Privacy Policy
Your privacy matters to us. This policy explains what we collect across the TheoVex Ecosystem, how we use and protect it, and the choices and rights you have.
Last updated: June 29, 2026
Scope and Acceptance
TheoVex (“TheoVex,” the “Company,” “we,” “us,” or “our”) is an AI research company building an intelligence layer for healthcare and insurance. We are organized as [legal entity type and jurisdiction to be confirmed] with a registered address at [registered mailing address to be confirmed].
This Privacy Policy (the “Policy”) governs your access to and use of our websites, platforms, applications, application programming interfaces (APIs), AI models, and any future products or services we develop or acquire (collectively, the “Ecosystem” or “Services”). The Ecosystem currently includes: Theo (hitheo.ai), the AI orchestration engine and API; Theo Arca (hitheo.ai), our HIPAA-grade model platform; OpenCharts (opencharts.com), the AI super-app workspace; Theovibes (theovibes.com), compliant application generation; Theo Law (theolaw.ai), the legal back-office suite; Theomoney (theomoney.ai), insurance money movement and HSAs; Tomorrow Life (tomorrowlife.com), the life-insurance platform; Theo CRM (theocrm.app), the CRM, ERP, and practice-management OS; together with our parent site at theovex.com.
This Policy is a living document, written to cover our current operations across healthcare, insurance, legal, and financial workloads, and to anticipate future capabilities such as autonomous agents, voice and telephony, and connected-device integrations.
BY ACCESSING OR USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS POLICY AND CONSENT TO THE DATA PRACTICES DESCRIBED HEREIN.
Information We Collect
We collect information directly from you, automatically through your use of the Services, and from third parties that you or your organization connect to the Ecosystem.
A. Information You Provide Directly
- Account and Identity Data: name, email address, postal address, phone number, organization and role, and, where required for regulated workflows, professional identifiers such as a National Provider Identifier (NPI) or producer license number.
- Protected Health Information (PHI): where a healthcare customer uses the Services to process clinical data, we may handle records such as intake forms, diagnoses, procedures, medications, lab results, and provider notes on that customer's behalf.
- Insurance and Financial Data: policy and coverage details, claims information, commissions, beneficiaries, and payment or account details processed through Theomoney and related products.
- User Content: prompts, messages, documents, and files you submit to our AI interfaces, and the outputs generated in response.
B. Information Collected Automatically
- Device and Connection Data: IP address, browser type, operating system, device identifiers, and language and time-zone settings.
- Authentication Data: when you sign in with a single sign-on (SSO) provider, we receive basic profile information and authentication tokens.
- Usage Data: the features you use, actions you take, and diagnostic, performance, and security telemetry generated as you use the Services.
C. Information From Third Parties
- Integration Partners: data you direct us to exchange with connected systems such as electronic medical records (EMRs), carrier and ERP systems, billing platforms, and other third-party applications.
- Service Providers and Public Sources: information from vendors that support identity verification, fraud prevention, and compliance, and information available from public or licensed sources.
How We Use Your Information
Service Delivery
- To provide, operate, secure, and improve the Services and your account.
- To orchestrate AI workflows, route requests, run agentic tools, and return results with citations and usage.
- To coordinate healthcare, insurance, legal, and financial workflows you initiate.
AI and Machine Learning
- De-identification first: we do not train general models on raw PHI. Where data is used to improve our models, it passes through the same de-identification controls described in Section V, and protected data is excluded unless de-identified.
- Quality and safety: we use aggregated, de-identified, or anonymized data to evaluate quality, detect abuse, and improve routing, guardrails, and reliability.
Security, Compliance, and Communications
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To meet legal, regulatory, audit, and contractual obligations.
- To send service, security, and administrative messages, and, where permitted, relevant product updates.
Protected Health Information and the Theo Arca Guardrail
When we handle PHI on behalf of a healthcare customer, we act as a Business Associate under HIPAA, and that data is governed by our Business Associate Agreement (BAA) and the customer's own privacy practices.
Compliance in our platform is enforced at the system level by the Theo Arca guardrail. Where the de-identifying path is used, the model never sees raw PHI: protected data is detected and replaced with format-preserving tokens held in an encrypted de-identification vault, and only de-identified text is forwarded downstream.
- Zero-retention default: raw PHI is never persisted to logs, telemetry, or any training corpus; re-identification is scoped, authorized, and recorded.
- Evidence ledger: an append-only, signed record captures each request, model, prompt version, tool calls, output digest, and approvals for audit.
- Pinned boundary: requests that carry PHI are pinned to a compliant serving boundary and never leave it unguarded.
Your Privacy Rights and Choices
A. General Rights
- Access and export the personal data we hold about you.
- Correct inaccurate data or update your account.
- Delete your account and associated data, subject to legal and contractual retention obligations.
B. HIPAA (United States)
If you are a patient whose data is stored in our Services by a healthcare provider, we act as a Business Associate; your data is governed by your provider's Notice of Privacy Practices, and we safeguard PHI in accordance with 45 CFR Parts 160 and 164.
C. California (CCPA / CPRA)
- Right to Know: request the categories and specific pieces of personal information we have collected, and the sources and purposes.
- Right to Delete and Correct: request deletion or correction of your personal information.
- Right to Limit: limit the use of sensitive personal information to what is necessary to provide the Services.
- Non-Discrimination: we will not discriminate against you for exercising these rights.
D. GDPR / UK GDPR (Europe and the UK)
- Controller and Processor: TheoVex is a controller for its own accounts and a processor for data handled on behalf of enterprise customers.
- Legal Bases: we process data based on contract, legal obligation, legitimate interests, and consent.
- Transfers: cross-border transfers rely on appropriate safeguards such as Standard Contractual Clauses.
- Your Rights: you may access, rectify, erase, restrict, port, or object to processing of your data.
Data Retention and Security
A. Retention
We retain personal data only as long as necessary for the purposes described in this Policy and to meet legal, regulatory, accounting, and reporting obligations. Healthcare and insurance records may be subject to longer statutory retention periods set by applicable law.
B. Security
- Encryption: data is encrypted in transit and at rest using industry-standard algorithms.
- Access Control: role-based access, least-privilege provisioning, and tenant isolation.
- Monitoring: logging, auditing, and ongoing vulnerability management and testing.
No method of transmission or storage is perfectly secure; we cannot guarantee absolute security, but we work continuously to protect your information.
Children's Privacy
The Services are intended for businesses and professionals and are not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children except where a healthcare customer processes a minor patient's records under appropriate authority and consent.
Changes to This Policy
We may update this Policy from time to time. Material changes will be reflected by updating the date below and, where appropriate, by additional notice. Your continued use of the Services after an update constitutes acceptance of the revised Policy.
Contact Us
For privacy questions, data-subject requests, or to reach our privacy team, contact us using the details below.
- TheoVex: Privacy and Compliance
- Address: [registered mailing address to be confirmed]
- Email: ariel@theovex.com

