Privacy Policy
This Privacy Policy explains how Glia Health ("Glia," "we," "us," "our") collects, uses, and shares information in connection with (a) the glia.health marketing website and (b) the Glia practice-management platform ("the Platform"). It applies to visitors of our website, healthcare providers and their staff who use the Platform, and patients whose information is processed on the Platform.
Patient protected health information (PHI) handled through the Platform is governed by the Business Associate Agreement (BAA) we sign with each healthcare organization. Where this Policy conflicts with that BAA, the BAA controls for PHI.
Information we collect
On the marketing website
- Contact requests. Your name, email, and any message you send us when you email hello@glia.health or submit a contact form.
- Basic server logs. IP address, user agent, and the pages you visited, kept for a limited period for security and debugging.
On the Platform (for healthcare organizations)
- Account information. Organization name, admin user name and email, billing details.
- Staff information. Names, email addresses, roles, and sign-in credentials of the staff you invite.
- Patient information you enter. Demographics, contact details, appointment history, clinical notes, messages, and any other data you record in the course of providing care. This is PHI and is governed by your BAA with us.
- Usage and audit data. Which users accessed which records, from what IP address and device, for security and HIPAA audit-log purposes.
On the Platform (for patients)
- Account information. The information your provider enters about you, and information you add yourself, such as contact details, date of birth, and family members you manage.
- Messages and appointments. The content of your messages with your care team and the appointments you schedule.
- Payment information. Handled by Stripe (see "How we share information" below); we don't store your card number.
How we use information
- To provide, maintain, and improve the Platform and website.
- To authenticate you and enforce access controls.
- To produce audit logs required under HIPAA.
- To communicate with you about your account, service changes, or security issues.
- To detect, prevent, and respond to fraud or abuse.
- To comply with legal obligations.
We do not use PHI for marketing, advertising, or model training. We do not sell personal information.
How we share information
We share information only with the parties needed to run the Platform, and only what is necessary:
- Your healthcare organization. As a patient, your record is shared with the staff your provider has authorized, subject to role-based access controls.
- Stripe. For patient-billing payment processing through your provider's own Stripe account. Stripe handles card data directly; we don't store it.
- Our infrastructure provider. The managed hosting that runs our servers and database.
- Legal authorities. When we're required to by law, subpoena, or court order, and only to the extent required.
We do not share PHI with advertisers, data brokers, analytics vendors, or AI training providers.
How long we keep information
For healthcare organizations, we retain Platform data for as long as your account is active and for a period afterward as required by your BAA, your state's medical-records retention laws, and our backup policies. When you close your account we'll work with you on a final data export and deletion timeline.
Website contact-form submissions and server logs are retained for a limited period.
Your rights
Depending on where you live, you may have rights to access, correct, port, or delete information we hold about you. To exercise those rights:
- If you're a patient: contact your healthcare provider, who controls your record. We'll assist them in responding.
- If you're a staff or admin user: contact privacy@glia.health.
We'll respond to verified requests within the timeframes required by applicable law.
Security
We use industry-standard controls to protect personal information, including AES-256 application-level encryption of PHI fields, bcrypt password hashing, role-based access control, audit logging, and optional TOTP two-factor authentication. Details are on our Security page. No system is perfectly secure, but we take this seriously and respond quickly when it matters.
Children
The Platform is used by healthcare providers to care for patients of any age, including minors, through family-account relationships managed by a parent or legal guardian. We do not knowingly collect personal information directly from children outside of this context.
International users
Glia's services are currently provided to practices operating in the United States. If you access the Platform from outside the US, be aware that your information may be processed in the US under US laws.
Changes to this policy
We may update this Policy from time to time. When we do, we'll update the "Last updated" date above and, for material changes, give advance notice through the Platform or by email.
Contact us
Questions about this Policy, a privacy request, or a data-handling concern: privacy@glia.health. General questions: hello@glia.health.