
Privacy Policy

Last updated: March 1, 2026

1. Introduction

PulseCare, Inc. (“PulseCare,” “we,” “our,” or “us”) is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our telehealth and clinical portal platform (“Services”).

PulseCare operates as a covered entity and/or business associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This Policy should be read in conjunction with our HIPAA Notice of Privacy Practices, which governs how we handle Protected Health Information (PHI).

2. Information We Collect

We collect several categories of information in connection with your use of our Services:

  • Account information: name, email address, professional credentials, and authentication credentials.
  • Protected Health Information (PHI): health records, visit notes, lab results, medications, diagnoses, and other clinical data you or your care team enter into the platform.
  • Usage data: log files, IP addresses, browser type, pages visited, and session duration for security and performance monitoring.
  • Device information: operating system, device identifiers, and network information to support mobile applications.
  • Payment information: billing details processed by our PCI-DSS compliant payment processor; PulseCare does not store full payment card numbers.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and improve the Services
  • To facilitate clinical care coordination between providers and patients
  • To send transactional communications (appointment reminders, result notifications, secure messages)
  • To comply with legal and regulatory obligations
  • To detect and prevent fraud, unauthorized access, and security incidents
  • To generate de-identified analytics for platform improvement

We do not sell, rent, or trade your personal information or PHI to third parties for marketing purposes.

4. HIPAA Compliance

PulseCare is designed and operated in accordance with HIPAA's Privacy Rule (45 CFR Part 164) and Security Rule. As a business associate to covered healthcare entities, we execute a Business Associate Agreement (BAA) with each customer organization prior to processing PHI.

Our HIPAA compliance program includes:

  • Annual HIPAA risk assessments by qualified third parties
  • AES-256 encryption for all PHI at rest and in transit
  • Role-based access controls limiting PHI access to authorized users
  • Comprehensive audit logging with 7-year retention
  • Workforce training on HIPAA Privacy and Security Rules
  • Breach notification procedures meeting the HITECH Act requirements

5. Data Security

We implement administrative, physical, and technical safeguards designed to protect your information from unauthorized access, disclosure, alteration, or destruction. Our infrastructure is hosted with an enterprise-grade cloud provider across US, EU, and APAC regions and is designed to support continuous monitoring aligned to SOC 2 Type II.

While we employ industry-leading security measures, no system is completely immune to risk. We encourage users to maintain strong, unique passwords and to enable multi-factor authentication on their PulseCare accounts.

6. Your Rights

Depending on your jurisdiction and role, you may have the following rights regarding your information:

You have the right to access your personal data, the right to rectify or correct inaccurate data, the right to restrict certain processing, the right to data portability, the right to object to processing, and the right to lodge a complaint with a supervisory authority.

  • Access (Art. 15 GDPR): request a copy of the personal information we hold about you
  • Correction (Art. 16 GDPR): request correction of inaccurate data
  • Deletion (Art. 17 GDPR / “right to be forgotten”): request deletion of your account and associated non-PHI data (PHI deletion is governed by your covered entity's policies and applicable law)
  • Data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format via our FHIR API
  • Restriction of processing (Art. 18 GDPR): request restrictions on certain processing activities
  • Object to processing (Art. 21 GDPR): object to processing based on our legitimate interests, including profiling for direct marketing
  • No automated decision-making (Art. 22 GDPR): you have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects
  • Withdraw consent (Art. 7(3) GDPR): where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal

California and US State Privacy Rights

Residents of California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), and other US states with comprehensive privacy laws have the following additional rights:

  • Know: the categories and specific pieces of personal information we collect, use, disclose, and sell (we do not sell personal information)
  • Delete: request deletion of personal information we have collected from you, subject to certain exceptions
  • Correct: request correction of inaccurate personal information
  • Opt out of sale or sharing: we do not sell or share personal information for cross-context behavioural advertising; no action is required
  • Limit use of sensitive personal information: health data constitutes sensitive personal information under CPRA; we use it solely to provide the service and do not use it for inferring characteristics about you
  • Non-discrimination: we will not discriminate against you for exercising your privacy rights

Global Privacy Control (GPC) and Do Not Track (DNT)

We honour the Global Privacy Control (GPC) browser signal. When detected, we treat it as an opt-out from the sale and sharing of personal information as required by California, Colorado, Connecticut, and other US state privacy laws. The kit ships no analytics by default; when analytics are enabled, the CookieConsent component reads the GPC signal before setting any non-essential cookie.

We do not currently respond to Do Not Track (DNT) signals because there is no universal standard for what “tracking” means in that context. GPC is the legally recognised signal under applicable US state law.

To exercise any of these rights, contact us at privacy@pulsecare.health.

7. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer, PulseCare, Inc.
Demo UI kit preview — content is fictional.