Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 1, 2026

Pneuma Health, LLC (“Pneuma Health,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our telehealth platform, website, and services (the “Platform”).

We comply with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and applicable state privacy laws, including the Colorado Privacy Act.

1. Information We Collect

a. Personal Information

When you register for an account or use our services, we collect:

  • Full name, date of birth, email address, phone number
  • Mailing address (for device shipping)
  • Account credentials (password, MFA settings)

b. Protected Health Information (PHI)

In the course of providing telehealth services, we collect:

  • Health screening responses (STOP-BANG, Epworth Sleepiness Scale)
  • Medical history, comorbidities, and current medications
  • Home sleep apnea test (HSAT) results (AHI, ODI, SpO2, sleep staging data)
  • Physician notes, diagnoses, and treatment plans
  • Prescription information and DME fulfillment records
  • Insurance information (if applicable)

c. Technical & Usage Information

  • Device type, browser, operating system, and IP address
  • Pages visited, features used, and interaction patterns
  • Cookies and similar tracking technologies (see Section 7)

d. Payment Information

Payment card details are collected and processed directly by our payment processor, Stripe. Pneuma Health does not store your full credit card number on our servers.

2. How We Use Your Information

We use your information to:

  • Provide and coordinate your telehealth care, including HSAT ordering and prescription fulfillment
  • Communicate with you about your care (appointment reminders, test results, treatment updates)
  • Verify your identity and secure your account
  • Process payments and manage billing
  • Improve the Platform’s functionality and user experience
  • Comply with legal and regulatory requirements
  • Conduct internal quality assurance and clinical audits

3. How We Share Your Information

We do not sell your personal information or PHI. We may share your information only in the following circumstances:

a. For Treatment, Payment, and Healthcare Operations

  • Treating Physicians: Licensed physicians reviewing your screening results, HSAT data, and medical history to make clinical decisions.
  • DME Partners: Contracted durable medical equipment providers (e.g., for CPAP/APAP fulfillment) receive only the information necessary to process your prescription and ship your device.
  • HSAT Device Manufacturer: Itamar Medical receives limited information necessary to facilitate your home sleep test.

b. Service Providers

  • Stripe: Payment processing
  • SendGrid: Transactional email delivery
  • Twilio: SMS-based multi-factor authentication
  • Vercel Analytics: Anonymous usage analytics (no PHI)

All service providers are bound by data processing agreements and, where applicable, Business Associate Agreements (BAAs) as required under HIPAA.

c. Legal Requirements

We may disclose information when required by law, regulation, legal process, or governmental request, or when necessary to protect the rights, safety, or property of Pneuma Health, our users, or the public.

4. Data Security

We implement robust technical and administrative safeguards to protect your information:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
  • Encryption at rest: Sensitive PHI fields (phone number, date of birth, address) are encrypted using AES-256-GCM before storage.
  • Access controls: Role-based access ensures that only authorized personnel can access patient data.
  • Multi-factor authentication: Required for all patient accounts.
  • Audit logging: All access to PHI is logged for security monitoring and compliance.
  • Secure infrastructure: Our servers are hosted on SOC 2-compliant cloud infrastructure.

5. Your Rights

Under HIPAA and applicable state law, you have the right to:

  • Access: Request a copy of your health records and personal data.
  • Amendment: Request correction of inaccurate health information.
  • Accounting of Disclosures: Request a list of certain disclosures of your PHI.
  • Restriction: Request restrictions on certain uses or disclosures of your PHI.
  • Confidential Communications: Request that we communicate with you through specific channels.
  • Data Portability: Receive your data in a structured, commonly used format.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.

To exercise any of these rights, contact us at privacy@pneumasleep.com. We will respond within 30 days.

6. Data Retention

We retain your personal information and medical records for the minimum period required by applicable law. In Colorado, medical records must be retained for a minimum of seven (7) years from the date of last treatment. After the retention period, data is securely deleted or de-identified.

7. Cookies & Tracking

We use the following types of cookies and tracking technologies:

  • Essential cookies: Required for authentication, session management, and security (e.g., JWT tokens).
  • Analytics cookies: Vercel Analytics collects anonymous usage data to help us improve the Platform. No PHI is included.
  • Affiliate tracking: If you arrive via a referral link, a cookie may be set to attribute your registration to the referring partner. No health information is shared with affiliate partners.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Platform.

8. Children’s Privacy

The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

9. State-Specific Rights

Colorado Privacy Act

Colorado residents have additional rights under the Colorado Privacy Act (CPA), including the right to opt out of targeted advertising, profiling, and the sale of personal data. Pneuma Health does not sell personal data or engage in targeted advertising based on health information.

California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. Note that HIPAA-covered health information is exempt from CCPA. For non-health data inquiries, contact us at the address below.

10. Changes to This Policy

We may update this Privacy Policy periodically. If we make material changes, we will notify you by email or through a prominent notice on the Platform. Your continued use after notification constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, contact us at:

Pneuma Health, LLC
Privacy Officer
Email: privacy@pneumasleep.com
General: support@pneumasleep.com

12. HIPAA Notice

This Privacy Policy supplements, but does not replace, our Notice of Privacy Practices (NPP) as required under HIPAA. The NPP describes in detail how your medical information may be used and disclosed. You will receive the NPP during the onboarding process.