monitoring: Audit logging, intrusion detection, incident response

7.5 Telehealth Security

End-to-end encryption, secure authentication, virtual waiting rooms, automatic session termination, and regular security assessments.

7.6 Incident Response

24/7 security monitoring, rapid response team, forensic investigation capabilities, breach notification procedures, and mitigation protocols.

Section 08

Telehealth Services and Privacy

8.1 Platform Security

End-to-end encryption, BAAs with all technology providers, secure authentication, unique meeting IDs, automatic termination after inactivity, and unauthorized access prevention.

8.2 Technology Requirements

Our Responsibilities: Private secure locations, provider disclosure of others present, HIPAA-compliant platforms only, regular security assessments.

Your Responsibilities: Private locations, secure Wi-Fi, updated software, disclose others present.

Prohibited: Public streaming platforms (Facebook Live, TikTok, Twitch), unapproved apps, unsecured communication methods.

8.3 Recording Policies

Sessions are not recorded without your explicit authorization. You may decline without affecting your care. Authorized recordings are stored securely as part of your medical record.

8.4 Audio-Only Telehealth

Audio-only services available via traditional telephone. Standard HIPAA protections apply.

8.5 Communication Privacy

Identity verification at each session, privacy environment checks, secure messaging through patient portal between sessions.

Section 09

Cookies, Tracking, and Website Analytics

9.1 Tracking Technologies

We use cookies, web beacons, and similar technologies to enhance your experience, with different practices for authenticated and unauthenticated areas.

9.2 Public Website

On public areas, we collect pages visited, browser/OS, general location, referring website, and device type. Analytics tools with health-related data access operate under BAAs.

9.3 Authenticated Portal

Enhanced protections: all vendors under BAAs, IP anonymization, advertising/remarketing disabled, cross-domain tracking disabled.

9.4 Types of Cookies

  • Strictly Necessary: Authentication, security, session management
  • Functional: Preferences, language, accessibility
  • Analytics: Usage patterns, performance, error detection
  • Marketing: We do not use cookies for targeted advertising, selling data, behavioral tracking, or third-party ad networks

9.5 Your Choices

Control cookies through browser settings, platform settings, and mobile device settings. We honor Do Not Track signals. We do not sell personal information or track you across third-party websites.

Section 10

Payment Information and Subscription Management

10.1 Subscription-Based Services

Tengrium Health operates on a subscription basis. We do not sell or distribute medications. We do not bill insurance companies for subscription services.

10.2 Payment Security

All transactions processed through PCI DSS Level 1 certified processors. We do not store complete card numbers or CVV/CVC codes. Payment information stored as encrypted tokens.

10.3 Data Separation

Payment information maintained separately from medical records. When association is necessary, both HIPAA and PCI DSS protections apply.

10.4 Subscription Management

Upgrade, downgrade, or cancel at any time. Clear cost disclosure, advance renewal notice, detailed billing statements. Treatment is never conditioned on subscription level.

10.5 Financial Assistance & Fraud Protection

Financial assistance and payment plans may be available. Inability to pay does not affect emergency care. We implement transaction monitoring, address verification, and fraud detection measures.

Section 11

Breach Notification

11.1 Our Commitment

We maintain comprehensive programs to prevent unauthorized access. In the unlikely event of a breach, we will notify you promptly.

11.2 Notification Timeline

Florida requires notification within 30 days — faster than HIPAA's 60-day requirement. We comply with the more stringent timeline:

  • Individual Notification: Within 30 days of breach discovery
  • Media Notification: Within 30 days if 500+ Florida residents affected
  • HHS Notification: Within 30–60 days depending on size
  • Florida Attorney General: Within 30 days if 500+ affected

11.3 What Our Notice Includes

Description of the breach and timing, types of information involved, steps you can take, our investigation and mitigation response, and contact information.

11.4 Your Role in Prevention

Keep login credentials confidential, use strong passwords, enable multi-factor authentication, and report suspicious activity to security@tengriumhealth.com.

Section 12

Children's Privacy

12.1 Parental Control

For patients under 18, parents or legal guardians create and control accounts. Florida law grants certain minors rights to consent to specific healthcare independently (e.g., STD testing under § 384.30). Emancipated minors have full adult rights.

12.2 COPPA Compliance

We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we become aware a child has provided information without consent, we will delete it promptly.

Section 13

Your Choices and Control

13.1 Communication Preferences

Essential service communications (security, billing, reminders) cannot be opted out. Marketing communications can be managed through account settings or unsubscribe links.

13.2 Account Management

View and update information, manage preferences, enable multi-factor authentication (strongly recommended), and request account closure. Health records retained per legal requirements after closure.

13.3 Data Portability

Request electronic copies in your preferred format (PDF, CCD, CSV). Direct transmission to another provider available. Maximum $6.50 fee for electronic copies.

13.4 Opting Out of De-identified Data Use

Contact our Privacy Official in writing to opt out of de-identification for AI training. This will not affect your care or services.

Section 14

Data Retention and Deletion

14.1 Retention Periods

  • Medical records: Minimum 7 years from last service (Florida requirement)
  • Pediatric records: Until age 25 or 7 years, whichever is longer
  • Privacy documentation: 6 years from creation or last effective date
  • Security logs: Minimum 6 years per HIPAA

14.2 Secure Deletion

When retention periods expire, we use cryptographic erasure, secure deletion software (DoD 5220.22-M or equivalent), physical destruction, and certified destruction services.

14.3 Legal Holds

We may retain information beyond standard periods when legal proceedings are pending, investigations are ongoing, or other legal obligations require preservation.

Section 15

Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy. Material changes will be communicated via website posting, email notification, and patient portal notice. Changes apply to all PHI we maintain. We retain all versions for 6 years per HIPAA.

Section 16

State-Specific Privacy Rights

16.1 Florida Residents

Additional protections include 30-day breach notification, constitutional privacy right for medical records, enhanced HIV/AIDS confidentiality, geographic data storage restrictions, subpoena notice requirements, and marketing prohibition.

16.2 Other States

Residents of states with additional privacy laws (California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and others) retain those protections. Contact our Privacy Official to exercise state-specific rights.

16.3 Biometric Information

We do not currently collect biometric information for identification purposes. If implemented in the future, we will obtain specific consent and comply with all applicable biometric privacy laws.

Section 17

Contact Information and Filing Complaints

Privacy Inquiries

privacy@tengriumhealth.com

General Support

support@tengriumhealth.com

Security Incidents — 24/7

security@tengriumhealth.com

17.4 Filing a Complaint

You may file a complaint with Tengrium Health or with the U.S. Department of Health and Human Services Office for Civil Rights:

HHS Office for Civil Rights

200 Independence Avenue, S.W., Washington, D.C. 20201

Phone: 1-877-696-6775 · ocrportal.hhs.gov

Florida Attorney General

PL-01, The Capitol, Tallahassee, FL 32399-1050

Phone: (850) 414-3990 · myfloridalegal.com

17.5 No Retaliation

Filing a complaint will not affect your treatment or services. HIPAA prohibits retaliation for exercising privacy rights.

Section 18

Additional Legal Information

This Privacy Policy works together with our forthcoming Notice of Privacy Practices (NPP), Terms of Service, Business Associate Agreements, and specific consent forms. It is governed by federal law (HIPAA) and Florida state law. Where they conflict, the more stringent protection applies.

Legal Review Notice

Before launching healthcare services, Tengrium Health will have this Privacy Policy reviewed by qualified legal counsel experienced in healthcare privacy law, HIPAA compliance, Florida health law, digital health regulation, and AI/ML healthcare applications.

We provide free language assistance services. To request an interpreter or translated materials, contact us at info@tengrium.com.

Section 19

Glossary of Terms

Protected Health Information (PHI)
Individually identifiable health information transmitted or maintained by a covered entity or business associate.
Covered Entity
Health plans, clearinghouses, and providers who transmit health information electronically in HIPAA-covered transactions.
Business Associate
A person or entity performing functions on behalf of a covered entity involving access to PHI.
De-identified Information
Health information from which all 18 HIPAA Safe Harbor identifiers have been removed.
Treatment
Provision, coordination, or management of healthcare and related services.
Payment
Activities to obtain reimbursement for healthcare services, including billing and claims management.
Healthcare Operations
Administrative, quality improvement, training, and business activities necessary to run a healthcare organization.
Minimum Necessary
The HIPAA requirement to use only the minimum PHI needed for the intended purpose.
Authorization
Written permission allowing specific uses of PHI beyond treatment, payment, and operations.
Breach
An impermissible use or disclosure that compromises the security or privacy of PHI.
Encryption
An algorithmic process transforming data into a form with low probability of meaning without a key.
Business Associate Agreement (BAA)
A contract specifying how a business associate will protect and use PHI.
HIPAA
The Health Insurance Portability and Accountability Act of 1996.
Safe Harbor Method
A de-identification method requiring removal of 18 specific identifiers.

Section 20

Additional Resources

HIPAA Resources

Florida Resources

Identity Theft Resources

Thank you for your interest in Tengrium Health. We are committed to protecting your privacy while building a high-quality, technology-enabled healthcare platform.

Questions? Contact our Privacy Official at info@tengrium.com.
