Privacy Policy

GlohCare Health Platform · Effective March 9, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Introduction

Glow Holdings, Inc., a Nevada corporation doing business as GlohCo ("Company," "we," "us," or "our"), operates the GlohCare platform at www.glohcare.com (the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your information, including Protected Health Information ("PHI"), in compliance with the Health Insurance Portability and Accountability Act ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), 42 CFR Part 2, and applicable state privacy laws including the Texas Medical Records Privacy Act and the California Consumer Privacy Act ("CCPA").

2. Information We Collect

2.1 Account Information

  • Name, email address, phone number, and professional credentials (NPI, license number)
  • Role designation (patient, clinician, administrator)
  • Organization affiliation
  • Authentication credentials and multi-factor authentication data

2.2 Protected Health Information (PHI)

  • Demographic information (name, date of birth, sex, contact information, emergency contacts)
  • Medical record number (MRN) and insurance identifiers
  • Medical history, diagnoses, and treatment records
  • Behavioral health assessments (PHQ-9, GAD-7, PCL-5, AUDIT-C, C-SSRS)
  • Vital signs and biometric data from connected devices (heart rate, blood pressure, SpO2, temperature, weight, glucose, HRV)
  • Medication records and adherence data
  • Clinical encounter notes, SOAP notes, and care plans
  • AI-assisted clinical decision support outputs and risk assessments
  • Communication records between patients and their care team
  • Substance use disorder (SUD) treatment records (subject to 42 CFR Part 2 protections)

2.3 Usage and Device Data

  • Pages visited, features used, and session duration
  • Browser type, operating system, and screen resolution
  • IP address (collected for security and audit purposes)
  • Device identifiers for connected health monitoring devices
  • Timestamp and frequency of Service interactions

3. How We Use Your Information

3.1 Treatment

Sharing information with your authorized care team to provide, coordinate, and manage your healthcare, including AI-assisted clinical decision support, risk assessments, and care plan recommendations.

3.2 AI-Powered Features

Processing your information through our AI features (Care Concierge, Clinical Co-Pilot, AI Scribe, GlohPredict™ risk engine) to generate clinical summaries, draft documentation, risk scores, and personalized health insights. All AI outputs are labeled and require clinician review.

3.3 Payment

Processing claims, billing, and reimbursement for services rendered through the platform, including ICD-10 and CPT code generation.

3.4 Healthcare Operations

Quality improvement, clinical outcomes tracking, compliance auditing, workforce training, and administrative functions necessary to operate the Service.

3.5 Analytics

Generating de-identified, aggregate analytics for population health management, facility performance metrics, and platform improvement. Individual-level analytics (page views, feature usage, session data) are stored in our analytics system and used to improve user experience.

3.6 Legal and Regulatory Compliance

Fulfilling obligations under HIPAA, HITECH, 42 CFR Part 2, state privacy laws, and other applicable regulations, including breach notification, audit responses, and law enforcement requests as required by law.

4. Your Rights Under HIPAA

As a patient, you have the following rights with respect to your Protected Health Information:

Right to Access

You may request copies of your PHI maintained by the Service. We will respond within thirty (30) days of your request. You may request records in electronic format.

Right to Amendment

You may request corrections to your PHI if you believe it is inaccurate or incomplete. We will respond within sixty (60) days and provide a written explanation if the request is denied.

Right to an Accounting of Disclosures

You may request a list of certain disclosures we have made of your PHI for purposes other than treatment, payment, or healthcare operations. Our comprehensive audit logging system tracks all PHI access events.

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to such restrictions unless the disclosure is to a health plan for services you paid for in full out of pocket.

Right to Confidential Communications

You may request that we communicate with you regarding your health information in a specific way or at a specific location (e.g., a particular email address or phone number).

Right to Breach Notification

In the event of a breach of unsecured PHI, we will notify you as required by the HITECH Act without unreasonable delay and no later than sixty (60) days from discovery. Notification will include a description of the breach, the types of information involved, steps you should take, and the measures we are taking to investigate and mitigate harm.

Right to a Paper Copy

You may request a paper copy of this Privacy Policy at any time by contacting our Privacy Office.

Right to Data Export

You may request an electronic export of your health data in a standard, portable format.

5. AI and Automated Processing Disclosure

GlohCare uses artificial intelligence and automated processing to enhance clinical care. We are committed to transparency about how these technologies process your information:

  • Care Concierge: Patient-facing AI chat that uses your health data (vitals, assessments, care plans) to provide wellness support, appointment preparation, and symptom triage. Responses are AI-generated and are not medical advice.
  • Clinical Co-Pilot: Generates chart summaries, "what changed" reports, and draft clinical notes for clinician review. Clinicians must validate all AI outputs before finalizing.
  • AI Scribe: Processes ambient audio to generate structured SOAP notes with suggested ICD-10 and CPT codes. All outputs are labeled "AI Draft" and require clinician approval.
  • GlohPredict™: Calculates predictive risk scores (readmission, crisis, adherence, treatment response) using your health data. High-risk scores may trigger automated alerts to your care team. Risk scores are decision-support tools, not diagnoses.
  • No third-party AI training: Your data is never shared with third parties for the purpose of training AI models. AI processing occurs within our secured infrastructure.

6. How We Share Your Information

  • Authorized Providers: PHI is shared with healthcare providers on your authorized care team for treatment purposes.
  • Business Associates: We may share PHI with third-party service providers who perform functions on our behalf (e.g., cloud infrastructure, AI processing) under Business Associate Agreements that require them to safeguard your information.
  • As Required by Law: We may disclose PHI when required by federal, state, or local law, including court orders, subpoenas, or public health reporting requirements.
  • Health and Safety: We may disclose PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
  • We do not sell PHI. We will never sell your Protected Health Information to any third party for any purpose, including marketing, advertising, or data brokering.
  • SUD Records: Records related to substance use disorder treatment are subject to additional protections under 42 CFR Part 2 and require your separate, written consent before disclosure to any party, including other healthcare providers.

7. Data Security Measures

We implement comprehensive administrative, physical, and technical safeguards to protect your information:

  • Encryption at Rest: AES-256-GCM encryption for all PHI, with field-level encryption for sensitive data elements.
  • Encryption in Transit: TLS 1.3 for all data transmitted between your device and our servers.
  • Access Controls: Role-based access controls (RBAC) and row-level security (RLS) policies limiting data access to authorized personnel with a legitimate purpose.
  • Multi-Factor Authentication: Required for all clinician and administrator accounts.
  • Session Management: Automatic session timeout after fifteen (15) minutes of inactivity; account lockout after repeated failed login attempts.
  • Audit Logging: Comprehensive, tamper-resistant logging of all PHI access events, stored in write-once, compliance-mode storage for a minimum of six (6) years.
  • Break-the-Glass Controls: Emergency access requires documented justification, triggers supervisor notification, and automatically revokes after a limited period.
  • Infrastructure: Hosted on HIPAA-eligible AWS infrastructure with BAA coverage, private networking, and encryption throughout the stack.
  • Vulnerability Management: Regular security assessments, dependency scanning, and penetration testing.

8. Data Retention

Clinical records and PHI are retained for a minimum of six (6) years as required by HIPAA, or longer where required by applicable state law. Audit logs are retained for a minimum of six (6) years in tamper-proof, write-once storage (S3 Object Lock, Compliance mode) and cannot be modified or deleted. Account information is retained for the duration of your account and for a reasonable period thereafter to fulfill legal obligations. You may request deletion of non-clinical account data by contacting our Privacy Office.

9. Analytics and Tracking

We collect usage analytics to improve the Service and understand how features are used. Analytics data is stored in our internal analytics system and includes:

  • Page views and navigation patterns
  • Feature usage frequency and session duration
  • Login events and authentication metrics
  • Error events for debugging and reliability improvement
  • Performance metrics (page load times, API response times)

Analytics data is stored in our analytics_events table and is associated with your user session. We do not use third-party advertising trackers. We do not serve targeted advertisements. The Service uses essential cookies only (authentication session cookies) and does not use marketing or advertising cookies.

10. Satisfaction Surveys

We may periodically present Net Promoter Score (NPS) surveys within the Service to measure user satisfaction. Survey responses are voluntary, associated with your account, and used solely to improve the Service. Survey data does not include PHI and is not shared with third parties.

11. Children's Privacy

The Service is not intended for use by individuals under the age of eighteen (18) without the supervision and consent of a parent or legal guardian. We do not knowingly collect personal information from children under 18 without parental consent. If you are a parent or guardian and believe your child has provided personal information through the Service without your consent, please contact our Privacy Office immediately at privacy@glohcare.com.

12. California and State Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), subject to the HIPAA exemption for PHI. To the extent applicable, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information (subject to legal retention requirements)
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

Residents of other states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others) may have similar rights. To exercise any privacy rights, contact our Privacy Office at privacy@glohcare.com.

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. Material changes will be communicated via the platform and, where required, by direct notice. The effective date at the top of this page will be updated to reflect the most recent revision. We will make the prior version of this policy available upon request. Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

14. Complaints

If you believe your privacy rights have been violated, you may file a complaint with our Privacy Office or directly with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint. You may file a complaint with HHS at https://www.hhs.gov/hipaa/filing-a-complaint or by calling 1-877-696-6775.

15. Contact Information

For questions about this Privacy Policy, to exercise your rights, or to file a complaint, contact our Privacy Officer:

GlohCare Privacy Office

Glow Holdings, Inc.

2800 Post Oak Blvd, Suite 5600

Houston, TX 77056

Email: privacy@glohcare.com

This Privacy Policy is provided in compliance with HIPAA (45 CFR 164.520), the HITECH Act, and applicable state privacy laws.

Effective Date: March 9, 2026. Last updated: March 9, 2026.

© 2026 Glow Holdings, Inc. All rights reserved.