HIPAA Notice
Effective Date: March 13, 2026
Last Updated: March 13, 2026
This HIPAA Notice of Privacy Practices (“Notice”) describes how KindredLink, Inc. (“KindredLink,” “we,” “us,” or “our”) may use and disclose your Protected Health Information (“PHI”) and explains your rights regarding that information. This Notice applies to all PHI created, received, maintained, or transmitted through the KindredLink.ai platform.
1. Our HIPAA Compliance Status
We believe in transparency about where we stand. KindredLink has adopted a HIPAA-conscious architecture and is actively pursuing a formal, independent HIPAA compliance assessment. Note that HHS does not issue or recognize a "HIPAA certification"; the closest equivalent is a third-party audit of our controls against the HIPAA rules, and that is what we are working toward. Here is our current status:
- HIPAA-Conscious Architecture: Active
- Independent HIPAA Compliance Assessment: In Progress
- Business Associate Agreements: Available
Our platform has been designed from the ground up with the Administrative, Technical, and Physical Safeguard requirements of the HIPAA Security Rule in mind. While we have not yet completed a formal independent assessment, we implement safeguards that meet or exceed the standards required by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We are actively working with compliance auditors to complete that assessment.
Business Associate Agreements (BAAs) are available for covered entities, healthcare providers, and care facilities upon request. Contact privacy@kindredlink.ai to initiate a BAA.
2. What Constitutes Protected Health Information
In the context of the KindredLink platform, PHI may include the following categories of individually identifiable health information:
- Biographical and Demographic Data: Name, date of birth, address, contact information, and family relationships associated with health or care contexts.
- Wearable and Health-Related Data: Data from connected wearable devices, including activity metrics, motion patterns, sleep data, and other physiological indicators.
- Cognitive Assessments: Results from Legacy Quest cognitive therapy exercises, cognitive engagement scores, baseline assessments, and longitudinal cognitive trend data.
- Behavioral Indicators: Engagement patterns, mood indicators, social interaction metrics, isolation risk scores, and behavioral change observations generated by the platform.
- Location Data: Within-facility location tracking data used for safety monitoring and engagement analysis in care facility environments.
- Voice Recordings: Audio recordings captured through the Digital Presence and Eternal Voice features, which may contain health-related disclosures made during biographical conversations.
3. How We Protect PHI
3.1 Administrative Safeguards
- Privacy Officer: We have designated a Privacy Officer responsible for the development and implementation of our privacy and security policies.
- Workforce Training: All employees and contractors with access to PHI receive HIPAA privacy and security training upon onboarding and annually thereafter.
- Policies and Procedures: We maintain comprehensive written policies governing the use, disclosure, and protection of PHI.
- Risk Assessments: We conduct regular risk assessments to identify and mitigate vulnerabilities in our systems and processes.
- Business Associate Agreements: We require BAAs with all third-party service providers who may access, process, or store PHI on our behalf.
3.2 Technical Safeguards
- Encryption in Transit: All data transmitted between clients and our servers is encrypted using TLS 1.3.
- Encryption at Rest: All stored PHI is encrypted using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) restricts access to PHI to authorized users based on their role and the minimum necessary standard.
- Unique User Identification: Each user is assigned a unique identifier for tracking access and accountability.
- Automatic Logoff: Sessions are configured to automatically terminate after a period of inactivity.
- Audit Controls: Comprehensive audit logging records all access to and modifications of PHI, including the identity of the accessor, timestamp, and nature of the access.
- Integrity Controls: Mechanisms are in place to ensure that PHI is not improperly altered or destroyed.
- Transmission Security: All electronic transmissions of PHI are encrypted and integrity-verified.
3.3 Physical Safeguards
- Data Center Security: Our infrastructure is hosted on cloud platforms whose data centers hold SOC 2 Type II attestation reports and maintain physical access controls, environmental protections, and 24/7 monitoring.
- Workstation Policies: Employees accessing PHI are required to use encrypted devices, screen locks, and secure network connections.
4. AI Processing and PHI
Our platform uses artificial intelligence to deliver core Service functionality. We apply the following protections when PHI is processed by AI systems:
- No Model Training: PHI is never used to train, fine-tune, or improve foundational AI models. Your data is not contributed to any third-party AI training datasets.
- Business Associate and Data Processing Agreements: Every AI service provider that processes PHI on our behalf is bound by a Business Associate Agreement, as required for all third parties with PHI access (see Section 3.1), together with a Data Processing Agreement that prohibits the use of PHI for any purpose beyond fulfilling our specific Service requests.
- Minimum Necessary: Only the minimum PHI necessary to generate the requested AI output is transmitted to AI processing systems.
- No Persistent Storage: AI providers process PHI transiently and are contractually prohibited from retaining it after processing is complete. All conversation context and history are maintained within our own secured infrastructure.
5. Uses and Disclosures of PHI
We may use or disclose your PHI in the following circumstances:
5.1 Treatment
We may share PHI with authorized care team members at your facility to support care planning, cognitive therapy, and wellness monitoring. This includes sharing engagement reports, cognitive assessment results, and behavioral indicators with healthcare providers involved in your care.
5.2 Healthcare Operations
We may use PHI for healthcare operations, including quality assessment and improvement activities, care coordination, case management, and conducting or arranging for audits and compliance reviews.
5.3 Authorization
Other uses and disclosures of PHI not described in this Notice will be made only with your written authorization. You may revoke an authorization at any time in writing, except to the extent that we have already taken action in reliance on it.
5.4 Family Members
With your consent or the consent of your authorized representative, we may disclose relevant PHI to family members involved in your care or who are authorized to access your profile on the platform.
5.5 Legal Requirements
We may disclose PHI when required or permitted by law, including for public health activities, health oversight, judicial and administrative proceedings, and law enforcement purposes, in each case only to the extent HIPAA permits.
5.6 Averting a Serious Threat
We may use or disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
5.7 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals, the relevant covered entity, and the U.S. Department of Health and Human Services as required by the HIPAA Breach Notification Rule.
6. Your Rights Regarding PHI
Under HIPAA, you have the following rights:
6.1 Right to Access
You have the right to inspect and obtain a copy of your PHI maintained by us. We will provide the requested information within 30 days of receiving a verified request. We may charge a reasonable, cost-based fee for copies.
6.2 Right to Amend
You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We will respond to your request within 60 days. We may deny the request in certain circumstances as permitted by HIPAA, but will provide a written explanation if we do.
6.3 Right to an Accounting of Disclosures
You have the right to receive an accounting of certain disclosures of your PHI made by us during the six years prior to your request (or since the effective date of this Notice, whichever is shorter).
6.4 Right to Request Restrictions
You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to all restriction requests, but we will consider them in good faith. We are required to comply with a restriction request if the disclosure is to a health plan for payment or healthcare operations purposes, the disclosure is not otherwise required by law, and the PHI pertains solely to a service for which you have paid out of pocket in full.
6.5 Right to Confidential Communications
You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations. We will accommodate reasonable requests.
6.6 Right to a Copy of This Notice
You have the right to obtain a paper or electronic copy of this Notice at any time by contacting us.
6.7 Right to Request Deletion
HIPAA itself does not grant a right to deletion; KindredLink offers this as an additional platform right. You may request deletion of your PHI, and we will comply with verified deletion requests within 30 days, except where retention is required by law or for ongoing treatment purposes. Audit records of access to your PHI are retained to satisfy HIPAA documentation requirements, with your identifying details removed (see Section 10).
7. Breach Notification
In the event of a breach of unsecured PHI, we will:
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach.
- Notify the relevant covered entity (for business associate relationships) promptly upon discovery.
- Notify the U.S. Department of Health and Human Services (HHS) as required: for breaches affecting 500 or more individuals, at the same time as individual notification and no later than 60 days after discovery; for breaches affecting fewer than 500 individuals, within 60 days after the end of the calendar year in which the breach was discovered.
- Provide notification that includes a description of the breach, the types of information involved, steps individuals should take to protect themselves, a description of what we are doing to investigate and mitigate the breach, and contact information for questions.
8. Business Associate Obligations
When KindredLink acts as a Business Associate to a Covered Entity (such as a care facility or healthcare provider), we are bound by the terms of our Business Associate Agreement and applicable HIPAA regulations. Our obligations include:
- Using and disclosing PHI only as permitted by the BAA and HIPAA
- Implementing appropriate safeguards to prevent unauthorized use or disclosure
- Reporting any security incidents or breaches to the Covered Entity
- Ensuring that any subcontractors who access PHI agree to the same restrictions and conditions
- Making PHI available to individuals who request access, as directed by the Covered Entity
- Returning or destroying PHI upon termination of the BAA where feasible and, where return or destruction is not feasible, extending the BAA's protections to the retained PHI and limiting its further use to the purposes that make return or destruction infeasible
9. Minimum Necessary Standard
We apply the minimum necessary standard to all uses, disclosures, and requests for PHI. This means we make reasonable efforts to limit the PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose. This standard applies to:
- Internal access: employees and systems access only the PHI necessary for their specific functions
- Disclosures to care teams: only information relevant to the individual’s care is shared
- AI processing: only the minimum data necessary to generate the requested output is transmitted
- Service provider access: third parties receive only the PHI required to perform their contracted services
10. Data Retention
We retain PHI in accordance with the following guidelines:
- HIPAA Documentation: HIPAA requires retention of certain documentation (including this Notice, policies, procedures, and authorization forms) for a minimum of six (6) years from the date of creation or the date when the document was last in effect, whichever is later.
- Active Accounts: PHI is retained for as long as your account remains active and the Service is being provided.
- Account Deletion: Upon a verified account deletion request, your PHI is deleted within 30 days. AI-generated content and associated media are deleted within 90 days.
- Audit Logs: Audit logs documenting access to PHI, including the accessor identity, timestamp, and nature of access described in Section 3.2, are retained for a minimum of six (6) years in line with HIPAA documentation requirements. After an account is deleted, these logs are retained with the data subject's identifying details removed.
- Legal Holds: PHI subject to a legal hold, pending litigation, or regulatory investigation will be retained until the matter is resolved.
11. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
To file a complaint with KindredLink:
Contact our Privacy Officer at privacy@kindredlink.ai. We will investigate all complaints and respond within 30 days.
To file a complaint with HHS OCR:
U.S. Department of Health and Human Services, Office for Civil Rights — https://www.hhs.gov/hipaa/filing-a-complaint
We will not retaliate against you for filing a complaint.
12. Changes to This Notice
We reserve the right to change the terms of this Notice at any time. Any material changes will be effective for all PHI we maintain at that time. When we make material changes, we will post the revised Notice on this page with an updated effective date and notify affected individuals and covered entities as required by HIPAA. The revised Notice will be available on our website and upon request.
13. Contact Information
For questions, concerns, or requests related to this HIPAA Notice or your PHI, please contact us: