Privacy Policy

Effective Date: April 25, 2026 | Last Updated: April 25, 2026

1. Introduction and Scope

Gabe Technologies LLC ("Gabe Tech," "we," "us," or "our") operates Gabe Care, a HIPAA-compliant, AI-enabled remote patient monitoring and care coordination platform (the "Platform" or "Service"). This Privacy Policy governs the collection, use, disclosure, and safeguarding of information obtained through the Platform, including information accessed via our web application, mobile applications, connected devices, and application programming interfaces (APIs).

This Policy applies to all users of the Platform, including healthcare providers, practice administrators, organizational administrators, patients, caregivers, and authorized representatives (collectively, "Users"). By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service.

This Privacy Policy is intended to satisfy the notice requirements set forth under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and applicable state privacy laws, including but not limited to the California Consumer Privacy Act ("CCPA") as amended by the California Privacy Rights Act ("CPRA").

2. Definitions

For purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them below:

"Protected Health Information" or "PHI" means individually identifiable health information created, received, maintained, or transmitted by a Covered Entity or Business Associate, as defined under 45 C.F.R. § 160.103.

"Covered Entity" means a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a HIPAA-covered transaction.

"Business Associate" means a person or entity that performs certain functions or activities on behalf of, or provides certain services to, a Covered Entity that involve the use or disclosure of PHI.

"De-identified Information" means health information that has been stripped of all 18 HIPAA-specified identifiers such that there is no reasonable basis to believe the information can be used to identify an individual.

"Personal Information" means information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual.

3. Our Role Under HIPAA

Gabe Tech operates as a Business Associate to healthcare providers and organizations ("Covered Entities") that utilize the Gabe Care Platform. In this capacity, Gabe Tech creates, receives, maintains, and transmits PHI on behalf of Covered Entities solely for the purposes authorized under executed Business Associate Agreements ("BAAs"). Gabe Tech does not independently control the PHI it processes on behalf of Covered Entities and processes such information only pursuant to lawful instructions from the applicable Covered Entity.

Where Gabe Tech engages subcontractors or sub-processors that access or handle PHI, Gabe Tech requires such parties to execute BAAs and maintain administrative, physical, and technical safeguards no less protective than those required by HIPAA and the HITECH Act.

4. Information We Collect

We collect the following categories of information through the Platform:

4.1 Protected Health Information (PHI)

When transmitted through the Platform by or on behalf of a Covered Entity, we may process PHI including but not limited to: patient name, date of birth, address, telephone number, medical record numbers, health plan beneficiary numbers, diagnosis and condition information, medication records, laboratory results, vital signs, care episode data, imaging results, and other clinically relevant information.

4.2 Account and Registration Information

We collect information provided during account creation, including name, professional credentials, email address, organization affiliation, role designation, and authentication credentials.

4.3 Usage and Technical Data

We automatically collect certain technical information when you access the Platform, including IP addresses, browser type and version, device identifiers, operating system information, session timestamps, pages visited, and feature interaction logs. This information is used for security monitoring, audit trail maintenance, and platform optimization.

4.4 Communications Data

We collect and store communications transmitted through the Platform, including secure messages, care team notifications, patient check-in responses, and AI-assisted interaction logs, to the extent necessary to provide the Service and maintain required audit records.

4.5 Website Forms and Marketing Pages

5. How We Use Information

We use the information collected through the Platform for the following purposes:

• To provide, operate, maintain, and improve the Platform and its features;
• To facilitate care coordination, remote patient monitoring, and clinical workflow management on behalf of Covered Entities;
• To generate AI-assisted clinical insights, alerts, and recommendations through our GabeAI (HUMMA) system, subject to the limitations described in our AI Disclaimer;
• To fulfill obligations under BAAs and applicable healthcare regulations;
• To maintain comprehensive audit trails of all PHI access, modifications, and disclosures as required under 45 C.F.R. § 164.312(b);
• To detect, investigate, and remediate security incidents and unauthorized access;
• To comply with applicable law, regulation, court order, or governmental authority;
• To support billing workflows and reimbursement documentation under applicable CPT codes, including Remote Patient Monitoring (RPM) and Chronic Care Management (CCM) codes.

6. Disclosure of Information

Gabe Tech does not sell, rent, lease, or otherwise commercially exploit PHI or Personal Information. We may disclose information in the following limited circumstances:

To Covered Entities and Authorized Users: PHI is disclosed to the applicable Covered Entity and its authorized personnel in accordance with the BAA and the Covered Entity's instructions.

To Subcontractors and Service Providers: We may engage third-party vendors, such as cloud infrastructure providers and AI service providers, who process PHI or Personal Information solely on our behalf, subject to appropriate data protection agreements.

As Required by Law: We may disclose information to comply with applicable law, regulation, legal process, or enforceable governmental request.

For Public Health and Safety: We may disclose information as permitted under 45 C.F.R. § 164.512 for public health activities, abuse reporting, health oversight activities, or to avert a serious threat to health or safety.

In Connection with Corporate Transactions: In the event of a merger, acquisition, or sale of all or substantially all assets, PHI and Personal Information may be transferred subject to equivalent privacy protections.

7. Data Security

Gabe Tech implements and maintains comprehensive administrative, physical, and technical safeguards designed to protect PHI and Personal Information from unauthorized access, use, disclosure, alteration, or destruction, consistent with the requirements of the HIPAA Security Rule (45 C.F.R. Parts 164.302-318). These safeguards include, without limitation:

• AES-256 encryption of data at rest and TLS 1.2+ encryption of data in transit;
• Role-based access controls (RBAC) with principle of least privilege enforcement;
• Multi-factor authentication for all administrative and clinical access;
• Continuous audit logging of all PHI access and system events;
• Infrastructure hosted on Amazon Web Services (AWS) within HIPAA-eligible service boundaries;
• Regular penetration testing, vulnerability assessments, and security incident response procedures;
• Employee training on HIPAA Privacy and Security Rule requirements.

Notwithstanding the foregoing, no security system is impenetrable. In the event of a breach of unsecured PHI, Gabe Tech will provide notification in accordance with the HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D) and applicable state breach notification laws.

8. Data Retention

Gabe Tech retains PHI and Personal Information for the period necessary to fulfill the purposes described in this Privacy Policy, to comply with our legal obligations, and as directed by the applicable Covered Entity. Medical records and associated PHI are retained in accordance with applicable federal and state medical records retention requirements, which may require retention for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, pursuant to 45 C.F.R. § 164.530(j).

Upon termination of a Business Associate Agreement, PHI will be returned or destroyed in accordance with the terms of the applicable BAA and HIPAA requirements.

9. Patient Rights

Patients whose PHI is processed through the Platform retain the following rights under HIPAA and applicable law, to be exercised through the applicable Covered Entity:

• Right of Access: The right to access and obtain a copy of their PHI maintained in a designated record set (45 C.F.R. § 164.524);
• Right to Amend: The right to request amendment of inaccurate or incomplete PHI (45 C.F.R. § 164.526);
• Right to an Accounting of Disclosures: The right to receive an accounting of certain disclosures of PHI (45 C.F.R. § 164.528);
• Right to Request Restrictions: The right to request restrictions on certain uses and disclosures of PHI (45 C.F.R. § 164.522);
• Right to Confidential Communications: The right to request that PHI be communicated through alternative means or at alternative locations.

To exercise these rights, patients should contact their healthcare provider directly. Gabe Tech will cooperate with Covered Entities in facilitating the exercise of patient rights as required by law.

10. Third-Party Integrations

The Platform may integrate with third-party healthcare systems, laboratory information systems, EHR platforms, and other health data sources, such as Quest Diagnostics Quanum EHR FHIR API and LabCorp, pursuant to applicable data sharing agreements. Such integrations are conducted only with appropriate authorization from the Covered Entity and patient, and are subject to the privacy practices of the respective third parties. Gabe Tech is not responsible for the privacy practices of third-party systems and encourages Users to review applicable third-party privacy policies.

11. Children's Privacy

The Platform is not directed to individuals under the age of eighteen (18). We do not knowingly collect Personal Information from minors without appropriate parental or guardian consent and applicable legal authorization. Where pediatric patient data is processed, such processing occurs solely under the direction of the applicable Covered Entity and in accordance with applicable law, including the Children's Online Privacy Protection Act ("COPPA").

12. Changes to This Privacy Policy

Gabe Tech reserves the right to modify this Privacy Policy at any time. Material changes will be communicated to Users via email notification or prominent notice within the Platform no fewer than thirty (30) days prior to the effective date of such changes. Continued use of the Platform following the effective date of any modification constitutes acceptance of the revised Privacy Policy.

13. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:

Gabe Technologies LLC - Privacy Office
Email: [email protected]
Website: https://gabetech.tech

If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr. Gabe Tech will not retaliate against any individual for filing a complaint.