Privacy Policy

Effective Date: February 1, 2026

1. Information We Collect

Agent Lumos ("we", "us", "our") collects the following categories of information in connection with providing our clinical decision support platform:

Protected Health Information (PHI)

  • Patient names, contact information, and demographic data
  • Medical history, surgical procedures, and diagnosis information
  • Pre-operative instructions and care plans
  • Patient-provider conversation logs
  • Assessment responses and preparation tracking data

Account Information

  • Physician names, credentials, and practice information
  • Email addresses and phone numbers
  • Hospital and department affiliations
  • Oversight and approval preferences

Usage Data

  • Service access logs and session activity
  • Feature usage patterns and interaction data
  • Device type, browser, and operating system
  • IP addresses and approximate geolocation

Cookies & Similar Technologies

We use strictly necessary cookies for authentication, session management, and security purposes. We do not use advertising or third-party tracking cookies. See Section 9 for details.

2. How We Use Information

We use your information for the following purposes:

  • Service Delivery: Providing AI-assisted pre-operative patient communications, generating clinical content, and managing care workflows
  • AI Processing: Processing patient queries and generating responses through our AI pipeline, including clinical evidence retrieval, confidence scoring, and safety evaluation
  • Quality & Safety: Monitoring AI output quality, conducting compliance reviews, and maintaining audit logs
  • Account Management: Managing your account, processing billing, and providing customer support
  • Security: Detecting and preventing unauthorized access, fraud, and other security threats
  • Legal Compliance: Complying with HIPAA, state privacy laws, and other applicable regulations

3. AI Data Processing

We want to be transparent about how your data interacts with AI systems:

  • Zero-Retention API: AI-generated content is processed through zero-retention API endpoints. Our AI provider does not store, log, or use your data after processing is complete.
  • No Model Training: Patient health information is never used for AI model training or improvement. Your data is used exclusively for providing the Service.
  • Data Minimization: We send only the minimum necessary information to AI processing endpoints, consistent with HIPAA's minimum necessary standard.
  • Audit Trail: All AI interactions are logged for compliance and quality assurance purposes, with logs retained in accordance with our data retention policy.
  • Partner Content Attribution: When AI responses include educational content from pharmaceutical or medical device partners, the content source is recorded in the audit trail along with the selection reasoning. Partner Content is selected based on contextual relevance to the patient's query, not on financial arrangements. Partners do not receive access to patient data or individually identifiable health information.

4. Information Sharing

We share information only with BAA-covered subprocessors who assist in providing the Service:

  • Anthropic — AI language model provider (zero-retention API processing)
  • Convex — Database and backend infrastructure
  • Bird — SMS and WhatsApp messaging delivery
  • Resend — Email delivery

Each subprocessor has executed a BAA with Agent Lumos and is contractually bound to protect PHI in accordance with HIPAA requirements. We do not sell, rent, or share your information with third parties for marketing purposes.

Pharmaceutical & Device Partners

Agent Lumos receives educational product data from pharmaceutical and medical device companies for inclusion in AI-generated responses. This is a one-way data flow: partners provide content to Agent Lumos, but patient health information is never shared with partners. Partners receive only aggregate, de-identified engagement metrics (e.g., content impression counts) and cannot access individual patient data, conversation logs, or health records. Partner content delivered to patients is always clearly attributed to its source.

We may disclose information when required by law, such as in response to a valid subpoena, court order, or regulatory request.

5. Data Retention

  • Medical Records & PHI: Retained for seven (7) years from the date of creation, or longer if required by state law, consistent with medical record retention requirements
  • Audit Logs: Retained for six (6) years as required by HIPAA
  • Account Information: Retained for the duration of the account and for ninety (90) days after account closure to facilitate data export
  • Usage Data: Retained for twenty-four (24) months in identifiable form, then aggregated for analytics

6. Security Measures

We implement comprehensive security measures to protect your data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication and session management with HIPAA-compliant inactivity timeouts
  • Role-based access controls and audit logging
  • Regular security assessments and penetration testing
  • Incident response procedures and breach notification protocols
  • Employee security training and background checks

7. Your Rights

HIPAA Rights (All Users)

Under HIPAA, patients have the right to:

  • Access and obtain copies of their PHI
  • Request corrections to inaccurate PHI
  • Request restrictions on certain uses and disclosures of PHI
  • Receive an accounting of disclosures of PHI
  • Receive notification in the event of a breach of unsecured PHI

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale or sharing of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.

Texas Residents (TDPSA)

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act, including the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of targeted advertising and profiling.

To exercise any of these rights, please contact us at privacy@agentlumos.com. We will respond within the timeframe required by applicable law.

8. Children's Privacy

The Service is not directed to children under 13 years of age. When the Service involves pediatric patients, all information is collected from and managed by the patient's parent, guardian, or the treating healthcare provider in accordance with HIPAA and applicable state laws regarding minors' health information.

9. Cookies & Tracking Technologies

We use the following categories of cookies:

  • Strictly Necessary: Authentication tokens, session identifiers, and CSRF protection. These cannot be disabled as they are essential for the Service to function.
  • Functional: User preferences such as theme settings and language selection.

We do not use analytics, advertising, or third-party tracking cookies. We do not participate in cross-site tracking or retargeting.

10. International Data Transfers

The Service is hosted and operated in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. We implement appropriate safeguards for any international data transfers in accordance with applicable law.

11. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and no later than sixty (60) days after discovery of the breach, as required by HIPAA. We will also comply with any additional breach notification requirements under applicable state laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and through an in-product notification at least thirty (30) days before the changes take effect. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

13. Contact Information

For questions about this Privacy Policy or to exercise your privacy rights, please contact us at:

Agent Lumos, Inc.
Privacy Officer
Email: privacy@agentlumos.com

For HIPAA-related inquiries, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.