Privacy policy
Introduction
Leo.ai (“Leo.ai,” “we,” “us,” or “our”) is a patient‑centric AI‑powered advocacy platform designed to help individuals navigate healthcare with clarity, control, and confidence. We are committed to protecting your privacy and safeguarding your Personal Data, including personal health information, in compliance with applicable privacy, health, and consumer protection laws. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Leo.ai app and related services (collectively, the “Services”).
By using the Services, you acknowledge that you have read and understand this Privacy Policy.
Definitions
“Personal Data” means any information that identifies or relates to an identified or identifiable individual, including contact information, account details, and health‑related data.
“Personal Health Information (PHI)” means health‑related Personal Data such as medical history, diagnoses, medications, insurance details, and other information related to a person’s physical or mental health.
“Processing” means any operation performed on Personal Data, including collection, use, storage, disclosure, analysis, or deletion.
“Third Party” means any entity other than Leo.ai, its controlled affiliates, and the individual to whom the data relates.
1. How We Obtain Consent
We obtain informed, proactive consent from you for the initial collection and access of your Personal Data, including PHI. This may occur when you:
Create an account or sign in.
Complete your profile or add health information.
Connect external systems (for example, health providers, insurers, benefits tools, or devices).
Enable specific features that require additional data access.
We present clear, plain‑language explanations of what data will be collected, how it will be used, and with whom it may be shared so you can make informed choices.
2. Information We Collect
We may collect the following categories of information, depending on how you use the Services:
Personal Information: Name, contact details, date of birth, authentication credentials, and other identifiers you provide.
Health Information / PHI: Medical history, symptoms, diagnoses, medications, treatment plans, insurance coverage, claims information, provider details, and other health‑related data you provide or that you authorize us to access.
Care Context Information: Information about appointments, referrals, care teams, communication with providers and payers, and related documents you upload or connect.
Usage and Device Data: App usage logs, feature interaction data, device identifiers, browser or device type, IP address, and diagnostic information to maintain and improve the Services.
Cookies and Similar Technologies: Information collected through cookies, SDKs, and similar tools to maintain sessions, remember preferences, and understand how the Services are used.
Where required by law, we will only place non‑essential cookies or similar technologies with your consent.
3. How We Use Your Information (Primary Uses)
We use your information only as necessary to provide, maintain, and improve the Services and support your healthcare advocacy, including to:
Help you organize and understand your health information in one place.
Facilitate healthcare navigation, including appointment preparation, benefit and coverage understanding, and insurance claim or denial support.
Support communication with providers, payers, and caregivers consistent with your instructions.
Personalize your experience, such as tailoring content, reminders, and workflows to your needs.
Maintain the security, integrity, and performance of the Services.
Conduct internal analytics and service improvement, using de‑identified or aggregated data where possible.
Comply with applicable laws, regulations, and legal processes.
We do not use your Personal Data for purposes that are inconsistent with this Privacy Policy without obtaining your additional consent or relying on another valid legal basis.
4. No Default Secondary Use or Disclosure
We do not use, share, or disclose your Personal Data by default for any secondary purpose that falls outside the purposes described in Section 3. Any secondary or downstream use, sharing, or disclosure—for example, sharing with other apps or services you choose to connect—will occur only when:
You have provided separate, informed, proactive consent for that specific use or sharing; and
We have clearly described what data will be used, how it will be used, and with whom it will be shared.
We do not infer your consent for one use from your consent to a different use.
5. Marketing and Targeted Advertising
We do not sell your Personal Data. We do not use your PHI for targeted advertising. We will only use or disclose your Personal Data for marketing or advertising purposes when you have given distinct, informed, opt‑in consent.
Consent for marketing is collected individually; consent from one person (for example, a caregiver) does not authorize the use of Personal Data that relates to another person (for example, a patient), unless that person has separately consented or the use is otherwise permitted by law.
Where we engage in targeted advertising or promotional outreach based on your data, we will clearly describe the activity and provide an easy way to opt out or withdraw consent at any time.
6. Children’s Data and COPPA
Leo.ai is generally intended for adults and for minors whose information is provided or managed by a parent, legal guardian, or other legally authorized representative. We comply with the Children’s Online Privacy Protection Act (COPPA) and any applicable local or international laws relating to children’s data.
We do not knowingly collect Personal Data from children in a manner that violates applicable child privacy laws.
Where we knowingly process information about a child as defined by applicable law, we will obtain verifiable parental or guardian consent, provide clear notices about our practices, and offer mechanisms for review, correction, and deletion of the child’s information.
If you believe we have collected children’s information in a way that violates this Policy, please contact us so we can investigate and take appropriate action.
7. Disclosure of Information
We do not sell your information. We may share your Personal Data in the following limited circumstances:
At Your Direction: With healthcare providers, insurers, caregivers, or other parties when you explicitly instruct or authorize us to share information, or when sharing is necessary to complete a workflow you initiate.
Service Providers: With trusted vendors who provide services on our behalf, such as hosting, security, analytics, communications, and technical support, under contracts that require them to protect your data and use it only for our specified purposes.
Legal and Safety Requirements: When we reasonably believe disclosure is required to comply with law, regulation, court order, or government request; to enforce our Terms; or to protect the rights, safety, or property of you, other users, or Leo.ai.
Business Transitions: As described in Section 13 below, in connection with mergers, acquisitions, financings, reorganizations, bankruptcy, or similar events.
Whenever possible, we seek to minimize identifying information in disclosures and use aggregated or de‑identified data.
8. Transparency and Control Over Third‑Party Sharing
We strive to make it easy for you to understand if, when, and how your data is shared with Third Parties. To that end, we will:
Clearly describe the categories of Third Parties with whom we may share data (for example, hosting providers, analytics vendors, EHR or payer integrations).
Where technically feasible, provide in‑app settings or dashboards that allow you to view, enable, disable, or disconnect Third‑Party integrations or connections.
Stop sharing new Personal Data with a disconnected Third Party once you disable or remove the integration, subject to any legal obligations that Third Party may have regarding data already received.
We encourage you to review the privacy policies of any Third Party you choose to connect to the Services.
9. No Unauthorized Data Use
We do not use or disclose your Personal Data for any purpose that is not:
Described in this Privacy Policy; and
Covered by your proactive, informed consent or another valid legal basis (such as legal obligation or vital interests).
If we ever wish to introduce a new, materially different use of your Personal Data, we will first provide clear notice and, where required, obtain your consent before beginning that new use.
10. AI, Machine Learning, and Model Training
Leo.ai uses artificial intelligence and machine‑learning systems to provide features such as denial and appeal planning, appointment preparation, and communication assistance with providers and payers. To power these features, we may process your Personal Data, including PHI, consistent with this Policy and applicable law.
When we use your data for AI and model‑related purposes, we apply the following safeguards:
Service Operation: We process your data as needed to generate outputs and guidance in real time while you use AI‑enabled features.
Model Improvement: Where we use data to train, tune, or improve models, we prioritize de‑identified or aggregated data that cannot reasonably be used to identify you.
Consent for Identifiable Training: If we wish to use identifiable PHI for model improvement beyond what is permitted by law and this Policy, we will obtain your separate, informed consent, clearly explaining the nature of the processing, the categories of data involved, and your options, including the ability to opt out where required.
We do not allow Third Parties to use your identifiable PHI obtained through Leo.ai for their own general model training or unrelated purposes without your explicit consent.
11. Your Rights and Choices (Including Withdrawal of Consent)
Depending on your location and applicable law, you may have certain rights regarding your Personal Data, including the right to:
Access and obtain a copy of your Personal Data.
Correct or update inaccurate or incomplete information.
Request deletion of certain data, subject to legal and contractual retention obligations.
Restrict or object to certain processing activities.
Port your data to another service, where technically feasible and legally required.
You may also withdraw previously granted consents at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To facilitate this, we provide clear, easy‑to‑use mechanisms in the App and through our support channels that allow you to:
Change or revoke data‑sharing permissions.
Disconnect linked accounts, integrations, or data sources.
Opt out of marketing communications or specific processing activities where applicable.
We explain these options in a user‑friendly and transparent manner and will honor your updated choices as soon as reasonably practicable, subject to legal or contractual limitations.
12. Data Security
We employ administrative, technical, and physical safeguards designed to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include access controls, encryption in transit and at rest where appropriate, secure development practices, and ongoing monitoring for vulnerabilities.
However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
13. Data Retention and Business Transitions
Data Retention
We retain Personal Data only for as long as necessary to:
Provide and improve the Services you request.
Maintain business and financial records in accordance with legal requirements.
Resolve disputes and enforce our agreements.
When Personal Data is no longer needed for these purposes, we will delete it or de‑identify it in accordance with our data retention policies and applicable law.
Business Continuity and Data Handling
If Leo.ai is involved in a business transition such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, your Personal Data may be transferred as part of that transaction where permitted by law. In such circumstances, we will:
Require the successor entity to honor this Privacy Policy or provide privacy protections that are at least as protective as those described here.
Provide you with clear notice of the transition and your options, including whether your data will be retained, deleted, or transferred and how you can exercise your rights (for example, requesting deletion or limiting certain uses), subject to applicable law.
14. International Transfers
If we transfer your Personal Data to countries outside your place of residence, we will do so in compliance with applicable data transfer and protection laws and will implement appropriate safeguards, such as standard contractual clauses or other legally recognized mechanisms.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make a material change—meaning a change that introduces new uses of Personal Data or processing that a reasonable user would not expect—we will provide you with advance notice through the App, email, or other prominent means before the change takes effect.
For such material changes, we will:
Provide you the opportunity to affirm your consent to the new terms before we continue any new use or disclosure of your Personal Data; or
Provide you with a clear way to withhold or withdraw consent and/or terminate your use of the Services if you do not agree to the new data uses.
Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the changes.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Email: privacy@projectleo.ai
We will review and respond to your request in accordance with applicable law.