Dektori ("we," "us," or "our") is dedicated to safeguarding your privacy and ensuring the security of your personal and health information. This Privacy Policy and Notice of Privacy Practices ("Privacy Policy") outlines our practices concerning the collection, use, storage, and sharing of information from users of our telehealth platform ("Platform"). It also details your rights regarding your data. This document integrates our general website privacy practices with our Notice of Privacy Practices for Protected Health Information ("PHI"), in full compliance with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable data protection laws, including, where relevant, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By accessing or using the Dektori Platform, you explicitly consent to the practices described in this Privacy Policy and acknowledge that your information (including personal health information) may be transferred to and processed in the United States or other jurisdictions where our service providers operate. If you do not agree with the terms of this Privacy Policy, please refrain from using our Platform. We may provide additional privacy disclosures or obtain specific consents as required by applicable law. This Privacy Policy is an integral part of our Terms of Use, and any capitalized terms not defined herein shall have the meanings ascribed to them in the Terms of Use.
We collect various categories of information from or about you in order to provide, operate, and improve the Dektori Platform and its services. Information is gathered through direct interactions with you, through automated technologies that record how you use our services, and, in some circumstances, through third parties who are involved in facilitating access or payment. We are committed to collecting only the minimum information necessary for the purposes described in this Policy and in compliance with applicable law.
When you create an account, schedule or participate in a consultation, subscribe to our newsletters, interact with our live chatbot, or otherwise communicate with us, you may provide us with personal identifiers such as your name, date of birth, postal address, email, and telephone number. You may also supply demographic information such as age, gender, country of residence, and optional profile details. During the course of using the Platform for health education or telehealth consultations, you may submit information that qualifies as Protected Health Information (PHI), which can include your medical history, symptoms, medications, test results, diagnostic images, consultation notes, or other health-related details. Although our services emphasize education rather than treatment, we treat any such data in accordance with HIPAA-level protections as described in our Notice of Privacy Practices.
Payment information is another category you may provide when purchasing consultations or services. This can include billing address, contact details, and transaction-related information. Sensitive payment card data is handled through integrated processors such as Stripe (which may include Visa, Mastercard, Apple Pay, and Google Pay), PayPal, or bank transfer facilitators. These processors operate under secure PCI-DSS and HIPAA-aligned frameworks; Dektori itself does not store complete credit card numbers but may retain billing contacts and transaction confirmations to ensure proper record-keeping.
In addition, we collect the content of your communications when you contact our support team, use the live chatbot, or correspond with providers via the Platform’s messaging system. This includes consultation questions, attachments, feedback, or complaints. If you choose to subscribe to our newsletter, you will provide us with your email address and preferences for communications. Subscription data is stored securely and may be used to send health updates, announcements, or promotional material consistent with your consent.
When you access or use the Platform, we automatically collect certain information about your device, browsing activity, and interactions. This information is essential to the functionality, performance, and security of our services. It includes technical details such as your Internet Protocol (IP) address, browser type, device identifiers, operating system, language settings, pages or features you visit, the dates and times of your access, and how you navigate through the Platform. We may also log session activity, including login and logout times, click paths, and page response times, to analyze trends and enhance service quality.
Your approximate location may be inferred from your IP address in order to customize the Platform, for example by displaying local time zones or matching you with regionally available providers. If you enable precise location access on your device, we may collect geolocation data to enhance certain features; you may revoke such access at any time in your device or browser settings.
To secure accounts and prevent abuse, we use tools such as Google reCAPTCHA, which analyze limited technical and behavioral signals to distinguish between human and automated access attempts. We also rely on configuration and authentication systems provided by Google APIs, Google Client JSON, and Firebase, which may capture device tokens or application performance metrics. These integrations allow us to deliver secure logins, maintain reliable connections, and provide timely notifications such as consultation reminders. While these services may receive metadata about your device or app usage, they do not access your consultation content or PHI.
Analytics technologies are another category of automated collection. For example, we use Google Analytics and Google Tag Manager, along with site tracking scripts, to evaluate how users engage with our services. These tools may set cookies or similar identifiers to measure visitor numbers, session length, navigation flows, and errors encountered. Data collected in this way is used to improve functionality and is not linked to your consultation records. We configure these tools in accordance with best practices to minimize personal identification and limit secondary use.
In some circumstances, we obtain information about you from third parties that you choose to interact with or that support essential services. For instance, if a healthcare provider enters details on your behalf, if a parent or guardian supplies information for a minor, or if a payment processor provides us with updated billing information, we will collect and retain such data for the limited purpose of fulfilling the service.
You may also choose to log in through external authentication providers such as Apple, Google, or Facebook. If you do so, we receive limited account details from these services—most commonly your name and email address, and, in some cases, a profile picture or an anonymized relay email (as in the case of Apple). The exact information shared depends on your settings with the provider and the permissions you grant. These details are used only for authentication, account creation, and account recovery, and are never sold or repurposed for unrelated marketing.
In addition, if you subscribe to our newsletter through a third-party mailing service, we collect your email address and subscription preferences, which are then managed by the newsletter service provider. The provider may also record whether you opened or clicked on a message, which we use solely to understand engagement and improve communications.
Finally, when you request translation support, Microsoft Text Translator may process text that you input for the purpose of rendering it into another language. The service is used only to facilitate communication and does not retain or independently use the content outside of delivering translations. If PHI is contained in the text, we take steps to minimize exposure and transmit it securely.
We use the information we collect for various legitimate purposes essential to operating, providing, and improving the Dektori Platform and services. These purposes include:
● Providing Telehealth Services: We use your personal information and PHI to facilitate the telehealth services you request. This includes connecting you with healthcare providers, enabling providers to review your medical information and offer consultations or second opinions, and coordinating care or referrals. For example, Dektori may use your medical records and information to ensure the consulting doctor has the necessary details to advise on your case. We may also use your contact information to register you, verify your identity, and communicate with you about your appointments or care.
● Treatment, Payment, and Health Care Operations (Notice of Privacy Practices): As a telehealth platform, we may use and disclose your PHI for purposes of treatment, payment, and health care operations as permitted by HIPAA. This means:
○ Treatment: Your PHI can be used and shared with physicians, nurses, technicians, or other healthcare professionals for your diagnosis and treatment. For instance, we will share your provided medical history and test results with the independent provider (doctor) who is consulting with you, so they can make informed medical recommendations. We might also use your information to remind you of follow-up appointments or inform you of alternative treatments or health services that could benefit you.
○ Payment: We use and disclose your information to bill and receive payment for the health services provided. For example, we may use your payment information to process your credit card transaction for a consultation. If applicable, we might also share necessary PHI with your health insurance plan to get authorization or payment for the telehealth services (e.g., an insurer may require details of the service before reimbursing the cost). Only the minimum necessary information will be disclosed for billing purposes.
○ Health Care Operations: We may use your information for our internal operations to ensure the quality and efficacy of our services. This can include activities like quality assessment and improvement, clinical protocol development, customer service, provider performance evaluation, training of staff, legal and auditing functions, and general administrative activities. For example, we might review records of consultations (with identifying details limited or removed when possible) to monitor the quality of care provided by our network providers. We may also use PHI in de-identified form (so it can no longer be associated with you individually) for purposes of data analytics, medical research, or improving our Platform’s performance.
● Communicating with You: We use your contact information (email, phone number) to communicate with you about your use of the Platform. This includes sending service-related announcements, responses to your inquiries, appointment confirmations, and customer support messages. With your consent, we may also send you newsletters or promotional communications about new services or health tips. You can opt out of marketing emails or texts at any time. (Transactional or account-related messages are not optional, as they are necessary for providing our services.)
● Personalizing and Improving the User Experience: We may use your information to personalize your experience on the Platform. For example, we might recommend certain services or content based on your usage history or show you relevant healthcare resources. We also use aggregated usage data to understand how our users as a whole interact with our Platform, which helps us improve the design, functionality, and content of our website and app. This can include fixing bugs, analyzing site performance, and improving user interface for better accessibility.
● Analytics and Marketing: Non-identifiable information (such as general usage patterns or device data) may be used to perform analytics and to engage in marketing or advertising for our services. For instance, we might use cookies to track which pages of our site are most popular and use that data to inform our marketing strategy. We may also use certain limited personal data to reach you with targeted advertising on third-party platforms, but only in accordance with applicable law. Any email marketing will be done in compliance with anti-spam laws and with appropriate consent. You have choices about cookies and advertising as described in the “Cookies and Tracking” section of this Policy, and you may opt out of marketing communications.
● Compliance with Legal Obligations: We may process and use your information as necessary to comply with applicable laws, regulations, subpoenas, court orders, or other legal processes. This includes using your data to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements. For example, if we are required by law to report certain information to regulatory agencies (such as the U.S. Food and Drug Administration for reporting on the safety of a medical device) we will use and disclose the necessary information. We also use information to fulfill our obligations for record-keeping (for example, maintaining transaction records for tax and accounting purposes) and to comply with healthcare laws and regulations.
● Protection of Rights and Interests: We may use your information as necessary to protect our rights, privacy, safety, or property, and/or that of you or others. This includes using information to detect, prevent, and address fraud, security, or technical issues. If necessary, we will use information to enforce our Terms of Use or this Privacy Policy, or to establish or exercise our legal rights. For example, we may use certain data to investigate a violation of our policies or to pursue remedies or limit damages in the event of a dispute.
● Other Purposes with Your Consent: If we intend to use your personal information for any purpose not described in this Policy, we will obtain your consent as required. In particular, if we ever need to use or disclose your PHI in a way that requires your authorization under HIPAA (for example, for certain marketing activities or sharing psychotherapy notes), we will ask for your written authorization before doing so. If you provide an authorization for a specific use of PHI, you can later revoke it in writing, and we will no longer use or disclose that information for that purpose going forward (except to the extent we have already relied on your authorization).
We do not use your personal information for any automated decision-making or profiling that produces legal or similarly significant effects. We do not sell or rent personal information to third parties for their own marketing purposes. All uses of personal and health information are in accordance with applicable law and for legitimate business and health care purposes as described above.
We understand the importance of keeping your information private. We share your personal information only in the ways described in this Privacy Policy, and we do so with appropriate safeguards. The categories of recipients with whom we may share information include:
● Healthcare Providers (Treatment Purposes): We will share your PHI with the independent doctors or other healthcare professionals who provide telehealth consultation or treatment to you via the Dektori Platform. These providers need access to your relevant medical information to provide you with care. They are required to keep such information confidential in accordance with law and professional ethics. For example, if you request a second opinion consultation, the medical records and images you upload will be disclosed to the consulting physician so that they can review your case and give informed advice.
● Your Authorized Representatives: If you have a personal representative (such as a legal guardian, caretaker, or someone holding a health care power of attorney) or if you are using the Platform on behalf of someone else as their parent/guardian or caregiver, we will disclose information to that person as allowed by your consent or by law. For instance, if a parent initiates a consultation for a minor child, we will share the child’s health information with that parent/guardian.
● Service Providers (Processors): We employ trusted third-party companies and individuals to perform services on our behalf, and we may need to share certain personal information with them to fulfill those services. These service providers include, for example:
○ Payment processors who handle credit card transactions or insurance billing (your financial information is transmitted securely to these processors for payment purposes).
○ Cloud hosting and IT infrastructure providers that securely store our data and ensure our Platform runs smoothly.
○ Email, text messaging, or telecommunication providers that help us send appointment reminders or facilitate video conferencing for telehealth visits.
○ Analytics and marketing partners who assist in analyzing data or executing marketing communications on our behalf (only with appropriate data protection agreements and, where applicable, your consent).
○ Translation or medical record review services if we use translators or specialists to help interpret or summarize medical records (particularly for international cases, with your consent or as necessary for your care).
These third-party service providers act on our instructions, and we provide them only the information necessary for them to perform their specific functions. They are contractually obligated to protect your information and not to use it for any purpose other than the services they provide to us.
● Affiliated Entities: Dektori may share personal information with our corporate affiliates or subsidiaries (if any) that are under common ownership or control, so that they may assist in providing services or for internal administrative purposes. Any affiliate with whom we share data will abide by terms at least as restrictive as this Privacy Policy.
● Business Transfers: If Dektori is involved in a merger, acquisition, financing due diligence, restructuring, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction. Should such a transfer occur, we will require the receiving party to handle your personal information in a manner that is consistent with this Privacy Policy (unless, for any reason, you are notified and consent to a different handling). For example, if another company acquires Dektori or its assets, customer information (including personal data) would likely be one of the assets transferred, but it would remain subject to the promises made in any pre-existing privacy policy unless you agree otherwise.
● Legal Compliance and Protection: We may disclose information about you if we believe in good faith that such disclosure is necessary to: (a) comply with a law, regulation, legal process, or governmental request; (b) enforce our Terms of Use or other agreements; or (c) protect the rights, property, or safety of Dektori, our users, our providers, or the public. This includes exchanging information with law enforcement or regulators when required by law or to address issues such as suspected fraud or security vulnerabilities. For instance, if required by a subpoena or court order, we may be obligated to disclose certain records to the authorities. Similarly, if we believe that disclosing certain information will help prevent imminent harm to a patient or others (such as in a medical emergency or if there is a serious and credible threat to someone’s health or safety), we may share information with the appropriate authorities or persons in line with ethical and legal obligations. PHI may be disclosed to public health authorities or other entities authorized to assist in disaster relief, disease control, reporting adverse events, or other public health and safety activities as permitted by law. We may also disclose PHI to report abuse, neglect, or domestic violence to government authorities if required or authorized by law, and if we believe a patient is a victim of such abuse or neglect (in such cases, we will only disclose with appropriate safeguards or as expressly required by law).
● With Your Consent or at Your Direction: Aside from the above situations, we will share your information with third parties only if you specifically authorize it or direct us to do so. For example, if you request that we send a copy of your medical records to a physician outside our Platform or to a family member, we will do so with your permission. Similarly, if you choose to participate in a program or service that involves sharing data (such as a collaborative care program with a local provider), we will disclose data as needed with your consent.
● De-identified or Aggregated Data: We may share information that has been de-identified (stripped of personal identifiers such that it cannot reasonably be used to identify you) or aggregated (combined with data of other users). Such information is not personally identifiable and may be used freely, for example in publishing general usage statistics, improving healthcare research, or developing new services. We will not re-identify such data and will ensure any third party receiving it agrees to keep it de-identified.
Important: We do not sell your personal information to third parties for their own marketing or commercial uses. We do not disclose your health information to any third party for purposes unrelated to your care, payment, our operations, or the other exceptions permitted by law, without your explicit authorization. Any third parties with whom we share data must contractually agree to protect the confidentiality and security of the data. If in the future Dektori desires to share your information in a manner not covered by this Privacy Policy, we will seek your consent before doing so.
When you visit the Dektori website or use the mobile application, we and certain authorized third-party providers make use of cookies, software development kits (SDKs), pixels, and other tracking technologies to collect information about your interactions with the Platform. These technologies allow us to maintain secure sessions, recognize returning users, remember preferences, measure performance, and improve the overall functionality and security of the Platform. They also support integrated services such as authentication, translation, analytics, communications, and payments.
Cookies are small text files that are placed on your device by your browser. Some are strictly necessary for the Platform to function correctly—for example, to maintain your login session or to remember security tokens when you navigate between pages. Others are functional or analytical in nature and allow us to understand how users interact with different parts of the Platform. For instance, Google Analytics, Google Tag Manager, and other site tracking scripts help us analyze traffic flows, the frequency of visits, session lengths, and technical errors. The data collected by these tools may include your IP address, device identifiers, browser type, and patterns of navigation. This information is generally aggregated and used to generate statistics, but in some cases it may be associated with account-level identifiers for fraud prevention or security.
Certain integrations make use of cookies or equivalent tokens to provide specific services. When you log in using Apple, Google, or Facebook, authentication cookies or access tokens are placed to verify your identity and maintain your session. These cookies contain only the information necessary to authenticate you and do not expose your login credentials to Dektori. Our live chatbot similarly relies on session cookies to remember your ongoing conversation, enabling continuity if you navigate between pages. Newsletter subscription tools may set cookies or pixels to record whether you opened a message or clicked a link, so that we can measure engagement and manage delivery effectively.
Other technical integrations also involve the use of cookies and tracking. Google reCAPTCHA employs behavioral tracking and device fingerprinting to detect automated bots attempting to access the Platform. Firebase may assign device tokens to support delivery of notifications, diagnostics, and crash reporting. Google API services and Client JSON configurations may rely on tokens or identifiers that confirm you are properly authorized to access Platform functions. These tools may collect technical telemetry data—such as error codes, device models, and application version numbers—that help maintain stability and security but are not used to analyze individual health consultations or PHI.
Although most tracking is functional or analytical, some cookies may also be used for limited marketing purposes. Dektori does not host third-party advertisements unrelated to its services, but we may conduct targeted outreach to inform you of new features or health education opportunities. In doing so, we may use Google or Facebook marketing pixels to measure campaign effectiveness. These pixels record visits and basic interactions, but we configure them not to collect or disclose PHI.
You have choices regarding cookies and tracking. Most browsers automatically accept cookies, but you may adjust your settings to decline them or to alert you when cookies are being set. You may also clear cookies from your device at any time. Please note that rejecting or disabling certain cookies may cause portions of the Platform to stop functioning—for example, you may be logged out unexpectedly, or you may not be able to access the live chatbot or payment checkout. For email tracking, you can disable image loading in your email client, unsubscribe from newsletters, or use the opt-out mechanisms provided in our communications.
At present, there is no universal industry standard for how websites should respond to browser-based “Do Not Track” signals, and accordingly Dektori does not interpret or respond to such signals. We will monitor regulatory and industry developments and, should a binding standard emerge, we will implement appropriate updates to our practices. In the meantime, you may control tracking through your browser settings, opt-out links provided by Google or Facebook, or by disabling non-essential cookies through our cookie management interface (where available).
Dektori is based in the United States, and our Platform is designed to connect users worldwide with U.S.-licensed healthcare providers. If you are accessing our services from outside the United States, be aware that your personal information (including PHI) will be transferred to and stored on servers in the United States or other jurisdictions where our service providers are located. By using the Platform, you expressly consent to the transfer, storage, and processing of your data in the United States. Please note that the privacy and data protection laws of the United States might not be as comprehensive or protective as those in your home country. However, we will handle your information as described in this Privacy Policy, and in accordance with applicable law, no matter where it is processed.
If you reside in the European Economic Area (EEA), United Kingdom, Switzerland, or another region with robust data protection laws (e.g., GDPR), we will ensure that appropriate safeguards are in place for the transfer of your personal data to the U.S. or other jurisdictions. This may include using Standard Contractual Clauses approved by the European Commission, reliance on adequacy decisions (such as the EU-U.S. Data Privacy Framework, if applicable), or obtaining your explicit consent where required.
Where the General Data Protection Regulation (GDPR) or similar laws apply, we process your personal data under the following legal bases:
We are committed to empowering you with control over your personal information. Depending on your jurisdiction, you may have the following rights regarding your data:
● Access, Correction, and Portability: You have the right to access the personal information we maintain about you and to request copies of it. This includes the right to obtain a copy of your health records that we have, in either paper or electronic form. We will provide your PHI in the format you request if it’s readily producible in that format (for example, if you request an electronic copy, we will provide an electronic copy, such as a PDF or through a secure portal, unless it is not feasible for us to do so). You also have the right to request that we transmit a copy of your PHI to a third party that you designate (for instance, to another doctor or to a personal health app), and we will do so upon your written request and as long as the transmission is technically feasible. If any of your personal information is inaccurate or incomplete, you have the right to request that we correct or update it. This includes the ability to correct basic account information through your account settings, as well as the right to ask us to correct errors in your health information. For PHI, if you believe that information in your medical record is incorrect or incomplete, you may request an amendment to that record. We will review your request and, if we agree, will amend the information. If we deny your amendment request (for example, if we believe the record is accurate as is), we will provide you an explanation in writing and you may have the right to submit a statement of disagreement that will be kept with the record.
● Deletion (Right to Erasure): You have the right to request deletion of your personal data, subject to certain limitations. For general personal information that we hold about you, if you wish to close your account or have us delete personal information, you can contact us to make this request. We will honor deletion requests to the extent required by applicable law. Please note that we may need to retain certain information for legal obligations (for example, health records may need to be retained for a certain number of years under healthcare regulations) or legitimate business purposes (such as completing transactions you initiated, detecting fraud, or exercising our legal rights). We may also retain data in backups or archives for a certain period, but will securely protect and isolate it from further use. PHI that forms part of a medical record is often required by law to be maintained for a minimum period (e.g., several years) and cannot be deleted upon demand. However, we can delete other supplemental personal data not required for those records, and when PHI is no longer required to be retained, we will dispose of it securely. If you are a California resident or reside in a jurisdiction with specific deletion rights, our compliance with your request will be in accordance with those laws. When we delete data, we will make it inaccessible in our production systems and follow our data destruction practices to remove it from our records (unless retention is required by law).
● Restriction of Processing: You have the right to request that we restrict the processing of your information in certain circumstances. For example, you may request restriction if you contest the accuracy of the data or if you object to our processing and want to limit it while your objection is being resolved. For PHI, you can request additional restrictions on how we use or disclose your health information beyond what is described in our Notice of Privacy Practices. We are not required to agree to most such additional PHI restrictions, except in specific situations (for example, if you pay for a service in full out of pocket, you may request that we not disclose information about that service to your health insurer, unless disclosure is otherwise required by law). However, if we do agree to an additional restriction, we will honor it except where disclosure is needed for emergency treatment or is required by law. In any case, we will consider and respond to all requests for restriction, and will accommodate them if we reasonably can.
● Objection to Processing: Where applicable law grants this right (for example, under GDPR), you may object to our processing of your personal data, particularly if we are processing it under a legitimate interest basis. You also have the right to object at any time to the processing of your personal data for direct marketing purposes. If you object, we will stop processing the information unless we have compelling legitimate grounds or a legal obligation to continue. With respect to communications, if you object to or opt out of marketing emails or texts, we will honor that choice. Note that even if you opt out of marketing, we may still send you transactional or service-related communications (such as appointment reminders or security alerts) as these are not promotional.
● Data Portability: In addition to the access rights above, in some jurisdictions you have the right to data portability. This means you can request to receive certain personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller (for example, another healthcare provider or platform) without hindrance. Where technically feasible, and if requested, we will directly transmit your data to another organization at your direction. For example, per HIPAA, you may direct us to send an electronic copy of your medical information to a designated third party of your choice.
● Withdrawal of Consent: If we rely on your consent to process personal data, you have the right to withdraw that consent at any time. For example, if you provided consent for us to collect certain health information or to send you marketing messages, you can withdraw your consent and we will stop that processing going forward. This will not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw consent for a particular service or activity, we may not be able to provide certain services to you (for instance, if you withdraw consent to process your health data, we may not be able to continue offering telehealth consultations). We will advise you if this is the case at the time you withdraw your consent.
● Additional Rights for EU and Similar Jurisdictions: If you are in the EU or a jurisdiction with similar rights, you also have the right not to be subject to a decision based solely on automated processing (as noted, we do not engage in such automated decision-making), and the right to lodge a complaint with a supervisory authority in your country. In summary, you have rights regarding your personal data that include the right to access it, correct it, erase it, restrict its processing, transfer it, or object to certain uses, as described above and as applicable to you. You also have the right to lodge a complaint with your local data protection authority or supervisory authority if you believe we have infringed your privacy rights. We encourage you to first reach out to us so we can address your concerns directly.
Exercising Your Rights: To exercise any of your rights described here, please contact us using the information in the "Contact Us" section below. We may need to verify your identity before fulfilling certain requests (for example, by asking you to confirm certain account details or to provide ID) to ensure that these rights are exercised securely and by the correct individual. In some cases, we may refuse or limit your request if the law permits or requires us to do so – for example, if fulfilling a deletion request would impair our compliance with legal obligations. We will inform you of the outcome of your request within the timeframe required by law (typically within 30 days for most requests, with the possibility of an extension if necessary, which we will communicate to you).
● Confidential Communications (Health Information): If you receive healthcare services via our Platform, you have the right to request that we send communications about your PHI by alternative means or to alternative locations to preserve confidentiality. For example, you can ask that we only contact you at a certain email address or send postal mail to a specific address, to avoid others seeing your communications. We will accommodate reasonable requests submitted to us (we may ask you to make the request in writing and specify how or where you wish to be contacted, and, if applicable, how payment will be handled if you have concerns about that).
● Accounting of Disclosures (Health Information): You have the right to request an "accounting of disclosures," which is a list of certain disclosures we have made of your PHI over a defined period (up to the past 6 years). This would include disclosures to outside entities for purposes other than treatment, payment, or healthcare operations (as those routine disclosures are not required to be listed), and excluding disclosures you authorized or certain other exceptions. If you need an accounting of disclosures, please contact us. The first accounting in a 12-month period is free; we may charge a reasonable fee for additional requests in the same period, but we will let you know the cost in advance and give you a chance to withdraw or modify the request.
● Notification of Breaches: We take the security of your data seriously and have measures in place to prevent breaches. However, in the event that a breach of unsecured PHI occurs, we will notify you without unreasonable delay and no later than as required by law (within 60 days under U.S. law) after we discover the breach. We will provide details of the breach, what information was involved, any steps we have taken to mitigate the issue, and any steps we recommend you take to protect yourself. We will also fulfill any reporting obligations to government authorities. For breaches of other personal data (non-PHI), we will notify affected individuals and regulators as required by applicable laws (such as GDPR or state laws) and in a timely manner.
● No Retaliation: We want you to feel comfortable exercising your privacy rights. Dektori will not retaliate against you or deny you services if you choose to exercise any of the rights described in this section or if you file a privacy complaint in good faith. Your care and access to services will not be affected by any privacy-related complaint or request you make.
We employ robust administrative, technical, and physical safeguards to protect the security and confidentiality of your personal information and PHI. In accordance with HIPAA and industry best practices, we have implemented measures designed to prevent unauthorized access, maintain data accuracy, and ensure appropriate use of information. These measures include, but are not limited to:
● Encryption: We secure personal data in transit and at rest using encryption technologies. For example, any connection between your browser or app and our Platform is protected via Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encryption (HTTPS), which helps prevent eavesdropping on data exchanged. Sensitive data (such as health records and payment details) is stored in encrypted form in our databases or in the systems of our trusted service providers.
● Access Controls: We limit access to personal information to only those employees, contractors, and service providers who need it to perform their duties. Access to PHI is restricted through role-based access controls and a need-to-know principle. Each authorized person has unique credentials, and access privileges are reviewed periodically. We also require strong passwords and, where appropriate, implement multi-factor authentication for access to systems containing sensitive data.
● Auditing and Monitoring: We maintain logs of access to personal data and monitor our systems for any unauthorized access attempts or unusual activity. Security logs are regularly reviewed, and we utilize intrusion detection and prevention systems to alert us to potential threats.
● Secure Infrastructure: Our servers are hosted in secure data centers with physical security controls (like 24/7 monitoring, access badges, biometric scanners, etc.). We employ firewalls, anti-malware software, and continuous security patch management to protect our infrastructure. Our system design and development follow security-by-design principles and OWASP guidelines to mitigate common web vulnerabilities. We also conduct regular security assessments, such as penetration testing and code reviews, to identify and address potential weaknesses.
● Data Backups and Recovery: We perform regular backups of critical data to prevent data loss. Backup data is encrypted and stored securely. We have disaster recovery and business continuity plans in place to ensure that our services remain available (or can be quickly restored) in the event of a major incident.
● Training and Policies: We train our staff on privacy and security best practices, including how to handle PHI properly. We have internal policies and incident response plans that dictate how to respond to potential security incidents. In the event of a suspected data breach, we will promptly investigate and take appropriate remedial action.
● Third-Party Security: When we engage third-party service providers (such as cloud hosting, payment processors, or communication tools), we vet their security practices and ensure they agree to protect our users’ information. For providers handling PHI on our behalf, we sign Business Associate Agreements (BAAs) as required by HIPAA, obligating them to safeguard PHI to the same standards.
Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to protect your personal information, we cannot guarantee its absolute security. You also play a role in protecting your information: we encourage you to use a strong, unique password for your Dektori account, to protect that password, and to log out of the Platform when you are finished, especially if using a shared device. If you suspect any unauthorized access to or use of your account or information, please contact us immediately.
We respect the privacy of children. Our Platform is not intended for children under 13 years of age, and we do not knowingly collect personal information from anyone under 13 without verifiable parental consent. If you are under 13, please do not use Dektori or provide any information about yourself. If we learn that we have inadvertently collected personal information from a child under 13 without proper consent, we will delete that information as soon as possible.
Dektori requires that a parent or legal guardian initiate the use of our services for minor children. If you are between 13 and 18 (or the age of majority in your jurisdiction, if higher), you may use the Platform only with involvement of and consent from your parent or guardian. Specifically, a parent or guardian must create the account, provide any necessary information, and supervise the consultation for users who are minors. By accepting this Privacy Policy and using our services, you affirm that you are either (a) at least 18 years old, or (b) if you are 13 or older but under 18, that you are using the Platform under the supervision and with the permission of your parent or legal guardian, who agrees to this Privacy Policy and our Terms on your behalf.
If you are a parent or guardian and believe we might have any information from or about a child under 13 that was collected without your consent, please contact us immediately (see "Contact Us" below). We will take prompt steps to remove that information and terminate any account used exclusively by such a child. We do not use children’s personal information for any marketing or promotional purposes.
(This section serves as our formal Notice of Privacy Practices for purposes of U.S. healthcare privacy laws. It describes how we protect and use medical information and your rights concerning that information. Some of this may overlap with sections above, but it is presented here in compliance with HIPAA requirements.)
Our Responsibilities: Dektori is required by law to maintain the privacy and security of your Protected Health Information and to provide you with this Notice of our legal duties and privacy practices. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your PHI (see "Notification of Breaches" above). We must follow the duties and privacy practices described in this Notice and give you a copy of it upon request. We will not use or share your health information other than as described here unless you tell us we can in writing. If you do give us authorization to use or disclose information for a purpose not covered in this Notice, you may change your mind at any time and revoke that authorization (this will not affect any use/disclosure that occurred while your permission was in effect).
Uses and Disclosures of PHI Without Your Authorization: The following categories describe the ways we may use and disclose your PHI without your written authorization, as permitted by HIPAA (and in some cases, other laws). For all of these uses and disclosures, we only share the minimum necessary information and we ensure that any third-party recipients safeguard the information.
● Treatment: We may use and disclose your PHI to provide, coordinate, or manage your health care and related services. This includes sharing information with doctors, nurses, technicians, or other healthcare professionals who are treating you or consulting about your case. For example, if you use Dektori to get a second opinion on a diagnosis, we will share your relevant medical history, test results, and imaging with the consulting physician so they have the information needed to advise you. We may also use your PHI to contact you with appointment reminders or information about treatment alternatives or health-related benefits and services that may be of interest to you, as part of your care.
● Payment: We may use and disclose your PHI to obtain payment for the health care services provided to you. For example, we might disclose certain information to your health insurance company to determine whether the service is covered, to authorize services or referrals, or to obtain reimbursement for the services provided. We may also use your information to bill you directly for services (e.g., sending you an invoice) or to process claims and coordinate benefits with other insurers. Any disclosure for payment purposes will adhere to the minimum necessary rule and will typically include details such as your name, the service performed, diagnosis codes, and other information needed for the insurer or payer to process the payment.
● Health Care Operations: We may use and disclose your PHI for our health care operations, which are activities necessary to run Dektori and ensure our users receive quality care. Health care operations may include quality assessment and improvement activities, reviewing the competence or qualifications of healthcare professionals, training programs, accreditation, certification, licensing or credentialing activities, medical reviews, audits (including fraud and abuse detection), and business planning and development. For instance, we might review anonymized portions of patient records to evaluate the performance of our participating providers or to determine what new services we should offer. If we use PHI for training or internal case studies, we would remove or obscure identifying details whenever possible.
Third-Party Service Providers (Business Associates): Dektori may share your PHI with certain trusted third-party vendors who help us run our platform and deliver services to you. These third parties function as our "business associates," and include services such as:
● Cloud Storage and IT Providers: We may host data (including PHI) on secure cloud servers or use IT support services to maintain our systems. Any cloud storage or IT provider we use will be HIPAA-compliant and required to protect your data (for example, by using encryption and robust security protocols).
● Payment Processors: As noted above, a payment processing company may handle your credit card or payment transactions on our behalf. Such processors get only the information needed to process your payment and are obligated to keep it secure and confidential.
● Communications and Portal Services: We may use secure messaging services or portal software to enable you to communicate with providers and access your records. These providers also must safeguard any PHI that passes through their systems.
● Other Services: In some cases, Dektori users outside the U.S. may require language translation services during a consultation. If so, we would use a HIPAA-compliant translation service and only share the necessary information for that purpose. We could also use analytics or email services to send you appointment reminders or updates; if those tools handle PHI, they will be bound by the same privacy requirements.
Each of these third-party service providers has a contractual obligation to adhere to privacy and security rules equivalent to HIPAA standards. In other words, we ensure any company that might see or store PHI as part of their work for Dektori must agree to keep it confidential and secure. We do not allow our service providers to use your health information for their own purposes. They can only use your information to provide services to us and to you, and must safeguard it just as we do.
● Disclosures Required or Permitted by Law: We may disclose your PHI when required to do so by law, or when certain legal and public policy considerations permit us to do so without your authorization. For example:
● Legal Compliance: If we receive a court order, subpoena, or other valid legal process compelling the disclosure of your health information, we may be required to release your PHI to comply with that law or order. We will only disclose the minimum amount of information necessary and will, whenever lawful and feasible, inform you of such requests.
● Reporting Abuse or Threats: If a Dektori provider believes that a disclosure of PHI is necessary to prevent a serious threat to someone’s health or safety, or if we suspect abuse or neglect of a minor, elder, or vulnerable individual, we may report that information to the appropriate authorities as required by law. This could include sharing relevant PHI with public health or social service agencies authorized to receive such reports.
● Public Health Activities: We may disclose PHI to public health authorities for reasons such as controlling disease, reporting vital statistics (like births or deaths), or notifying a person who may have been exposed to a communicable disease if required by law. (As a platform focusing on educational consultations, these instances are uncommon, but we include them here to meet privacy standards.)
● Law Enforcement and Government Requests: If law enforcement officials or government agencies (for instance, as part of an investigation) legally require PHI, we may disclose the requested information. Examples include identifying or locating a missing person or suspect, reporting a crime, or cooperating with national security or intelligence activities that are legally authorized.
In each case above, Dektori will make such disclosures only to the extent the law requires or allows and will abide by all applicable privacy protections. Wherever possible, we will inform you if your information has been disclosed under this section (for instance, if not prohibited by law, we would let you know that we provided information in response to a subpoena).
● Uses and Disclosures Requiring Your Authorization: Any other use or disclosure of your PHI not described in this Notice will be made only with your written authorization. This means that unless an activity is specifically listed above (or otherwise allowed by HIPAA’s privacy rules), we will ask for your permission before using or sharing your health information. For example, Dektori will not sell your PHI or use it for marketing purposes without your explicit authorization. If you give us authorization to use your information for a particular purpose not covered by this Notice, you may revoke that authorization at any time (by contacting us in writing), and we will honor that revocation going forward. Revoking authorization will not affect any uses or disclosures that we have already made with your permission.
In summary, Dektori uses your health information primarily to serve you – by facilitating consultations and related services – and for necessary operations like payment and quality improvement. We may also share information with trusted service partners who help run our platform, but always under strict privacy agreements. We do not use or disclose your PHI for anything outside of these purposes unless you tell us we can, or unless the law requires it. If you have any questions about whether your information might be used in a certain way, please contact us for clarification.
Dektori reserves the right to change or update this Notice of Privacy Practices at any time. We may revise the contents of this Notice as our services evolve or as privacy laws and standards change. If we make a significant change to our privacy practices, we will update this Notice and change the effective date at the top. Any changes to the Notice will apply to all PHI that we maintain, including information we created or received before the change, as allowed by law. Whenever we make an important change, the updated Notice will be posted on our website (and within our app, if applicable) in a place where you can easily find it. We will also provide a summary of material changes if required. We encourage you to review our Notice of Privacy Practices periodically to stay informed about how we protect your information.
You can always obtain the latest version of this Notice by visiting the Privacy section of the Dektori website or by contacting us and requesting a copy. Your continued use of Dektori’s services after a Notice update will signify your acceptance of the revised privacy practices.
If you have any questions, comments, or concerns about this Notice or Dektori’s privacy practices, please contact us. You may also contact us if you wish to exercise any of your privacy rights described above, or if you wish to file a privacy-related complaint.
How to Contact Dektori: The best way to reach us is by emailing our privacy team at info@dektori.com. You may also send correspondence to our mailing address (please refer to Dektori’s official website for the most current address information) or contact us through the secure messaging features in your Dektori account. When you contact us, please let us know it is regarding a privacy matter so we can direct your inquiry appropriately. We will respond as promptly as possible, generally within 30 days or sooner if required by law.
As noted above in "Your Rights," you also have the option to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) if you believe we have not handled your PHI properly. You can find information on how to submit a complaint to the OCR on their website (http://www.hhs.gov/ocr/privacy/hipaa/complaints) or ask us for assistance. We encourage you to contact us first so we have the opportunity to address your concerns and find a solution.
No Retaliation: We want to reiterate that Dektori will not retaliate against you for raising a privacy concern or filing a complaint. Your trust is our priority, and we appreciate the opportunity to improve our practices and resolve any issues in a fair manner.
Thank you for taking the time to review Dektori’s Privacy Policy and Notice of HIPAA Privacy Practices. Protecting your privacy is fundamental to our mission of providing accessible health information and telehealth services. We remain committed to safeguarding your health information and maintaining your trust.