HealthFlow Privacy Policy | EVBOhealth
EVBOhealth HealthFlow Patient Portal

Privacy Policy

This policy explains how Evidence Based Outcomes LLC collects, uses, shares, retains, and protects information when you use HealthFlow and related remote patient monitoring services.

Last Updated: March 12, 2026

HIPAA-aware health data safeguards

Contact: info@evbohealth.com

Important: HealthFlow is an informational and remote monitoring support tool. It does not provide medical advice, diagnosis, or treatment. For medical questions, contact a qualified healthcare professional. In an emergency, call 911 or your local emergency number.

1. Overview

This Privacy Policy explains how Evidence Based Outcomes LLC (“we”, “us”, or “our”) collects, uses, discloses, and protects information when you use HealthFlow, including the HealthFlow Patient Portal, mobile app, connected device features, monitoring tools, alerts, and related services, collectively referred to as the “Service.”

By using HealthFlow, you agree to this Privacy Policy. If you do not agree, do not use the Service.

Eligibility and age

You must be at least 18 years old to use the Service, or you must use the Service under the supervision and with the consent of a parent or legal guardian. We do not knowingly collect personal information from children without appropriate authorization.

2. Information We Collect

Account and profile information

When you create an account, we may collect information such as your name, email address, phone number, date of birth, timezone, profile details, and emergency contact details including name, phone number, and relationship.

Health and device data

If you connect health devices or manually enter health readings, we may collect health-related information that you provide or that connected devices transmit. This may include vital signs, measurements, timestamps, device identifiers, firmware and app versions, battery or signal metrics, sync events, and related logs.

Usage and technical data

We may collect technical information such as IP address, device type, browser, operating system, pages or screens viewed, feature usage, diagnostics, crash reports, and system logs to operate, secure, troubleshoot, and improve the Service.

Communications

If you contact us by email, support form, phone, or another communication channel, we may collect the contents of your message and related contact information so we can respond and maintain support records.

3. How We Use Information

We use information to provide, maintain, secure, support, and improve HealthFlow. This includes using information to:

  • Create, authenticate, and manage your account.
  • Display your health data and provide tracking, monitoring, alerting, and reporting features.
  • Connect supported health devices and synchronize readings.
  • Send notifications you request or consent to, including email, SMS, medication reminders, task reminders, and service-related messages.
  • Improve performance, reliability, user experience, and accessibility.
  • Detect, prevent, investigate, and address fraud, misuse, security incidents, or technical issues.
  • Comply with legal obligations, respond to lawful requests, and enforce our Terms.

4. No Medical Advice & Device Data Accuracy

HealthFlow is an informational and support tool only. The Service is not intended to provide medical advice, diagnosis, or treatment, and it should not be used to make medical decisions.

Always seek the advice of a qualified healthcare professional with questions regarding a medical condition. In an emergency, call 911 or your local emergency number.

Wearables and home medical devices can produce inaccurate, incomplete, delayed, or missing readings. HealthFlow does not guarantee the accuracy of device data, calculations, alerts, trends, or insights. Clinically significant readings should be confirmed with appropriate medical evaluation and/or approved clinical devices.

5. How We Share Information

Service providers

We use third-party providers to operate the Service, such as Firebase/Google Cloud services, device vendors and integration partners, email and SMS delivery providers, hosting providers, analytics tools, and support systems. These providers may process information on our behalf to provide hosting, authentication, data storage, messaging, analytics, support, and related operational functions.

We are not responsible for third-party outages or actions outside our control. However, we generally require service providers to handle data in a manner consistent with this Privacy Policy and to use it only for providing services to us.

Legal and safety reasons

We may disclose information if required by law, subpoena, court order, regulatory request, or if we believe disclosure is necessary to protect the rights, property, or safety of users, our company, providers, caregivers, or others.

Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, information may be transferred as part of that transaction, subject to applicable law.

With your direction or consent

We may share information when you request it, authorize it, or provide consent. For example, if HealthFlow offers provider, caregiver, emergency contact, or care team sharing features, we may share information with those parties at your direction or as configured in your account.

6. HIPAA & Protected Health Information

HealthFlow is designed to support HIPAA-aligned safeguards when handling Protected Health Information, also called PHI, in contexts where HIPAA applies. We take health data privacy seriously and implement administrative, technical, and physical safeguards intended to protect sensitive information.

What is PHI?

Protected Health Information includes individually identifiable health information such as medical history, health conditions, vital signs, medications, lab results, device readings, and other information that relates to your past, present, or future health or healthcare.

Administrative safeguards

  • Workforce training on privacy, security, and HIPAA compliance.
  • Designated privacy and security responsibilities.
  • Risk assessments, security reviews, and documented policies.
  • Business Associate Agreements with vendors who access PHI where required.
  • Incident response and breach notification procedures.

Technical safeguards

  • Encryption of data in transit using TLS/SSL and encryption of stored data where supported.
  • Unique user identification and authentication.
  • Session timeout and access controls.
  • Password and credential protections.
  • Audit controls, activity logging, and role-based access controls.

Physical safeguards

  • Use of cloud infrastructure with physical data center security controls.
  • Facility access controls at data center locations.
  • Workstation, device, and operational security policies.

Your HIPAA-related rights

Where HIPAA applies, you may have the right to access and obtain a copy of your health information, request corrections, request restrictions on certain uses and disclosures, receive an accounting of disclosures, request confidential communications, and file a complaint if you believe your privacy rights have been violated.

Minimum necessary standard

We apply the minimum necessary standard where applicable, meaning access to PHI is limited to the information needed for a specific purpose. Staff, providers, and authorized users should only access the patient data necessary for their role.

Business Associate relationships

When HealthFlow is used by healthcare providers, clinics, or organizations, we may act as a Business Associate under HIPAA. In those cases, we enter into Business Associate Agreements that define our obligations for protecting PHI.

7. Breach Notification

In the unlikely event of a data breach involving PHI, we will notify affected individuals and relevant authorities as required by HIPAA and applicable state laws. Notification will occur without unreasonable delay and no later than 60 days after discovery of a breach where HIPAA notification requirements apply.

Breach notifications may include a description of what happened, the types of information involved, steps you can take to protect yourself, what we are doing to investigate and mitigate harm, and contact information for questions.

8. Data Retention, Account Closure & Deletion

We retain information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, maintain security and audit records, and support legitimate operational needs. Retention periods may vary depending on data type and context.

Protected Health Information retention

In accordance with our health technology operations and applicable obligations, we retain Protected Health Information for a minimum of six months following account closure or deletion. This applies to independent patients and provider-managed patients. During this retention period, data is maintained with the safeguards described in this policy.

30-day restoration window

If you delete your account, you may restore it within 30 days by logging back in with your existing credentials. Upon restoration, your account and associated health data may be reinstated. After the 30-day restoration window, your account remains deactivated and data is retained according to the applicable retention schedule before permanent purging.

Data export

Before deleting your account, you may request a copy of your health data. During the 30-day restoration window, you may also log in to download available data. To request a data export after the restoration window has closed, contact us at info@evbohealth.com.

Permanent deletion

After the applicable retention period, PHI and personally identifiable information associated with your account will be permanently deleted from active systems where reasonably feasible. Backups, security logs, anonymized audit records, and aggregated data that cannot reasonably be linked to an individual may be retained as required or permitted by law.

9. Your Choices

  • Access and updates: You may be able to update certain profile details within the Service.
  • Device connections: You can disconnect supported devices, which may stop future data syncing.
  • Communications: You can opt out of certain non-essential messages where applicable. Service, security, account, and legal messages may still be sent.
  • Account closure: You may request account closure or deletion according to the retention and restoration process described above.

10. SMS/Text Message Communications

By providing your phone number and consenting to SMS communications during registration or account setup, you agree to receive text messages from HealthFlow related to your health monitoring and Service use.

Types of SMS messages

  • Health alerts about abnormal vital signs or readings that may require attention.
  • Vital sign notifications, including daily or periodic summaries.
  • Medication reminders.
  • Task reminders for scheduled health-related tasks.
  • Emergency contact alerts where configured and supported.

Message frequency and carrier charges

Message frequency varies based on your health data, device readings, configured alerts, and notification preferences. You may receive multiple messages per day if abnormal readings are detected, or no messages on days when your data is within normal ranges. Message and data rates may apply depending on your mobile carrier plan. HealthFlow does not charge for SMS messages, but your carrier may charge standard messaging rates.

How to opt out

You can stop receiving SMS messages at any time by replying STOP to any message from HealthFlow, updating your notification preferences in your account settings where available, or contacting us at info@evbohealth.com.

Important: Opting out of SMS messages may prevent you from receiving critical health alerts by text. Make sure you have another way to monitor your health data and receive important notifications.

Help and SMS provider

For help with SMS messages, reply HELP to any message or contact us at info@evbohealth.com. We use Twilio, a third-party telecommunications provider, to deliver SMS messages. Twilio may process your phone number and message content to deliver notifications. Where required, we maintain appropriate agreements and safeguards for SMS-related data processing.

Consent records

We maintain records of your SMS consent, including the date and time you provided consent and the version of the consent language you agreed to. This information is retained for compliance and audit purposes.

11. International Data Transfers

If you access the Service from outside the United States, your information may be processed and stored in the United States or other locations where our service providers operate. By using the Service, you consent to such transfers, subject to applicable law.

12. Security

We use reasonable administrative, technical, and physical safeguards designed to protect information. These safeguards may include encryption, access controls, audit logging, monitoring, workforce policies, vendor review, and incident response procedures.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we work to protect information using safeguards appropriate to the sensitivity of the data and the nature of the Service.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will update the “Last Updated” date at the top of the policy. If changes are material, we may provide additional notice, such as an in-app notice, website notice, or email, where appropriate.

14. Contact

If you have questions about this Privacy Policy, your data, account access, SMS preferences, or data deletion, contact us at:

Evidence Based Outcomes LLC

Email: info@evbohealth.com

For urgent medical situations, do not use email or the app. Call 911 or your local emergency number.