Legal
Effective date: March 1, 2026 · Last updated: March 2, 2026
Sanolume (“Sanolume,” “we,” “our,” or “us”) is a healthcare technology company that builds digital tools for nurses, physicians, and healthcare organizations. This Privacy Policy describes how we collect, use, store, share, and protect information when you:
Together, the Website, App, and E-Signature Service are referred to as the “Services.” This Policy applies to all users of our Services, including healthcare professionals, organization administrators, signers of electronic documents, and website visitors.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Policy, please do not use our Services.
Important: To the extent that we process Protected Health Information (“PHI”) as defined under the Health Insurance Portability and Accountability Act (“HIPAA”), such processing is governed by our Business Associate Agreement with your organization, which takes precedence over this Privacy Policy in the event of a conflict. See Section 6 for details.
We collect information in several categories depending on how you interact with our Services.
When you create a Sanolume account, we collect:
When you use the App in a clinical capacity, you may input data that constitutes PHI, including:
Important: You are responsible for the accuracy and appropriateness of all clinical data you enter. Sanolume does not independently verify clinical information. See our Terms of Service for healthcare disclaimers.
When you send or sign documents through Sanolume Sign, we collect:
If you register or manage an organization account, we collect:
When you contact us through our Website or email, we collect:
When you use our Services, we may automatically collect:
What we do not collect: We do not use invasive analytics services (such as Google Analytics, Firebase Analytics, Mixpanel, or Amplitude), crash reporting services (such as Sentry or Crashlytics), or advertising trackers. We do not build behavioral profiles of our users. We do not collect location data, contacts, photos, or other device data beyond what is described above. Our Website uses Umami, a privacy-focused, cookie-free analytics tool that collects only anonymous, aggregated pageview data (see Section 12).
For regulatory compliance and data integrity, we automatically generate and retain:
We collect information that you voluntarily provide when you create an account, enter clinical data, submit a contact form, sign documents, or communicate with us.
We collect certain technical information automatically when you use our Services, including IP addresses, session data, and web server logs. This collection is limited to what is necessary for security, performance, and service delivery. We do not deploy tracking pixels, advertising cookies, or behavioral analytics. On our Website, we use Umami, a privacy-focused analytics tool, to collect anonymous, aggregated usage data such as page paths, referrer URLs, browser type, device type, and country. Umami does not use cookies, does not collect personal data, and cannot identify individual visitors. Visitor counts are derived from a non-reversible hash that rotates daily.
We may receive information from third parties in limited circumstances:
We do not purchase, rent, or otherwise obtain Personal Information from data brokers or marketing lists.
We use the information we collect for the following purposes:
We do not send marketing emails, promotional materials, or newsletters. All communications are transactional or service-related.
We do not use your Personal Information or PHI for advertising, profiling, automated decision-making, or sale to third parties. We do not use PHI for any purpose other than the services specified in our Business Associate Agreement.
Sanolume acts as a Business Associate under HIPAA when we process PHI on behalf of healthcare organizations (Covered Entities). In this capacity, we are bound by the requirements of the HIPAA Privacy Rule (45 C.F.R. Part 164, Subparts A and E) and the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C), as made applicable to Business Associates by the HITECH Act (42 U.S.C. §§ 17931–17940).
Before we process PHI for any Covered Entity, we execute a Business Associate Agreement (BAA) that specifies the permitted uses and disclosures of PHI, our security obligations, breach notification procedures, and the rights and responsibilities of each party. The BAA governs our handling of PHI and takes precedence over this Privacy Policy in the event of any conflict.
In the event of a breach of unsecured PHI, we will:
We have executed a Business Associate Agreement with Amazon Web Services (AWS) via AWS Artifact. This BAA covers all HIPAA-eligible AWS services that we use, including but not limited to Amazon DynamoDB, Amazon S3, AWS Lambda, Amazon API Gateway, Amazon Cognito, Amazon SES, AWS KMS, Amazon CloudWatch, and AWS CloudTrail.
We process your information on the following legal bases:
We do not sell, rent, lease, or trade your Personal Information or PHI. We share information only in the following limited circumstances:
If you use Sanolume as part of an organization (employer, agency, or practice), your organization’s administrator may have access to your account information, subscription status, and — depending on the organization’s data-sharing model — clinical data that you create within the organization’s context.
We use trusted third-party service providers to help operate our Services. These providers are contractually obligated to protect your data, use it only for the purposes we specify, and comply with applicable data protection laws. See Section 9 for a complete list.
When you send a document for electronic signature, the signer will receive the document name and your name and email address. The signed document may be delivered to you and to any other designated completion recipients.
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including:
Where permitted by law, we will attempt to notify you before disclosing your information in response to a legal request.
If Sanolume is involved in a merger, acquisition, reorganization, asset sale, or bankruptcy proceeding, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Website before your information becomes subject to a different privacy policy.
We may share your information with third parties when you have given us explicit consent to do so.
The following third-party service providers process data on our behalf. Each operates under contractual obligations to protect your data.
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, database, authentication, email delivery, encryption, logging | All categories (account data, PHI, documents, audit logs) | United States (us-east-1) |
| Stripe, Inc. | Payment processing for organization subscriptions | Billing contact info, payment method (handled by Stripe — we never receive or store card numbers), transaction amounts | United States |
| Google LLC (Firebase Cloud Messaging) | Push notification delivery to mobile devices | Device tokens only — no PHI, no user identity, no message content | United States |
| Google LLC (Google Play) | Individual subscription billing (Android) | Purchase tokens, subscription status | United States |
| Apple Inc. (App Store) | Individual subscription billing (iOS) | Receipt identifiers, subscription status | United States |
| Umami Software, Inc. | Privacy-focused, cookie-free website analytics | Anonymous pageview data only — no personal data, no IP addresses stored, no cookies | United States |
We maintain an up-to-date list of sub-processors, and we will notify customers of any changes to this list before engaging a new sub-processor. We do not use any advertising or cross-site tracking services. Our only analytics sub-processor is Umami, a privacy-focused tool that collects anonymous, aggregated pageview data without cookies or personal information.
We implement comprehensive administrative, technical, and physical security measures to protect your information. While no system can guarantee absolute security, we employ industry-leading practices, including:
We retain your information only for as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:
| Data Category | Retention Period | Basis |
|---|---|---|
| Audit logs | 6 years from creation | HIPAA § 164.530(j) (6-year documentation requirement) |
| Infrastructure logs (CloudTrail, CloudWatch) | 7 years | Compliance and forensic investigation |
| Patient & clinical data | User-managed; retained until user deletes | User controls data lifecycle; soft-deleted records preserved for audit integrity |
| E-signature requests | Configurable per request (default: 30 days for unsigned requests) | Business purpose; signed documents retained per organization policy |
| Account data | Duration of account plus 30 days after deletion request | Account management and fraud prevention |
| Payment records | 7 years after transaction | Tax and financial reporting obligations |
| Contact form submissions | 2 years | Business relationship management |
| Device tokens (FCM) | Automatic expiration via TTL | Service delivery; stale tokens expire automatically |
Deletion requests: You may request deletion of your Personal Information at any time by contacting us (see Section 21). We will process your request within thirty (30) days, subject to our legal retention obligations. Note that certain data (such as audit log entries that reference your actions) may be retained in anonymized or pseudonymized form as required by HIPAA.
Organization data: If you are part of an organization, your administrator controls the retention of clinical data created within the organization. Contact your administrator for organization-specific retention policies.
Our Website does not use cookies for analytics, advertising, or behavioral tracking.
Our Website uses Umami, a privacy-focused analytics tool, to understand general usage patterns (e.g., which pages are visited and how often). Umami:
Our Website may also use the following strictly necessary technologies:
We do not use:
Our Services are designed for use by licensed healthcare professionals and are not directed to individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If you are a parent or guardian and believe that your child has provided us with Personal Information, please contact us immediately at privacy@sanolume.com. Upon verification, we will promptly delete such information from our systems.
Note: Patient records entered by healthcare professionals may include information about minor patients. Such information constitutes PHI and is governed by HIPAA, not the Children’s Online Privacy Protection Act (COPPA), as it is entered by the healthcare professional — not by the minor.
Our Services and infrastructure are hosted in the United States. If you access our Services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using our Services, you consent to this transfer.
For users subject to the GDPR or other international data protection laws, we will ensure that appropriate safeguards are in place for any transfer of Personal Information outside the European Economic Area (EEA), United Kingdom, or Switzerland, including Standard Contractual Clauses (SCCs) approved by the European Commission where required.
Depending on your jurisdiction, you may have the following rights regarding your Personal Information:
To exercise any of these rights, please contact us at privacy@sanolume.com. We will respond to your request within thirty (30) days (or sooner as required by applicable law). We may need to verify your identity before processing your request.
PHI access requests: If your request pertains to PHI, it may be subject to the HIPAA access provisions (45 C.F.R. § 164.524). Please contact your healthcare organization (the Covered Entity) directly, as they control access to PHI. We will assist the Covered Entity in fulfilling your request.
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), provides you with additional rights regarding your Personal Information.
In the preceding twelve (12) months, we have collected the following categories of Personal Information as defined by the CCPA:
Note: PHI that is collected and maintained in compliance with HIPAA is exempt from the CCPA (Cal. Civ. Code § 1798.145(c)(1)(A)).
You may submit a verifiable consumer request by emailing privacy@sanolume.com or by using our contact form. You may also designate an authorized agent to submit requests on your behalf, provided the agent submits proof of authorization. We will respond within forty-five (45) days, with the possibility of a forty-five (45) day extension if necessary, with notice to you.
We disclose Personal Information to our service providers (listed in Section 9) solely for business purposes. We do not disclose Personal Information in exchange for monetary or other valuable consideration.
We do not offer any financial incentives or price differences in exchange for the collection, retention, or sale of Personal Information.
Several other U.S. states have enacted comprehensive privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others. If you are a resident of one of these states, you may have similar rights to those described in Sections 15 and 16, including the right to access, correct, delete, and obtain a portable copy of your data, and in some states, the right to opt out of targeted advertising, profiling, and sale of personal data.
We do not engage in targeted advertising, profiling for decisions that produce legal or similarly significant effects, or sale of personal data. To exercise your rights under any applicable state privacy law, please contact us at privacy@sanolume.com. If we deny your request, you may have the right to appeal our decision, and we will provide instructions for doing so.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local legislation provide you with additional rights regarding your personal data.
Legal bases: See Section 7 for the legal bases under which we process your personal data.
Some web browsers transmit “Do Not Track” (DNT) signals. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to them. However, as described in Section 12, we do not engage in cross-site tracking or behavioral profiling, and our only analytics tool (Umami) is cookie-free and collects no personal data, so our data practices are consistent with the intent of DNT signals regardless.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Policy, you must stop using our Services and may request deletion of your data.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all privacy-related inquiries within thirty (30) days. For requests related to HIPAA or PHI, please also contact your healthcare organization’s privacy officer.