Privacy Policy.
Effective April 18, 2026 · Last updated April 18, 2026
The policy in four bullets.
- We encrypt everything: all data is encrypted at rest (AES-256) and in transit (TLS 1.3). No exceptions.
- We're HIPAA-compliant: we sign a BAA with every practice before any PHI is processed.
- We never sell data: we don't sell, rent, or share your data with advertisers or data brokers. Period.
- We use minimum data: we only collect what's needed to run the service you're paying for.
1. Who We Are
Perpetua Health is a product of ChronaSystems, Inc. ("Perpetua," "we," "us," or "our"), a Texas corporation headquartered in Houston, Texas. We provide an AI operations platform for medical practices. This Privacy Policy describes how we collect, use, and protect information when you use our website at perpetuahealth.co and the Perpetua application (collectively, the "Service").
2. Information We Collect
2.1 Practice Information
When a medical practice signs up, we collect practice name, tax ID, legal entity, business address, phone numbers, provider NPIs, specialties, operating hours, and EHR system.
2.2 Account Information
We collect user names, email addresses, phone numbers, and role assignments for every user added to a practice's Perpetua workspace. Authentication is handled by Clerk.
2.3 Protected Health Information (PHI)
In the course of providing the Service, we receive and process PHI regulated under HIPAA. PHI may include patient names, dates of birth, insurance details, appointment times, reasons for visit, call recordings, and call transcripts. We process PHI only as authorized by our Business Associate Agreement (BAA) with each practice — never for secondary purposes like marketing or AI training.
2.4 Payment Information
Billing and payments are handled by Stripe. We do not store credit card numbers or bank account numbers on our servers. Stripe is certified as a PCI DSS Level 1 Service Provider.
2.5 Usage & Technical Data
We collect standard web analytics (page views, referrers, browser type, IP address) and application telemetry (agent runs, error logs, performance metrics). This data is never used to identify individual patients.
3. How We Use Information
We use the information we collect to:
- Deliver the Service (answer calls, verify insurance, book appointments, send reminders, etc.)
- Authenticate users and secure accounts
- Process payments and manage subscriptions
- Send transactional emails (receipts, password resets, alerts)
- Monitor service health and investigate incidents
- Respond to support requests
- Comply with legal and regulatory obligations
We do not use PHI to train AI models. Our language models are served by upstream providers under zero-retention contracts.
4. How We Store & Secure Data
All customer data is stored on Supabase (Postgres) hosted on AWS in a HIPAA-eligible configuration with a signed BAA. Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Postgres Row-Level Security policies scope every query to the caller's organization, so no user can read or modify data belonging to another organization.
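The following is an added illustration of how per-organization Row-Level Security works in Postgres, written in the style Supabase uses (the `authenticated` role and `auth.uid()` are Supabase's). It is not Perpetua's schema or policy text; the table and column names (organizations, org_members, appointments) are assumed for the example.

```sql
-- Added example of tenant isolation with Postgres Row-Level Security.
-- Schema names (organizations, org_members, appointments) are assumed;
-- auth.uid() and the "authenticated" role are Supabase conventions.

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which authenticated users belong to which organization.
create table org_members (
  org_id  uuid not null references organizations(id),
  user_id uuid not null,            -- matches auth.uid() for the caller
  role    text not null check (role in ('owner', 'staff')),
  primary key (org_id, user_id)
);

-- A PHI-bearing table; every row carries its owning organization.
create table appointments (
  id           uuid primary key default gen_random_uuid(),
  org_id       uuid not null references organizations(id),
  patient_name text not null,
  starts_at    timestamptz not null
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
-- With RLS enabled and no matching policy, a query returns no rows.
alter table appointments enable row level security;
alter table appointments force row level security;

-- USING filters which rows a caller can SELECT/UPDATE/DELETE.
-- WITH CHECK blocks INSERTs or UPDATEs that would place a row in another org.
create policy appointments_tenant_isolation on appointments
  for all
  to authenticated
  using (
    org_id in (select org_id from org_members where user_id = auth.uid())
  )
  with check (
    org_id in (select org_id from org_members where user_id = auth.uid())
  );

-- The application does not have to filter on org_id itself; Postgres applies
-- the policy. Run with the JWT of a user in org A, this returns only org A rows.
select id, starts_at from appointments order by starts_at;
```

The caveat a reviewer would check: RLS policies apply to roles without the BYPASSRLS attribute. Supabase's service-role key bypasses RLS entirely, so it must only ever be used server-side and never shipped to a browser or agent runtime that handles untrusted input.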
Additional security measures include: role-based access control, multi-factor authentication for all employee accounts, automated audit logging of every PHI access, intrusion detection, and regular penetration testing.
Data is backed up continuously and retained per the retention schedule in Section 8. Backups are encrypted with separate keys.
5. Third-Party Subprocessors
We rely on a small number of subprocessors to operate the Service. Each signs a BAA or equivalent privacy agreement.
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database & storage | All customer data (encrypted) |
| Clerk | Authentication | User name, email, phone |
| Stripe | Payment processing | Billing information |
| Twilio | Voice & SMS | Phone numbers, call metadata |
| Resend | Transactional email | Email addresses, content |
| Vercel | Application hosting | Request logs (no PHI) |
| Sentry | Error monitoring | Error traces (PHI scrubbed) |
We do not sell or rent your information to third parties. We do not share data with advertisers or data brokers.
6. HIPAA Compliance
Perpetua is a Business Associate under HIPAA. Before any PHI is transmitted, we execute a Business Associate Agreement (BAA) with the covered entity. Our BAA commits us to:
- Use and disclose PHI only as permitted by the BAA and HIPAA
- Implement administrative, physical, and technical safeguards
- Report any breach affecting PHI within 24 hours of discovery
- Return or destroy PHI upon termination of the Service
- Make our BAA, policies, and audit logs available for review
See our HIPAA compliance page and BAA page for additional detail.
7. Your Rights
Practices and users have the following rights, exercisable by emailing privacy@perpetuahealth.com:
- Access: request a copy of the data we hold about you
- Correction: correct inaccurate or incomplete data
- Deletion: request deletion of your account and associated data
- Portability: export your data in a machine-readable format
- Opt-out: opt out of non-essential communications
For PHI rights (access, amendment, accounting of disclosures), patients should contact their healthcare provider. Perpetua will fulfill such requests through the provider as their Business Associate.
8. Data Retention
- Account data: retained for the life of the subscription plus 90 days.
- PHI: retained per the practice's direction and applicable state retention laws. Default is 7 years for medical record–related data.
- Call recordings & transcripts: retained 12 months by default. Configurable by the practice.
- Audit logs: retained 7 years.
- Backups: encrypted rolling 30-day window.
9. Children's Privacy
The Service is not directed at children under 13. Pediatric patient information received through the Service is PHI and handled under our BAA with the treating practice.
10. International Users
The Service is operated from the United States and intended for U.S. medical practices. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify account owners by email at least 30 days before the change takes effect.
12. Contact Us
Questions about this Privacy Policy or our data practices? Email privacy@perpetuahealth.com.
Read our HIPAA compliance details, security practices, or request a BAA.