Amaru Platform

Privacy Policy

Amaru Wellness Inc.

Effective Date: October 2, 2025

Amaru Wellness Inc. ("we," "us," or "our") operates a HIPAA-compliant coaching platform designed to provide wellness coaching services. This Privacy Policy explains how we collect, use, disclose, and protect your personal information, including Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. This policy also serves as our Notice of Privacy Practices under HIPAA.

We are committed to protecting your privacy and ensuring the security of your information. By using our platform, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our services.

This Privacy Policy applies to all users of our platform, including clients, coaches, and visitors. It covers information collected through our website, mobile applications, and any integrated services, such as Google Calendar integration.

Information We Collect

We collect various types of information to provide and improve our coaching services. This includes:

Personal Information

  • Contact and Account Information: Name, email address, phone number, mailing address, date of birth, and account credentials (e.g., username and password).
  • Payment Information: Billing details, such as credit card numbers or bank account information, processed through secure third-party payment processors.
  • Demographic Information: Age, gender, and other details you provide during registration or coaching sessions.

Protected Health Information (PHI)

As a HIPAA-covered entity, we collect PHI to deliver wellness coaching. This may include:

  • Health history, medical conditions, symptoms, treatments, medications, and wellness goals.
  • Coaching notes, session recordings (with consent), progress reports, and any other health-related data shared during interactions.
  • Information from integrated health devices or apps (e.g., fitness trackers), if you choose to connect them.

Usage and Technical Information

  • Device and Log Data: IP address, browser type, device identifiers, operating system, access times, pages viewed, and interactions with our platform.
  • Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to track usage, personalize content, and analyze trends. You can manage cookie preferences through your browser settings.

Information from Third-Party Integrations

  • Google Calendar Data: If you enable Google Calendar integration, we access limited data from your Google account, such as event names, dates, times, descriptions, statuses, and attendee lists. This data is used solely to schedule coaching sessions and reminders. We do not access or store your full email content or other unrelated Google data. Access is granted via OAuth and is limited to the scopes necessary for integration (e.g., calendar.readonly and calendar.events).

We do not collect information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA). Our platform is not directed at children.

How We Collect Information

  • Directly from You: When you register, schedule sessions, participate in coaching, complete forms, or communicate with us.
  • Automatically: Through cookies, logs, and analytics tools as you interact with our platform.
  • From Third Parties: Such as payment processors, health device providers, or Google Calendar (with your authorization).
  • From Coaches or Referrers: If you are referred to our platform, we may receive basic contact or health information.

How We Use Your Information

We use your information to provide, maintain, and improve our services, in compliance with HIPAA and other applicable laws. Specific uses include:

  • Providing Coaching Services: Scheduling sessions, delivering personalized coaching, tracking progress, and communicating with you.
  • Treatment, Payment, and Operations (HIPAA-Specific):
    • Treatment: Sharing PHI with coaches or healthcare providers involved in your care.
    • Payment: Processing payments, billing insurance (if applicable), and managing accounts.
    • Health Care Operations: Quality assessments, training staff, auditing, and business management.
  • Communications: Sending appointment reminders, newsletters, or updates about our services (you may opt out of marketing communications).
  • Analytics and Improvements: Analyzing usage to enhance platform features and user experience.
  • Legal Compliance: Responding to subpoenas, court orders, or regulatory requirements.
  • Security: Detecting and preventing fraud, abuse, or security threats.

We use Google Calendar data only to facilitate scheduling and reminders within our platform. This data is not used for advertising, retargeting, or any purpose other than providing the integration's core functionality.

We limit data use to what is necessary (Minimum Necessary standard under HIPAA) and de-identify information where possible for analytics.

Sharing and Disclosure of Information

We do not sell your information. Disclosures are limited and compliant with HIPAA and Google's API Services User Data Policy:

  • With Your Consent: We share PHI or other data when you authorize it, such as with a family member or another provider.
  • Business Associates: We share with HIPAA-compliant vendors (e.g., cloud storage providers, payment processors) under Business Associate Agreements (BAAs) that require them to protect your information.
  • For Treatment, Payment, and Operations: As described above, without additional authorization.
  • Public Health and Legal Requirements: To report diseases, abuse, or as required by law (e.g., to health oversight agencies, law enforcement).
  • De-Identified Data: Aggregated, anonymized data for research or marketing, ensuring it cannot identify you.
  • Google API Data: Google Calendar data is not transferred to third parties except as necessary for our services (e.g., secure storage providers under BAAs). We do not sell it, share it for advertising, or use it for credit determinations. Human access is limited to security or compliance purposes, or occurs only with your explicit consent.

Other disclosures require your written authorization, which you may revoke at any time. We will notify you of any unauthorized disclosures or breaches as required by HIPAA.

Data Security

We implement administrative, physical, and technical safeguards to protect your information, in compliance with the HIPAA Security Rule:

  • Encryption of data in transit and at rest.
  • Access controls, including role-based permissions and multi-factor authentication.
  • Regular security audits, vulnerability scans, and employee training.
  • Secure servers and compliance with industry standards (e.g., SOC 2, if applicable).

For Google Calendar data, we adhere to Google's security requirements, including limited scopes and secure handling. However, no system is infallible; we cannot guarantee absolute security.

Your Rights Regarding Your Information

Under HIPAA and other laws, you have rights over your PHI:

  • Access: Request a copy of your PHI (fees may apply for copies).
  • Amendment: Request corrections to inaccurate or incomplete PHI.
  • Accounting: Receive a list of certain disclosures made in the past six years.
  • Restrictions: Request limits on uses or disclosures (we may not always be able to accommodate such requests, e.g., for treatment).
  • Confidential Communications: Request alternative communication methods (e.g., email instead of phone).
  • Opt-Out: Opt out of certain disclosures, such as for fundraising.
  • Deletion: Request deletion of personal information, subject to legal retention requirements (note: PHI may be retained for compliance).

To exercise these rights, contact our Privacy Officer (details below). We will respond within 30 days (extendable by 30 days). You will not be retaliated against for exercising your rights.

For Google data, you can revoke access via your Google account settings at any time.

International Data Transfers

If you are outside the U.S., note that our servers are in the U.S. We comply with applicable laws for cross-border transfers, including HIPAA.

Children's Privacy

Our platform is not intended for children under 13. If we learn we have collected data from a child under 13 without consent, we will delete it.

Google API Services Disclosure

Amaru Wellness Inc. uses Google API Services, including Google Calendar API, to enable calendar integration. Our use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including Limited Use requirements. Specifically:

  • We access only the minimum data necessary (e.g., event details for scheduling).
  • Data is used solely to provide and improve user-facing features, such as session booking.
  • We do not use data for advertising, retargeting, or unrelated purposes.
  • Data transfers occur only for security or compliance purposes, or with your consent.
  • Human agents do not read data unless necessary for security, legal reasons, or with your agreement.

This complies with Google's policies for Sensitive and Restricted Scopes.

Changes to This Privacy Policy

We may update this policy to reflect changes in our practices or legal requirements. We will post the revised policy on our website with the new effective date and notify you via email or in-app notice for material changes. Continued use constitutes acceptance.

Contact Us

For questions, complaints, or to exercise your rights, contact our Privacy Officer:

Simon Szalai, CTO, Amaru Wellness Inc.

Email: privacy@amaruplatform.com

Phone: 1-416-988-0178

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at:

200 Independence Avenue, S.W.

Washington, D.C. 20201

Phone: 1-877-696-6775

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

We will not retaliate against you for filing a complaint.

This Privacy Policy is comprehensive and accurate as of the effective date. For full legal compliance, we recommend consulting with legal counsel tailored to your specific circumstances.