Privacy Policy
1. Introduction
actAVA AI (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our AI-powered products and services (the “Services”), including the KORA platform (BLUE, RED, GREEN) and Pulse.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. Where applicable law requires consent for specific processing activities (such as cookies, marketing communications, or AI model training), we obtain that consent separately as described below.
Roles. In most enterprise deployments, actAVA AI acts as a data processor (or, under HIPAA, a Business Associate) on behalf of our customers, who serve as the data controller (or Covered Entity). For our own corporate operations — such as managing prospect inquiries, billing, and our website — actAVA AI acts as a data controller.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, phone number, company name, job title, and billing details.
- User Content: Data, files, prompts, agent configurations, workflow inputs/outputs, and other content you submit to or generate through our Services.
- Communications: Messages you send to us via support channels, email, feedback forms, and recorded support calls or screen-shares (where you have been notified and, where required, consented).
2.2 Information Collected Automatically
- Usage Data: Features accessed, actions taken, timestamps, frequency of use, and performance metrics.
- Device & Technical Data: IP address, browser type, operating system, device identifiers, and referring URLs.
- Cookies & Similar Technologies: We use cookies, web beacons, and similar technologies. See Section 14.
2.3 Information from Third Parties
- Single sign-on (SSO) and identity providers (e.g., Google Workspace, Microsoft Entra ID).
- Integration partners you choose to connect to our Services.
- Publicly available sources, where used to enrich business contact information for prospective customers.
2.4 Sensitive Personal Information
Certain information we process may constitute “sensitive personal information” under applicable laws (including the California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Virginia Consumer Data Protection Act, and Texas Data Privacy and Security Act). This may include health information, precise geolocation, and account credentials. We use sensitive personal information only for the purposes described in Section 3 and do not use it to infer characteristics about an individual.
3. How We Use Your Information and Legal Bases
We use collected information to:
- Provide, operate, and maintain our Services.
- Process transactions and manage your account.
- Improve, personalize, and develop new features (using aggregated or de-identified data; see Section 3.1).
- Communicate with you about updates, security alerts, and support.
- Monitor for fraud, abuse, and security threats.
- Comply with legal obligations, including HIPAA, SOC 2, and EU AI Act requirements.
- Enforce our Terms of Service.
3.1 AI Model Training and Product Improvement
Customer User Content is not used to train our AI models by default. This applies to prompts, files, agent inputs and outputs, and any data processed within a customer tenant. Enterprise customers receive this no-training commitment contractually through our Master Services Agreement and Data Processing Addendum, regardless of any in-product setting.
Optional opt-in. A customer administrator may opt specific workspaces or projects in to contribute User Content to model improvement (including supervised fine-tuning, evaluation, and reinforcement learning workflows used by KORA GREEN). Opt-in is granular, reversible at any time, and is never the default. Protected Health Information is excluded from any opt-in training pathway, with no exceptions.
Aggregated and de-identified telemetry. We may use aggregated and de-identified service telemetry (such as latency, error rates, and feature usage counts) to operate, secure, and improve the Services. This telemetry does not identify any individual or customer and is not used to train foundation models.
3.2 Legal Bases for Processing (EEA, UK, and Switzerland)
Where the EU/UK/Swiss General Data Protection Regulation applies, we rely on the following legal bases:
- Performance of a contract — to provide the Services you have requested.
- Legitimate interests — to secure, improve, and market our Services, balanced against your rights.
- Legal obligation — to comply with applicable laws and regulatory requirements.
- Consent — for non-essential cookies, marketing communications, and AI training opt-in. You may withdraw consent at any time.
4. Automated Decision-Making and AI Transparency
Our Services include AI agents and automated processing capabilities. We are committed to transparent and accountable AI use:
- Human oversight by default. KORA agents are designed to operate with human-in-the-loop (HITL) controls configured by our customers. Decisions that produce legal or similarly significant effects on individuals (for example, eligibility, coverage, or clinical determinations) are presented for human review unless the customer has expressly configured otherwise within their regulatory authority.
- Logic and significance. Where automated decisions occur, our customers can describe the categories of inputs used, the outcome categories, and the significance of those outcomes through documentation generated by actAVA RED.
- Right to human review. Where you are subject to a solely automated decision producing legal or similarly significant effects, you have the right to request human review and to contest the decision. Such requests should generally be directed to the customer (Covered Entity or controller) operating the agent; we will support customers in fulfilling these requests.
- EU AI Act alignment. actAVA AI maintains a compliance program aligned with the EU AI Act, including provider transparency obligations, risk management, post-market monitoring, and conformity documentation for high-risk use cases. Customers receive system cards and use-case-specific transparency artifacts where applicable.
5. Protected Health Information (PHI)
Where actAVA AI processes Protected Health Information on behalf of a Covered Entity or Business Associate:
- PHI is handled exclusively under the terms of an executed Business Associate Agreement (BAA).
- We implement administrative, physical, and technical safeguards as required by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
- PHI is encrypted in transit (TLS 1.3 preferred; TLS 1.2 minimum) and at rest (AES-256).
- Access to PHI is restricted to authorized personnel on a minimum-necessary basis and logged for audit.
- We do not use or disclose PHI for marketing, research, model training, fine-tuning, or evaluation purposes. PHI is excluded from the AI training opt-in described in Section 3.1, with no exceptions.
- Do not submit PHI to our Services without an executed BAA in place.
PHI access requests. Individual rights of access, amendment, accounting of disclosures, and restriction under the HIPAA Privacy Rule are administered by the Covered Entity. We will support our Covered Entity customers in responding to such requests as required by the BAA.
Pediatric PHI. PHI of individuals under 18 received from a Covered Entity is governed exclusively by HIPAA and the BAA, not by Section 12 (Children’s Privacy), which governs direct end-user accounts.
6. How We Share Your Information
We do not sell your personal information, and we do not “share” personal information for cross-context behavioral advertising as those terms are defined under the California Privacy Rights Act or analogous state laws.
We may share information with:
| Recipient | Purpose |
|---|---|
| Service Providers / Subprocessors | Cloud hosting, payment processing, analytics, and support tools operating under data processing agreements. See Section 11. |
| Integration Partners | Only when you authorize a third-party integration. |
| Legal & Regulatory | When required by law, subpoena, court order, or to protect rights and safety. |
| Business Transfers | In connection with a merger, acquisition, or asset sale (with prior notice). |
| With Your Consent | For any purpose you explicitly authorize. |
7. Data Retention
- Account Data: Retained for the duration of your account and for up to 90 days after deletion, unless a longer period is required by law.
- User Content: Retained for the duration of the customer subscription. Following termination, customer tenant data is available for export for 30 days, then deleted within 60 days, unless retention is required by law or specified differently in the customer agreement.
- Usage & Log Data: Retained for up to 24 months for security and analytics purposes.
- PHI: Retained and disposed of in accordance with the applicable BAA and HIPAA requirements (minimum 6-year retention for HIPAA-related documentation).
- Backups: Encrypted backups may persist for up to 30 days after data deletion before being overwritten.
You may request deletion of your data at any time (see Section 9).
8. Data Security and Breach Notification
We maintain a comprehensive security program aligned with the SOC 2 Trust Service Criteria and the HIPAA Security Rule, including:
- Encryption in transit (TLS 1.3 preferred; TLS 1.2 minimum) and at rest (AES-256).
- Role-based access controls and multi-factor authentication.
- Continuous monitoring, logging, and alerting via our security infrastructure.
- Regular vulnerability assessments and annual third-party penetration testing.
- Documented incident response procedures with defined breach notification timelines.
- Annual SOC 2 Type II audits conducted by an independent third party.
8.1 Breach Notification Timelines
- Customer notification: Without undue delay and, where feasible, within 72 hours of confirming a security incident affecting customer data.
- HIPAA breach (PHI): Reported to the affected Covered Entity without unreasonable delay and in no event later than 60 days after discovery, in accordance with 45 C.F.R. § 164.410.
- GDPR personal data breach: Where actAVA AI is the controller, reported to the competent supervisory authority within 72 hours of becoming aware, where feasible, in accordance with Article 33 GDPR. Where actAVA AI is the processor, the controller is notified without undue delay.
- State law notifications: Provided in accordance with applicable state data breach notification statutes.
9. Your Rights and Choices
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your personal information (subject to legal retention requirements).
- Export your data in a portable format.
- Opt out of non-essential cookies, profiling, targeted advertising, and the sale or sharing of personal information (note: we do not engage in such sale or sharing).
- Withdraw consent where processing is based on consent.
- Request human review of, and contest, automated decisions producing legal or similarly significant effects (see Section 4).
- Lodge a complaint with the supervisory authority in your country of residence (EEA/UK/Swiss residents) or your state attorney general (US state law residents).
9.1 How to Exercise Your Rights
To exercise any of these rights, contact us at compliance@actava.ai. We will respond within 30 days (or 45 days under the CCPA, extendable by an additional 45 days where reasonably necessary). We will verify your identity before fulfilling requests. You may designate an authorized agent to submit a request on your behalf, subject to verification.
If you believe we have unlawfully denied your request, you have the right to appeal. To appeal, contact compliance@actava.ai with the subject line “Privacy Rights Appeal.”
Note for PHI: Requests concerning Protected Health Information should be directed to the Covered Entity that operates the relevant Service environment. See Section 5.
10. US State Privacy Disclosures
This section provides additional disclosures required by US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Texas Data Privacy and Security Act (“TDPSA”), and similar laws.
10.1 Categories of Personal Information
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, IP address, account ID).
- Customer records (billing details, business contact).
- Commercial information (subscription and transaction history).
- Internet/network activity (usage data, log data).
- Geolocation (approximate, derived from IP).
- Professional information (job title, employer).
- Inferences drawn from the above for service personalization.
- Sensitive personal information (account credentials; health information processed only under a BAA — see Section 5).
10.2 No Sale or Sharing
We do not sell personal information and do not share personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months and have no plans to do so.
10.3 Authorized Agents
California, Colorado, Connecticut, and similar-law residents may designate an authorized agent to make requests on their behalf. We will require written authorization and will verify the requester’s identity.
10.4 Right to Limit Use of Sensitive Personal Information (CCPA/CPRA)
We use sensitive personal information only as necessary to provide the Services, ensure security and integrity, and comply with law. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit under CPRA § 1798.121.
10.5 Notice of Financial Incentives
We do not offer financial incentives or price/service differences in exchange for personal information.
11. Subprocessors
We engage carefully selected subprocessors to deliver the Services, including cloud infrastructure providers, telecommunications providers, payment processors, customer support tooling, and analytics providers. Each subprocessor is bound by a written agreement that imposes data protection obligations no less protective than those in this Privacy Policy and our Data Processing Addendum.
A current list of subprocessors is maintained at trust.actava.ai/subprocessors. Customers may subscribe to receive advance notice of new subprocessors. We provide at least 30 days’ notice before engaging a new subprocessor that processes customer personal data, during which a customer may object on reasonable grounds related to data protection.
12. Children’s Privacy
Direct end-user accounts. Our Services are intended for use by enterprise customers and their authorized personnel. We do not knowingly create end-user accounts for, or knowingly collect personal information directly from, individuals under 18. If we learn that we have inadvertently collected such information through a direct end-user account, we will delete it promptly.
Pediatric PHI processed under a BAA. Our Services routinely process Protected Health Information of patients of all ages, including minors, on behalf of Covered Entities. Such processing is governed exclusively by HIPAA, the executed BAA, and the customer’s policies — not by this Section 12. We do not require pediatric patients to interact directly with our Services and do not collect information from them outside of the controller-directed clinical context.
We do not knowingly market our Services to individuals under 18 and do not direct any consumer-facing content to children.
13. International Data Transfers
If you access our Services from outside the United States, your information may be transferred to and processed in the United States and other jurisdictions where we or our subprocessors operate.
For transfers of personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and supplementary technical and organizational measures. Where we participate in a recognized data transfer framework (such as the EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework), we will identify our certification on our website.
Customers subject to GDPR or comparable laws may execute our Data Processing Addendum, which incorporates the relevant transfer mechanisms by reference.
14. Cookies and Tracking Technologies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, core functionality | Session |
| Analytics | Usage patterns, performance monitoring | Up to 24 months |
| Preferences | Language, display settings | Up to 12 months |
We do not use advertising or cross-site tracking cookies.
Consent management. In the EEA, UK, Switzerland, and other jurisdictions requiring prior consent for non-essential cookies, we set non-essential cookies only after you provide affirmative opt-in consent through our cookie banner. In other jurisdictions, you may manage non-essential cookies through our in-product cookie preference center or your browser settings.
Global Privacy Control. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out request from California, Colorado, and Connecticut residents.
15. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-product notice at least 30 days in advance of the Effective Date. The “Effective Date” at the top reflects when the most recent revision takes effect; the “Last Updated” date reflects when the revised text was published.
17. Contact Us
For questions, concerns, requests, or HIPAA-specific inquiries related to this Privacy Policy:
actAVA AI Privacy Team
Email: compliance@actava.ai
For HIPAA matters, please mark the subject line “HIPAA Inquiry.”