Privacy Policy

Your privacy is important to us. This policy explains how Zelicare collects, uses, stores, and protects your personal and health information.

Last Updated: June 2026

1. Introduction

This Privacy Policy describes how Zeli Health, Inc. ("Zeli Health," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Zelicare remote patient monitoring platform, including our website at zelicare.com, our web application at api.zelicare.com, and our mobile applications for Android and iOS (collectively, the "Service").

This policy applies to all users of the Service, including patients, clinicians, nurses, telesitters, organization administrators, and any other individuals who interact with the Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use the Service.

2. Information We Collect

We collect several categories of information depending on your role and how you interact with the Service.

a) Account and Identity Information

When an account is created for you (by your healthcare organization administrator or by us), we collect your name, email address, phone number, date of birth, and role within the platform (such as patient, doctor, nurse, telesitter, or administrator). We also store your login credentials in encrypted form.

b) Health and Vital Signs Data

If you are a patient, the Service collects health-related data transmitted from connected Bluetooth medical devices, including blood pressure readings (systolic, diastolic, and pulse), blood oxygen saturation (SpO2) and pulse rate, and body weight measurements. These readings are transmitted from your device through the Zeli Care mobile application to our servers over an encrypted connection.

Clinicians may also set personalized clinical ranges for your vital signs and review alerts triggered when readings fall outside those ranges. This data constitutes Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA").

c) Clinical and Care Data

The Service stores clinical notes, patient medical records, medication information, appointment records, and secure messages exchanged between patients and their assigned care team members. Alerts generated when vital signs fall outside defined ranges — including their status, assignment, and resolution history — are also retained.

d) Video Consultation Data

If you participate in a video consultation through the Service, we collect session metadata such as participant identifiers, session start and end times, and call duration. Video consultations are facilitated through a third-party provider. We do not record the audio or video content of consultations unless explicitly disclosed at the time of a session.

e) Device and Technical Information

When you use the mobile application, we may collect:

  • Device type, model, operating system, and version
  • Unique device identifiers
  • Application version
  • Bluetooth device identifiers for paired medical devices

When you use the web application, we collect IP address, browser type, and pages accessed. We use this information for security monitoring, audit logging, troubleshooting, and service improvement.

f) Usage and Audit Data

We maintain detailed audit logs of actions taken within the Service, including logins, logouts, data access events, account changes, and alert activity. These logs are maintained to comply with HIPAA requirements and to ensure the integrity and security of the Service.

g) Contact and Inquiry Information

If you submit a query through our Contact Us page, we collect your name, email address, phone number (optional), organization name (optional), the service you are inquiring about, and the content of your message. This information is used solely to respond to your inquiry and is not combined with health data.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing healthcare services: To enable remote patient monitoring, clinical alerts, vital sign tracking, secure messaging between patients and their care team, video consultations, and care coordination between authorized members of your healthcare organization.
  • Clinical decision support: To evaluate vital sign readings against clinician-defined ranges and system safety thresholds, generate out-of-range alerts, and route those alerts to appropriate care team members.
  • Account administration: To create, manage, and authenticate user accounts; to enforce role-based access controls; and to manage organizational settings such as nurse–patient assignments.
  • Security and compliance: To maintain audit trails required by HIPAA; to detect and prevent unauthorized access, fraud, or security threats; and to enforce account lockout policies after failed login attempts.
  • Service operations: To monitor platform performance, diagnose technical issues, and improve the reliability of the Service.
  • Communication: To respond to inquiries submitted through our Contact Us page, and to send transactional notifications related to your use of the Service.
  • Legal obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We do not use your health data for advertising, marketing, data mining, or any purpose unrelated to providing and improving healthcare services. We do not sell your personal information or health data to any third party.

4. How We Share Your Information

We share your information only in the following limited circumstances:

a) Within Your Healthcare Organization

Your health data is accessible to authorized members of the healthcare organization to which your account belongs, in accordance with role-based access controls. For example, your assigned nurse can view your vital sign readings; doctors within your organization can view patient data for treatment purposes; and organization administrators can manage user accounts and view organizational reports. Access is governed by the principle of minimum necessary disclosure.

b) Service Providers

We use a limited number of third-party service providers to operate the Service. These include our cloud hosting provider (Amazon Web Services) for infrastructure, and a third-party provider for video consultation functionality. These providers process data on our behalf and are contractually obligated to protect your information and to use it only for the purposes we specify.

c) Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Zeli Health, our users, or the public.

d) Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

We do not sell, rent, or trade your personal information or health data. We do not share your information with advertisers or data brokers.

5. Data Security

We implement administrative, technical, and physical safeguards designed to protect your information. These measures include:

  • Encryption of all data transmitted between your device and our servers using TLS (Transport Layer Security)
  • Role-based access controls that restrict data access to authorized personnel based on their role and organizational membership
  • Comprehensive audit logging of all data access, account activity, and security events
  • Automatic session timeout on the mobile application after a period of inactivity
  • Server-side protections including SSH brute-force prevention, automated security patching, daily encrypted database backups, and log rotation
  • Secure credential storage using industry-standard hashing
  • JWT-based authentication with token expiration and refresh mechanisms

While we strive to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we continuously work to improve our safeguards.

6. Data Retention

We retain your personal information and health data for as long as your account is active or as needed to provide the Service. Health data and audit logs are retained in accordance with applicable healthcare record retention requirements.

If your healthcare organization terminates its use of the Service, we will retain data for the minimum period required by applicable law and then securely delete or de-identify it. Contact inquiries submitted through our website are retained for the period necessary to respond to and resolve your inquiry.

7. Your Rights and Choices

Depending on your location and the laws that apply to you, you may have certain rights regarding your personal information.

a) Access and Portability

You have the right to request access to the personal information we hold about you. Patients can view their health readings and out-of-range alerts directly within the Service. For a comprehensive copy of your data, you may submit a request to us using the contact information below.

b) Correction

You have the right to request correction of inaccurate personal information. You can update certain account information directly through the Service, or contact your organization administrator or us for assistance.

c) Deletion

You may request deletion of your personal information, subject to our legal obligations to retain certain records (such as health records and audit logs required by HIPAA or other applicable law). To request deletion, please use the contact information below or the account deletion feature if available in the Service.

d) Restriction and Objection

Where applicable law provides, you may request that we restrict processing of your personal information or object to certain types of processing.

e) Withdrawal of Consent

Where we process your data based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.

To exercise any of these rights, please contact us at privacy@zelicare.com or use the contact information provided in Section 11 below. We will respond to your request within the timeframe required by applicable law.

8. HIPAA Notice

The Service is designed with the Health Insurance Portability and Accountability Act (HIPAA) in mind. As a technology platform provider, we support healthcare organizations in meeting their HIPAA obligations by implementing appropriate administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

Your healthcare organization, as a HIPAA Covered Entity, is responsible for providing you with a Notice of Privacy Practices that describes how your health information may be used and disclosed. This Privacy Policy is supplementary to and does not replace your healthcare organization's Notice of Privacy Practices.

Where required, we enter into Business Associate Agreements with healthcare organizations that use our Service to ensure appropriate protections for PHI.

9. Information for California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include:

  • The right to know what personal information we collect, use, and disclose
  • The right to request deletion of your personal information
  • The right to opt out of the sale or sharing of your personal information — we do not sell or share your personal information as defined under the CCPA
  • The right to correct inaccurate personal information
  • The right to non-discrimination for exercising your privacy rights

Note that the CCPA does not apply to Protected Health Information that is collected by a covered entity or business associate governed by HIPAA. To the extent your information falls outside the HIPAA exemption, the rights above apply.

To exercise your California privacy rights, contact us at privacy@zelicare.com.

10. Information for Users Outside the United States

If you access the Service from outside the United States, please be aware that your information may be transferred to and processed in the United States, where our servers are located. By using the Service, you consent to this transfer.

If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data protection laws, we will take appropriate measures to ensure your personal data receives an adequate level of protection in accordance with applicable law. If the General Data Protection Regulation (GDPR) applies to our processing of your data, the legal bases for processing include the performance of a contract, compliance with legal obligations, and our legitimate interests in operating and securing the Service.

You have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

11. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided us with personal information, please contact us immediately, and we will take steps to delete such information.

Where the Service is used to monitor a minor patient, the minor's parent, legal guardian, or authorized healthcare provider is responsible for consenting to data collection and managing the minor's account.

12. Third-Party Links

Our website and application may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a concern about how your data is handled, please contact us:

Zeli Health, Inc.

Email: privacy@zelicare.com

Website: zelicare.com/contact

We aim to respond to all inquiries within 30 days.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page and, where required by law, provide you with notice through the Service or by email.

We encourage you to review this Privacy Policy periodically.