1. Introduction and Scope
This Privacy Policy explains how ARBO ("ARBO," "we," "us") collects, uses, discloses, and protects information when you use our websites, mobile apps, and the ARBO platform (collectively, the "Services") in the United States.
ARBO is a technology platform. ARBO does not provide medical advice, diagnosis, or treatment, and ARBO does not employ or subcontract healthcare professionals to provide patient care. Healthcare services available through the Services are provided by independent, licensed providers or clinics (each, a "Provider").
If you use the Services through a Provider (for example, for telehealth visits, scheduling, documentation, messaging, or payments), your Provider may be a "Covered Entity" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). In that case, your Provider's Notice of Privacy Practices ("NPP") governs how the Provider uses and discloses your Protected Health Information ("PHI"). ARBO may act as a "Business Associate" to Providers and will handle PHI as required by HIPAA and applicable Business Associate Agreements ("BAAs").
This Privacy Policy does not replace a Provider’s NPP. If there is a conflict regarding PHI, the Provider’s NPP and HIPAA obligations generally control for the Provider’s activities.
2. Key Definitions
- Personal Information: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with an individual or household.
- Protected Health Information (PHI): individually identifiable health information regulated by HIPAA when created or received by a Covered Entity or Business Associate, including electronic PHI (ePHI).
- Covered Entity / Business Associate: the meanings defined in HIPAA and its implementing regulations.
- De-identified Data: information that has been de-identified under HIPAA or other applicable law so that it cannot reasonably be used to identify an individual.
- FHIR: HL7 Fast Healthcare Interoperability Resources, a standard for exchanging healthcare information electronically.
3. Information We Collect
We collect information in the following categories (as applicable to your role as a patient, Provider, or clinic administrator):
3.1 Account and Profile Information
- Contact information (name, email address, phone number).
- Login credentials and authentication factors (e.g., multi-factor authentication data).
- Provider profile and credentialing information where applicable (e.g., license number, specialty), submitted by the Provider or clinic.
3.2 Health and Care-Related Information
- Information entered into the electronic health record (EHR) or similar features within the Services, including intake forms, clinical notes, prescriptions, orders, and documents uploaded by you or your Provider.
- Telehealth session data such as appointment metadata, call quality metrics, and, if enabled by the Provider and permitted by law, recordings and transcripts of visits.
- Messages exchanged through the Services (including messages routed from integrated channels, if enabled by a Provider/clinic).
3.3 Interoperability and Integrations (including FHIR)
- Data that you or a Provider connects or imports from third-party systems (e.g., hospitals, labs, EHRs) through authorized integrations, including FHIR-based APIs where supported.
- Identifiers needed to enable integrations (e.g., tokens, system IDs).
3.4 Payments and Transactions
- Billing details such as transaction amounts, invoices, subscription status, and the last four digits of a payment card when provided by a payment processor.
- ARBO does not store full payment card numbers; payments are processed by third-party payment processors.
3.5 Usage, Device, and Log Data
- IP address, device identifiers, browser type, operating system, and language settings.
- Log and audit information such as access events, feature usage, and security logs.
- Cookies and similar technologies (see Section 8).
3.6 Support and Communications
- Information you share when you contact support or participate in surveys, events, or training.
- Any files or content you submit for troubleshooting.
4. How We Use Information
We use information for the following purposes (as permitted by applicable law and, where relevant, under HIPAA):
- Provide, operate, and maintain the Services, including account creation, scheduling, messaging, telehealth facilitation, documentation, and marketplace features.
- Enable AI-assisted features, such as transcription, summarization, documentation support, and workflow automation, as configured by Providers or clinics. These features are intended to support clinical workflows and administrative efficiency, not to replace a Provider’s professional judgment.
- Process payments, subscriptions, refunds, chargebacks, and related accounting.
- Monitor, secure, and troubleshoot the Services, including detecting fraud, abuse, or security incidents.
- Communicate with you about service-related messages (e.g., appointment reminders, product updates, security notices).
- Comply with legal obligations and enforce our terms and policies.
- Create De-identified Data and use it for analytics, product improvement, and research consistent with applicable law.
5. How We Share Information
We may share information in the following circumstances:
5.1 With Providers and Clinics
When you use the Services in connection with a Provider or clinic, information you submit or generate through the Services may be shared with that Provider or clinic as part of delivering the Services.
5.2 With Service Providers and Subcontractors
We use vendors to help operate the Services (for example, cloud hosting, communications, customer support, analytics, observability, and security tooling). Vendors are contractually required to protect the information and use it only to provide services to ARBO. When PHI is involved, applicable HIPAA subcontractor obligations and BAAs (or equivalent terms) apply.
5.3 With Payment Processors
Payment processing is handled by third-party processors. They process payment information under their own privacy practices and security standards.
5.4 Legal, Safety, and Business Transfers
- To comply with law, legal process, or lawful requests from public authorities.
- To protect the rights, safety, and security of ARBO, our users, Providers, or others.
- In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets (subject to applicable confidentiality and legal requirements).
5.5 With Your Consent or Direction
We may share information with third parties when you (or an authorized Provider/clinic administrator) instruct us to do so, such as exporting data through integrations or sharing records for continuity of care.
6. HIPAA and Health Information
If your Provider is a Covered Entity, HIPAA may apply to certain information processed through the Services. In many cases, ARBO acts as a Business Associate and processes PHI on behalf of the Provider under a BAA.
To exercise HIPAA rights related to PHI (such as access, amendment, or an accounting of disclosures), you should contact your Provider directly. ARBO will assist Providers in fulfilling HIPAA requests as required by the BAA and applicable law.
Certain information may be excluded from access under HIPAA, such as psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, as defined under HIPAA.
If you believe your HIPAA rights have been violated, you may file a complaint with your Provider, ARBO, and/or the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
7. U.S. State Privacy Rights
Depending on your state of residence, you may have additional rights under state privacy laws (for example, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and other state privacy statutes). These rights may include:
- Right to know/access: request information about the Personal Information we collect, use, and disclose.
- Right to delete: request deletion of certain Personal Information, subject to legal exceptions.
- Right to correct: request correction of inaccurate Personal Information.
- Right to opt out of certain processing: such as targeted advertising, and in some jurisdictions, the sale or sharing of Personal Information.
- Right to non-discrimination: you will not be discriminated against for exercising applicable rights.
ARBO does not sell Personal Information as that term is defined under the CCPA/CPRA. If ARBO engages in targeted advertising or similar activities in the future, we will provide required opt-out mechanisms.
7.1 Washington Consumer Health Data (My Health My Data Act)
If you are a Washington resident, you may have rights with respect to "consumer health data" under the Washington My Health My Data Act (MHMDA). ARBO does not sell consumer health data. Where MHMDA applies, you may have rights to access, delete, or withdraw consent for the collection and sharing of consumer health data, subject to applicable exemptions.
To submit a request under state privacy laws, contact us using the information in Section 13. We may need to verify your identity and, where applicable, your authority to act on behalf of another person (including as an authorized agent).
8. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Services, remember preferences, provide security, and analyze usage. You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Services.
Where required by law, we will provide choices for non-essential cookies and similar technologies.
9. Security
We maintain administrative, technical, and physical safeguards designed to protect information, including PHI, against unauthorized access, use, and disclosure.
- Encryption in transit and at rest where appropriate.
- Role-based access controls and least-privilege permissions.
- Multi-factor authentication and secure session management.
- Audit logging and monitoring to detect and investigate suspicious activity.
- Vendor security reviews and contractual protections, including HIPAA subcontractor controls where applicable.
No system is 100% secure. If you believe your account has been compromised, please contact us promptly.
10. Data Retention
We retain information for as long as reasonably necessary to provide the Services, comply with legal and contractual obligations, resolve disputes, and enforce agreements. Retention of health records may be governed by a Provider’s policies and applicable medical record retention laws. We may de-identify information and retain de-identified data for longer periods as permitted by law.
11. Children’s Privacy
The Services are not directed to children under 13. We do not knowingly collect Personal Information from children under 13 without verifiable parental consent, consistent with the Children’s Online Privacy Protection Act (COPPA). If you believe a child has provided us information without appropriate consent, please contact us and we will take steps to delete it as required by law.
Where a Provider enables care for minors, a parent or legal guardian may manage the minor’s account and permissions consistent with applicable law and the Provider’s policies.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the updated version with a revised effective date. If changes are material, we will provide additional notice as required by law.
13. Contact Us
If you have questions about this Privacy Policy or wish to submit a privacy request, you can contact us at:
- Email: privacy@arbo-health.com
- Mailing Address (Privacy Contact): ARBO-HEALTH, CORP, Attn: Privacy Officer, 7345 W SAND LAKE ROAD, STE 210 OFFICE 5009, ORLANDO, FL 32819, United States. Phone: +1 (689) 600-1033. Email: privacy@arbo-health.com.