
HIPAA Health Data Protection Policy


Effective Date: August 4, 2025 (Last Updated)

PLEASE READ THIS NOTICE CAREFULLY. This Notice describes how your health information may be used and disclosed by Dektori, and your rights regarding that information. Although Dektori is not a “covered entity” under the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), we are firmly committed to protecting your privacy and voluntarily comply with HIPAA’s standards for safeguarding health information. Your privacy is important to us, and we handle your health data with the same care as a HIPAA-covered healthcare provider.

Your Health Information and Our Commitment to Privacy

When this Notice refers to “your health information” or “Protected Health Information” (PHI), it means any individually identifiable information about your health, healthcare provided to you, or payment for healthcare. PHI includes personal details such as your name, contact information, or date of birth combined with information related to your past, present, or future physical or mental health or medical services. Examples of PHI on the Dektori platform include symptoms or health questions you submit, your medical history, consultation notes from providers, and billing or payment information connected to your identity. Even though Dektori primarily offers general educational health information, any personal health details you share that can identify you are treated as PHI under this Notice.

We collect PHI directly from you when you create an account, enter information in your profile, submit questions or describe symptoms, or communicate with healthcare providers through Dektori. PHI is also generated during your use of the platform, for example when a provider records consultation notes or when a summary of advice is documented. We only collect the minimum necessary health information required to deliver our services, and the decision to share such information is entirely voluntary. By choosing to share PHI with us, you consent to the use and disclosure described in this Notice.

All PHI you provide is stored securely in compliance with HIPAA-level standards. Dektori uses Amazon Web Services (AWS) Elastic Compute Cloud (EC2) infrastructure for hosting, under a signed Business Associate Agreement (BAA). This means that your information is stored on HIPAA-eligible servers, encrypted both in transit and at rest, and subject to strict access and monitoring controls. Dektori serves as custodian of your records and retains PHI only for as long as necessary to provide services or as required by law. Once information is no longer needed, it is securely deleted or de-identified.

How We May Use and Disclose Health Information

Dektori uses and discloses PHI only for purposes outlined in this Notice or as otherwise required by law. In every case, we limit use and disclosure to the minimum necessary. We will not use or share your PHI without your authorization except as described below.

We may use your health information to deliver Dektori’s services. This includes enabling providers to review your submissions, understand your health questions, and provide educational health consultations. Information you provide may be shared with affiliated providers involved in your consultation so they can best assist you. Although Dektori’s services are designed primarily for health education and not as formal medical treatment, any PHI disclosed during these interactions is handled with the same privacy protections as in a clinical setting.

We may also use and disclose your PHI to process payments when services require a fee. For example, if you purchase a consultation or subscription, your name and billing details may be shared with our secure payment processors such as Stripe, PayPal, or bank transfer partners. These processors are responsible for handling card or account information and are bound by strict data security and confidentiality obligations. Dektori itself does not retain your full credit card number; we receive only confirmation of payment and transaction records. Your contact information may also be used to send receipts or communicate with you regarding billing.

In addition, PHI may be used for Dektori’s healthcare operations. This includes quality assurance reviews, training of providers, customer service, auditing, legal and compliance activities, and platform maintenance. We may review consultation transcripts to improve service quality, analyze anonymized usage trends to enhance features, or use feedback you provide to guide provider coaching. If outside consultants such as attorneys or auditors are engaged, they may review limited PHI under binding confidentiality agreements. In all cases, operations-related use of PHI occurs under strict privacy and security controls.

Third-Party Service Providers and Integrated Technologies

Dektori works with carefully selected third-party service providers, often referred to as “business associates,” to operate the platform and deliver services to you. These include cloud hosting providers, payment processors, communication tools, translation services, and analytics platforms. Each of these service providers is contractually bound to protect your information through Business Associate Agreements (BAAs) or equivalent legal safeguards. They may only use PHI for the purposes of providing their contracted services and are prohibited from using it for their own benefit.

Our cloud infrastructure, including AWS EC2 and related HIPAA-eligible services, is secured under a signed BAA, ensuring all PHI stored is encrypted and safeguarded. Payment processors such as Stripe and PayPal handle sensitive billing details directly, using industry-standard encryption and PCI-compliant systems. Dektori itself does not retain full credit card numbers or other sensitive financial data, but receives confirmation of successful transactions. When you choose to pay by bank transfer or digital wallet, only the information necessary to complete and confirm the transaction is shared.

For communication and interaction on the platform, we may use secure messaging systems, live chat code, or authenticated login integrations such as Facebook Login and Apple Login. These services allow you to connect easily with your account, and the only data shared is what is required to authenticate and provide you with access. Where language support is required, Microsoft Text Translator may process text you input for translation purposes. Only the information necessary for translation is shared, and it is transmitted securely.

We also integrate tools such as Google Analytics, Google Tag Manager, site tracking scripts, and Google reCAPTCHA to help us maintain security, monitor platform performance, and understand user engagement. These tools collect limited technical or behavioral information, such as page views or activity patterns, but not your personal health data. We configure these services to use data in ways that are consistent with HIPAA best practices, and any information they process is subject to strict contractual and technical controls.

Newsletter subscription services may be used to manage communications with you. If you choose to subscribe, only your contact details and preferences are shared, and you may opt out at any time. Firebase configuration and Google APIs are also used for technical support functions such as authentication, notifications, and application reliability. In all cases, we share only the minimum PHI required and ensure encryption, monitoring, and security safeguards are in place.

Disclosures Required or Permitted by Law

There are certain circumstances where Dektori may be required or permitted to disclose PHI without your authorization. These disclosures are limited to what the law allows and are always handled with care. We may be compelled to release information if we receive a valid court order, subpoena, or other legal directive. If it is lawful to do so, we will notify you before complying with such a request.

We may also disclose PHI if necessary to prevent a serious threat to your health or safety, or that of another person. This could include reporting suspected abuse, neglect, or domestic violence, or notifying appropriate authorities when there is a risk of imminent harm. In limited cases, PHI may be disclosed for public health activities, such as reporting communicable diseases or assisting in health surveillance. Similarly, we may disclose information to law enforcement or government agencies if legally required as part of investigations, missing person cases, or national security and intelligence matters.

Outside of these circumstances, Dektori does not disclose your PHI unless you provide explicit written authorization. For example, we will never sell your PHI or use it for marketing purposes without your consent. If you authorize us to use your information for a particular purpose not described in this Notice, you may revoke that authorization at any time, and we will honor your decision for all future uses or disclosures.

Your Rights Regarding Your Health Information

As a user of Dektori, you have important rights concerning your PHI. You have the right to access and receive a copy of the information we maintain about you, whether in electronic form through our secure user portal or in paper format upon request. We will generally provide access within thirty days, and if we cannot fulfill your request, we will provide a written explanation.

You also have the right to request an amendment if you believe any of your PHI is inaccurate or incomplete. While we may deny a request if we determine the information is correct, or if we are not the originator of the record, we will explain the basis for denial in writing and allow you to provide a statement of disagreement.

You may request restrictions on how your PHI is used or disclosed. Although we are not required to agree to every restriction, we will make a good faith effort to honor reasonable requests, especially if you pay for a service out of pocket and wish to limit disclosures to a health plan. You also have the right to request confidential communications, such as asking that we contact you only by email or at an alternative address.

You have the right to receive an accounting of disclosures of your PHI made by Dektori, other than those related to treatment, payment, or operations, or those you authorized directly. This record covers a six-year period and will detail what was disclosed, to whom, and for what purpose.

If there is ever a breach of your unsecured PHI, you have the right to be notified without unreasonable delay. Our notification will explain the nature of the breach, what information was involved, what steps we are taking to contain it, and what actions you can take to protect yourself.

Finally, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. Dektori will not retaliate against you for raising a concern or filing a complaint.

Security Measures

Dektori employs comprehensive safeguards to protect the confidentiality, integrity, and availability of your PHI. All communications between your device and our systems are encrypted, and PHI is encrypted at rest in our databases. Our secure user portal requires strong authentication, session timeouts, and role-based access to ensure that only authorized individuals may view PHI.

Internally, access to PHI is restricted to staff and providers who need the information to perform their duties, and all employees and contractors receive HIPAA training and sign confidentiality agreements. Network security measures include firewalls, intrusion detection, continuous monitoring, and regular vulnerability assessments. Physical security is provided by AWS data centers, which employ strict controls such as 24/7 monitoring, restricted access, and biometric entry systems.

We maintain Business Associate Agreements with all third-party service providers that may handle PHI. These agreements obligate them to implement encryption, breach notification procedures, and HIPAA-level security measures. Integrated technologies—such as live chat support, translation tools, login services, analytics platforms, and payment gateways—are carefully vetted and configured to operate in line with HIPAA best practices. We limit PHI sharing to the minimum necessary and ensure encryption is always in place.

Contacting Us About Privacy

If you have questions, concerns, or requests related to this Notice or your PHI, you may contact Dektori at info@dektori.com or use the secure messaging functions within your account. We will respond promptly, typically within thirty days.

You may also file a complaint with the Office for Civil Rights at the U.S. Department of Health and Human Services if you believe your rights under HIPAA have been violated. We encourage you to contact us first so that we may address your concerns directly, but you are not required to do so.

Changes to This Notice

Dektori reserves the right to update this Notice at any time. Changes may apply to all PHI we maintain, including information created before the revision. When we make updates, we will post the revised Notice on our website and within the application, updating the effective date above. Your continued use of the platform constitutes acceptance of the updated practices.

Commitment to Privacy

Protecting your privacy is fundamental to our mission of making health education accessible while respecting your rights. By hosting services on HIPAA-eligible AWS EC2 infrastructure under a Business Associate Agreement, encrypting all PHI, and working only with vetted service providers bound by privacy agreements, Dektori ensures that your information is treated with the highest standards of care.

If you have any questions about this Notice, or about how we safeguard your information, please reach out to us at info@dektori.com.