Effective Date: June 22, 2026 (last reviewed)
Previous version: March 15, 2026. Updates added Sections 7A (Subprocessors) and 9A (California Privacy Rights).
Omniasis, Inc. ("Omniasis," "we," "our," or "us") is committed to protecting the privacy and security of your personal information, including Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Omniasis Cardiac Rehab Coach mobile application and the Omniasis Cardiac Rehabilitation Platform (collectively, the "Platform").
By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with these practices, please do not use the Platform.
We collect the following categories of information:
- Personal Information: Name, email address, date of birth, phone number, and other contact information provided during account registration.
- Technical Data: IP address, browser type (for the admin portal), app crash reports, and usage analytics. We do not collect precise location data.
We use the information we collect for the following purposes:
Our app integrates with Apple HealthKit to read and write health data, including heart rate, blood oxygen saturation (SpO2), active energy burned, and workout sessions. Our use of HealthKit data is subject to the following commitments:
You can revoke HealthKit access at any time through your iPhone's Settings > Health > Data Access & Devices.
Omniasis operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and fully complies with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Our safeguards include:
We maintain Business Associate Agreements (BAAs) with all third-party service providers who may access PHI, including Amazon Web Services.
Your data is stored on Amazon Web Services (AWS) infrastructure in the United States, using only services covered by our AWS Business Associate Addendum (AWS HIPAA Eligible Services). We implement industry-leading security measures including:
We may share your information in the following limited circumstances:
We do NOT sell, rent, lease, or trade your personal information or health data to any third parties for marketing, advertising, or any other commercial purposes. This commitment applies to all data, including data obtained from Apple HealthKit.
We rely on the following subprocessors to operate the Platform. Each subprocessor is bound by a written agreement requiring confidentiality, appropriate security controls, and (where they handle PHI) a Business Associate Agreement.
| Subprocessor | Purpose | Data category | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database storage (DynamoDB), serverless compute (Lambda), object storage (S3), encryption (KMS), email delivery (SES), authentication (Cognito), monitoring (CloudWatch). | PHI, account, audit logs, encrypted backups. | United States (us-east-1) |
| Apple HealthKit | On-device collection of vital signs (heart rate, SpO2, HRV, workouts) from Apple Watch and iPhone sensors. | PHI (transient, on device). HealthKit data is read by the app and forwarded to our backend only with the user's active session consent. | User's device (no Apple cloud sync of HealthKit data initiated by Omniasis) |
| Apple App Store / TestFlight | Distribution of the iOS application to authorized devices. | No PHI. Account email may be visible to Apple for App Store account management. | Apple infrastructure |
| GitHub (source code) | Source code repository and CI/CD triggers. No PHI is stored in source. | No PHI. | United States |
We will notify hospital customers of any material changes to this subprocessor list before the change takes effect, in accordance with Business Associate Agreement obligations. The current list is maintained on this page; customers may also request the current list at any time from the Privacy Officer contact in Section 13.
We retain your health data in accordance with applicable federal and state laws and clinical record-keeping standards:
You may request deletion of your data at any time, subject to legal retention requirements. See Section 9 for details.
Under HIPAA and applicable state and federal laws, you have the right to:
To exercise any of these rights, please contact our Privacy Officer at the address listed in Section 13.
This section supplements Section 9 for California residents whose personal information we collect or process. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides additional rights to California residents.
We collect the categories of personal information described in Section 2 (Personal Information, Health Information, Device and Wearable Information, Technical Data). We collect these categories for the business purposes described in Section 3 (How We Use Your Information). We retain each category for the periods described in Section 8 (Data Retention).
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months and have no plans to do so. This commitment is reiterated in Section 7.
In addition to the rights in Section 9, California residents have the right to:
Submit a verifiable consumer request by email to privacy@omniasis.com with subject line "California Privacy Request." We will respond within 45 days as required by law. We may need to verify your identity before fulfilling the request; we will only use the information you provide to verify your identity for this purpose.
You may designate an authorized agent to submit a request on your behalf. The agent must provide proof of your written authorization, and we will require you to verify your own identity directly.
When information is governed by HIPAA (Protected Health Information), HIPAA rules and HIPAA-mandated retention periods take precedence over CCPA/CPRA rights to the extent of any conflict. CCPA/CPRA rights apply to personal information that is not PHI, and to PHI to the extent CCPA/CPRA does not conflict with HIPAA.
The Platform is intended for adults aged 18 and older who are enrolled in a cardiac rehabilitation program under clinical supervision. We do not knowingly collect information from individuals under the age of 18. If we become aware that we have collected data from a minor, we will take steps to delete that information promptly.
In the event of a breach of unsecured PHI, Omniasis will comply with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). Because we act as a Business Associate, we will notify the affected hospital customer (the covered entity) without unreasonable delay and no later than 60 calendar days following discovery of the breach, and we will provide the information the covered entity needs to notify affected individuals, the U.S. Department of Health and Human Services and, where required (breaches affecting more than 500 residents of a state or jurisdiction), prominent media outlets. Where our Business Associate Agreement assigns those notifications to us, we will make them ourselves within the same deadlines.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on our Platform, updating the effective date above, and where appropriate, notifying you via email or in-app notification. Your continued use of the Platform after the effective date of a revised policy constitutes acceptance of the updated terms.
If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact our Privacy Officer:
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr.
© 2026 Omniasis, Inc. All rights reserved.