At Luminora AI ("we," "us," or "our"), we are committed to protecting the privacy and security of personal information and Protected Health Information ("PHI") processed through our AI automation services. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI Consulting, Appointment Setter Development, Chatbot Development, and Voice Agent Development services (collectively, the "Services").
This Privacy Policy applies to healthcare organizations ("Clients") that use our Services, as well as to the individuals whose information is processed through our Services ("End Users"). By using our Services, Clients agree to the terms of this Privacy Policy and confirm they have obtained all necessary consents from End Users for the processing of their information as described herein.
When providing our Services to Clients that are covered entities under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), we operate as a "Business Associate" as defined under HIPAA. In this role, we enter into a Business Associate Agreement ("BAA") with each Client that governs our handling of PHI. In the event of any conflict between this Privacy Policy and an applicable BAA, the terms of the BAA will control with respect to PHI.
We collect information from our Clients, including:
-Business contact information (name, email address, phone number, physical address)
-Account and login information
-Billing and payment information
-Service preferences and configurations
-Communications with our team
-Information provided during AI consulting engagements
Depending on the Services provided to our Clients, we may process the following types of End User information:
-Contact information (name, email address, phone number)
-Appointment details and scheduling preferences
-Conversation data from interactions with our chatbots and voice agents
-Healthcare-related information, which may include PHI (such as appointment types, basic health concerns shared with chatbots, or scheduling needs)
When you use our Services, we automatically collect certain information, including:
-Log data (IP address, browser type, operating system, device information)
-Usage data (features accessed, actions taken, time spent on features)
-Performance data (error reports, diagnostic information)
-Cookies and similar tracking technologies (as detailed in our Cookie Policy)
We use Client information to:
-Provide, maintain, and improve our Services
-Process payments and send billing information
-Communicate about Service updates, features, and support
-Respond to inquiries and provide customer service
-Analyze usage patterns to enhance Service functionality
-Send promotional communications (with consent)
-Comply with legal obligations
We process End User information only as necessary to provide our Services to Clients and as directed by our Clients. This may include:
-Facilitating appointment scheduling through our appointment setter systems
-Enabling patient communication through our chatbots and voice agents
-Analyzing conversation patterns to improve response accuracy
-Training and improving our AI models (using de-identified data only)
-Generating aggregated, de-identified analytics for our Clients
We process information based on the following legal grounds:
-Performance of our contract with Clients
-Compliance with legal obligations
-Legitimate business interests
-Consent, where required by law
-As authorized under applicable BAAs
We may share information with third-party service providers who help us deliver our Services, including:
-Cloud hosting providers
-Payment processors
-Analytics services
-Customer support software providers
-AI technology partners
All service providers are contractually obligated to use information only for the purposes of providing services to us and in compliance with applicable privacy laws and regulations, including HIPAA where applicable.
We may share End User information as directed by our Clients. For example, appointment information may be shared with electronic health record systems or other healthcare providers as specified by our Clients.
We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). Before disclosing PHI in response to legal requirements, we will ensure compliance with HIPAA and applicable BAAs.
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, information may be transferred as part of that transaction. We will notify Clients of any such change in ownership or control of their information.
We may share information with third parties when we have consent to do so.
We retain Client information for as long as needed to provide our Services and comply with legal obligations. We retain End User information as specified in our agreements with Clients and in accordance with applicable BAAs.
After the retention period expires, we will delete or de-identify the information, unless we are legally required to retain it longer.
We implement appropriate technical, administrative, and physical safeguards to protect the information we process from unauthorized access, disclosure, alteration, and destruction. Our security measures include:
-Encryption of data in transit and at rest
-Access controls and authentication requirements
-Regular security assessments and penetration testing
-Employee training on privacy and security best practices
-Secure development practices for our AI systems and applications
-Business continuity and disaster recovery plans
While we take reasonable measures to protect information, no security system is impenetrable, and we cannot guarantee the absolute security of information.
As a Business Associate under HIPAA, we implement safeguards required by HIPAA when processing PHI. This includes:
-Administrative safeguards (policies, procedures, training)
-Physical safeguards (facility access controls, workstation security)
-Technical safeguards (access controls, encryption, audit controls)
-Organizational requirements (Business Associate Agreements)
End Users have certain rights regarding their PHI under HIPAA. These rights should be exercised through the applicable healthcare provider (our Client), as we process PHI solely on behalf of our Clients.
We primarily store and process information within the United States. If we transfer information to countries outside the United States, we will ensure appropriate safeguards are in place to protect the information and comply with applicable data protection laws.
Our Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete that information.
In the context of healthcare services, we may process information about minors as directed by our Clients (healthcare providers) and in compliance with HIPAA and other applicable laws.
As a Client, you have the right to:
-Access, correct, or delete your information
-Request information about how your data is processed
-Opt out of marketing communications
-Request a copy of information in a structured, machine-readable format
To exercise these rights, please contact us using the information provided in the "Contact Information" section.
End Users should direct privacy requests to the applicable healthcare provider (our Client). If we receive a request directly from an End User, we will redirect the request to the appropriate Client and assist as required under our BAA.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify Clients of material changes through email or notices within our Services. Continued use of our Services after such notifications constitutes acceptance of the updated Privacy Policy.
California residents may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to:
-Know what personal information is collected, used, shared, or sold
-Delete personal information
-Opt out of the sale of personal information
-Non-discrimination for exercising their CCPA rights
However, CCPA/CPRA contains exceptions for information covered by HIPAA, which may apply to much of the information we process.
Residents of other states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, Utah, and others) may have similar rights under their respective state laws.
Our AI systems may engage in automated processing and decision-making related to appointment scheduling, chatbot responses, and voice agent interactions. The extent of this automation is configured by our Clients and disclosed to End Users through our Clients' own privacy notices.
To improve our AI systems, we may use de-identified information derived from Service usage. This process involves removing all identifying information and applying technical safeguards to ensure the data cannot be re-identified. We do not use PHI for AI training without appropriate authorization in accordance with HIPAA.
We maintain responsible AI governance practices, including:
-Regular auditing for bias and fairness in AI systems
-Human oversight of AI systems
-Transparency in AI capabilities and limitations
-Documentation of AI training methodologies
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at:
Luminora AI
2332 Pio Pl
Honolulu, Hawaii, 96819
+1 (808) 498-7019
adriancaddali208@gmail.com
Attention: Privacy Officer
For complaints or concerns that cannot be resolved directly with us, you may contact:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
1-877-696-6775
By using our Services, you acknowledge that you have read and understood this Privacy Policy.