Privacy Policy
1. Introduction and Scope
1.1 Scope. This Privacy Policy explains how The Arlo Healthcare Company (“Arlo,” “we,” “us,” or “our”) collects, uses, and discloses information in connection with the Arlo website and related technology, including functionality you access through your connected AI assistant or application (the “Services”).
1.2 What this policy does not cover. It does not govern the clinical record created in treating you by a licensed healthcare professional (a “Provider”) engaged by the independent medical group responsible for your care, currently NVP Medical Group CA, P.C. (the “Medical Group”). That record is maintained by the Medical Group and is governed by the Medical Group's separate notice of privacy practices, not by this policy.
2. How We Handle Two Kinds of Information
2.1 Platform information we control. Account and identity information, payment information, device and usage information, communications with us, and your communication preferences. We act as the controller of this information, and this policy governs it.
2.2 Health information the Medical Group controls. The health information you provide, any summary your connected AI assistant transmits at your direction, records retrieved at your direction, and the clinical record a Provider creates. This information is collected to facilitate the care you request; Arlo handles it on the Medical Group's behalf as its contractor, and it forms part of the clinical record the Medical Group maintains, which is governed by the Medical Group's notice of privacy practices.
3. Information We Collect
3.1 Information you provide (platform). Account and identity information such as name, email address, physical address, phone number, date of birth, and sex assigned at birth; and payment information.
3.2 Health information you provide; connected-agent summary. Health information you choose to provide to obtain a consultation, your responses to Arlo's automated intake questions, and any summary your connected AI assistant transmits at your direction, is collected to facilitate the care you request. It is made available to the Medical Group and the Provider treating you and forms part of the clinical record the Medical Group maintains. Your connected AI assistant is your own third-party service, governed by your agreement with its provider, not by this policy.
3.3 Records retrieved at your direction. If you use the records-retrieval feature, an independent third-party service retrieves your existing medical records and related health information (which may include information held by your healthcare providers, health plans, and health information networks, such as claims or insurance information) at your direction so they can be made available to your Provider and incorporated into the clinical record. That service is governed by its own terms and privacy practices.
3.4 Information collected automatically (platform). When you use the Services we automatically collect device and usage information such as IP address, browser type, and log data, using cookies and similar technologies as described in Section 9.
4. How We Use Information
4.1 Purposes of use. We use platform information to operate the Services, process payments, communicate with you, provide support, maintain security, improve the Services, and comply with law. We use health information only to facilitate the care you request, on the Medical Group's behalf.
4.2 Automated intake and routing. Arlo uses an automated system to help you begin a consultation. It gathers the information you provide, asks follow-up questions, screens for indications that you should seek emergency care, and prepares a preliminary, non-diagnostic summary to help you decide whether to proceed and to orient the Provider. This is administrative intake and routing, not medical advice, diagnosis, or treatment; all clinical decisions are made by the Provider. Arlo performs this automated intake using a third-party AI service that processes your information only to provide the intake in real time; that third-party service does not retain your information after processing it and does not use it to train its models. The conversational assistant you use to interact with Arlo is your own connected AI assistant, governed by your agreement with its provider.
4.3 No sale; no targeted advertising. We do not sell your personal information, and we do not use it for cross-context behavioral or interest-based advertising.
4.4 De-identified and aggregated information. We may create and use de-identified or aggregated information (which does not include your health information), such as age ranges and gender, to understand who uses the Services, to improve them, and to develop and improve our models and tools. We do not use this information for advertising, we do not sell it or share it with third parties for their own purposes, and we do not attempt to re-identify it.
5. How We Disclose Information
5.1 To the Medical Group and Providers. To facilitate the care you request, we make the necessary information available to the Medical Group and the Provider treating you.
5.2 To service providers. We share information with vendors that perform services on our behalf under contract, such as our payment processor, the records-retrieval service, a prescription-routing service that transmits a prescription to the pharmacy you choose, a third-party AI service that performs the automated intake, and hosting and IT providers, limited to what they need to perform those services.
5.3 For legal reasons; business transfers. We may disclose information to comply with law or legal process, to protect rights and safety, and in connection with a merger, acquisition, or sale of assets.
5.4 No third-party marketing. We do not disclose your information to third parties for their own marketing, and we do not permit our service providers to use it for any purpose other than providing services to us.
6. The Clinical Record and the Medical Group
6.1 The clinical record a Provider creates is the property of the Medical Group, which is responsible for it. We handle health information, including the information you provide and records retrieved at your direction, only as the Medical Group's contractor, to facilitate the care you request. The Medical Group's notice of privacy practices, presented to you separately, describes how that record is used and disclosed.
7. Medical Information Under California Law
7.1 We treat medical information as confidential. We do not use or disclose medical information for marketing without authorization, and we handle it in accordance with the California Confidentiality of Medical Information Act and other applicable California law.
8. HIPAA
8.1 Arlo is not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). This policy describes how Arlo handles the information it collects. The clinical record created by your Provider is maintained by the Medical Group under its own notice of privacy practices.
9. Cookies and Similar Technologies
9.1 Cookies. We use cookies and similar technologies, including third-party analytics and attribution tools, to operate the Services, understand how they are used, and measure how visitors find our site. We do not use these technologies for interest-based or cross-context behavioral advertising. No health information is collected on our website; the information you provide to obtain care is handled as described in this policy and is not shared with these analytics or advertising tools. Where required, we will provide a cookie banner allowing you to manage non-essential cookies.
9.2 Do Not Track and opt-out preference signals. Some browsers offer a "Do Not Track" (DNT) signal. Because there is no common industry standard for interpreting DNT signals, we do not currently respond to them. We do not sell or share your personal information, so there is nothing for a global opt-out preference signal to apply to.
10. Your Privacy Choices and Rights
10.1 Your rights. Depending on applicable law, you may have rights to access, correct, or delete your personal information, to limit the use of sensitive personal information, and to opt out of the sale or sharing of personal information (we do not sell or share). To exercise a right, contact us using Section 15. We will not discriminate against you for exercising your rights.
10.2 Sensitive information. Some information we handle (such as health information and sex assigned at birth) may be considered sensitive. We use such information only to provide the Services and the care you request and as otherwise permitted by law.
11. Data Retention
11.1 We retain information for as long as needed to provide the Services and for the purposes described in this policy, and as required by law, after which we delete or de-identify it. The Medical Group separately retains the clinical record in accordance with its own legal obligations.
12. Security and Breach Notification
12.1 We maintain reasonable administrative, technical, and physical safeguards designed to protect information. No system is perfectly secure. If a breach affecting your information occurs, we will provide notifications as required by applicable law.
13. Children
13.1 Accounts and children. Account holders must be at least 18 years old. A parent or legal guardian may use the Services to obtain care for a minor child in their care and provides the child's information for that purpose. Children may not create accounts or use the Services on their own.
13.2 Children under 13. If you use the Services to obtain care for a child under 13, we collect personal information about the child. We do so only after you, as the child's parent or legal guardian, provide verifiable consent, and you may refuse to permit further collection or use of the child's information at any time. If you refuse, we may be unable to provide the Services for the child.
13.3 Information we collect about a child. The information we collect about a child may include the child's name, date of birth, sex assigned at birth, the health information you provide for the consultation, and the device and usage information described in Section 3. The clinical record a Provider creates in treating the child is maintained by the Medical Group under its notice of privacy practices, as described in Sections 1 and 6.
13.4 How we use a child's information. We use a child's information only to provide the care you request, on the Medical Group's behalf, and to operate, secure, and support the Services. We do not use a child's information for advertising, and we do not sell or share it.
13.5 Parental rights. As the parent or legal guardian, you may review the personal information we have collected about your child, request that we delete it, and refuse to permit its further collection or use. To do so, contact us at help@arlohealth.ai.
13.6 Retention. We collect only the information reasonably necessary to provide the Services and retain a child's information only as long as needed for that purpose and as required by law.
14. SMS/Text Messaging
14.1 Transactional text messages. If you provide your mobile phone number, Arlo Health will send you text messages for account verification and updates about your care. Message frequency varies. Message and data rates may apply. You can opt out at any time by replying STOP to any message, and get help by replying HELP or contacting support@arlohealth.ai.
14.2 No third-party sharing of SMS consent. Mobile phone numbers and SMS opt-in consent are not shared with or sold to third parties or affiliates for marketing or promotional purposes.
15. Changes; Contact
15.1 Changes to this policy. We may update this policy from time to time. If we make material changes, we will provide reasonable notice, for example by posting the updated policy and updating the “Last Updated” date. The updated policy describes our practices from its effective date forward.
15.2 Contact. If you have questions about this policy or our privacy practices, contact us at help@arlohealth.ai.