Legal

Privacy Policy

Your privacy matters to us. This policy explains what we collect across the TheoVex Ecosystem, how we use and protect it, and the choices and rights you have.

Last updated: June 29, 2026

I

Scope and Acceptance

TheoVex (“TheoVex,” the “Company,” “we,” “us,” or “our”) is an AI research company building an intelligence layer for healthcare and insurance. We are organized as [legal entity type and jurisdiction to be confirmed] with a registered address at [registered mailing address to be confirmed].

This Privacy Policy (the “Policy”) governs your access to and use of our websites, platforms, applications, application programming interfaces (APIs), AI models, and any future products or services we develop or acquire (collectively, the “Ecosystem” or “Services”). The Ecosystem currently includes: Theo (hitheo.ai), the AI orchestration engine and API; Theo Arca (hitheo.ai), our HIPAA-grade model platform; OpenCharts (opencharts.com), the AI super-app workspace; Theovibes (theovibes.com), compliant application generation; Theo Law (theolaw.ai), the legal back-office suite; Theomoney (theomoney.ai), insurance money movement and HSAs; Tomorrow Life (tomorrowlife.com), the life-insurance platform; Theo CRM (theocrm.app), the CRM, ERP, and practice-management OS; together with our parent site at theovex.com.

This Policy is a living document, written to cover our current operations across healthcare, insurance, legal, and financial workloads, and to anticipate future capabilities such as autonomous agents, voice and telephony, and connected-device integrations.

BY ACCESSING OR USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS POLICY AND CONSENT TO THE DATA PRACTICES DESCRIBED HEREIN.

II

Information We Collect

We collect information directly from you, automatically through your use of the Services, and from third parties that you or your organization connect to the Ecosystem.

A. Information You Provide Directly

  • Account and Identity Data: name, email address, postal address, phone number, organization and role, and, where required for regulated workflows, professional identifiers such as a National Provider Identifier (NPI) or producer license number.
  • Protected Health Information (PHI): where a healthcare customer uses the Services to process clinical data, we may handle records such as intake forms, diagnoses, procedures, medications, lab results, and provider notes on that customer's behalf.
  • Insurance and Financial Data: policy and coverage details, claims information, commissions, beneficiaries, and payment or account details processed through Theomoney and related products.
  • User Content: prompts, messages, documents, and files you submit to our AI interfaces, and the outputs generated in response.

B. Information Collected Automatically

  • Device and Connection Data: IP address, browser type, operating system, device identifiers, and language and time-zone settings.
  • Authentication Data: when you sign in with a single sign-on (SSO) provider, we receive basic profile information and authentication tokens.
  • Usage Data: the features you use, actions you take, and diagnostic, performance, and security telemetry generated as you use the Services.

C. Information From Third Parties

  • Integration Partners: data you direct us to exchange with connected systems such as electronic medical records (EMRs), carrier and ERP systems, billing platforms, and other third-party applications.
  • Service Providers and Public Sources: information from vendors that support identity verification, fraud prevention, and compliance, and information available from public or licensed sources.
III

How We Use Your Information

Service Delivery

  • To provide, operate, secure, and improve the Services and your account.
  • To orchestrate AI workflows, route requests, run agentic tools, and return results with citations and usage.
  • To coordinate healthcare, insurance, legal, and financial workflows you initiate.

AI and Machine Learning

  • De-identification first: we do not train general models on raw PHI. Where data is used to improve our models, it passes through the same de-identification controls described in Section V, and protected data is excluded unless de-identified.
  • Quality and safety: we use aggregated, de-identified, or anonymized data to evaluate quality, detect abuse, and improve routing, guardrails, and reliability.

Security, Compliance, and Communications

  • To detect, investigate, and prevent fraud, abuse, and security incidents.
  • To meet legal, regulatory, audit, and contractual obligations.
  • To send service, security, and administrative messages, and, where permitted, relevant product updates.
IV

How We Share Your Information

We operate a connected Ecosystem but maintain strict control over where data goes. We do not sell your personal information for money.

  • At Your Direction: when you connect an integration or share data with a carrier, provider, or third-party app, we transmit data as instructed by you or your organization.
  • Service Providers: we share data with vetted vendors for cloud hosting, infrastructure, payment processing, analytics, and support, bound by confidentiality and data-protection obligations.
  • Within the TheoVex Family: we may share data among TheoVex products and any current or future affiliates to deliver and improve the Ecosystem.
  • Legal and Safety: we may disclose information to regulators, law enforcement, or others where required by law or to protect rights, safety, and the integrity of the Services.
  • Business Transfers: in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Policy.
V

Protected Health Information and the Theo Arca Guardrail

When we handle PHI on behalf of a healthcare customer, we act as a Business Associate under HIPAA, and that data is governed by our Business Associate Agreement (BAA) and the customer's own privacy practices.

Compliance in our platform is enforced at the system level by the Theo Arca guardrail. Where the de-identifying path is used, the model never sees raw PHI: protected data is detected and replaced with format-preserving tokens held in an encrypted de-identification vault, and only de-identified text is forwarded downstream.

  • Zero-retention default: raw PHI is never persisted to logs, telemetry, or any training corpus; re-identification is scoped, authorized, and recorded.
  • Evidence ledger: an append-only, signed record captures each request, model, prompt version, tool calls, output digest, and approvals for audit.
  • Pinned boundary: requests that carry PHI are pinned to a compliant serving boundary and never leave it unguarded.
VI

Your Privacy Rights and Choices

A. General Rights

  • Access and export the personal data we hold about you.
  • Correct inaccurate data or update your account.
  • Delete your account and associated data, subject to legal and contractual retention obligations.

B. HIPAA (United States)

If you are a patient whose data is stored in our Services by a healthcare provider, we act as a Business Associate; your data is governed by your provider's Notice of Privacy Practices, and we safeguard PHI in accordance with 45 CFR Parts 160 and 164.

C. California (CCPA / CPRA)

  • Right to Know: request the categories and specific pieces of personal information we have collected, and the sources and purposes.
  • Right to Delete and Correct: request deletion or correction of your personal information.
  • Right to Limit: limit the use of sensitive personal information to what is necessary to provide the Services.
  • Non-Discrimination: we will not discriminate against you for exercising these rights.

D. GDPR / UK GDPR (Europe and the UK)

  • Controller and Processor: TheoVex is a controller for its own accounts and a processor for data handled on behalf of enterprise customers.
  • Legal Bases: we process data based on contract, legal obligation, legitimate interests, and consent.
  • Transfers: cross-border transfers rely on appropriate safeguards such as Standard Contractual Clauses.
  • Your Rights: you may access, rectify, erase, restrict, port, or object to processing of your data.
VII

Data Retention and Security

A. Retention

We retain personal data only as long as necessary for the purposes described in this Policy and to meet legal, regulatory, accounting, and reporting obligations. Healthcare and insurance records may be subject to longer statutory retention periods set by applicable law.

B. Security

  • Encryption: data is encrypted in transit and at rest using industry-standard algorithms.
  • Access Control: role-based access, least-privilege provisioning, and tenant isolation.
  • Monitoring: logging, auditing, and ongoing vulnerability management and testing.

No method of transmission or storage is perfectly secure; we cannot guarantee absolute security, but we work continuously to protect your information.

VIII

Cookies and Tracking Technologies

We use cookies and similar technologies to keep you signed in, secure the Services, remember preferences, and understand usage.

  • Essential: required for authentication and security.
  • Analytics: help us understand and improve how the Services are used.
  • Your Controls: you can manage cookies in your browser, and we honor Global Privacy Control (GPC) signals where required by law.
IX

Children's Privacy

The Services are intended for businesses and professionals and are not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children except where a healthcare customer processes a minor patient's records under appropriate authority and consent.

X

Changes to This Policy

We may update this Policy from time to time. Material changes will be reflected by updating the date below and, where appropriate, by additional notice. Your continued use of the Services after an update constitutes acceptance of the revised Policy.

XI

Contact Us

For privacy questions, data-subject requests, or to reach our privacy team, contact us using the details below.

  • TheoVex: Privacy and Compliance
  • Address: [registered mailing address to be confirmed]
  • Email: ariel@theovex.com