Privacy Policy
Effective Date: May 11, 2026
Empower Mental Health (“Empower,” “we,” “us,” or “our”) provides a behavioral health management platform used by clinical staff, providers, patients, and partners. This Privacy Policy explains what information we collect through our website, web application, and mobile applications (collectively, the “Services”), how we use and share that information, and the choices and rights available to you.
Empower is a “Business Associate” and, in some cases, a “Covered Entity” under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Protected Health Information (“PHI”) handled through the Services is governed by HIPAA, our Notice of Privacy Practices, and applicable Business Associate Agreements (“BAAs”) with our covered-entity customers. Where HIPAA conflicts with this Policy, HIPAA and the applicable BAA control with respect to PHI.
1. Who This Policy Applies To
This Policy applies to individuals who:
- Use the Empower web application as a clinical or administrative user;
- Use the Empower mobile application (iOS or Android) as a clinical, administrative, or patient user;
- Access the patient portal, intake forms, partner referral forms, or other public-facing tools; or
- Otherwise interact with our website or communicate with us.
2. Information We Collect
Account & profile information. Name, email address, phone number, role, employer or affiliated organization, credentials (for clinical users), profile photo, password, and multi-factor authentication details.
Protected Health Information (PHI). When you use the Services in a clinical context, we collect and process PHI such as patient demographics, contact information, insurance details, diagnoses, encounter notes, treatment plans, medications, lab and assessment results, scheduling data, clinical messages, referrals, and billing information.
Communications. Messages, emails, voice calls, video sessions, voicemails, call recordings (where lawful and consented), chat messages, faxes, and the metadata associated with them (timestamps, participants, durations).
Payment information. Billing contact details and limited payment metadata. Full card numbers and bank account numbers are handled by our payment processor (Stripe) and are not stored on Empower servers.
Device and usage information. IP address, device type, operating system, browser type, mobile device identifiers, crash logs, diagnostic data, pages and features used, timestamps, and audit-log entries for security and compliance purposes.
Mobile permissions. With your consent, our mobile app may access your device’s microphone and camera (for video visits and VoIP calls), notifications (for messages, calls, and clinical alerts), contacts (only when you choose to share), photo library (when you upload a document or profile picture), and background audio (to keep an active call connected). You can revoke these permissions at any time in your device settings.
Cookies and similar technologies. We use strictly necessary cookies for authentication and session management, and we may use limited analytics to understand product reliability and performance. We do not use advertising cookies or sell your data.
3. How We Use Information
- To provide, operate, secure, and improve the Services;
- To support clinical care, scheduling, documentation, billing, and care coordination on behalf of our covered-entity customers;
- To authenticate users, prevent fraud, and maintain audit trails as required by HIPAA;
- To deliver notifications, reminders, and service-related communications;
- To respond to support requests and troubleshoot issues;
- To comply with legal, regulatory, and contractual obligations;
- To analyze aggregated or de-identified data to improve quality of care, reliability, and product performance.
We do not sell PHI or personal information, and we do not use PHI for advertising or marketing unrelated to your care.
4. How We Share Information
With your healthcare providers and organization. PHI is shared with the covered entity (e.g., your clinic, practice, or treatment program) that uses Empower to deliver your care, including authorized staff working within that organization.
With service providers (subprocessors). We share information with trusted vendors who help us operate the Services under written agreements (including BAAs where PHI is involved). These include, among others: Amazon Web Services (hosting, storage, email), Stripe (payments), Twilio (voice, SMS, fax), Daily.co (video visits), OpenAI (limited AI-assisted features such as translation and clinical-note drafting under a BAA), and product analytics or monitoring tools used solely for security and reliability.
For legal and safety reasons. We may disclose information when required by law, valid legal process, or to protect the rights, safety, or property of patients, users, or the public, consistent with HIPAA and other applicable law.
Business transfers. If Empower is involved in a merger, acquisition, financing, or sale of assets, information may be transferred subject to this Policy and applicable law, including continued HIPAA protections for PHI.
5. HIPAA Rights and Patient Choices
If you are a patient, your rights with respect to your PHI — including the right to access, amend, restrict, and obtain an accounting of disclosures — are administered by the covered entity that provides your care. Please direct PHI-related requests to that organization. Empower will support those requests as the covered entity’s Business Associate.
You may also have additional rights under state laws (such as California, Washington, Virginia, Colorado, and others). Where those rights apply, we honor them in accordance with applicable law.
6. Data Security
We use administrative, physical, and technical safeguards designed to protect your information, including: encryption in transit (TLS) and at rest (AES-256), role-based access control, scoped row-level data filters, multi-factor authentication, comprehensive audit logging, intrusion detection, vulnerability management, and 24/7 monitoring on HIPAA-eligible AWS infrastructure. No method of transmission or storage is 100% secure, but we work continuously to maintain a strong security posture.
7. Data Retention
We retain PHI for the period required by the covered entity, by applicable law, and by our BAAs — typically a minimum of seven (7) years for clinical and audit records. Account and non-PHI operational data are retained for as long as needed to provide the Services and to meet legal, accounting, and security obligations. When records are deleted, they are removed from active systems and securely purged from backups in accordance with our retention schedule.
8. Mobile Application — Additional Disclosures
Push notifications. With your permission, the Empower mobile app sends push notifications for incoming calls, messages, schedule changes, and clinical alerts. You can disable notifications at any time in your device’s settings.
Background activity. The app may run limited background activity to keep a call connected, deliver real-time notifications, and maintain a secure session. It does not collect location, contacts, or media in the background.
Crash and diagnostic data. We may collect anonymized crash reports and diagnostic data to improve stability. This data does not contain PHI.
App Store information. When you download the app from Apple’s App Store, Apple may collect information about your download and use of the app as described in Apple’s privacy policy. Empower does not control Apple’s practices.
9. Children's Privacy
Empower’s Services may be used to deliver care to minors under the direction of a covered entity and a parent or legal guardian. We do not knowingly collect personal information from children outside of that clinical context. If you believe a child has provided information to us inappropriately, please contact us and we will take prompt action.
10. International Users
The Services are operated from the United States and are intended for use within the United States. If you access the Services from another country, you understand that your information will be processed in the U.S., which may have data protection laws that differ from those in your country.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Effective Date” above and, where appropriate, provide additional notice (such as an in-app banner or email). Your continued use of the Services after an update constitutes acceptance of the revised Policy.
12. Contact Us
If you have questions about this Privacy Policy, our privacy practices, or wish to exercise a privacy right, please contact:
- Privacy: privacy@empowermh.co
- General support: support@empowermh.co
If you are a patient and your question concerns your medical record or HIPAA rights, please contact the clinic or treatment program that provides your care directly.