Mobile App Privacy Policy

Latest update on January 02, 2026

LUVVIPRO — HOSPITAL / CLINICIAN APP PRIVACY POLICY

Effective Date: [JANUARY 02, 2026]

Last Updated: [JANUARY 02, 2026]


1. INTRODUCTION

LuvviCare (“Luvvi,” “we,” “our,” or “us”) provides a secure, family-centered clinical communication platform designed for hospitals and healthcare organizations. This Privacy Policy describes how information is handled when healthcare professionals and authorized staff use the Luvvi Care Clinical Platform across care settings including NICU, PICU, adult care, rehabilitation, hospice, behavioral health, and home healthcare.


Our Privacy Commitment

  • We apply appropriate safeguards as required under HIPAA, GDPR, and other applicable data protection laws.

  • We operate as a Business Associate / Data Processor, depending on jurisdiction.

  • We do not sell data, advertise using patient data, or provide unauthorized access.

  • The healthcare facility remains the controller or covered entity responsible for patient information.


2. SCOPE

This Privacy Policy applies to:

  • Healthcare professionals, clinicians, therapists, nurses, administrators, and support staff using the platform

  • IT personnel overseeing account and security management

  • Use of the web dashboard, mobile apps, and authorized API integrations

  • Patient information processed on behalf of healthcare facilities

This policy supplements your organization’s existing privacy and security policies and applies in conjunction with applicable Business Associate Agreements (BAA/DPA).

3. INFORMATION WE PROCESS

We process information strictly on behalf of the healthcare facility, including:

3.1 Patient Information (Provided by the Facility or Entered by Users)

  • Demographics and admission information

  • Care status updates, milestones, vitals, therapy participation

  • Family contact information when authorized

  • Photos, videos, or media content uploaded or sent by care teams

  • Audio Care usage (parent voice recordings, comfort playback sessions)

We do not directly access any medical record systems unless authorized by the healthcare facility.

3.2 User Information (Healthcare Professionals)

  • Identity and authentication details (SSO credentials, email, access role)

  • Professional details (name, department, credentials, role)

  • Activity and access logs (audit trails, timestamps, patient records accessed)

  • Device data when using video or livestream features (non-identifiable)

3.3 Platform Operations Data

  • Communication and media delivery logs

  • Usage data (feature usage, frequency, anonymized analytics)

  • Integration logs (EHR interoperability, API activity)

  • Technical performance metrics (app stability, error reports)

4. HOW INFORMATION IS USED

Information is used to support secure, patient-centered communication and operational workflows, including:

4.1 Clinical Messaging and Communication

  • Send approved photos, videos, updates, and eCards to authorized family members

  • Facilitate two-way video calls and secure livestream sessions

  • Deliver Audio Care content (family messages, comfort audio, approved therapeutic recordings)

  • Provide automatic language translation (PHI anonymized when possible)

4.2 Care Coordination & Family Engagement

  • Track and document family communication activity (as permitted by the facility)

  • Facilitate milestone documentation and progress updates

  • Enhance interdisciplinary communication

  • Support optional engagement and satisfaction tracking using aggregated or anonymized insights

No personal identifiers are shared without authorization.

4.3 Platform Operations and Compliance

  • Enforce authentication, access control, and minimum necessary use

  • Maintain audit logs required under HIPAA and GDPR

  • Support incident analysis and security monitoring

  • Enable feature optimization using anonymized usage data

5. INFORMATION SHARING

Information is shared only as authorized and required to support clinical and operational needs.

5.1 Within the Healthcare Facility

  • Authorized care team members under role-based access

  • Hospital administration for oversight, audit, quality, and compliance

  • IT and platform administrators (for support and monitoring)

5.2 With Service Providers (Processors/Subprocessors)

We use third-party providers for:

  • Secure cloud hosting and infrastructure

  • Authentication and identity management

  • Video streaming, encryption, and content delivery

  • Translation (with secure deletion after processing)

All service providers are required to follow strict privacy and security standards under contractual agreements.

5.3 Sponsors and Partners (Where Applicable)

  • Sponsors may display branding, when agreed by the facility

  • Only aggregated, non-identifiable usage insights may be shared

  • No patient data or personal information is shared with sponsors

5.4 Legal and Regulatory Disclosures

We may disclose information when legally required to:

  • Respond to valid court orders or legal processes

  • Support regulatory audits or investigations

  • Address safety, abuse, fraud, or imminent harm

  • Comply with public health and oversight requirements

6. SECURITY AND COMPLIANCE

6.1 Technical Safeguards

  • Encryption at rest and in transit (AES-256, TLS 1.3 or higher)

  • Role-based access control and multi-factor authentication

  • Intrusion detection, audit logging, and continuous monitoring

  • Secure backend architecture based on least privilege and zero-trust principles

6.2 Administrative and Organizational Safeguards

  • Annual privacy, HIPAA, GDPR, and security awareness training

  • Documented policies for access control, incident response, and data handling

  • Signed BAAs/DPAs with all covered entities

  • Breach notification procedures per HIPAA/GDPR timelines

6.3 Certifications & Validation

  • HIPAA-aligned safeguards implemented

  • GDPR Data Processing Agreements in place

  • Regular third-party penetration testing

  • ISO 27001 / HITRUST certifications under consideration

7. AUDIO CARE PLATFORM (When Enabled)

  • Audio content from parents or approved therapeutic sources may be delivered

  • Hospitals determine what recordings are clinically appropriate

  • Volume controls, speaker setup, and session tracking are supported

  • No personal processing beyond authorized comfort playback

8. DATA LOCATION AND RETENTION

8.1 Data Hosting

  • Data is hosted in secure data centers appropriate to the facility’s region where feasible

  • If data must be transferred internationally, it is protected using approved legal mechanisms (e.g., Standard Contractual Clauses)

8.2 Retention

Information is retained based on legal, operational, and facility requirements:


Data Type

Patient Communication & Audit Logs

User Activity Logs

Video/Audio Content

Technical Logs

Typical Retention

6–10 years or per facility policy

6 years (HIPAA) or per audit standards

Per facility policy or until removed

90–365 days


9. USER RESPONSIBILITIES

You agree to:

  • Protect access credentials and report any compromise promptly

  • Access only information necessary for your role (minimum necessary standard)

  • Follow your facility’s privacy, consent, conflict-of-interest, and media policies

  • Obtain appropriate authorization before using video or audio tools

  • Report suspected security incidents without delay

10. INCIDENT RESPONSE

Luvvi Care provides reporting mechanisms for suspected security events or breaches.

Notifications follow applicable legal timeframes (HIPAA, GDPR, or other regulations).

11. CHANGES TO THIS POLICY

If this policy is updated, facilities and/or administrators will be notified at least 30 days in advance where applicable.

The “Last Updated” date will always reflect the most current version.

12. CONTACT

Compliance & Privacy Office

Luvvi

Nyon Business Park

Route de Crassier 7

1262 Eysins

General Privacy: security@luvvi.com

HIPAA & US Compliance: security@luvvi.com

GDPR & International: security@luvvi.com

Security & Incident Reporting: security@luvvi.com