# Privacy Policy
Source: Brace Health
Canonical URL: https://www.bracehealth.com/privacy-policy
Last updated: 2026-06-08
Primary question: How does Brace Health handle personal information?

Read the Brace Health privacy policy, including how Brace Health handles personal information, healthcare data, HIPAA-related data, cookies, and privacy rights requests.

## Privacy Policy
Effective as of July 1, 2024.
This Privacy Policy explains how Brace Health, Inc. ("BH," "we," "us," or "our") handles personal information collected through our digital properties that link to this Privacy Policy, including our website (collectively, the "Service"). By using our Service, you agree to the terms outlined in this policy.
### 1. Healthcare Data and HIPAA Compliance
At Brace Health, we understand the sensitive nature of healthcare data and are committed to maintaining the privacy and security of your health information. As an AI-driven healthcare operations company serving many types of healthcare organizations, we handle various types of health-related data, including Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
This Section 1 applies to Protected Health Information ("PHI") and other health information that we process on behalf of healthcare providers and other covered entities. When we act as a Business Associate under HIPAA, our collection, use, disclosure, and protection of PHI are governed by HIPAA, applicable Business Associate Agreements, and applicable law. The remainder of this Privacy Policy describes our handling of personal information that is not PHI or is otherwise not subject to HIPAA.
#### Types of Health Data We Process
The health data we collect and process may include, but is not limited to:
- Medical history and conditions
- Treatment information
- Billing and payment records
- Insurance information
- Demographic data related to healthcare services
#### HIPAA Compliance
Brace Health is fully committed to complying with HIPAA regulations. As a Business Associate to covered entities (healthcare providers), we implement all required safeguards to protect PHI:
- **Administrative Safeguards:** We have policies and procedures in place to manage the creation, access, use, and disclosure of PHI.
- **Physical Safeguards:** We maintain physical security measures to protect our systems and the PHI they contain from unauthorized access.
- **Technical Safeguards:** We use encryption, access controls, and audit trails to ensure the confidentiality, integrity, and availability of electronic PHI.
#### Use and Disclosure of Health Data
We only use and disclose health data, including PHI, as permitted by HIPAA and authorized by our healthcare provider clients. This typically includes uses and disclosures for:
- Treatment, payment, and healthcare operations purposes
- Purposes specified in our Business Associate Agreements
- Other purposes as required or permitted by law
#### Patient Rights Regarding Their Health Data
Patients whose data we process on behalf of healthcare providers have certain rights under HIPAA, including:
- The right to access their health information
- The right to request corrections to their health information
- The right to know how their health information has been disclosed
- The right to request restrictions on certain uses and disclosures
#### State-Specific Health Data Regulations
In addition to HIPAA, we comply with state-specific regulations regarding the privacy and security of health data. We continuously monitor and adapt our practices to comply with evolving state regulations.
#### Contact Information
If you have any questions or concerns about how we handle health data or our HIPAA compliance practices, please contact our Privacy Officer at:
Email: legal@bracehealth.com
Address: Brace Health, Inc, 20 University Road, 5th Floor, Cambridge, MA 02138.
For more detailed information about our general data practices, please continue reading this Privacy Policy.
### 2. Personal Information We Collect
#### Information You Provide to Us
Personal information you may provide includes:
- **Contact Data:** Such as your name, email, billing address, phone number, and professional affiliation.
- **Profile Data:** Including your username, password, and preferences set for your online account.
- **Communications:** Correspondence when you contact us with inquiries or feedback. Calls with BH may be recorded or monitored for training, quality assurance, customer service, and reference purposes.
- **Payment and Transactional Data:** Payment card details, bank account numbers, billing information, and records of services purchased.
- **Practice Data:** Information related to healthcare practice operations, scheduling, billing, and administration. Information that constitutes PHI is governed by Section 1 and applicable HIPAA requirements.
- **Marketing Data:** Preferences for receiving communications and engagement details.
- **Other Information:** Any other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.
#### Information We Obtain from Other Sources
We may augment personal information with data from:
- **Public Sources:** Publicly available information, including healthcare provider directories, government records, business websites, and social media platforms.
- **Data Providers:** Services that offer demographic and other information.
- **Business Partners:** Partners with whom we conduct joint marketing, educational, or business development activities.
- **Third-Party Services:** Services that users choose to connect to our Service, such as authentication providers or other integrated platforms.
#### Automatic Data Collection
Our service providers and partners may log data about your interactions with our Service, such as:
- **Device Data:** Including your device's OS type/version, browser type, screen resolution, IP address, and general location.
- **Online Activity Data:** Pages viewed, time spent on pages, clicks, navigation paths, and access times and durations.
- **Location Data:** We may infer your approximate location from your IP address or other device information.
#### Cookies and Similar Technologies
We use cookies and similar technologies, including:
- **Cookies:** Store information to help navigate between pages, remember preferences, and facilitate analytics.
- **Web Beacons:** Track webpage or email access and content engagement.
- **SDKs:** Incorporate third-party code in our app to collect data for analytics and advertising.
For information about how we use these technologies and your choices regarding them, see the "Your Choices" section below.
### 3. How We Use Your Personal Information
We may use your personal information for the following purposes or as otherwise described at the time of collection:
#### Research and Development
We may use your personal information to analyze, improve, develop, and enhance the Service, our business, and new products and services, including to understand user needs and preferences, personalize user experiences and communications, develop new products, services, features, and functionality, and evaluate the performance and effectiveness of the Service.
As part of these activities, we may create aggregated, de-identified, or anonymized data from personal information by removing information that identifies or could reasonably be used to identify an individual. We may use and disclose such aggregated, de-identified, or anonymized data for any lawful business purpose, including to improve the Service, conduct analytics, and promote our business.
We may also use personal information and healthcare-related information to develop, train, validate, improve, and monitor artificial intelligence and machine-learning models, subject to applicable law, HIPAA obligations, Business Associate Agreements, and other contractual commitments.
For clarity, this section applies only to personal information that is not PHI. Our use of PHI is governed by Section 1, applicable Business Associate Agreements, and HIPAA.
#### Marketing and Advertising
We, our service providers, and our third-party partners may use personal information for marketing and advertising purposes, including:
- Sending marketing communications regarding BH, our services, events, updates, and other information that may be of interest to you, as permitted by law.
- Measuring, analyzing, and improving the effectiveness of our marketing activities and communications.
- Working with advertising, analytics, and social media partners that may use cookies and similar technologies to collect information about your interactions with our Service and other online services over time in order to provide advertising tailored to your interests.
You may opt out of marketing communications and certain advertising activities as described in the "Your Choices" section below.
#### Service Delivery, Compliance and Protection
We may use your personal information to:
- Provide, operate, maintain, secure, improve, and develop the Service, our business, and new products and services;
- Establish and maintain user accounts and profiles;
- Communicate with you regarding the Service, including announcements, updates, support, administrative, transactional, and security-related communications;
- Enable and administer security features of the Service, including authentication, fraud prevention, account protection, and device recognition;
- Provide customer support and respond to requests, questions, and feedback;
- Comply with applicable laws, lawful requests, and legal processes, including responding to subpoenas, court orders, and requests from governmental authorities;
- Protect our, your, or others' rights, privacy, safety, security, or property, including by establishing, exercising, or defending legal claims;
- Audit and monitor compliance with legal requirements, contractual obligations, and internal policies;
- Evaluate, negotiate, and complete corporate transactions, including mergers, acquisitions, financings, asset sales, reorganizations, and other business combinations, and conduct related due diligence and integration activities;
- Enforce the terms and conditions governing the Service; and
- Detect, prevent, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks, identity theft, and other security incidents.
### 4. How We Share Your Personal Information
We may share your personal information with the following parties and as otherwise described in this Privacy Policy or at the time of collection:
- **Affiliates:** Our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.
- **Service Providers:** Companies and individuals that provide services on our behalf or help us operate the Service or our business (such as hosting, information technology, customer support, email delivery, marketing, and website analytics).
- **Business Partners:** Companies that have entered into joint ventures or partnerships with us, including healthcare technology providers and other entities that support clinical practices.
- **Professional Advisors:** Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
- **Authorities and Others:** Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
- **Business Transferees:** Acquiring and other relevant parties to business transactions (or potential transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in, BH or our affiliates (including in connection with a bankruptcy or similar proceedings).
### 5. Your Choices
You have the following choices with respect to your personal information:
- **Access or Update Your Information:** If you have registered for an account with us, you may review and update certain account information by logging into the account.
- **Opt-Out of Marketing Communications:** You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of marketing emails, or by contacting us. You may continue to receive service-related and other non-marketing emails.
- **Cookies:** Most browsers let you remove or reject cookies. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. If you do not accept cookies, however, you may not be able to use all functionality of the Service and it may not work properly.
- **Advertising Choices:** You can limit use of your information for interest-based advertising by:
  - **Browser Settings:** Blocking third-party cookies in your browser settings.
  - **Privacy Browsers/Plug-ins:** Using privacy browsers or ad-blocking browser plug-ins that let you block tracking technologies.
  - **Platform Settings:** Google and Facebook offer opt-out features that let you opt out of use of your information for interest-based advertising.
    - **Google:** https://adssettings.google.com/
    - **Facebook:** https://www.facebook.com/about/ads
  - **Mobile Settings:** Using your mobile device settings to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
- **Do Not Track:** Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not respond to "Do Not Track" signals.
#### Privacy Rights Under Applicable Law
Depending on your state of residence and applicable law, you may have certain rights regarding your personal information, including:
- The right to access personal information we maintain about you;
- The right to request correction of inaccurate personal information;
- The right to request deletion of your personal information, subject to certain exceptions;
- The right to obtain a copy of your personal information in a portable format;
- The right to opt out of certain targeted advertising, profiling, or other processing activities;
- The right to limit or withdraw consent to the processing of sensitive personal information where required by applicable law; and
- The right to appeal our decision regarding a privacy rights request where provided by applicable law.
To exercise any of these rights, please contact us using the information provided in the "How to Contact Us" section below. We will respond to requests in accordance with applicable law.
### 6. Other Sites and Services
The Service may contain links to websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or other online services that are not associated with us. We do not control websites, mobile applications, or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of any third-party services you access.
### 7. Security Measures
We employ technical, organizational, and physical safeguards designed to protect the personal information we collect. However, we cannot guarantee the security of your personal information. We recommend that you take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private.
### 8. Data Retention
We retain personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to provide and improve the Service, comply with legal obligations, resolve disputes, enforce our agreements, and protect our legal rights.
The length of time we retain personal information depends on the nature of the information, the purposes for which it was collected, our contractual obligations, and applicable legal requirements.
When we process Protected Health Information ("PHI") on behalf of healthcare providers or other covered entities, the retention, return, and destruction of such information is governed by applicable Business Associate Agreements, HIPAA, and other applicable law.
When personal information is no longer required for the purposes described above, we will delete, de-identify, anonymize, or otherwise dispose of it in accordance with applicable law and our record retention practices. In some circumstances, we may retain personal information for longer periods where required or permitted by law, or where necessary to establish, exercise, or defend legal claims. We may retain aggregated, de-identified, or anonymized information indefinitely.
### 9. International Data Transfers
We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country. When we transfer personal information outside of the country in which you reside, we implement appropriate safeguards to protect your information in accordance with this Privacy Policy and applicable law.
### 10. Children's Privacy
The Service is not intended for use by children under 16 years of age. If we learn that we have collected personal information through the Service from a child under 16 without the consent of the child's parent or guardian as required by law, we will delete it. We do not knowingly collect, use, or disclose personal information from children under 13 without appropriate parental notice and consent.
### 11. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. If required by law, we will also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via email or another manner through the Service.
Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your continued use of the Service after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.
### 12. How to Contact Us
If you have any questions, comments, or concerns about this Privacy Policy or our privacy practices, please contact us at:
Email: legal@bracehealth.com
Address: Brace Health, Inc, 20 University Road, 5th Floor, Cambridge, MA 02138
### 13. Additional Information for Specific Jurisdictions
#### California Residents
The California Consumer Privacy Act (CCPA) requires us to provide the following information to California residents:
- Categories of personal information we collect
- Sources of personal information
- Business or commercial purpose for collecting personal information
- Categories of third parties with whom we share personal information
- California residents' rights and choices regarding their personal information
#### European Economic Area (EEA), UK, and Swiss Residents
If you are located in the EEA, UK, or Switzerland, you have certain rights under applicable data protection laws, including:
- **Access:** You can request a copy of the personal information we hold about you.
- **Rectification:** You can ask us to correct or update your personal information.
- **Erasure:** In certain circumstances, you can ask us to delete your personal information.
- **Restriction:** You can ask us to restrict the processing of your personal information.
- **Data Portability:** You can ask for a copy of your personal information in a machine-readable format.
- **Objection:** You can object to our processing of your personal information.
To exercise these rights, please contact us using the information provided in the "How to Contact Us" section. If you have concerns about our data practices, you have the right to complain to your local data protection authority.
We process personal information on the following legal bases:
- To perform a contract with you
- For our legitimate business interests
- To comply with our legal obligations
- With your consent
For more information about our data practices in the EEA, UK, and Switzerland, please contact our Data Protection Officer at legal@bracehealth.com.
