Privacy Policy
1. Overview
Innobot Health (“Innobot,” “we,” “our,” or “us”) is a U.S.-based healthcare-automation company that “puts existing workflows on autopilot.” We design low-code, AI-driven robotic-process-automation (RPA) and revenue-cycle solutions that help hospitals, physician groups, and payers reduce cost and administrative burden. This Privacy Policy governs all personal data processed through:
innobothealth.com and any sub-domain (the “Site”);
demo tenants, APIs, and mobile apps (collectively, the “Services”); and
offline interactions such as events, webinars, sales calls, and recruiting.
The Site is informational only; we do not collect or process payment card data or conduct e-commerce on the public website.
When Innobot acts as a Business Associate under the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), the governing Business Associate Agreement (BAA) prevails for Protected Health Information (“PHI”).
2. Key Definitions
| Term | Meaning |
|---|---|
| Personal Data / Personal Information | Any information relating to an identified or identifiable natural person (GDPR Art 4(1), Cal. Civ. Code §1798.140). |
| Sensitive Personal Data | Special-category data (GDPR Art 9), “Sensitive Personal Information” (CPRA), PHI (HIPAA 45 C.F.R. §160.103), biometric templates, precise geolocation, etc. |
| Processing | Any operation performed on Personal Data (collection, storage, analysis, transfer, deletion, etc.). |
| Applicable Data-Protection Laws (“ADPLs”) | EU GDPR (Regulation (EU) 2016/679), UK GDPR and Data Protection Act 2018, California CCPA/CPRA, HIPAA (the HIPAA Privacy, Security, and Breach Notification Rules), India Digital Personal Data Protection Act 2023 (DPDPA), and any other law that applies to us. |
3. Data We Collect
| Category | Typical Examples | Why We Collect It |
|---|---|---|
| Identity & Contact | Name, business e-mail, phone, employer, job title | Demo scheduling, newsletters, support queries, recruiting |
| Device & Usage | IP address, browser type, OS, referring URLs, pages visited, clickstream, crash logs | Site security, analytics, product improvement |
| Marketing Preferences | Opt-in status, webinar attendance, survey responses | Send thought-leadership, event invites, satisfaction polls |
| Customer-Supplied Content | Files or data uploaded to a secure demo tenant (may include PHI) | Proof-of-concept evaluation, model training (if contract permits) |
No Payment Data: We never request or store credit-card numbers, bank-account details, or ACH information on the public Site.
4. How We Collect Data
Directly from you – web forms, chat widgets, event sign-ups, résumé submissions.
Automatically – server logs, first-party cookies, telemetry SDKs.
Third-party sources – authorized resellers, conference attendee lists, public professional profiles (e.g., LinkedIn).
5. Why & How We Use Data
| Purpose | GDPR Basis | CPRA Category | HIPAA Basis (if PHI) |
|---|---|---|---|
| Provide & improve the Services | Art 6(1)(b) Contract + Art 6(1)(f) Legit. Interest | “Identifiers”, “Internet Activity” | §164.506(a) (TPO) |
| Demo scheduling & customer support | Art 6(1)(b) Contract | “Identifiers” | §164.506(c) |
| Product R&D / AI model training (de-identified) | Art 6(1)(f) | “Inference Data” (aggregated) | De-identification §164.514(b) |
| Marketing communications (opt-in only) | Art 6(1)(a) Consent | “Commercial Info” | N/A |
| Security, fraud, compliance | Art 6(1)(c) Legal Obligation | “Internet Activity” | §164.308(a) Safeguards |
Automated decision-making is limited to processing that produces no legal or similarly significant effect on you (e.g., spam filtering, dynamic UI). Human review is available on request.
6. Tracking Technologies
| Type | Examples | Control |
|---|---|---|
| Strictly Necessary | Session cookies, load-balancer tokens | Required to deliver the Site |
| Analytics | First-party telemetry; Google Analytics 4 with IP anonymization | Opt-out via browser add-on or disable cookies |
| Advertising (B2B only) | LinkedIn Insight Tag | Prior consent for EU/UK; opt-out via AdChoices |
We honor Global Privacy Control (GPC) signals and Do Not Track where technically feasible.
7. Data Sharing & Disclosure
| Recipient | Purpose | Safeguard |
|---|---|---|
| Cloud infrastructure & observability (ISO 27001 / SOC 2 providers) | Hosting, logging, performance monitoring | Data-Processing Addendums; encryption |
| Customer-relationship tools | CRM, marketing automation, ticketing | DPAs; role-based access |
| Professional advisors | Legal, accounting, audits | Confidentiality undertakings |
| Regulators & law enforcement | Compliance with subpoenas, court orders | Logged & narrowly scoped |
| Corporate successors | Merger, acquisition, restructure | Notice + continued protection |
We never “sell” or “share” Personal Data as those terms are defined by the CPRA.
8. International Transfers
EEA/UK → USA — Standard Contractual Clauses (SCC 2021/914) + supplementary safeguards (encryption, zero-trust).
Other regions — Adequacy decisions, Binding Corporate Rules, or lawful derogations under GDPR Art 49.
9. Security Measures
TLS 1.3 with HSTS; AES-256 encryption at rest; field-level encryption for PHI.
Zero-trust network segmentation, least-privilege IAM, mandatory MFA.
24 × 7 × 365 Security Operations Centre with SIEM, IDS/IPS, and EDR.
Annual SOC 2 Type II and ISO 27001 audits; HIPAA risk assessment refreshed yearly.
10. Retention & Disposal
| Data Set | Typical Retention | Disposal |
|---|---|---|
| Web & API logs | 24 months | Cryptographic wipe |
| Marketing contact records | Until opt-out + 24 months | Anonymization |
| Contracts & legal docs | 7 years | Secure shred / purge |
| PHI in demo tenant | As defined in BAA (usually ≤ 30 days post-demo) | NIST SP 800-88 media purge |
11. Your Privacy Rights
| Region | Rights Summary | How to Exercise |
|---|---|---|
| EU/UK GDPR | Access, rectification, erasure, restriction, portability, objection, withdraw consent | E-mail info@innobothealth.com; we respond within 30 days |
| California CPRA | Know, delete, correct, opt-out of sale/share, limit sensitive PI, non-discrimination | Web form or toll-free 888-341-1009 |
| India DPDPA | Access, correction, erasure, grievance redress, consent withdrawal | Contact Data Protection Officer |
| HIPAA | Inspect and obtain a copy of PHI, request amendment, accounting of disclosures, request restrictions, confidential communications | Submit HIPAA Request Form |
Identity verification is required; we maintain request logs for audit.
12. Children’s Privacy
The Services are not directed to children under 13 (COPPA) and we do not knowingly collect data from minors. Parents may request deletion via Section 11.
13. Changes to This Policy
We post updates here and provide 15 days’ advance notice (banner or e-mail) for material changes. Continued use after the effective date constitutes acceptance.
14. Contact
- Data Protection Officer (Global) info@innobothealth.com
- HIPAA Privacy Officer info@innobothealth.com
- Toll-Free +1 (888) 341-1009