Privacy Policy

CrelioHealth ("CrelioHealth," "we," "our," or "us") respects your privacy and is committed to protecting the information entrusted to us. This Privacy Policy explains how we collect, use, disclose, store, and protect information when you access or use our websites, laboratory information management systems (LIMS), laboratory information systems (LIS), patient portals, mobile applications, integrations, APIs, and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.

1. Applicability and Explicit Differentiation of Roles

This Privacy Policy applies to information collected through our websites, applications, products, services, customer support channels, and other interactions with CrelioHealth. It applies to customers, healthcare organizations, laboratories, healthcare providers, patients accessing customer-operated portals, business partners, vendors, and visitors to our websites.

To align with US regulatory standards, CrelioHealth clearly delineates its operational roles regarding data ownership and processing:

CrelioHealth as a Business Associate (Patient and Healthcare Data): In the vast majority of our operations, CrelioHealth provides technology services to healthcare organizations and laboratories that determine how patient information is collected and used. In such circumstances, CrelioHealth acts strictly as a Business Associate or data processor on behalf of its customers (the Covered Entities). We process Protected Health Information (PHI) solely in accordance with contractual obligations, executed Business Associate Agreements (BAAs), and applicable law.

CrelioHealth as a Covered Entity / Independent Data Controller (Corporate and Account Data): For standard business operations, CrelioHealth collects corporate and account data. This includes laboratory administrator login credentials, billing details, purchase records, and marketing analytics. CrelioHealth administers this corporate information independently to maintain, secure, and optimize our commercial accounts and public-facing platforms. Corporate and account data are kept structurally isolated from patient PHI workflows.

2. Types of Information We Collect

Google Single Sign-On (SSO) and API Disclosures

Certain Services allow users to authenticate through Google Single Sign-On. When you choose to use this authentication method, we receive information associated with your Google account that is necessary to verify your identity and facilitate access to the Services. This information is used solely for authentication, account management, and security purposes.

Google API Compliance Statement: CrelioHealth's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Personally Identifiable Information (Corporate & Account Data)

We may collect personally identifiable information that you voluntarily provide when creating an account, requesting information, subscribing to communications, purchasing Services, contacting us, or otherwise interacting with CrelioHealth. Such information may include your name, email address, telephone number, mailing address, organization details, job title, payment information, and other information necessary to provide the Services.

Sensitive Personal Information and Protected Health Information (PHI)

Depending on how our customers use the Services, CrelioHealth processes sensitive personal information and Protected Health Information on behalf of healthcare organizations, laboratories, healthcare providers, and other authorized entities. Such information may include patient identifiers, laboratory records, diagnostic information, treatment-related information, insurance information, and other healthcare-related data necessary for the delivery and management of healthcare services.

Non-Personally Identifiable Information and Technical Tracking

We may automatically collect certain information regarding your interaction with the Services. This information may include browser type, operating system, device information, IP address, access times, usage patterns, log files, diagnostic data, and other technical information that helps us operate, maintain, and improve the Services.

Our websites and applications use web browser cookies and similar technologies to enhance functionality, improve user experience, analyze website performance, remember user preferences, and support security measures. Users may choose to modify browser settings to refuse cookies; however, certain features of the Services may not function properly if cookies are disabled.

Geolocation Information

Certain Services collect location-related information when necessary to support operational workflows. For example, location information from the CrelioHealth Phlebotomist Application may be used to provide estimated arrival times, facilitate order fulfillment, communicate delivery updates, support order status notifications, and assist with related operational activities. Such information is collected only as necessary for the provision of Services and in accordance with applicable permissions and settings.

3. Purpose of Collection and Use of Information

CrelioHealth collects and uses information for legitimate business, operational, contractual, and legal purposes:

Service Delivery: Delivering and maintaining the Services, providing customer support, managing accounts, processing transactions, and optimizing user interfaces.

Product Improvement: Analyzing system interaction to develop new features, conduct internal analytics, and maintain system health.

Communications: Issuing service-related notices, responding to customer inquiries, administering promotional updates, or distributing newsletters where permitted by law.

Logistics: Using operational application data to support order management, delivery tracking, and phlebotomy workflow activities.

Compliance: Meeting regulatory requirements, enforcing contractual rights, and defending the cybersecurity of our systems.

4. Protected Health Information (HIPAA) and Regulatory Standards

CrelioHealth processes Protected Health Information ("PHI") on behalf of healthcare organizations, laboratories, and other entities subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

Processing Rules: When acting as a Business Associate, CrelioHealth processes PHI solely for the purpose of providing contracted Services and in accordance with applicable Business Associate Agreements and legal requirements.

Security Controls: We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI. Access to PHI is strictly limited to authorized personnel who require such access to perform their operational duties.

Commercial Restraints: CrelioHealth does not sell PHI and does not use PHI for advertising or marketing purposes.

Artificial Intelligence and Automated Technologies

Certain features of the Services utilize artificial intelligence, machine learning, automation, or advanced analytical technologies to support laboratory and healthcare workflows. These technologies assist users in performing operational tasks and improving efficiency. Any information processed through such technologies remains fully subject to applicable privacy, security, and contractual obligations.

AI Data Custody Statement: CrelioHealth does not use customer data or Protected Health Information to train publicly available artificial intelligence models. Customers remain responsible for reviewing and validating information generated through automated tools where appropriate.

5. State-Specific Privacy Rights and Notices

Comprehensive State Privacy Frameworks (CCPA/CPRA, etc.)

Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, Utah, and others) are entitled to specific rights regarding their personal information. These rights may include the right to know what personal information is collected, the right to access and correct personal information, the right to request deletion of personal information, and the right to obtain a portable copy of their personal information.

Statutory Exemptions: Please note that the vast majority of information processed by CrelioHealth consists of Protected Health Information (PHI) managed on behalf of our healthcare clients. PHI is legally exempt from state-level consumer privacy frameworks (such as the California Consumer Privacy Act) because it is already strictly regulated under federal HIPAA laws. Clinical trial data and specific business-to-business (B2B) operational items may be similarly excluded.

No Sale or Sharing for Targeted Advertising: CrelioHealth does not sell, rent, or trade personal information. Furthermore, CrelioHealth does not "share" personal information with third parties for cross-context behavioral or targeted advertising purposes under the CCPA/CPRA.

Global Privacy Control (GPC): Our public-facing corporate websites are configured to recognize and honor automated browser opt-out signals, such as the Global Privacy Control (GPC), for users residing in applicable jurisdictions.

Consumer Health Data Laws (e.g., Washington My Health My Data Act)

In certain US jurisdictions, strict state laws govern non-HIPAA consumer health data, such as Washington State's My Health My Data Act (MHMDA). These frameworks regulate health data collected outside the scope of traditional provider-patient relationships (for example, if a consumer enters wellness information or medical queries directly into an unauthenticated web form or a non-HIPAA public portal).

CrelioHealth does not actively collect consumer health data outside its secure, HIPAA-compliant LIMS, LIS, and authenticated patient portal workflows. If any non-HIPAA consumer health data falls within our scope, CrelioHealth implements strict, explicit, separate consent mechanisms before data collection, usage, or sharing in compliance with these statutes.

6. Children's Privacy (COPPA Compliance)

Our public websites, marketing initiatives, and direct sales outreach are not directed to children under the age of 13, and we do not knowingly collect personal information directly from children.

In our capacity as a technology service provider and Business Associate, patient data relating to minors under the age of 13 may be processed through our Services. This data is strictly entered and transmitted by authorized healthcare provider customers or by a verified parent or legal guardian accessing the secure patient portal for healthcare and laboratory service delivery purposes.

7. Data Hosting, Security, and International Transfers

Data Residency

For our US-based customers, all Protected Health Information (PHI) and application data are securely hosted on cloud infrastructure servers located entirely within the United States.

International Access Controls

CrelioHealth operates globally and utilizes its specialized engineering, maintenance, and corporate support operations based in India to maintain service efficiency.

• US production databases containing patient PHI remain isolated in the United States.
• If global engineering or support teams access US-hosted environments for troubleshooting, system maintenance, or critical technical support, such cross-border access is strictly restricted, monitored, logged, and subject to rigid administrative, technical, and physical safeguards.
• CrelioHealth implements reasonable contractual safeguards to protect information in accordance with applicable US federal and state privacy rules.

General Technical Safeguards

We employ commercially reasonable administrative, technical, and physical safeguards designed to preserve the confidentiality, integrity, and availability of information. However, no method of electronic storage or internet transmission is completely flawless, and we cannot guarantee absolute security.

8. Disclosures and Sharing of Personal Information

CrelioHealth limits access to personal information to employees, contractors, service providers, partners, and authorized third parties who require access to perform legitimate business functions or support the provision of the Services. These parties are bound by strict confidentiality agreements and must manage information in alignment with legal and contractual requirements.

We disclose data to authorized customers, patients, healthcare providers, laboratories, or regulatory authorities where required by contract, law, or authorized client instructions. We may also share aggregated, anonymized, or de-identified information that does not identify any individual.

Our systems may contain links to third-party services that operate independently. CrelioHealth is not responsible for the privacy practices, security measures, or actions of third parties outside our direct contractual scope.

9. Data Retention and Ownership

Data Retention

CrelioHealth retains information only for as long as necessary to provide the Services, fulfill contractual obligations, comply with legal and regulatory requirements, resolve disputes, and maintain business records. Upon the termination of Services, information is returned, archived, or securely deleted in accordance with our customer agreements and legal limits.

Data Ownership

Customer data remains the exclusive property of the customer who provided or controls the information. CrelioHealth does not claim ownership over customer data, patient records, laboratory results, or PHI processed through our technology. Customers maintain full responsibility for dictating retention, access, disclosure, and use rules for their data.

10. Incident Response and Breach Notification

CrelioHealth maintains comprehensive policies and procedures designed to detect, investigate, respond to, and mitigate security incidents. In the event of a reportable data breach involving personal information or PHI, CrelioHealth will issue notifications consistent with applicable contractual commitments, state laws, and federal HIPAA regulations.

11. Dispute Resolution, Arbitration, and Acceptance

Your Acceptance of These Terms

By accessing or using the Services, you signify your acceptance of this Privacy Policy. If you do not agree with this policy, you must discontinue your use of the Services. Continued use following the posting of modifications constitutes acceptance of those updates. CrelioHealth reserves the right to modify this document at any time, with updates becoming effective immediately upon posting.

Dispute Resolution and Arbitration

If you have questions, concerns, complaints, or requests relating to this Privacy Policy or our privacy practices, you may contact us directly. Your use of the Services is also subject to our master Terms and Conditions and any applicable B2B service agreements.

Any legal disputes or complaints concerning our privacy operations are subject to the mandatory arbitration clauses, venue restrictions, governing law rules, and class-action waivers set forth in our separate governing corporate agreements. In the event of any conflict between this Privacy Policy and a separate customer service agreement, the terms of the applicable service agreement shall prevail.

12. Contact Us

If you have questions regarding this Privacy Policy, our compliance frameworks, or our data handling practices, please reach out to us at the appropriate channel below:

Corporate & General Privacy Inquiries:

HIPAA, Business Associate Agreements, & Security Controls

For specialized inquiries concerning HIPAA compliance, physical/technical security documentation, system audits, or Business Associate Agreements, please contact our dedicated security team:

Additional compliance disclosures may be accessed directly via our corporate Trust Center upon request.