Privacy Policy

Ucardia, Inc. (“Ucardia,” “we,” “us,” or “our”) is committed to safeguarding the privacy, security, and confidentiality of the information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you access or use our website, applications, telehealth capabilities, coaching services, connected-device integrations, and related digital platforms (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Services.

Scope of this Policy

This Privacy Policy applies to all information collected through the Services. Separate notices (e.g., a HIPAA Notice of Privacy Practices) may apply when information is handled on behalf of a healthcare provider or other covered entity. When acting as a Business Associate under HIPAA, Ucardia adheres to all applicable HIPAA privacy and security obligations.

This Policy does not apply to third-party websites or applications not controlled by Ucardia.

Eligibility

The Services are intended for individuals aged 18 or older. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, contact privacy@ucardia.com and we will promptly delete the information.

Information We Collect

Personal Information You Provide
This includes:
• name, email, phone number, mailing address, date of birth
• clinical, health, or wellness inputs
• messages, assessments, coaching content, behavioral logs
• payment and billing data
• photos or profile images voluntarily submitted

Ucardia does not conduct biometric identification or facial recognition on uploaded images.

Health and Wellness Information
With your authorization, we collect:
• physiologic data (e.g., heart rate, weight, steps, sleep, movement)
• data from connected devices or wearable integrations
• lifestyle patterns, trends, and coaching progress
• telehealth interaction details, where applicable
This information may be considered Protected Health Information (“PHI”) under HIPAA when Ucardia performs services for a covered entity or healthcare provider. When acting as a Business Associate, Ucardia uses and protects PHI as required by the HIPAA Privacy Rule, Security Rule, and applicable Business Associate Agreements (“BAAs”).

Automatically Collected Technical Data
Ucardia automatically collects:
• IP address, device identifiers, browser and OS details
• usage and interaction logs
• performance telemetry and diagnostic data
• crash logs and security event data
These logs support SOC 2 controls and system monitoring.

Cookies, Tags, and Tracking Technologies
We use cookies, pixels, analytics tags, and similar tools to support functionality, performance, and security.
Users may adjust browser settings to limit cookies. Some features may not function properly if cookies are disabled.

Information Received From Third Parties
We may receive information from:
• healthcare providers or clinical partners
• device manufacturers and API integrations
• analytics, fraud-prevention, or security vendors
• referral sources or enterprise customers

All third-party sources must comply with contractual obligations and applicable privacy laws.

How We Use Information

Core Operational Purposes
We use personal information to:
• provide coaching and wellness services
• support telehealth care when applicable
• personalize health insights and user experience
• verify identity and maintain system integrity
• process transactions and manage accounts
• provide customer support
• meet legal, regulatory, and compliance obligations

HIPAA and Protected Health Information
When information constitutes PHI and Ucardia is acting as a Business Associate:
• use and disclosure is limited to the scope permitted by the BAA
• PHI is never used for marketing without authorization
• PHI is not sold, shared, or used for AI training unless explicitly permitted by law and contract

AI and Machine Learning Use
Ucardia uses artificial intelligence (“AI”) and machine learning (“ML”) technologies to enhance personalization, insights, and Services performance. We may use information—including personal information and device data—to develop, test, and improve AI-enabled features.

We maintain strict safeguards:
• identifiable PHI is never used to train third-party AI models
• we apply de-identification, pseudonymization, or aggregation where appropriate
• vendors may not use information to build their own models
• automated decision-making with a material effect on care is disclosed as required by law

Research, Analytics, and Product Development
We use de-identified or aggregated data to:
• evaluate outcomes and program effectiveness
• improve product quality and performance
• support internal research and innovation

De-identified data is created according to HIPAA and industry best practices and cannot reasonably be used to identify individuals.

Communications
We may send:
• transactional communications
• administrative alerts
• educational or engagement content
• marketing communications (opt-out available)

How We Share Information

We do not sell personal information and do not share sensitive health data for cross-context behavioral advertising.
We may share information under the following circumstances:

With Healthcare Providers or Plans
When supporting treatment, care coordination, healthcare operations, or other activities permitted by HIPAA or applicable law.

With Authorized Service Providers
We engage vendors who support hosting, analytics, data storage, security, device integrations, payment processing, customer engagement, and telehealth infrastructure. Vendors must:
• comply with confidentiality, privacy, and security obligations
• support SOC 2 or equivalent security requirements
• use information solely as instructed by Ucardia

Legal, Compliance, and Regulatory Disclosures
We may disclose information where required to comply with law, court orders, subpoenas, regulatory demands, or to protect the rights, safety, or security of users or the public.

Corporate Transactions
In mergers, acquisitions, financings, or restructurings, information may be transferred consistent with confidentiality requirements and applicable law.

Data Security and Retention

Ucardia maintains administrative, technical, and physical safeguards aligned with:
• HIPAA Security Rule requirements
• SOC 2 Type II security and confidentiality principles
• NIST and industry best practices

Safeguards include encryption at rest and in transit, access controls, continuous monitoring, threat detection, audit trails, secure development practices, and regular assessments.

We retain information only as long as necessary to deliver the Services, comply with law, or support legitimate business needs. Upon account termination, Ucardia deletes personal information within thirty (30) days unless a longer retention period is required by law or contract.

De-identified data may be retained indefinitely.

Your Privacy Rights

Depending on your location, you may have rights to:
• access personal information
• correct inaccurate data
• delete information
• request portability of certain data
• restrict or object to certain uses
• withdraw consent where consent is the basis for processing
• opt out of marketing communications
• opt out of targeted advertising or certain profiling
• opt out of automated decision-making as required by law

Requests must be submitted to privacy@ucardia.com. Ucardia will verify your identity before fulfilling requests.

State-Specific Rights

Ucardia complies with all applicable state consumer privacy laws, including:
• California Consumer Privacy Act (CCPA/CPRA)
• Colorado Privacy Act (CPA)
• Virginia Consumer Data Protection Act (VCDPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Oregon Consumer Privacy Act (OCPA)
• Texas Data Privacy and Security Act (TDPSA)

Residents of these states have rights to access, correct, delete, and receive information about our practices, as well as to opt out of:
• sale of personal data (Ucardia does not sell data),
• targeted advertising (not used for health data), and
• profiling with significant effects.

Where required, we make available an appeals process for denied requests.

International Privacy Rights

If you are located in the EU/EEA, UK, or other GDPR-aligned jurisdictions, you may have additional rights including:
• right to erasure
• right to restrict processing
• right to object
• right to data portability
• right to lodge a complaint with a supervisory authority

When Ucardia acts as a processor for a healthcare provider, the provider is responsible for directing how data rights requests are fulfilled.

Cookies, Tracking, and Do Not Track

You may control cookies through browser settings. Ucardia does not respond to Do Not Track signals because there is no industry standard for interpreting them.

Opt-Out Mechanisms

You may opt out of:

• marketing emails (via unsubscribe link or email request)
• device data sharing (via app or device settings)
• certain AI-related processing where required by law
• cookies (via browser settings)

Changes to This Privacy Policy

We may update this Policy periodically. Material changes will be communicated through the Services or via email, as required by law. Updated policies become effective when posted.

Contact Us

Email
legal@ucardia.com
privacy@ucardia.com

Mailing Address
Ucardia, Inc.
1910 Pacific Ave
Suite 2000 – 1741
Dallas, TX 75201

Last Updated: December 2025