Privacy Policy

Effective Date: February 25, 2026
Last Revised: February 25, 2026
Company: Echo Health Solutions, Inc. ("Echo Health Solutions," "we," "our," or "us")


Echo Health Solutions is committed to the responsible stewardship of personal information and Protected Health Information ("PHI") in our care. This Privacy Policy describes how we collect, use, disclose, retain, and protect information through our AI-powered practice management platform, including online and voice-based scheduling, inbound and outbound voice communications, two-way SMS/text messaging, paperless digital forms, prior authorization automation, and browser-based automation for data transfer (collectively, the "Services").

This Policy applies to healthcare providers, clinic staff, and authorized administrative users (collectively, "Providers") as well as patients and other individuals whose information is processed through the Services ("Patients"). It should be read together with any applicable Business Associate Agreement ("BAA") and our Terms of Service.

Note to Patients: If you are a patient whose information is managed by one of our Provider clients, your Provider is the primary entity responsible for your health information under HIPAA. Please contact your Provider directly for questions about how your PHI is handled within their practice.


1. Definitions

For purposes of this Privacy Policy:

  • "Personal Information" means any information that identifies or could reasonably be used to identify a natural person, including name, phone number, email address, date of birth, and IP address.
  • "Protected Health Information (PHI)" has the meaning set forth under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, "HIPAA"), and refers to individually identifiable health information created, received, or transmitted by or on behalf of a covered entity or business associate.
  • "Business Associate Agreement (BAA)" means a written contract between Echo Health Solutions and a covered entity (typically, a Provider) as required by HIPAA, governing our processing of PHI on the covered entity's behalf.
  • "Sensitive Personal Information" means a subset of Personal Information that warrants heightened protection, including but not limited to health and medical data, precise geolocation, and biometric identifiers.

2. Information We Collect

We collect information in the following categories, depending on how you interact with our Services:

2.1 Information Provided Directly

  • Provider Account Information: Names, titles, practice name, email addresses, phone numbers, National Provider Identifier (NPI) numbers, and billing information for onboarding and account management.
  • Patient-Submitted Information: Names, dates of birth, phone numbers, email addresses, insurance information, and any information submitted through paperless forms or scheduling workflows.
  • PHI: Appointment details, medical history, diagnosis codes, treatment information, insurance authorization records, and other health information submitted by Providers or Patients through our platform.

2.2 Automated Communications Data

  • Voice Recordings and Call Transcripts: We record and transcribe inbound and outbound phone calls facilitated through our platform, including scheduling calls and automated outreach. Where required by applicable law, parties are notified of recording prior to or at the beginning of a call.
  • SMS/Text Messaging Data: Content of two-way text messages exchanged through our platform, message delivery status, and opt-in/opt-out records.
  • Form Submission Data: Responses to digital intake forms, consent forms, and prior authorization questionnaires.

2.3 Automatically Collected Technical Data

  • Device and Browser Information: Browser type and version, operating system, device identifiers, and screen resolution.
  • Usage Data: Pages visited, features used, session duration, click paths, error logs, and interaction timestamps.
  • Network Data: IP addresses, network identifiers, and approximate location derived from IP address.
  • Cookies and Tracking Technologies: Please see Section 11 (Cookies and Tracking Technologies) for details.

We do not collect data beyond what is reasonably necessary for the purposes described in this Policy.


3. How We Use Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Services

  • Enabling online, voice, and text-based appointment scheduling and reminders
  • Facilitating two-way patient-provider communications
  • Processing and submitting prior authorization requests on behalf of Providers
  • Populating and transmitting paperless forms and intake documentation
  • Providing browser-based automation for data entry and transfer workflows

3.2 AI and Automated Processing

  • Improving the accuracy, performance, and safety of our AI scheduling, transcription, and automation models
  • Generating analytics dashboards and operational insights for Providers
  • Detecting and preventing errors, fraud, and misuse of the platform

Important: Where voice recordings, call transcripts, or form data are used to train or improve AI models, such data is de-identified or aggregated in accordance with HIPAA's de-identification standards (45 C.F.R. § 164.514) prior to use for model training, unless the applicable BAA expressly authorizes otherwise. Providers may request restrictions on this use by contacting our Privacy Officer (see Section 14).

3.3 Compliance and Legal Obligations

  • Maintaining records required by HIPAA and other applicable laws
  • Responding to lawful government requests, court orders, or legal process
  • Enforcing our Terms of Service and protecting the rights of Echo Health Solutions and our users

3.4 Communications with Providers

  • Sending transactional and operational communications, such as service updates, security notices, and support responses
  • Where separately consented to, sending product announcements or educational content

We do not sell Personal Information or PHI. We do not use Personal Information or PHI for cross-context behavioral advertising.


4. HIPAA Compliance and Business Associate Obligations

Echo Health Solutions functions as a Business Associate under HIPAA with respect to the PHI we process on behalf of Provider clients who are Covered Entities. Our obligations include:

  • Entering into a BAA with each applicable Provider prior to processing PHI
  • Using and disclosing PHI only as permitted by the applicable BAA and HIPAA
  • Implementing required administrative, physical, and technical safeguards under the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C)
  • Notifying the applicable covered entity of any Breach of Unsecured PHI in accordance with the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D), within the timeframes set forth in the applicable BAA (not to exceed 60 calendar days of discovery)
  • Making our practices available to the Secretary of the U.S. Department of Health and Human Services as required

If you are a Patient and believe your PHI rights under HIPAA have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr.


5. Voice, SMS, and Automated Communications: Consent and Compliance

5.1 TCPA and Federal Communications Act Compliance

Our platform facilitates outbound voice calls and SMS messages on behalf of Providers. By enabling automated calling or texting features within our platform, Providers represent and warrant that they have obtained all legally required prior express written consent from Patients (or their authorized representatives) as required by the Telephone Consumer Protection Act ("TCPA"), 47 U.S.C. § 227, and any applicable Federal Communications Commission regulations, prior to initiating such communications.

5.2 Call Recording Disclosure

Calls conducted through our platform may be recorded and transcribed for quality assurance, scheduling confirmation, and service improvement purposes. Where required under applicable federal or state wiretapping or call recording laws (including two-party or all-party consent states), our system delivers a recording disclosure notification at the outset of each call. Providers are responsible for ensuring their use of our voice features complies with applicable state law in their jurisdiction.

5.3 SMS Opt-Out

Recipients of SMS communications facilitated through our platform may opt out at any time by replying STOP to any text message. Upon receipt of a STOP message, no further SMS communications will be sent to that number through our platform, except as required by law. Recipients may reply HELP for assistance or contact us directly using the information in Section 14.

Your mobile information will not be sold or shared with third parties for promotional or marketing purposes.


6. Data Sharing and Third-Party Disclosures

We may share information as follows:

6.1 Service Providers (Sub-processors)

We engage third-party vendors to assist in delivering our Services, including:

  • Cloud hosting and infrastructure providers (e.g., encrypted data storage and compute services)
  • Telephony and SMS providers for voice and text communications
  • AI and natural language processing vendors for transcription and automation capabilities
  • Prior authorization and clearinghouse services
  • Analytics and monitoring platforms

All such vendors are contractually required to: (a) process information only for the purposes for which they are engaged; (b) implement appropriate technical and organizational safeguards; and (c) where applicable, execute a BAA prior to accessing PHI. We do not authorize service providers to use user data for their own marketing or promotional purposes.

6.2 Covered Entity Clients (Providers)

PHI and related Patient information is shared with and managed by the applicable Provider on whose behalf it was collected. Providers are independently responsible for their own HIPAA compliance obligations as Covered Entities.

6.3 Legal and Regulatory Disclosures

We may disclose information where required or permitted by law, including: (a) in response to a valid subpoena, court order, or governmental inquiry; (b) to comply with applicable law or regulation; (c) to protect the vital interests of an individual; or (d) to establish, exercise, or defend legal claims.

6.4 Business Transfers

In the event of a merger, acquisition, asset sale, or similar transaction, information held by Echo Health Solutions may be transferred to the successor entity. We will notify affected users prior to such a transfer taking effect, to the extent practicable and legally permissible, and will require the successor to honor the commitments in this Policy.

6.5 No Sale or Sharing for Advertising

We do not sell Personal Information or PHI to third parties, and we do not share Personal Information or PHI with third parties for cross-context behavioral advertising purposes.


7. Individual Rights

7.1 Provider and Authorized User Rights

Providers and authorized staff with platform accounts may, subject to applicable law and verification of identity:

  • Access: Review the Personal Information associated with their account
  • Correction: Update or correct inaccurate account information
  • Deletion: Request deletion of their account and associated data, subject to our retention obligations under Section 8 and applicable law
  • Data Portability: Request an export of account-related data in a commonly used format

7.2 Patient Rights Under HIPAA

Patients have rights with respect to their PHI under HIPAA, including rights to access, amend, and receive an accounting of disclosures. Because Patient PHI is held on behalf of and under the direction of the applicable Provider (Covered Entity), Patients should direct HIPAA-related requests to their Provider. Echo Health Solutions will cooperate with Providers in fulfilling such requests as required under the applicable BAA.

7.3 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), including the right to:

  • Know what Personal Information we collect, use, and disclose
  • Delete Personal Information (subject to exceptions)
  • Correct inaccurate Personal Information
  • Opt out of the sale or sharing of Personal Information (note: we do not sell or share Personal Information as defined under CCPA/CPRA)
  • Limit the use and disclosure of Sensitive Personal Information
  • Non-discrimination for exercising privacy rights

To submit a CCPA/CPRA request, contact us using the information in Section 14. We will respond within 45 days, with a possible extension of an additional 45 days where reasonably necessary.

7.4 Other State Privacy Laws

Residents of Virginia, Colorado, Connecticut, Texas, and other states with enacted comprehensive privacy legislation may have similar rights. We honor applicable privacy rights requests from residents of all states with enforceable consumer privacy laws. Contact us using the information in Section 14.

7.5 How to Submit a Request

Privacy requests may be submitted by emailing our Privacy Officer at info@echobooking.com. We may require verification of identity before processing a request.


8. Data Retention

We retain Personal Information and PHI for the following periods:

| Data Type | Retention Period | Basis |
|---|---|---|
| PHI (patient records, scheduling data, forms) | 6 years from date of creation or last effective date | HIPAA (45 C.F.R. § 164.530(j)) |
| Voice recordings and call transcripts | As specified in BAA; default 6 years | HIPAA; contractual |
| SMS message logs | 6 years | HIPAA; TCPA compliance records |
| Provider account data | Duration of account plus 3 years | Contractual; legal claims |
| Technical and usage logs | 12–24 months | Security monitoring; operational |

Upon expiration of the applicable retention period, data is securely deleted or irreversibly de-identified using HIPAA-compliant methods. Data subject to a legal hold will be retained until the hold is released.


9. Security

We implement a comprehensive information security program designed to protect Personal Information and PHI against unauthorized access, disclosure, alteration, and destruction, including:

  • Encryption: AES-256 encryption at rest; TLS 1.2 or higher in transit for all data communications
  • Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA) for all platform accounts, and principle of least privilege
  • Audit Logging: Comprehensive audit trails of access to and modifications of PHI, retained per our retention schedule
  • Vulnerability Management: Regular penetration testing, vulnerability scanning, and patching protocols
  • Incident Response: A documented security incident response and breach notification plan, consistent with HIPAA Breach Notification Rule requirements
  • Employee Training: Mandatory HIPAA and security awareness training for all personnel with access to PHI
  • Vendor Management: Security review and contractual requirements imposed on all sub-processors

Despite these safeguards, no system can guarantee absolute security. In the event of a breach of unsecured PHI, we will notify affected covered entities (Providers) as required under HIPAA and our BAA obligations, and affected individuals will be notified in accordance with applicable law.


10. Breach Notification

In the event of a security incident that constitutes a Breach of Unsecured PHI as defined under HIPAA:

  • Provider Notification: We will notify the applicable covered entity (Provider) within the timeframe specified in the BAA, and no later than 60 calendar days following discovery.
  • Patient Notification: The affected Provider, as the Covered Entity, is generally responsible for notifying affected Patients. We will cooperate fully with Providers in meeting their breach notification obligations.
  • Regulatory Notification: We will cooperate with Providers and, where required as a Business Associate, with the U.S. Department of Health and Human Services.

For security incidents affecting Personal Information under applicable state breach notification laws, we will notify affected individuals and regulatory authorities as required by the laws of the applicable state(s).


11. Cookies and Tracking Technologies

Our web-based platform uses the following types of cookies and similar technologies:

| Type | Purpose | Provider-Controlled? |
|---|---|---|
| Strictly Necessary Cookies | Session management, authentication, security | No (required for functionality) |
| Performance/Analytics Cookies | Usage analytics, error monitoring | Yes |
| Functional Cookies | User preferences, saved settings | Yes |

We do not use third-party advertising or retargeting cookies. Providers and authorized users may manage cookie preferences through their browser settings. Note that disabling strictly necessary cookies may impair platform functionality.

We do not use session replay tools or behavioral fingerprinting for marketing purposes.


12. AI Processing Transparency

12.1 AI-Powered Features

Our Services incorporate artificial intelligence and machine learning components, including:

  • Natural language processing for voice-based scheduling and transcription
  • Automated prior authorization determination assistance
  • Predictive analytics for scheduling optimization
  • Form data extraction and population

12.2 Human Review

AI-generated outputs (e.g., transcriptions, form pre-fills, authorization recommendations) are designed to assist Providers and their staff, not to replace clinical judgment. Providers are responsible for reviewing and validating AI-generated outputs before acting on them.

12.3 Model Training

Where permissible under the applicable BAA and consistent with HIPAA, de-identified or aggregated data derived from platform interactions may be used to improve our AI models. Data used for model training is processed in accordance with HIPAA's Safe Harbor or Expert Determination de-identification standards. Providers who do not wish for their data to be used for model improvement may opt out by contacting our Privacy Officer.


13. Minors

Our Services are designed for use by licensed healthcare providers and their staff. We do not knowingly collect Personal Information directly from individuals under the age of 13 for our own purposes, and we do not direct our marketing or communications to minors.

Minors (including pediatric patients) may have PHI submitted to our platform on their behalf by a Provider or a parent/guardian with appropriate authority. Such data is handled as PHI in accordance with HIPAA, applicable state minor consent laws, and the applicable BAA. Providers are responsible for ensuring that they have appropriate consent or legal authority when submitting PHI relating to minors.

If we become aware that we have inadvertently collected Personal Information from a minor without appropriate authorization, we will promptly delete such data or take other appropriate remedial action.


14. Contact: Privacy Officer

For questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our designated Privacy Officer:

Echo Health Solutions Privacy Officer
Email: info@echobooking.com
Mailing Address: 120 Bretano Way, Greenbrae, CA 94904

We will acknowledge receipt of your inquiry promptly and respond substantively within 30 days, unless a shorter or longer period is required by applicable law.


15. Governing Law

This Privacy Policy is governed by the laws of the State of Delaware, without regard to its conflict of law provisions, except to the extent preempted by federal law (including HIPAA). Nothing in this Policy limits your rights under applicable federal or state privacy law.


16. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, Services, or applicable law. When we make material changes, we will:

  • Post the updated Policy on our website with a revised "Last Revised" date
  • Provide notice to registered Provider accounts via email or in-platform notification at least 30 days before the changes take effect, where feasible

Your continued use of our Services after the effective date of a revised Policy constitutes your acceptance of the updated terms. If you do not agree, you should discontinue use of the Services and contact us to request deletion of your account.


17. Additional Disclosures for Specific Jurisdictions

17.1 European Economic Area / United Kingdom

If you are located in the European Economic Area ("EEA") or United Kingdom ("UK") and interact with our Services, additional rights and protections under the General Data Protection Regulation ("GDPR") or UK GDPR may apply. Our lawful bases for processing personal data include: performance of a contract, compliance with legal obligations, legitimate interests (e.g., platform security and improvement), and, where required, explicit consent. EEA/UK residents may have additional rights including the right to erasure, restriction of processing, and to lodge a complaint with a supervisory authority. Contact our Privacy Officer for more information.

17.2 Texas Medical Records Privacy Act

Providers and Patients located in Texas should be aware that Texas law may impose additional protections and obligations regarding health information beyond those required by HIPAA. Echo Health Solutions complies with applicable Texas Health & Safety Code provisions governing electronic health record systems and patient privacy.


This Privacy Policy was last reviewed by Echo Health Solutions legal counsel on February 25, 2026.