
Privacy Policy
Last Updated: December 31, 2025
1. Introduction
Concorde Health ("Concorde," "we," "us," or "our") provides a behavior-driven platform designed to help members build sustainable habits and access employer-sponsored therapeutics responsibly. We are committed to protecting your privacy and handling your data with transparency and care.
This Privacy Policy explains how we collect, use, and share information when you use the Concorde mobile application, web platform, coaching services, and the ConcordeRx eligibility system (collectively, the "Services").
Important Note on Medical Information
Concorde is a behavioral support and coaching platform. We are not a healthcare provider or a medical insurance carrier. While we adhere to strict security standards, we are not a "Covered Entity" under the Health Insurance Portability and Accountability Act (HIPAA). We do not collect or process medical claims, diagnosis codes, or prescription histories from your medical providers.
2. Information We Collect
We collect information to power our behavioral coaching platform and to determine your eligibility for employer-sponsored benefits.
A. Information You Provide to Us
- Account Information: Name, email address, phone number, and employer affiliation.
- Health Pillar Diagnostic: Information you provide during onboarding regarding your sleep, diet, exercise, stress levels, and general awareness.
- Habit & Goal Data: Daily check-ins, habit tracking logs (e.g., "walked 20 mins," "drank water"), and self-reported progress toward behavioral goals.
- Coaching Transcripts: Audio, video, and text records of your sessions with Concorde coaches. We use these to generate guided transcripts and a behavioral profile to personalize your care.
- Verified Weigh-Ins: Weight data logged via employer-provided scales or self-reported methods verified by your coach. This is used to track habit adherence and program progress.
B. Information We Collect Automatically
- Usage Data: App telemetry, login frequency, engagement patterns, and interaction logs.
- Device Information: IP address, browser type, and mobile device identifiers.
- Authentication Data: When you sign in with Google, we receive your email address and basic profile information from Google.
C. Information We Do Not Collect
To protect your privacy and maintain a clear separation from clinical care, we explicitly do not collect:
- Medical records from your doctor
- Insurance claims data or diagnosis codes (ICD-10)
- Pharmacy prescription history (other than confirmation of eligibility for the ConcordeRx program)
3. How We Use Your Information
We use your data to support behavior change and manage program eligibility. Specifically, we use it to:
- Provide Coaching: Enable your dedicated health coach to review your progress, assign habits, and personalize your roadmap.
- Determine Benefit Eligibility (ConcordeRx): Analyze your attendance, habit completion, and weigh-in consistency to determine if you meet your employer's criteria for medication subsidies.
- Facilitate Payments: Transmit eligibility status to our payment partners to activate or manage your ConcordeRx benefits.
- Improve Our Services: Use aggregated data to improve our platform and coaching effectiveness.
- Communication: Send you reminders, notifications, and scheduling updates.
4. How We Share Your Information
We do not sell your personal data. We share data only as necessary to operate the Services.
A. With Your Employer
- Eligibility Status: We share whether you have met the behavioral requirements (e.g., "Compliant" or "Non-Compliant") to authorize funding for your medication.
- Aggregated Insights: We provide employers with de-identified, cohort-level data (e.g., "80% of the group improved sleep," "90% adherence rate"). We do not share your raw coaching transcripts with your employer.
B. With Payment & Pharmacy Partners (ConcordeRx)
- We share a limited eligibility signal with our payment partners to facilitate the funding of your medication benefits.
- We do not share your behavioral logs, transcripts, or weight data with drug manufacturers or pharmacies.
C. With Service Providers
We use trusted third-party vendors for hosting (Vercel), database management (Supabase), video conferencing (Google Meet), and scheduling. These vendors are contractually obligated to protect your data.
5. Data Security
Although Concorde is not a HIPAA-Covered Entity, we implement enterprise-grade security measures, including:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Control: We use strict Row-Level Security (RLS) and Role-Based Access Control (RBAC). Coaches can only access the data of members explicitly assigned to them.
- Authentication: We use secure authentication via Google OAuth with PKCE (Proof Key for Code Exchange) and email-based verification.
- Session Security: We use short-lived access tokens with automatic refresh rotation.
6. Your Rights & Choices
Depending on your location, you may have rights regarding your data, including:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may update your habits or personal details directly in the app or by asking your coach.
- Deletion: You may request that we delete your account. Note that deletion will immediately terminate your eligibility for the ConcordeRx subsidy program.
7. Data Retention
We retain your habit logs and coaching records to build a longitudinal view of your progress. This allows us to support you across different therapeutic journeys without restarting your progress. If you leave the program, we will retain or delete data in accordance with our data retention policy and applicable laws.
8. Changes to This Policy
We may update this policy as our platform evolves. We will notify you of material changes via the app or email.
9. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Concorde Health, Inc.
Email: support@myconcordehealth.com
Address: 8 The Green STE A, Dover, DE 19901