Effective Date: [TO BE SET AT PUBLICATION] Last Updated: April 16, 2026 Version: 1.0 DRAFT
⚠️ DRAFT — COUNSEL REVIEW REQUIRED BEFORE PUBLICATION. This document was prepared based on public regulatory guidance as of April 2026. Do not publish without review by a healthcare attorney licensed in Texas.
1. Introduction
Auxo Health Solutions, [LEGAL ENTITY TYPE — e.g., a Texas limited liability company] ("Auxo", "we", "us", "our") provides a behavioral health electronic health record ("EHR") platform to substance use disorder ("SUD") treatment facilities, mental health providers, and related healthcare organizations ("Customers").
This Privacy Policy explains how we collect, use, and disclose information about:
- Visitors to our website (auxohealthsolutions.com and app.auxohealthsolutions.com)
- Prospective and current Customers and their authorized representatives
- Authorized Users — employees, contractors, and clinicians of our Customers who use the Auxo platform
- Vendors and business partners
This Privacy Policy does NOT apply to Protected Health Information ("PHI") processed by Auxo on behalf of a Customer. See Section 3 below.
2. Information We Collect
2.1 Information You Provide
- Account information: name, email address, phone number, job title, organization name, professional credentials (NPI, state license numbers), and the password you choose.
- Billing information: business name, billing contact, billing address, tax identification number. Payment card data is handled by our payment processor (Stripe) and never stored on Auxo servers.
- Communications: messages you send us (support tickets, sales inquiries, feedback).
- Marketing preferences: email subscription status, topics of interest.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, actions taken in the platform (analyzed in aggregated and anonymized form; retention of any identifiable analytics is described in Section 6).
- Device information: browser, operating system, IP address, device type, screen resolution.
- Cookies and similar technologies: session cookies for authentication; analytics cookies to understand usage patterns. See Section 10 below.
2.3 Information from Third Parties
- Professional data sources: we may verify NPI numbers against the NPPES registry or state license numbers against state medical boards.
- Publicly available information from business directories, LinkedIn, and similar sources used for sales prospecting.
3. Our Role as a HIPAA Business Associate
When a Customer (such as a treatment facility) uses Auxo to create, receive, maintain, or transmit Protected Health Information ("PHI"), Auxo acts as a Business Associate under the Health Insurance Portability and Accountability Act ("HIPAA"). In that capacity:
- Auxo's processing of PHI is governed by the Business Associate Agreement ("BAA") executed between Auxo and the Customer, and by HIPAA and applicable state law — not this Privacy Policy.
- Under HIPAA, patients exercise their individual privacy rights (access, amendment, accounting of disclosures, complaints) through their treatment provider (the Customer), which is the covered entity, and not directly against Auxo.
- Each Customer maintains its own Notice of Privacy Practices ("NPP") describing how it uses and discloses PHI; contact the treatment facility that treats you for its NPP.
- If you are a patient and have a privacy complaint about your treatment provider, you may file a complaint with your treatment provider or with the U.S. Department of Health and Human Services Office for Civil Rights: https://www.hhs.gov/hipaa/filing-a-complaint/
For Customers whose records are subject to 42 CFR Part 2 (federal SUD records confidentiality), Auxo operates as a "Qualified Service Organization" under 42 CFR § 2.11 and protects Part 2 records in accordance with the Part 2 regulations and the BAA.
4. How We Use Your Information
We use personal information described in Section 2 for the following purposes:
- To provide and operate the Auxo platform
- To authenticate users and protect accounts
- To process billing and payments
- To provide customer support and respond to inquiries
- To send administrative messages (service updates, security alerts, policy changes)
- To send marketing communications (you may opt out at any time)
- To analyze usage patterns and improve the platform
- To detect, prevent, and respond to fraud, abuse, and security incidents
- To comply with legal obligations and enforce our Terms of Service
- For corporate transactions (merger, acquisition, financing) — where permitted by law
We do not use Customer Data or PHI to train foundation artificial intelligence ("AI") or machine learning ("ML") models. Our AI subprocessors (such as Anthropic) have contractually committed to zero data retention for our account.
5. How We Share Your Information
5.1 Sub-Processors
We share personal information with vendors and service providers who help us operate the platform. Our current sub-processors are listed at: https://app.auxohealthsolutions.com/legal/sub-processors
Each sub-processor that processes PHI has executed a Business Associate Agreement with us. Sub-processors are contractually required to (i) use personal information only to perform services for us, (ii) implement appropriate safeguards, and (iii) flow down BAA protections to their own sub-processors.
5.2 With Your Direction
We share personal information with third parties when you instruct us to (for example, integrations you configure in the Auxo platform).
5.3 Legal Requirements
We may disclose personal information when we have a good-faith belief that disclosure is:
- Required by law, legal process, or government order
- Necessary to comply with a subpoena, warrant, or court order (for PHI, we apply HIPAA and 42 CFR Part 2 procedures — see our disclosure handling policy)
- Necessary to protect the rights, property, or safety of Auxo, our Customers, patients, or the public
- Related to a suspected violation of our Terms of Service
5.4 Corporate Transactions
If Auxo is involved in a merger, acquisition, financing, bankruptcy, or sale of assets, personal information may be transferred to the acquiring entity, subject to continuing contractual obligations and, for PHI, HIPAA and Part 2 requirements.
5.5 Aggregated and De-Identified Data
We may share aggregated or de-identified information that does not reasonably identify any individual for analytics, benchmarking, marketing, or research. For PHI, de-identification is performed in accordance with HIPAA Safe Harbor (45 CFR 164.514(b)(2)) or Expert Determination (45 CFR 164.514(b)(1)).
5.6 We Do Not Sell Personal Information
Auxo does not sell personal information for monetary or other valuable consideration, and does not engage in "sharing" for cross-context behavioral advertising, as those terms are defined under applicable state privacy laws (including the California Consumer Privacy Act and the Texas Data Privacy and Security Act).
6. Data Retention
We retain personal information as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. Specific retention periods:
- Account information: retained while your account is active, plus 7 years (to support audit and tax obligations)
- Billing records: retained for 7 years
- Support communications: 3 years
- Website analytics: 24 months (aggregated); 14 months (identifiable where applicable)
- PHI: retained only as directed by the Customer and as required by HIPAA, 42 CFR Part 2, and the BAA; returned or destroyed per 45 CFR 164.504(e)(2)(ii)(J) upon contract termination
7. Security
We implement administrative, physical, and technical safeguards designed to protect personal information, including:
- Encryption of personal information and PHI in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for access to production systems
- Role-based access control and least-privilege enforcement
- Audit logging of access to PHI
- Regular security training for our workforce
- Annual third-party security assessments
- Vendor due diligence for all sub-processors
- Incident response and breach notification procedures aligned with HIPAA, 42 CFR Part 2, and applicable state laws
No security program can guarantee absolute security. If you believe your account has been compromised, contact us immediately at security@auxohealthsolutions.com.
8. Your Privacy Rights
8.1 All Users
Regardless of where you live, you may:
- Ask us to access personal information we hold about you
- Ask us to correct inaccurate personal information
- Ask us to delete personal information (subject to legal and contractual retention requirements)
- Opt out of marketing emails (via the unsubscribe link in every email)
- Manage cookie preferences via your browser settings
Send requests to privacy@auxohealthsolutions.com. We will respond within 45 days.
8.2 California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know the categories and specific pieces of personal information we collect, use, share, and sell
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing (we do not sell or share)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising these rights
Categories of personal information we collect (per Cal. Civ. Code § 1798.140 categories): identifiers, commercial information, internet/network activity, professional/employment information, inferences. We do not knowingly collect biometric, genetic, precise geolocation, or children's (under 16) information about visitors or business contacts.
To exercise California rights, email privacy@auxohealthsolutions.com or call [PHONE]. You may designate an authorized agent by providing written authorization and verifying your identity.
Global Privacy Control: We honor browser-level GPC signals as opt-out of sale/sharing requests (though we do not sell or share in any case).
8.3 Texas Residents (TDPSA)
Under the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Chapter 541), effective July 1, 2024, Texas residents have the following rights regarding personal information processed by Auxo outside the HIPAA/Part 2 context:
- Right to confirm processing and access personal information
- Right to correct inaccuracies
- Right to delete personal information
- Right to data portability
- Right to opt out of sale, targeted advertising, and profiling with legal effects
Sensitive data: We do not knowingly process sensitive data (as defined in § 541.001) about visitors or business contacts without consent.
We do not sell personal data for monetary or other valuable consideration.
To exercise Texas rights, email privacy@auxohealthsolutions.com. We will respond within 45 days. To appeal a denial, email the same address; if unresolved, you may file a complaint with the Texas Attorney General: https://www.texasattorneygeneral.gov/
8.4 Other U.S. State Privacy Laws
Residents of Colorado, Connecticut, Virginia, Utah, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Kentucky, Minnesota, Maryland, and other states with comprehensive privacy laws have rights similar to those described in Sections 8.2 and 8.3. Email privacy@auxohealthsolutions.com to exercise them.
8.5 Patient Privacy Rights (HIPAA)
If you are a patient, your HIPAA privacy rights (including the right to access your medical record, request amendments, request an accounting of disclosures, and request restrictions) are exercised through your treatment provider, not through Auxo. Contact the treatment facility that treats you.
9. Children
The Auxo platform is designed for use by healthcare professionals and is not directed at children under 16. We do not knowingly collect personal information from children under 16 through our website. Patient-minor PHI processed through the platform is governed by HIPAA and the Customer's Notice of Privacy Practices.
10. Cookies and Tracking
We use the following categories of cookies:
- Strictly necessary (authentication, security) — cannot be disabled
- Functional (remembering preferences)
- Analytics (understanding usage, improving the platform) — [LIST ANALYTICS PROVIDERS]
Manage cookies via your browser settings. We do not use third-party advertising cookies or pixels on our authenticated application pages. Marketing website analytics may use [LIST] — opt out via our cookie banner.
11. International Data Transfers
Auxo operates in the United States. If you access the platform from outside the U.S., you consent to transfer of your personal information to the U.S., which may have different data protection laws than your jurisdiction. We do not currently offer the platform to customers outside the U.S.
12. Changes to This Policy
We may update this Privacy Policy. Material changes will be announced via email to registered Customers and posted on this page at least 30 days before taking effect. The "Last Updated" date at the top shows the most recent revision.
13. Contact Us
- Privacy inquiries: privacy@auxohealthsolutions.com
- Security issues: security@auxohealthsolutions.com
- General contact: support@auxohealthsolutions.com
- Mailing address: [AUXO MAILING ADDRESS]
- Privacy Officer: [NAME], privacy-officer@auxohealthsolutions.com
Auxo Health Solutions is [LEGAL ENTITY NAME AND TYPE], registered in [STATE].