Avocado Health Solutions Privacy Policy

Last updated: May 8, 2025

This is the Privacy Policy (“Policy”) of Avocado Health Solutions (“Company”), a corporation organized under the laws of the State of [State].

Avocado Health Solutions provides parents with a text message-based virtual parenting assistant powered by Artificial Intelligence (“AI”) to assist with various parenting needs and concerns (the “Services”).

The Company is committed to protecting the privacy and security of users’ personal information, especially sensitive data related to children, ensuring compliance with applicable privacy laws and regulations, including the Health Insurance Portability and Accountability Act (“HIPAA”), the California Consumer Privacy Act (“CCPA”), and other relevant data protection legislation.

The Company utilizes HIPAA-compliant third-party services, including Google Architecture and Twilio, for data storage, communication solutions, and other functions.

The Company understands the importance of obtaining and managing user consent before collecting, using, and sharing personal information and has designed protocols to respond to data breaches, particularly those involving personal health information.

The Company prioritizes trust and transparency in its operations, ensuring that collected data is handled with the highest degree of confidentiality and embedding empathy in its communication to meet the sensitivities of parents managing data related to their children.

When you use and access our Services, you consent to this Privacy Policy and our Terms and Conditions.

1. Purpose And Scope Of The Policy

This Policy aims to define and communicate Avocado Health AI’s principles and practices relating to the collection, use, storage, and sharing of personal information. The Company is committed to collecting personal information only for legitimate business purposes, ensuring its proper use in delivering and improving its Services. Personal information refers to any data that can identify an individual directly or indirectly, such as names, contact details, and any other information deemed personal by applicable laws and regulations. Avocado Health AI ensures the information’s confidentiality and security in part by utilizing third-party services like Google and Twilio, which comply with all relevant privacy laws. This Policy covers all interactions with users of Avocado Health Solutions’ Services, setting forth the rights of users to access, correct, and delete their personal information, while providing transparency about the practices involving their data. Furthermore, this Policy is designed to be in compliance with laws and regulations such as HIPAA and CCPA, reinforcing the Company’s commitment to lawful and ethical data handling practices.

2. Information We Collect

The Company collects various types of personal information from users to provide and improve its services. The categories of information collected include: 

  1. Contact Information: This may include your name, email address, phone number, and any other contact details you provide.
  2. Child’s Information: Personal data related to children that you provide, such as age, gender, health records, location and other pertinent information.
  3. Health Information: Sensitive health data related to children which you voluntarily provide to our services. This includes but is not limited to health conditions, treatment information, and medical history.
  4. Usage Data: Information about how you use our services, including the time and duration of your interactions, the features you use, and any other interaction details.
  5. Device Information: Data retrieved from the device you use to access our services, including the device type, operating system, browser type, IP address, and any other technical information.
  6. De-Identified Information: Information that has been stripped of all identifiers that can link it to an individual user, used for analytics and improvements without identifying individual users.

3. How We Use The Information

We use the Personal Information we collect to provide, maintain, and improve our Services. This includes the following purposes: 

  1. Service Delivery: To deliver the virtual parenting assistant services, including sending personalized text messages, reminders, and updates based on user needs and preferences.
  2. Service Improvement: To continually enhance and optimize the functionality, relevance, and user experience of our Services by analyzing usage patterns, feedback, and performance metrics.
  3. User Support: To provide customer support and respond to inquiries, technical issues, or complaints, ensuring a smooth and responsive user experience.
  4. Communication: To communicate with users about service updates, changes to policies, or other relevant information that may impact their use of our Services.
  5. Compliance: To comply with legal obligations and ensure our Services adhere to all applicable privacy laws, regulations, and industry standards related to data protection and security.
  6. Research and Development: To conduct research and development activities to identify new and innovative ways to enhance our Services and meet the evolving needs of our users.

4. How We Share Information

We value your privacy and are committed to handling your personal information responsibly. We may share your personal information with third-party services to facilitate our operations, improve our services, comply with legal obligations, or when we have your explicit consent. Specifically, we may share your personal information with: 

  1. Service Providers: We use trusted third-party services such as Google Architecture and Twilio for data storage, communication solutions, and related functions. These service providers are contractually obligated to protect your personal information and are only permitted to process it according to our instructions and in compliance with applicable privacy laws.
  2. Legal and Regulatory Authorities: We may disclose your personal information if required by law or in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
  3. Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction, under the same terms of this Privacy Policy.

Rest assured, we do not sell your personal information to third parties for their marketing purposes. We strive to ensure that your information is shared securely and in compliance with all relevant regulations and our privacy practices.

5. User Consent

The Company respects the privacy of its users and is committed to obtaining their explicit consent before collecting, using, or sharing their Personal Information. Prior to any such activity, the Company will provide clear and comprehensible information about the types of data being collected, the purposes for which the data will be used, and the potential recipients of such data. The consent process includes the following steps:

  1. Informed Consent: Users will be provided with detailed information about the scope of data collection, its use, and sharing practices. This information will be presented in an easy-to-understand format, ensuring users are fully aware of what they are consenting to.
  2. Voluntary Consent: Consent will be obtained freely, without any form of coercion. Users have the right to choose whether to grant or withhold consent.
  3. Specific Consent: Users will be asked to provide consent for specific data collection and processing activities, ensuring that generic or broad consents are avoided. Each category of personal data collected will require separate consent.
  4. Opt-in Mechanism: Users will actively indicate their consent through an opt-in mechanism, such as ticking a checkbox or selecting an appropriate option in the service interface. Passive consent mechanisms, such as pre-ticked boxes, will not be used.
  5. Ability to Withdraw Consent: Users will be informed of their right to withdraw consent at any time. Procedures for withdrawing consent will be straightforward and clearly communicated to users. Upon withdrawal, the Company will cease the collection, use, and sharing of the user’s Personal Information for which consent was provided.

The Company will document each instance of user consent and maintain a record of the information provided to the user at the time of consent, as well as the user’s response. This record-keeping is essential for demonstrating compliance with privacy laws and regulations.

6. Data Security Measures

The Company is committed to ensuring the security and protection of users’ personal information. In order to safeguard personal data, especially sensitive information related to children, the Company implements a variety of robust security measures. These include the following:

  1. Encryption: The Company uses advanced encryption protocols to protect personal information both during transmission and while stored.
  2. Access Controls: Strict access controls are in place to ensure that only authorized personnel can access personal information. Employees undergo regular training on data security and compliance with privacy laws.
  3. Secure Infrastructure: The Company employs HIPAA-compliant third-party services, including Google Architecture and Twilio, to ensure secure data storage and communications.
  4. Audit Trails: The Company maintains detailed audit trails to monitor and log access to user data, ensuring accountability and traceability.
  5. Regular Security Assessments: The Company conducts frequent security audits and vulnerability assessments to identify and address potential security risks.
  6. Data Anonymization: Where applicable, the Company employs data anonymization techniques to enhance privacy and security.
  7. Incident Response Protocols: The Company has established comprehensive protocols for responding to security incidents, which include immediate action to mitigate risks and notifying affected users as outlined in Clause 9.

By implementing these measures, the Company ensures that users’ personal information is protected against unauthorized access, loss, and misuse.

7. Data Retention

The Company retains Personal Information for as long as it is necessary to fulfill the purposes for which it was collected, as described in this Policy, or as required by applicable laws and regulations. The retention periods for different categories of Personal Information are as follows:

  1. User Account Information: Retained for as long as the user maintains an active account with the Company and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
  2. Communication Data: Retained for a period of five (5) years to maintain service history and ensure the quality and functionality of the AI-powered virtual parenting assistant.
  3. Health-related Data: Retained for seven (7) years from the last date of any interaction to comply with HIPAA requirements or other applicable health-related regulations.
  4. Transactional Data: Retained for a period of seven (7) years to comply with tax, accounting, and financial regulations.
  5. Inactive User Data: When a user’s account becomes inactive, the Company retains Personal Information for a period of two (2) years after inactivity and subsequently deletes or anonymizes the data unless longer retention is required by law.

After the relevant retention periods have expired, the Company will securely dispose of or anonymize the Personal Information in order to prevent unauthorized access, use, or disclosure.

8. User Rights

Users of Avocado Health AI have several rights regarding their Personal Information under the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These rights include the following:

  1. Right to Access: Users have the right to request access to the Personal Information that the Company holds about them. This allows users to understand and verify the lawfulness of the data processing.
  2. Right to Rectification: Users can request the correction of any inaccuracies or incompleteness in their Personal Information held by the Company, thereby ensuring that all data is up-to-date and correct.
  3. Right to Erasure: Also known as the ‘right to be forgotten,’ users can request the deletion of their Personal Information under certain conditions, such as when the data is no longer necessary for the purpose it was collected, or if the user withdraws their consent.
  4. Right to Restrict Processing: Users may request the restriction or suppression of their Personal Information under specific circumstances, such as when they contest the accuracy of the data or object to the Company’s legal grounds for processing.
  5. Right to Data Portability: Users have the right to request a copy of their Personal Information in a structured, commonly used, and machine-readable format. They may also request that the Company transmit this data directly to another data controller where technically feasible.
  6. Right to Object: Users can object to the processing of their Personal Information for certain purposes, including direct marketing and profiling related to direct marketing. This right includes the ability to object to processing carried out based on legitimate interests or the performance of a task in the public interest/exercise of official authority.
  7. Right Against Automated Decision-Making: Users have the right not to be subjected to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
  8. Right to Withdraw Consent: Where processing is based on consent, users have the right to withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  9. Right to Lodge a Complaint: Users have the right to lodge a complaint with a supervisory authority if they believe their rights under CCPA or GDPR have been violated.

To exercise any of these rights, users can contact Avocado Health AI at [email protected].

9. Response To Data Breaches

In the event of a data breach involving Personal Information, the Company is committed to taking immediate and comprehensive steps to mitigate any potential harm to affected users and to comply with applicable legal obligations. The following actions will be taken: 

  1. Initial Assessment: The Company will promptly conduct an initial assessment to understand the scope and impact of the data breach. This includes identifying the nature of the personal data involved, the number of affected users, and the potential risks to their privacy and security.
  2. Containment: Immediate measures will be taken to contain the breach, prevent further unauthorized access to data, and mitigate any ongoing risk. This may involve isolating affected systems, securing backups, and limiting access to compromised data.
  3. Notification: Affected users will be promptly notified of the breach in accordance with legal requirements. The notification will include a clear description of the breach, the type of data that was compromised, potential consequences, and the steps users should take to protect themselves. Additionally, relevant regulatory authorities will be notified as required by law. 
  4. Investigation: The Company will conduct a thorough investigation to determine the cause of the breach and to evaluate the effectiveness of its current data security measures. This may involve engaging third-party cybersecurity experts to assist in the investigation. 
  5. Remediation: Based on the findings of the investigation, the Company will implement appropriate measures to remediate the breach and prevent future incidents. This may include enhancing security protocols, providing additional employee training, and updating policies and procedures. 
  6. Documentation: Detailed records of the breach, including the Company’s response actions and any communications with affected parties and regulatory authorities, will be maintained in accordance with applicable legal requirements. 
  7. Support: The Company will provide support to affected users, which may include offering guidance on protecting personal information, monitoring for potential identity theft, and other relevant assistance. 
  8. Evaluation: Following the resolution of the breach, the Company will evaluate its incident response process and make necessary improvements to enhance its ability to respond to future data breaches effectively.

10. Children’s Privacy

We recognize the importance of protecting the privacy of children and are committed to fulfilling our obligations under the Children’s Online Privacy Protection Act (“COPPA”). This clause outlines the measures taken to protect child’s information, in compliance with COPPA:

  1. Parental Consent: We require verifiable parental consent prior to collecting, using, or sharing child’s Information. This includes providing parents with clear and concise information regarding our data practices and obtaining their permission before collecting any data from children.
  2. Data Collection: We limit the data we collect from children to the minimum necessary to provide our services. Child’s Information is collected only for internal use and is not shared with third parties without explicit parental consent, except as required by law.
  3. Data Security: We implement robust security measures to protect child’s Information from unauthorized access, alteration, disclosure, or destruction. This includes using HIPAA-compliant third-party services such as Google Architecture and Twilio for secure data storage and communication.
  4. Parental Rights: Parents have the right to review, delete, and refuse further collection of their child’s Information at any time. Requests for access, modification, or deletion of child’s Information can be made by contacting us at [email protected].
  5. Compliance and Monitoring: We regularly review our data collection processes and employ necessary updates to ensure compliance with COPPA. We provide training to our staff on the importance of children’s privacy and our obligations under COPPA.
  6. Age Verification: We employ appropriate mechanisms to verify that individuals providing personal data are parents or guardians, ensuring compliance with the requirements of COPPA.

11. Liability And Disclaimers

The Company shall not be held liable for any direct, indirect, incidental, special, consequential, or punitive damages, including but not limited to, loss of profits, data, use, or other intangible losses, resulting from (a) the use of or the inability to use the Services; (b) unauthorized access to or alteration of user transmissions or data; or (c) any other matter related to the Services. The Services are provided ‘as is’ and ‘as available’ without any warranties of any kind, either express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement. 

The Company does not warrant that the Services will be uninterrupted, timely, secure, or error-free or that any defects in the Services will be corrected. The Company makes no representation or warranty regarding the accuracy, completeness, or reliability of any information or content provided through the Services. The user acknowledges and agrees that any reliance on such information or content shall be at the user’s sole risk. In jurisdictions that do not allow the exclusion or limitation of certain warranties or liabilities, the Company’s liability shall be limited to the maximum extent permitted by applicable law.

12. Policy Updates

The Company reserves the right to update or modify this Privacy Policy at any time. When the Policy is updated, the revised version will be posted on our website and will include the effective date of the new version. Users will be notified through email or text message of any significant changes that may affect their rights or how their Personal Information is handled. Such updates will come into effect immediately upon posting, unless otherwise stated. Continued use of the Company’s services after any updates to the Policy indicates acceptance of the new terms. Users are encouraged to review this Policy periodically to stay informed about how their Personal Information is being protected.

13. Contact Information

If you have any questions, concerns, or comments regarding this Privacy Policy or your personal information, please contact us at [email protected]. We are committed to addressing your inquiries promptly and supporting you with any concerns you may have about your privacy and data protection.