Privacy Policy
Version 2026-07-06 · Last updated July 6, 2026
Summary of Key Points
- Health information is handled under HIPAA. When you use Xaia in connection with your healthcare provider or organization, your health information is protected health information governed by HIPAA, our Business Associate Agreement with that organization, and your provider’s own privacy notice. We use it only to provide the services and as HIPAA permits.
- We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We never use health information for advertising.
- AI processing does not train on your data. Content is processed by AI models hosted with enterprise cloud providers under agreements that prohibit using your data to train their models.
- Recordings are part of the service. Voice sessions, phone check-ins, and clinical dictation are transcribed, and audio may be processed to make that possible. Transcripts are encrypted at rest.
- Analytics stay on our public website. We use Google Analytics on our marketing pages only; it is disabled on sign-in pages and inside the signed-in application.
- You have rights. For clinical records, contact your healthcare provider (we support their obligations under HIPAA). For account, website, and marketing data, contact us using the details at the end of this policy.
1. Who We Are and What This Policy Covers
Xaia is provided by VRx Health, Inc., a Delaware corporation doing business as “Xaia” (“VRx,” “we,” “us”). This Privacy Policy describes how we collect, use, share, and protect information in connection with our websites, applications, and services (the “Services”), and applies to patients and individual users, healthcare providers and their staff, and visitors to our websites.
We act in two distinct roles. When a healthcare provider or organization uses the Services to care for its patients, we process clinical information on that organization’s behalf as its HIPAA business associate (see Section 2). For information about visitors to our websites, provider and organization accounts, and marketing, we are responsible for the practices described in this policy.
2. HIPAA, Protected Health Information, and Our BAA
When you use the Services in connection with a healthcare provider or organization that is a covered entity (or business associate) under HIPAA, the health information processed through the Services is “protected health information” (“PHI”). PHI is governed by HIPAA, by the Business Associate Agreement between VRx and that organization, and by that organization’s own notice of privacy practices — not by the general descriptions in this policy. If anything in this policy conflicts with the Business Associate Agreement with respect to PHI, the Business Associate Agreement governs.
As a business associate, we use and disclose PHI only to provide the Services to your healthcare organization, for our own proper management and administration as HIPAA permits, and as required by law. Requests to access, amend, or receive an accounting of disclosures of your clinical records should be directed to your healthcare provider; if you send such a request to us, we will forward it to your provider and support their response as our Business Associate Agreement requires.
3. Information We Collect
A. Information you provide. Account and registration details (name, email address, password or passkey, and, for providers, credentials and specialty); health and personal information you share while using the Services, such as chat and voice sessions, assessments, and homework; messages and documents you submit or upload; information you provide in support requests, demo requests, and marketing forms; and payment and subscription details. Payments are processed by our payment processor; we do not store full card numbers.
B. Information collected automatically. When you use the Services we collect log and device information such as IP address, browser and device characteristics, and pages or features used. We also maintain audit logs of access to clinical information, which we are required to keep for security and HIPAA compliance.
C. Information from other sources. At the direction of your healthcare organization, we receive information from other systems: electronic health record (EHR) systems (for example, chart data used to prepare notes and summaries), insurance eligibility and claims responses received through healthcare clearinghouses, referral information sent to a practice by referring providers (including by email or fax), and payment confirmations from our payment processor.
4. Voice, Audio, and Recordings
Several features of the Services involve audio. Patient voice sessions and phone check-ins are transcribed so your care team can review them, and audio is processed (and may be temporarily retained) to produce those transcripts. Clinical documentation features used by providers capture and transcribe clinical encounters or dictation at the provider’s direction; the provider is responsible for obtaining any consent required by law before recording an encounter. Transcripts of clinical content are encrypted at rest.
5. How We Use Artificial Intelligence
The Services use AI models to power conversations, transcription, summaries, draft clinical notes, and related features. Model processing is performed on enterprise cloud platforms (such as Microsoft Azure and Amazon Web Services) under agreements that prohibit those providers from using your content to train their models. AI-generated clinical content is provided to your healthcare provider for review; final clinical decisions are made by people, not by the AI.
6. How We Use Information
We use information to provide and operate the Services (including sessions, documentation, care coordination, scheduling, reminders, and billing support); to create and administer accounts and authenticate users; to secure the Services, prevent fraud and abuse, and maintain audit trails; to provide support and respond to requests; to send service communications and, where permitted, marketing communications about our Services (which you can opt out of); to understand usage of our public website and improve the Services; and to comply with legal obligations. Use of PHI is limited as described in Section 2.
8. De-Identified Data
We may create and use data that has been de-identified in accordance with applicable law (for PHI, in accordance with the HIPAA de-identification standard and our Business Associate Agreement) to improve the Services, for research and analytics, and for other lawful purposes. We do not attempt to re-identify de-identified data and we require the same of our vendors.
10. How Long We Keep Information
Clinical information processed for a healthcare organization is retained according to that organization’s configuration and instructions and applicable legal requirements; when an organization’s use of the Services ends, PHI is returned or destroyed as provided in the Business Associate Agreement, except where law or routine backup constraints require limited retention under continued protection. Account information is kept while your account is active and as needed afterward for legal, audit, and security purposes; audit logs are retained for the periods required by HIPAA and our security obligations. Marketing data is kept until you opt out or ask us to delete it.
11. How We Protect Information
We maintain administrative, technical, and physical safeguards designed to protect the information we process, including encryption in transit and at rest, application-level encryption of clinical transcripts, network firewalls and segmentation, role-based access controls with multi-factor authentication, and audit logging of access to clinical information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security; we notify affected organizations and individuals of breaches as HIPAA and applicable law require.
12. Your Privacy Rights and Choices
Clinical records. Rights over your medical records — access, amendment, and an accounting of disclosures — are exercised through your healthcare provider under HIPAA. If you contact us about your clinical records, we will forward the request to your provider and support their response.
Account, website, and marketing data. Depending on where you live, you may have the right to access, correct, delete, or receive a copy of the personal information we hold about you, and to object to or restrict certain processing. You can exercise these rights by contacting us using the details in Section 16; we will verify your request and respond as applicable law requires, and we will not discriminate against you for exercising your rights. You can opt out of marketing emails at any time using the unsubscribe link in each message.
13. US State Privacy Rights
Residents of California and a growing number of other states with comprehensive privacy laws have specific rights over personal information covered by those laws, including the rights to know, access, correct, delete, and obtain a copy of personal information, and to opt out of sales, sharing for targeted advertising, and certain profiling. Information we process as a HIPAA business associate is generally exempt from these laws and is protected under HIPAA instead. We do not sell personal information or share it for targeted advertising, so there is no need to opt out of those activities with us.
Some states, including Washington and Nevada, have enacted laws specifically protecting consumer health data held outside of HIPAA. To the extent we collect consumer health data not governed by HIPAA (for example, through our public website), we collect and use it only with consent or as necessary to provide what you requested, we do not sell it, and you may request access to or deletion of it using the contact details in Section 16.
14. Children and Minors
Our Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 outside of a healthcare relationship. A minor may use the Services only when directed by their healthcare provider or organization with the consent of a parent or legal guardian, in which case the minor’s information is handled as PHI under Section 2. If you believe a child has provided us personal information outside of these arrangements, contact us and we will delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The version and “Last updated” date at the top of this page reflect the current revision. For material changes, we will provide notice through the Services or by email before the changes take effect. This policy is incorporated into our Terms of Service.
16. How to Contact Us
If you have questions about this policy or want to exercise your rights, contact our Data Protection Officer at dpo@xaia.health or our support team at support@xaia.health, or write to: VRx Health, Inc., 4123 Saint Clair Ave., Studio City, CA 91604, United States.
