Privacy Policy

Version 2026-07-06 · Last updated July 6, 2026

Summary of Key Points

  • Health information is handled under HIPAA. When you use Xaia in connection with your healthcare provider or organization, your health information is protected health information governed by HIPAA, our Business Associate Agreement with that organization, and your provider’s own privacy notice. We use it only to provide the services and as HIPAA permits.
  • We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We never use health information for advertising.
  • AI processing does not train on your data. Content is processed by AI models hosted with enterprise cloud providers under agreements that prohibit using your data to train their models.
  • Recordings are part of the service. Voice sessions, phone check-ins, and clinical dictation are transcribed, and audio may be processed to make that possible. Transcripts are encrypted at rest.
  • Analytics stay on our public website. We use Google Analytics on our marketing pages only; it is disabled on sign-in pages and inside the signed-in application.
  • You have rights. For clinical records, contact your healthcare provider (we support their obligations under HIPAA). For account, website, and marketing data, contact us using the details at the end of this policy.

1. Who We Are and What This Policy Covers

Xaia is provided by VRx Health, Inc., a Delaware corporation doing business as “Xaia” (“VRx,” “we,” “us”). This Privacy Policy describes how we collect, use, share, and protect information in connection with our websites, applications, and services (the “Services”), and applies to patients and individual users, healthcare providers and their staff, and visitors to our websites.

We act in two distinct roles. When a healthcare provider or organization uses the Services to care for its patients, we process clinical information on that organization’s behalf as its HIPAA business associate (see Section 2). For information about visitors to our websites, provider and organization accounts, and marketing, we are responsible for the practices described in this policy.

2. HIPAA, Protected Health Information, and Our BAA

When you use the Services in connection with a healthcare provider or organization that is a covered entity (or business associate) under HIPAA, the health information processed through the Services is “protected health information” (“PHI”). PHI is governed by HIPAA, by the Business Associate Agreement between VRx and that organization, and by that organization’s own notice of privacy practices — not by the general descriptions in this policy. If anything in this policy conflicts with the Business Associate Agreement with respect to PHI, the Business Associate Agreement governs.

As a business associate, we use and disclose PHI only to provide the Services to your healthcare organization, for our own proper management and administration as HIPAA permits, and as required by law. Requests to access, amend, or receive an accounting of disclosures of your clinical records should be directed to your healthcare provider; if you send such a request to us, we will forward it to your provider and support their response as our Business Associate Agreement requires.

3. Information We Collect

A. Information you provide. Account and registration details (name, email address, password or passkey, and, for providers, credentials and specialty); health and personal information you share while using the Services, such as chat and voice sessions, assessments, and homework; messages and documents you submit or upload; information you provide in support requests, demo requests, and marketing forms; and payment and subscription details. Payments are processed by our payment processor; we do not store full card numbers.

B. Information collected automatically. When you use the Services we collect log and device information such as IP address, browser and device characteristics, and pages or features used. We also maintain audit logs of access to clinical information, which we are required to keep for security and HIPAA compliance.

C. Information from other sources. At the direction of your healthcare organization, we receive information from other systems: electronic health record (EHR) systems (for example, chart data used to prepare notes and summaries), insurance eligibility and claims responses received through healthcare clearinghouses, referral information sent to a practice by referring providers (including by email or fax), and payment confirmations from our payment processor.

4. Voice, Audio, and Recordings

Several features of the Services involve audio. Patient voice sessions and phone check-ins are transcribed so your care team can review them, and audio is processed (and may be temporarily retained) to produce those transcripts. Clinical documentation features used by providers capture and transcribe clinical encounters or dictation at the provider’s direction; the provider is responsible for obtaining any consent required by law before recording an encounter. Transcripts of clinical content are encrypted at rest.

5. How We Use Artificial Intelligence

The Services use AI models to power conversations, transcription, summaries, draft clinical notes, and related features. Model processing is performed on enterprise cloud platforms (such as Microsoft Azure and Amazon Web Services) under agreements that prohibit those providers from using your content to train their models. AI-generated clinical content is provided to your healthcare provider for review; final clinical decisions are made by people, not by the AI.

6. How We Use Information

We use information to provide and operate the Services (including sessions, documentation, care coordination, scheduling, reminders, and billing support); to create and administer accounts and authenticate users; to secure the Services, prevent fraud and abuse, and maintain audit trails; to provide support and respond to requests; to send service communications and, where permitted, marketing communications about our Services (which you can opt out of); to understand usage of our public website and improve the Services; and to comply with legal obligations. Use of PHI is limited as described in Section 2.

7. When and With Whom We Share Information

A. Your healthcare organization and care team. Information you share through the Services in connection with your care is made available to your healthcare provider and their care team, and, at your organization’s direction, to its EHR and other systems.

B. Service providers (subprocessors). We use vendors under contract to operate the Services, limited to what is necessary and bound by confidentiality and, where PHI is involved, HIPAA-compliant agreements. Categories include cloud hosting and storage, AI model hosting, speech-to-text and text-to-speech processing, telephone and messaging carriers, email delivery, payment processing, and healthcare clearinghouses for eligibility and claims.

C. Legal and safety. We may disclose information when required by law, to respond to lawful requests, or to protect the rights, safety, and security of users, VRx, or others.

D. Business transfers. If VRx is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this policy, and, for PHI, subject to HIPAA and the Business Associate Agreement.

E. What we do not do. We do not sell personal information, we do not share personal information for cross-context behavioral advertising, and we do not use health information for advertising. We have not sold or shared personal information in the preceding twelve months.

8. De-Identified Data

We may create and use data that has been de-identified in accordance with applicable law (for PHI, in accordance with the HIPAA de-identification standard and our Business Associate Agreement) to improve the Services, for research and analytics, and for other lawful purposes. We do not attempt to re-identify de-identified data and we require the same of our vendors.

9. Cookies and Analytics

We use cookies that are necessary to operate the Services, such as session cookies that keep you signed in and cookies that protect against request forgery. We use Google Analytics on our public marketing website to understand site traffic; analytics are disabled on sign-in pages and inside the signed-in application, and we do not use advertising cookies. Because no uniform standard for Do-Not-Track signals has been adopted, we do not currently respond to DNT browser signals.

10. How Long We Keep Information

Clinical information processed for a healthcare organization is retained according to that organization’s configuration and instructions and applicable legal requirements; when an organization’s use of the Services ends, PHI is returned or destroyed as provided in the Business Associate Agreement, except where law or routine backup constraints require limited retention under continued protection. Account information is kept while your account is active and as needed afterward for legal, audit, and security purposes; audit logs are retained for the periods required by HIPAA and our security obligations. Marketing data is kept until you opt out or ask us to delete it.

11. How We Protect Information

We maintain administrative, technical, and physical safeguards designed to protect the information we process, including encryption in transit and at rest, application-level encryption of clinical transcripts, network firewalls and segmentation, role-based access controls with multi-factor authentication, and audit logging of access to clinical information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; we notify affected organizations and individuals of breaches as HIPAA and applicable law require.

12. Your Privacy Rights and Choices

Clinical records. Rights over your medical records — access, amendment, and an accounting of disclosures — are exercised through your healthcare provider under HIPAA. If you contact us about your clinical records, we will forward the request to your provider and support their response.

Account, website, and marketing data. Depending on where you live, you may have the right to access, correct, delete, or receive a copy of the personal information we hold about you, and to object to or restrict certain processing. You can exercise these rights by contacting us using the details in Section 16; we will verify your request and respond as applicable law requires, and we will not discriminate against you for exercising your rights. You can opt out of marketing emails at any time using the unsubscribe link in each message.

13. US State Privacy Rights

Residents of California and a growing number of other states with comprehensive privacy laws have specific rights over personal information covered by those laws, including the rights to know, access, correct, delete, and obtain a copy of personal information, and to opt out of sales, sharing for targeted advertising, and certain profiling. Information we process as a HIPAA business associate is generally exempt from these laws and is protected under HIPAA instead. We do not sell personal information or share it for targeted advertising, so there is no need to opt out of those activities with us.

Some states, including Washington and Nevada, have enacted laws specifically protecting consumer health data held outside of HIPAA. To the extent we collect consumer health data not governed by HIPAA (for example, through our public website), we collect and use it only with consent or as necessary to provide what you requested, we do not sell it, and you may request access to or deletion of it using the contact details in Section 16.

14. Children and Minors

Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 outside of a healthcare relationship. A minor may use the Services only when directed by their healthcare provider or organization with the consent of a parent or legal guardian, in which case the minor’s information is handled as PHI under Section 2. If you believe a child has provided us personal information outside of these arrangements, contact us and we will delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The version and “Last updated” date at the top of this page reflect the current revision. For material changes, we will provide notice through the Services or by email before the changes take effect. This policy is incorporated into our Terms of Service.

16. How to Contact Us

If you have questions about this policy or want to exercise your rights, contact our Data Protection Officer at dpo@xaia.health or our support team at support@xaia.health, or write to: VRx Health, Inc., 4123 Saint Clair Ave., Studio City, CA 91604, United States.