Privacy Policy
Last updated: March 2026
1. Introduction
Dox2Dox, Inc. ("Company," "we," "us," or "our") is committed to protecting the privacy and security of your personal information and any Protected Health Information (PHI) processed through our platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Dox2Dox platform ("Service"). By using our Service, you consent to the practices described in this policy.
2. Information We Collect
We collect the following categories of information:
Account Information
- Name, phone number, and professional credentials
- Organization and department affiliations
- Profile information you choose to provide
Usage Data
- Device information (type, operating system, app version)
- Log data (access times, pages viewed, IP address)
- Feature usage analytics (aggregated and anonymized)
Health-Related Communications Metadata
- Message timestamps and delivery status (not message content — content is end-to-end encrypted)
- Participant identifiers for message routing
- File transfer metadata (file size, type, timestamp)
3. How We Use Your Information
- To provide, maintain, and improve the Service
- To authenticate your identity and manage your account
- To facilitate secure communications between healthcare professionals
- To provide AI clinical assistant functionality through Inara
- To send service-related notifications and security alerts
- To comply with legal and regulatory obligations
- To detect, prevent, and respond to security incidents and fraud
- To generate aggregated, de-identified analytics to improve our Service
4. HIPAA Compliance & Protected Health Information
We recognize that communications through our Service may contain Protected Health Information (PHI) as defined by HIPAA. We handle PHI in strict accordance with HIPAA regulations:
- We enter into Business Associate Agreements (BAAs) with all Covered Entities
- PHI is protected by end-to-end encryption — we cannot access message content
- We implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
- We limit the use and disclosure of PHI to the minimum necessary to provide the Service
- We maintain comprehensive audit logs of all system access and activity
5. End-to-End Encryption
All messages and file transfers on Dox2Dox are protected with AES-256 end-to-end encryption. This means that only the sender and intended recipients can read message content. Dox2Dox servers cannot decrypt your messages. Encryption keys are generated and managed on your device and are never transmitted to or stored on our servers. Even in the event of a server breach, your message content remains unreadable to any unauthorized party, including Dox2Dox.
6. AI Clinical Assistant Data Processing
When you interact with Inara, our AI clinical assistant:
- Queries are processed in real-time and are not stored after the response is generated
- No PHI is used to train or improve AI models
- AI processing occurs within our HIPAA-compliant infrastructure
- You can use Inara without sharing any patient-identifiable information
- All AI interactions are subject to the same encryption and security standards as other communications
7. Data Sharing & Third Parties
We do not sell your personal information or PHI. We may share information with:
- Service providers: Third-party vendors who assist in operating our Service (cloud hosting, analytics), bound by BAAs and strict confidentiality agreements
- Legal requirements: When required by law, court order, or government regulation
- Safety & security: To protect the rights, safety, and property of Dox2Dox, our users, or the public
- Business transfers: In connection with a merger, acquisition, or sale of assets, with appropriate privacy protections
8. Data Retention
We retain your account information for as long as your account is active or as needed to provide the Service. Encrypted message data is retained in accordance with HIPAA retention requirements (minimum six years for compliance records). Usage data and analytics are retained in aggregated, de-identified form. Upon account termination, we will delete or de-identify your personal information within 30 days, except where retention is required by law or our BAA obligations.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you
- Correction: Request that we correct inaccurate or incomplete information
- Deletion: Request that we delete your personal information, subject to legal retention requirements
- Portability: Request a copy of your data in a structured, machine-readable format
- Restriction: Request that we limit how we use your information
- HIPAA rights: If applicable, you have rights under HIPAA to access, amend, and receive an accounting of disclosures of your PHI
To exercise any of these rights, contact us at privacy@dox2dox.com.
10. Security Measures
We implement comprehensive security measures to protect your data, including AES-256 end-to-end encryption, TLS 1.3 for data in transit, encrypted data at rest, regular security audits and penetration testing, role-based access controls, multi-factor authentication, continuous monitoring and intrusion detection, and employee security training. For more details, see our HIPAA Compliance page.
11. Cookies & Tracking
We use essential cookies to maintain your session and authentication state. We may use analytics cookies to understand how the Service is used, in aggregated and de-identified form. We do not use third-party advertising cookies or tracking pixels. You can manage cookie preferences through your browser settings, though disabling essential cookies may affect Service functionality.
12. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a minor, we will promptly delete it and terminate the associated account.
13. International Data Transfers
Your information may be processed in the United States or other jurisdictions where our service providers operate. We ensure that any international data transfers comply with applicable data protection laws and that appropriate safeguards are in place, including Standard Contractual Clauses where required. All transfers involving PHI comply with HIPAA requirements.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on the Service and updating the "Last updated" date. For significant changes affecting how we handle PHI, we will provide direct notice via the Service or email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
15. Contact Information
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us: