Privacy Policy

Mitali ("Company," "we," "us," or "our") is committed to protecting the privacy and security of the information we collect and process. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with the Mitali Safety Alert System and related services ("Service").

1. Information We Collect

1.1 Facility and Administrator Information

When a memory care facility enrolls in the Service, we collect:

• Facility name and address
• Administrator name, email address, and phone number
• Designated SMS alert recipient name, role, and phone number

1.2 Session and Safety Event Data

During patient interaction sessions, the Service processes:

• Session identifiers and timestamps
• AI-generated safety event classifications (e.g., event category, urgency level)
• Escalation tier and intervention metadata

We do not store verbatim patient speech or conversation transcripts in SMS alerts. Safety alert messages contain only de-identified event metadata.

1.3 SMS Delivery Data

When SMS alerts are sent, we collect delivery metadata including message status, timestamps, and carrier information for service reliability purposes.

2. How We Use Your Information

Data Type	Purpose	Legal Basis
Phone numbers	Delivering transactional safety alert SMS messages	Consent / Legitimate interest (patient safety)
Facility info	Account management and service delivery	Contractual necessity
Safety event data	Generating and routing safety alerts to clinical staff	Legitimate interest (patient safety)
Delivery metadata	Ensuring message delivery reliability and troubleshooting	Legitimate interest (service quality)

We do not use your information for marketing, advertising, or any purpose unrelated to the delivery of safety alerts and platform operation.

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share information only in the following circumstances:

• Infrastructure Providers: We use Amazon Web Services (AWS) to host and operate the Service, including AWS SNS for SMS delivery. AWS processes data in accordance with their Privacy Policy and applicable BAA.
• Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
• Safety: We may disclose information when we believe in good faith that disclosure is necessary to protect the safety of patients, staff, or the public.

We do not share data with third-party advertisers, data brokers, or any entities for purposes unrelated to the Service.

4. HIPAA Compliance

Mitali is designed to comply with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. We maintain:

• Administrative Safeguards: Workforce training, access controls, and incident response procedures
• Physical Safeguards: Secure data center facilities through AWS (SOC 2, HITRUST certified)
• Technical Safeguards: Encryption in transit (TLS 1.2+) and at rest (AES-256), audit logging, and access controls

Facilities using the Service are required to execute a Business Associate Agreement (BAA) with Mitali. SMS safety alerts are designed to minimize PHI exposure by using de-identified event metadata rather than patient-identifiable information.

5. Data Retention

• Session Data: Session records and safety event data are retained for 24 hours and then automatically deleted via TTL-based cleanup.
• Facility Configuration: Alert recipient phone numbers and facility settings are retained for the duration of the service agreement.
• SMS Delivery Logs: Delivery metadata is retained for 90 days for troubleshooting and compliance purposes.

Upon termination of a facility's service agreement, we will delete all associated data within 30 days, unless retention is required by law.

6. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption of all data in transit using TLS 1.2 or higher
• Encryption of all data at rest using AES-256
• Role-based access controls with least-privilege principles
• Regular security assessments and vulnerability scanning
• Automated monitoring and alerting for unauthorized access attempts

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information, subject to legal retention requirements
• Opt-Out of SMS: Reply STOP to any SMS message to immediately cease receiving alerts. Reply HELP for assistance.
• Portability: Request your data in a structured, machine-readable format

To exercise any of these rights, contact us at support@mitali.ai or call +1 (833) 400-3596. We will respond to verified requests within 30 days.

8. Children's Privacy

The Service is designed for use by authorized clinical staff and facility administrators. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify facility administrators of material changes by email and by updating the "Effective Date" at the top of this page. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

• Email: support@mitali.ai
• Phone: +1 (833) 400-3596
• Website: https://mitali.ai