Privacy Policy

Last updated: February 15, 2026

AmyloidOps (“we,” “us,” or “our”) is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform, a clinic operating system for anti-amyloid immunotherapy program management (the “Service”).

1. Information We Collect

1.1 Account Information

When your organization creates accounts for authorized users, we collect names, email addresses, professional roles, and organizational affiliations. Account creation is managed by authorized administrators at your healthcare organization.

1.2 Protected Health Information (PHI)

In the course of providing the Service, we may process Protected Health Information as defined under HIPAA on behalf of your healthcare organization. PHI is entered and managed by authorized clinical users and may include patient demographics, therapy plans, infusion schedules, MRI reports, lab results, and clinical assessments. We process PHI solely as a Business Associate under a signed Business Associate Agreement (BAA) with your covered entity.

1.3 Usage Data

We automatically collect technical information including IP addresses, browser type, device information, pages viewed, and timestamps. This data is used for security monitoring, performance optimization, and audit trail maintenance.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service
  • Process and manage patient therapy workflows, infusion scheduling, and safety clearances on behalf of your organization
  • Generate compliance reports and audit trails
  • Send system notifications, including task alerts, clearance reminders, and MRI review notifications
  • Monitor system security and detect unauthorized access
  • Comply with legal obligations, including HIPAA requirements
  • Improve and optimize the Service

3. How We Share Your Information

We do not sell, rent, or trade personal information or PHI. We may share information in the following limited circumstances:

  • Within your organization: Authorized users at your healthcare organization can access data based on their assigned roles and permissions.
  • Service providers: We use trusted third-party service providers (e.g., cloud hosting, email delivery) who are bound by contractual obligations to protect data and, where applicable, are parties to BAAs.
  • Legal requirements: We may disclose information when required by law, subpoena, court order, or government request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction, subject to the same privacy protections.

4. Data Security

We implement administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your data:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Role-based access controls (RBAC) with site-level isolation
  • Complete audit logging of all data access and modifications
  • Regular security assessments and vulnerability scanning
  • Multi-tenant architecture with logical data separation

5. Data Retention

We retain data for the duration of your organization’s service agreement. PHI is retained in accordance with applicable healthcare record retention requirements and your organization’s policies. Upon termination of the service agreement, we will return or securely destroy PHI in accordance with the terms of the BAA and applicable law. Audit logs are retained for a minimum of six (6) years as required for HIPAA compliance.

6. HIPAA Compliance

AmyloidOps operates as a Business Associate under HIPAA. We enter into Business Associate Agreements with all covered entity customers. Our HIPAA compliance program includes:

  • Administrative, physical, and technical safeguards as required by the HIPAA Security Rule
  • Breach notification procedures in accordance with the HIPAA Breach Notification Rule
  • Minimum necessary standard for all PHI access and disclosures
  • Workforce training and access management
  • Regular risk assessments and compliance audits

For details on our compliance program, see our Compliance page.

7. Your Rights

Individual patient rights regarding PHI (access, amendment, accounting of disclosures) are managed through your healthcare organization as the covered entity. If you are an authorized user of the Service, you may:

  • Access and update your account information
  • Request data export for records you are authorized to view
  • Contact your organization’s administrator to modify or deactivate your account

8. Cookies and Tracking

We use essential cookies required for authentication, session management, and security. We do not use advertising cookies or third-party tracking technologies. Session cookies expire upon logout or after a period of inactivity.

9. Children’s Privacy

The Service is designed for use by authorized healthcare professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to organizational administrators via email or in-app notification. Continued use of the Service after such changes constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

AmyloidOps Privacy Team
Email: privacy@amyloidops.com