Privacy Policy
Last updated:
HIPAA Notice
Vantage is a HIPAA-compliant platform. Where applicable, we act as a Business Associate to covered healthcare entities and maintain appropriate safeguards for Protected Health Information (PHI) as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This Privacy Policy should be read in conjunction with your healthcare provider's own Notice of Privacy Practices.
1. About Vantage
Vantage (getvantage.tech) is a healthcare revenue operations platform that provides AI-assisted patient communication, scheduling, and practice management tools to healthcare providers ("Covered Entities"). Vantage operates as a Business Associate to those Covered Entities when processing Protected Health Information on their behalf.
This Privacy Policy describes how Vantage, Inc. ("Vantage," "we," "us," or "our") collects, uses, discloses, and protects information when you use our platform, website, or services.
2. Information We Collect
2.1 Information Provided by Healthcare Providers
Healthcare providers who use Vantage may upload or transmit patient information to enable scheduling, communication, and care coordination. This may include:
- Patient names, dates of birth, and contact information
- Appointment details and scheduling history
- Insurance information and billing data
- Clinical notes, care instructions, and relevant health information
- Communication preferences
2.2 Information Collected from Patients
When patients interact with Vantage-powered communications (such as appointment reminders, SMS messages, or web intake forms), we may collect:
- Name, phone number, and email address
- Appointment preferences and confirmations
- Responses to intake or screening questionnaires
- Opt-in/opt-out preferences for messaging
2.3 Information Collected Automatically
When you visit our website or use our platform, we automatically collect certain technical information:
- IP address and general geographic location
- Browser type, operating system, and device identifiers
- Pages viewed, features used, and time spent
- Referring URLs and navigation paths
- Cookies and similar tracking technologies
2.4 Account Information
If you create a Vantage account (e.g., as a practice administrator or staff member), we collect:
- Name, email address, and job title
- Login credentials (passwords are hashed and never stored in plain text)
- Billing and payment information (processed by PCI-compliant third-party processors)
- Communication and notification preferences
3. How We Use Your Information
We use the information we collect to:
- Deliver, operate, and improve our platform and services
- Send appointment reminders, scheduling notifications, and care-related messages on behalf of healthcare providers
- Provide customer support and respond to inquiries
- Process billing and manage provider accounts
- Monitor system performance, security, and integrity
- Comply with legal obligations, including HIPAA requirements
- Investigate and prevent fraud, abuse, or unauthorized access
- Conduct internal analytics to improve our AI models and service quality (using de-identified data only)
We do not sell, rent, or trade Personal Information or Protected Health Information to third parties for marketing or advertising purposes.
4. HIPAA Compliance
HIPAA Business Associate: Vantage enters into a Business Associate Agreement (BAA) with each healthcare provider (Covered Entity) that uses our platform. This agreement defines our respective obligations regarding the handling, protection, and permitted uses of Protected Health Information.
4.1 Protected Health Information (PHI)
PHI includes individually identifiable health information transmitted or maintained in any form or medium that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. When Vantage processes PHI on behalf of a Covered Entity, we do so only as permitted by the applicable BAA and HIPAA regulations.
4.2 Permitted Uses and Disclosures of PHI
As a Business Associate, Vantage may use or disclose PHI only to:
- Perform services specified in the Business Associate Agreement
- Carry out our legal responsibilities as required by law
- Report violations to the applicable Covered Entity
- Respond to a data breach as required under the Breach Notification Rule
We do not use PHI for our own purposes beyond those permitted under HIPAA and the applicable BAA.
4.3 Minimum Necessary Standard
Vantage applies the HIPAA Minimum Necessary Standard, meaning we access, use, and disclose only the minimum amount of PHI necessary to accomplish the intended purpose.
4.4 Administrative, Physical, and Technical Safeguards
We implement and maintain comprehensive HIPAA-required safeguards, including:
- Administrative: Designated Privacy Officer and Security Officer, workforce training, risk assessment procedures, and access management policies
- Physical: Controlled facility access, workstation security policies, and device and media controls
- Technical: Encryption of PHI at rest and in transit (AES-256 / TLS 1.2+), audit logging, automatic session timeouts, and role-based access controls
4.5 Subcontractors
Any subcontractors or sub-Business Associates that handle PHI on our behalf are contractually required to implement equivalent HIPAA safeguards and enter into appropriate agreements prior to accessing any PHI.
6. Data Security & Safeguards
Vantage takes data security seriously and employs industry-standard and HIPAA-required technical, administrative, and physical safeguards to protect your information, including:
- End-to-end encryption of data in transit using TLS 1.2 or higher
- Encryption of PHI and sensitive data at rest using AES-256
- Role-based access controls limiting data access to authorized personnel only
- Multi-factor authentication for platform access
- Continuous system monitoring, intrusion detection, and audit logging
- Regular third-party security assessments and penetration testing
- Annual workforce security training and background screening policies
- Documented incident response and business continuity plans
No method of electronic transmission or storage is 100% secure. While we use commercially reasonable and legally required measures, we cannot guarantee absolute security. If you believe your information has been compromised, contact us immediately at privacy@getvantage.tech.
7. Data Retention
We retain information for as long as necessary to fulfill the purposes described in this Policy and to comply with applicable legal and regulatory requirements, including:
- PHI: Retained in accordance with the applicable BAA and applicable state medical records laws (typically a minimum of 6 years from the date of creation or last effective date, whichever is later)
- Account information: Retained for the duration of the provider account and up to 7 years after account closure for legal and compliance purposes
- Technical/usage data: Generally retained for up to 24 months
- Communication logs: Retained for up to 3 years unless a longer period is required by law or contract
When information is no longer required, we securely destroy or de-identify it in accordance with HIPAA and applicable law.
8. Your Rights
8.1 HIPAA Patient Rights
If you are a patient whose PHI is processed through Vantage on behalf of a healthcare provider, your rights under HIPAA are governed by your provider's Notice of Privacy Practices. These rights typically include:
- Right to Access: Request a copy of your health information
- Right to Amend: Request corrections to inaccurate or incomplete health information
- Right to an Accounting of Disclosures: Obtain a list of certain disclosures of your PHI
- Right to Request Restrictions: Ask to limit how your information is used or disclosed
- Right to Confidential Communications: Request that communications be sent by alternative means or to alternative locations
- Right to a Paper Copy: Receive a paper copy of the Notice of Privacy Practices
To exercise these rights, please contact your healthcare provider directly. Vantage will support your provider in fulfilling these requests as required by our BAA.
8.2 General Privacy Rights
Depending on your location, you may have additional rights under applicable privacy law (including, where applicable, the California Consumer Privacy Act and similar state laws):
- Right to Know: Request information about what personal data we hold about you
- Right to Delete: Request deletion of your personal information, subject to legal exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out: Opt out of certain sharing or processing activities
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To submit a privacy request, contact us at privacy@getvantage.tech. We will respond within the timeframe required by applicable law.
9. Third-Party Services
Our platform integrates with third-party electronic health record (EHR) systems, communication providers, and other healthcare technology platforms to deliver our services. These integrations are governed by applicable BAAs and data use agreements. Integration partners currently include providers such as Epic, Cerner, Athenahealth, eClinicalWorks, and Curogram, among others.
Our website may also contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.
We use cookies and similar tracking technologies on our marketing website for analytics and performance purposes. You may adjust your browser settings to refuse cookies, though some features may not function as intended.
10. Breach Notification
In the event of a breach of unsecured PHI, Vantage will notify affected Covered Entities without unreasonable delay and no later than 60 calendar days after discovery of the breach, as required under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).
Notification will include, to the extent possible:
- A description of the breach, including the date of the breach and date of discovery
- The types of PHI involved
- Steps individuals should take to protect themselves
- Steps Vantage is taking to investigate, mitigate, and prevent recurrence
- Contact information for the Covered Entity and, where required, affected individuals
Covered Entities remain responsible for notifying affected patients, the U.S. Department of Health and Human Services (HHS), and, where applicable, the media, as required under HIPAA.
11. Children's Privacy
Vantage's platform is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through our marketing website or platform accounts. Healthcare providers using Vantage may process health information for minor patients as part of their clinical operations; such processing is governed by the applicable BAA, the healthcare provider's own policies, and applicable state minors' privacy laws.
If you believe we have inadvertently collected personal information from a child under 13 outside of a provider relationship, please contact us at privacy@getvantage.tech.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements, or for other operational reasons. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, provide additional notice (such as via email to registered account holders or through prominent notice on our website).
Your continued use of Vantage services after changes become effective constitutes your acceptance of the revised Policy. We encourage you to review this page periodically.
13. Contact & Privacy Officer
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our Privacy Officer:
- Privacy Officer, Vantage, Inc.
- Email: privacy@getvantage.tech
- Website: getvantage.tech
If you are a patient and your concern relates to your health information held by your healthcare provider, please contact your provider directly. You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr. We will not retaliate against you for filing a complaint.