Last Updated: June 3, 2026
Version: 2.0
1. Overview and Scope
RhythmX AI (“RhythmX,” “we,” “our,” or “us”) provides clinical decision support software to healthcare organizations and their clinicians. This Privacy Policy explains how we collect, use, disclose, and protect information across three contexts:
- Our public websites, marketing channels, events, and other direct interactions with you
- Protected Health Information (PHI) that we process on behalf of healthcare organization customers, where we operate as a Business Associate under HIPAA
- Our application and AI functionality made available through partner platforms and marketplaces
Different parts of this Policy apply depending on how you interact with us. Section 2 explains how this Policy fits together with our customer agreements and with HIPAA.
This Policy applies to the RhythmX AI website and marketing interactions, as well as the RhythmX AI product family, including offerings made available through partner marketplaces and platforms.
2. How This Policy Relates to Customer Agreements and HIPAA
RhythmX AI serves healthcare organizations, including health systems, hospitals, and clinics. When we provide our application to clinicians and patients through a healthcare organization customer, we generally operate as a Business Associate of that customer under the Health Insurance Portability and Accountability Act (HIPAA).
In that role:
- The healthcare organization is the Covered Entity and the controller of patient PHI
- A Business Associate Agreement (BAA) between RhythmX AI and the customer governs how we handle PHI, including permitted uses and disclosures, safeguards, breach notification, and termination
- The customer’s HIPAA Notice of Privacy Practices governs the privacy rights of patients whose PHI we process on the customer’s behalf
This Policy does not replace or modify the BAA or the customer’s Notice of Privacy Practices. To the extent any term of this Policy conflicts with the BAA in connection with PHI, the BAA controls.
This Policy applies in full to visitors to our public websites, to people who contact us, attend our events, or apply for employment with us, and to information we collect through our marketing and direct interactions, whether online or offline. The PHI-specific commitments in Section 4 supplement, and do not replace, the BAA.
3. Information We Collect
3.1 Information You Provide Directly
We collect information you give us when you:
- Register or request information. Name, email, organization, phone number, and other information you provide for access to our services or content.
- Subscribe, download, or request content. Email address and any other information you provide to receive newsletters, presentations, podcasts, articles, whitepapers, or demos.
- Contact us. Name, email, organization, phone number, and the contents of your communication.
- Attend our events. Contact information, work profile, interests, and any other information you choose to provide.
- Apply for employment. Contact information, resume, employment and education history, and any other information you submit through our application process or LinkedIn.
3.2 Information We Collect Automatically
When you use our websites, we may collect:
- Device and connection information, including IP address, browser type, and operating system
- Usage information, including pages viewed, content requested, dates and times of visits, and duration
- General location inferred from your IP address
We describe cookies and similar technologies in Section 16.
3.3 Information From Third Parties
We may receive information about you from:
- Customers. If you use our application as part of a healthcare organization customer’s deployment, we receive information from that customer as needed to provide the service. The customer’s privacy practices govern this information, with RhythmX AI’s BAA obligations layered on top where PHI is involved.
- Social media platforms. If you interact with us on platforms like LinkedIn, we may receive profile information you have made available there.
- Service providers and partners. We may receive information from partners and vendors that support our operations.
4. Protected Health Information Under HIPAA
When RhythmX AI processes PHI on behalf of a healthcare organization customer, the following applies in addition to the BAA between RhythmX AI and that customer.
4.1 Our Role
RhythmX AI acts as a Business Associate. The healthcare organization is the Covered Entity and controls the PHI. We process PHI only as permitted or required by the BAA and applicable law.
4.2 Permitted Uses and Disclosures
We use and disclose PHI only:
- To perform the services we are contracted to provide
- As required by law
- For the proper management and administration of RhythmX AI, where the BAA permits
- For data aggregation services relating to the customer’s healthcare operations, where the BAA permits
We do not sell PHI. We do not use or disclose PHI for marketing.
4.3 AI Model Training
RhythmX AI does not use customer PHI to train, fine-tune, or improve general-purpose AI models without explicit authorization from the customer.
RhythmX AI does not use customer data, including transcripts, draft notes, prompts, outputs, PHI, or other customer content processed through partner platforms, to train, fine-tune, or improve shared artificial intelligence models across customers without the customer’s express written authorization.
Where customer-specific model adaptation occurs, it is governed by the BAA and any associated data use agreement, remains within the customer’s environment or under contractual safeguards, and is subject to the customer’s instructions.
Customer data remains logically segregated from other customer environments and is not used to create shared model improvements across customers unless expressly authorized in writing by the customer.
4.4 Safeguards
We maintain administrative, physical, and technical safeguards designed to protect PHI consistent with the HIPAA Security Rule. Section 9 describes our security program in more detail.
4.5 Breach Notification
We will notify the affected customer of any breach of unsecured PHI in accordance with the HIPAA Breach Notification Rule and the BAA, generally without unreasonable delay and in no case later than 60 calendar days after discovery.
4.6 Patient Rights
Patient rights with respect to PHI, including the right to access, amend, and request an accounting of disclosures, are exercised through the Covered Entity per its Notice of Privacy Practices. RhythmX AI supports the customer in responding to such requests as set out in the BAA.
5. Use of Artificial Intelligence and Automated Processing
RhythmX AI uses artificial intelligence to surface evidence-based clinical guidance to licensed healthcare professionals.
5.1 What the AI Does
The application is guidelines-grounded and encounter-native. It retrieves relevant clinical practice guidelines from leading U.S. and international medical societies, and presents them alongside relevant patient context drawn from the electronic health record. Every recommendation is presented with inline attribution to its originating guideline so the clinician can independently review the basis.
5.2 What the AI Does Not Do
Our AI does not diagnose, treat, screen, or predict in a manner intended to direct clinical care. It does not take autonomous clinical action. It does not issue time-critical alerts or alarms intended to compel immediate action. It is not directed to patients or caregivers as users. A licensed clinician remains in the loop for every recommendation. The clinician verifies and decides appropriate action.
5.3 Data Used by the AI
The AI processes structured and unstructured clinical record data accessed through standard interfaces, the documented clinical narrative for the encounter, and the curated clinical guideline library. The AI does not process medical images, raw diagnostic device signals, or physiological waveforms. Where the encounter is captured by voice through a partner platform, transcription is performed by that platform, and RhythmX AI consumes the resulting documented text.
5.4 Automated Decision-Making
The application supports but does not replace clinicians, and does not make decisions that produce legal or similarly significant effects on individuals. Recommendations are informational and require clinician review before any clinical action.
5.5 Model Training and Data Minimization
As stated in Section 4.3, we do not use customer PHI to train, fine-tune, or improve general-purpose AI models without explicit authorization. Where data is used to improve model performance for a specific customer, it occurs under contractual safeguards and in line with the customer’s instructions.
6. How We Use Information
We use information we collect through our websites and direct interactions to:
- Provide and improve our services, websites, and content
- Communicate with you, respond to requests, and provide support
- Customize your experience
- Detect and respond to fraud, abuse, and security issues
- Comply with legal obligations and enforce our agreements
- De-identify and aggregate information for any lawful purpose
We use PHI only as described in Section 4 and the applicable BAA. We do not use customer PHI to train general-purpose AI models without explicit authorization.
7. How We Share Information
7.1 Service Providers and Contractors
We share information with vendors that provide services on our behalf, including cloud hosting, security, customer support, analytics, and AI infrastructure. These vendors are bound by contract to use information only to provide services to us and to maintain appropriate safeguards. Where PHI is involved, vendors are engaged as our subcontractors under the BAA.
7.2 Affiliates
We may share information with our affiliated companies for purposes consistent with this Policy. RhythmX AI is part of SAI Group, which also includes SymphonyAI and ConcertAI. Where information is shared with affiliates, it remains subject to this Policy and to any applicable BAA.
7.3 Healthcare Organization Customers
PHI is shared with the customer that is the Covered Entity controlling that PHI, and with parties the customer directs us to share with, in accordance with the BAA.
7.4 Partner Platforms
Where our application is made available through a partner platform or marketplace, information may be exchanged between RhythmX AI and the partner as required for the integration to function. Section 8 addresses this in more detail.
7.5 Legal and Regulatory
We may disclose information to regulators, law enforcement, courts, or other authorities when required by law, when responding to legal process, or when we believe in good faith that disclosure is necessary to protect rights, property, safety, or the public interest.
7.6 Business Transfers
If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality protections.
7.7 With Your Consent
We may share information for other purposes with your consent or at your direction.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
8. Partner Platform and Marketplace Integrations
RhythmX AI may make certain functionality available through partner platforms and marketplaces. This section describes how data flows when you use RhythmX AI through such an integration.
8.1 How the Integration Works
When a customer enables RhythmX AI through a partner platform, the platform may pass relevant clinical context to RhythmX AI so that RhythmX AI can surface guideline-based recommendations to the clinician. The clinician interacts with RhythmX AI’s outputs within the partner platform experience.
8.2 Roles and Responsibilities
The partner platform operator is responsible for data handling within its own environment, in accordance with its agreements with the customer and its own privacy and security commitments.
RhythmX AI is responsible for data handling within its environment in accordance with this Policy, the BAA between RhythmX AI and the customer, and applicable law.
The customer remains the Covered Entity controlling the underlying PHI. Where applicable, both the partner platform operator and RhythmX AI operate as Business Associates of the customer with respect to PHI processed through the integration, each under its own BAA with the customer.
8.3 Where to Learn More
For information about how a specific partner platform handles data, please refer to that platform’s privacy and security documentation. This Policy governs the RhythmX AI side of any integration.
8.4 Voice and Ambient Integration
When integrated with ambient documentation platforms, RhythmX AI generally receives structured clinical context, transcripts, draft notes, encounter summaries, or other outputs generated by the platform. RhythmX AI’s role does not include audio capture, speech recognition, or transcription. Those activities are performed by the partner platform under its own privacy and security framework and remain governed by the ambient platform provider’s agreements and privacy commitments.
8.5 Customer Data and AI Training
Information exchanged through partner platforms and integrations is processed solely to provide the contracted services. Customer data processed through partner platforms is subject to the AI training commitments in Section 4.3.
Any customer-specific model optimization or configuration is performed only under applicable contractual agreements, customer instructions, and appropriate safeguards.
9. Security
We maintain a security program designed to protect information against unauthorized access, use, modification, and disclosure. Key elements include:
- Encryption of data in transit and at rest in our production environments
- Role-based access controls with administrative access monitored and logged
- Logical isolation of customer data so that one customer’s data is not accessible to another
- Centralized management of credentials and keys
- Logging and monitoring of security events
- Regular vulnerability scanning, penetration testing, and patching
- A documented incident response program with defined roles and notification procedures
- Privacy and security training for personnel with access to customer data, and background checks where permitted by law
Security controls are aligned with HIPAA Security Rule requirements and industry-recognized frameworks. We make our current security and compliance documentation available to customers and qualified prospects under appropriate confidentiality protections.
While we maintain reasonable safeguards, no method of transmission or storage is completely secure. We cannot guarantee absolute security.
10. Data Retention
We retain information for as long as reasonably necessary to provide our services, communicate with you, comply with legal obligations, resolve disputes, and enforce our agreements.
Retention of PHI is governed by the BAA and by the customer’s documented retention obligations under HIPAA and applicable law. On termination of the customer relationship, PHI is returned or destroyed as required by the BAA, subject to its exceptions.
We retain information collected through our websites, marketing, events, and recruiting for the period reasonably needed for the purpose(s) described in this Policy or as required by law.
11. Breach Notification
If we discover a breach of security that has compromised personal information or PHI in our custody, we will notify the affected customer and, where required, affected individuals and regulators in accordance with HIPAA, the BAA, and applicable state breach notification laws. PHI breach notification commitments are set out in Section 4.5.
12. Geography
Our services and websites are operated in and intended for users in the United States. If you access our websites from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
13. United States State Privacy Rights
RhythmX AI does not sell personal information and does not share personal information for cross-context behavioral advertising. RhythmX AI does not engage in profiling that produces legal or similarly significant effects on individuals.
13.1 California
This California Resident Privacy Notice supplements this Policy and applies to California residents under the California Consumer Privacy Act, as amended (CCPA). The terms used in this Section 13.1 have the meanings ascribed to them under the CCPA.
Categories of personal information we may have collected in the preceding 12 months:
| Category | Collected | Disclosed to Service Provider or Contractor for a Business Purpose | Sold or Shared with Third Parties | Retention Period |
|---|---|---|---|---|
| Identifiers (name, email, IP address, account name) | Yes | Yes, limited to name, email, and phone number | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Personal information categories listed in Cal. Civ. Code § 1798.80(e) | Yes | Yes, limited to name, email, and phone number | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Protected classification characteristics | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Commercial information | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Biometric information | No | No | No | N/A |
| Internet or other electronic network activity | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Geolocation data | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Professional or employment-related information | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Non-public education information (per FERPA, 20 U.S.C. Section 1232g, 34 C.F.R. Part 99) | No | No | No | N/A |
| Inferences drawn from personal information | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
| Sensitive personal information as set forth in Cal. Civ. Code § 1798.140 | Yes | No | No | As long as reasonably necessary to manage our business relationships, comply with legal obligations, resolve disputes, and enforce agreements |
PHI processed under a BAA is exempt from CCPA per Cal. Civ. Code § 1798.146.
Your rights. Subject to verification and applicable exceptions, California residents may request to know, access, correct, or delete personal information; opt out of any sale or sharing (we do not sell or share); limit use of sensitive personal information (we do not use sensitive personal information for purposes that trigger this right); and receive equal service and price. To exercise these rights, contact us at [email protected] or via the Contact Us page on our website. Authorized agents may submit requests on your behalf with appropriate verification.
13.2 Other Comprehensive State Privacy Laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, Minnesota, New Jersey, New Hampshire, Maryland, Kentucky, Rhode Island, or another state with a comprehensive consumer privacy law, you generally have the following rights, subject to verification and applicable exceptions:
- The right to know whether we process your personal information and to access it
- The right to correct inaccuracies in your personal information
- The right to delete personal information we have collected
- The right to data portability
- The right to opt out of the sale of personal information, targeted advertising, and profiling that produces legal or similarly significant effects
RhythmX AI does not sell personal information, does not use personal information for targeted advertising, and does not profile in a manner that produces legal or similarly significant effects.
To exercise these rights if they are applicable to you, contact us at [email protected] or via the Contact Us page on our website. If we deny a request, you may appeal by submitting a written notice of appeal to the same contact. We will respond within the timeframe required by applicable law.
PHI processed under a BAA is generally exempt from these state privacy laws.
13.3 Nevada
Nevada residents have the right to opt out of the sale of certain personal information. RhythmX AI does not sell personal information as defined by Nevada law.
14. Consumer Health Data
Our healthcare products are directed solely to healthcare organizations and are not directed to consumers. We process PHI on behalf of Covered Entities as a Business Associate. Accordingly, much of the information we process is subject to HIPAA and is generally exempt from certain state consumer health data laws like the Washington My Health My Data Act and the Nevada Consumer Health Data Privacy Act.
RhythmX AI does not intentionally collect consumer health data through its public websites or other marketing interactions. To the extent any individual voluntarily provides health-related information through our website forms or communications, we process such information only to respond to the inquiry and in accordance with applicable law, including these statutes where applicable.
15. Children’s Privacy
Our public websites and direct services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 through these channels.
Further, we are required by California law to inform you that we have no actual knowledge that we have sold or shared the personal information of California residents under 16 years of age.
Where our application is deployed by a healthcare organization customer that provides care to pediatric patients, PHI relating to pediatric patients is processed under the BAA and the customer’s HIPAA obligations, including any applicable parental authorization requirements.
If you believe a child has provided us with personal information through our websites, please contact us at [email protected] and we will take appropriate steps.
16. Cookies and Similar Technologies
Our public websites use a limited set of cookies and similar technologies for site operation and analytics. You can adjust your browser settings to refuse cookies, which may affect certain features of our websites. We do not currently respond to “Do Not Track” browser signals because no uniform standard for these signals has been established.
17. Job Applicants
If you apply for employment with RhythmX AI, we collect the information you provide through our application process, including resume content, work history, education, and any information you make available through LinkedIn if you apply that way. We use this information to evaluate your application, communicate with you, comply with applicable laws, and maintain records. We may share this information with service providers that support our recruiting process. California applicants should see Section 13.1 and any supplementary disclosures provided during the application process.
18. Changes to This Privacy Policy
We may update this Policy from time to time. When we do, we will revise the “Last Updated” date at the top of this Policy and, for material changes, provide additional notice through our services, by email, or by other reasonable means. Material changes will not apply retroactively without your consent where consent is required by law.
19. Privacy Officer and Contact
We have designated a Privacy Officer responsible for overseeing our privacy program and responding to privacy inquiries and requests. You can reach the Privacy Officer at:
Privacy Officer
RhythmX AI, Inc.
3300 Hillview Avenue
Palo Alto, CA 94304
Email: [email protected]
For HIPAA matters relating to PHI processed on behalf of a healthcare organization, please contact that organization first. RhythmX AI will support the organization in responding to patient requests as required by the BAA.
For general questions about this Policy, you can also reach us through the Contact Us page on our website.