Privacy Policy
How Pinotage Health handles the information you share with us, on this site and across our platform.
Last updated June 11, 2026
Pinotage Health Corporation ("Pinotage Health", "we", "us") builds AI-powered ambient documentation and clinician-approved coding, compliance, and billing for healthcare organizations. We take the privacy of patients and clinicians seriously. This policy explains, in plain language, what information we collect through this website and our services, why we collect it, how we protect it, and the choices you have.
Two roles matter throughout this policy. For information you submit on this website, we decide how it is used. For protected health information (PHI) processed through our platform, the healthcare provider you see is the covered entity that controls the data: we act as their business associate under a Business Associate Agreement (BAA) and process PHI only on their instructions.
Information we collect
From website visitors. On this website, we collect only what you choose to send us, for example the name, work email, organization, and message you submit when you request a demo or contact us.
From platform users. Our platform processes information on behalf of healthcare providers strictly under the terms of a BAA. Depending on how a provider uses the platform, this can include consultation audio, clinical notes, suggested medical codes, billing information, and the account details of the clinicians and staff the provider authorizes. This is PHI, and the sections below describe how we handle it.
How we use information
We use website information to respond to your enquiry, schedule demonstrations, and improve our services. We do not sell personal information (from this website or from the platform), and we do not use it for advertising. Platform data is used solely to deliver the contracted service to the covered entity that controls it.
How PHI is handled
PHI is processed under a Business Associate Agreement with each covered entity we serve. We apply administrative, physical, and technical safeguards to protect its confidentiality, integrity, and availability. In practice, that includes:
- US data residency under a BAA. PHI is processed only in Google Cloud under Google's Business Associate Agreement, in US regions.
- Encryption. Data is encrypted in transit and at rest.
- Tenant isolation. Each organization's data is isolated, and access controls are enforced on every PHI operation so one organization can never reach another's records.
- Log redaction. PHI and credential fields are redacted from our logs before they are written.
- Signed-URL audio. Consultation audio moves through short-lived signed links rather than passing through our application servers.
We are HIPAA compliant, attested via Scytale. For a fuller account of our controls and our compliance roadmap, see our security page.
How AI processing works
Our ambient AI listens to a consultation (with the provider's and patient's knowledge), drafts the clinical note, and suggests medical codes. All AI processing of PHI happens inside our Google Cloud environment under the same BAA and US data residency described above: every model call runs through Vertex AI under that same agreement, so no third-party model vendor receives patient data. A clinician reviews and approves every note before it enters the record, and suggested codes are decision-support a clinician signs off on, never an automatic bill.
Sharing & subprocessors
We never sell personal information or PHI, and we do not share it with third parties for their own purposes. We share information only with the service providers we need to operate the platform, under contracts that bind them to appropriate protections (including BAAs where PHI is involved):
- Google Cloud: our hosting and infrastructure provider, operating under a Business Associate Agreement with US data residency.
- Redox: our integration partner for connecting to electronic health record systems over HL7 FHIR R4, used when a provider enables an EHR integration.
- Scytale: our compliance attestation platform, used to monitor and attest our HIPAA compliance.
We may also disclose information where the law requires it, and we will notify the affected covered entity where we are permitted to do so.
Retention & deletion
We retain information only as long as needed to provide the service and to meet legal obligations. For website enquiries, that means keeping your message while we handle it and for our ordinary business records. For PHI, retention follows the covered entity's instructions and the terms of our BAA. Healthcare providers are subject to medical-records retention laws, and we retain or return data accordingly. When a contract ends, we return or destroy PHI as the BAA requires, except where law obliges us to keep it.
You may ask us to delete the personal information you submitted through this website, and we will honor the request subject to any legal obligation to retain it.
Your rights & contact
You may ask us to access, correct, or delete the personal information you have submitted through this website. Where PHI is concerned, HIPAA rights (such as access to and amendment of your medical record) are exercised with the healthcare provider that acts as the covered entity, and we assist that provider as their business associate. If you contact us about your medical record, we will direct you to your provider and support them in responding.
Questions about this policy or your information can be sent to support@pinotagehealth.com or by post to 5900 Balcones Drive STE 100, Austin, Texas 78731.
Changes to this policy
We may update this policy as our services, legal obligations, or practices change. When we do, we will revise the date at the top of this page, and material changes will be reflected here before they take effect. The current version is always available at this address.
See also: Terms of Use.