Privacy Policy

Effective Date: April 24, 2025

Last Updated: July 2, 2025

Bubbl AI Inc. ("Bubbl", "we", "us", or "our") provides a platform that enables licensed healthcare providers to send secure health screening invitations and authentication messages to their patients. This Privacy Policy describes how Bubbl collects, uses, and safeguards personal information through our software and services.

1. Scope of This Policy

This Privacy Policy applies to:

  • Personal information collected from healthcare providers and clinic staff ("clinics") who use the Bubbl platform.
  • Patient data that Bubbl processes strictly on behalf of clinics, in support of healthcare-related workflows such as pre-screening, communication, and documentation.

Important Note: Bubbl is a business-to-business (B2B) platform. Patients do not create accounts or register directly with Bubbl. Clinics are solely responsible for adding patients to the platform and obtaining any required consent for communication.

Bubbl follows privacy and security best practices aligned with the Health Insurance Portability and Accountability Act (HIPAA), though we are not yet formally certified. Clinics are responsible for maintaining their own HIPAA compliance. Bubbl acts as a Business Associate under HIPAA in our relationships with clinics.

2. Information We Collect

a. From Clinics and Authorized Users

When clinics create and use Bubbl accounts, we collect:

  • Full name, email address, and phone number
  • Clinic name, address, and contact details
  • Login credentials and authentication metadata
  • IP address, device information, and platform usage logs

b. From Patients (via Clinics)

Clinics may upload or input patient information to facilitate screenings and communication. Bubbl processes this information only as instructed by the clinic. Patient data may include:

  • First and last name
  • Mobile phone number
  • Medical history, allergies, medications (if disclosed during screening)
  • Symptom descriptions and screening responses
  • Timestamps (e.g., screening start or completion time)

Bubbl does not collect data directly from patients and does not determine how patient data is used. Clinics are fully responsible for obtaining express written consent before initiating any communication with patients via Bubbl.

3. How We Use Information

We use collected information solely to:

  • Provide, operate, and maintain the Bubbl platform
  • Send secure SMS communications (e.g., screening invites, OTPs)
  • Authenticate sessions and enforce security
  • Monitor performance and improve reliability
  • Fulfill legal, contractual, and regulatory obligations

We do not use personal or patient data for advertising, data mining, product training, or unrelated analytics. Bubbl does not reuse, profile, or retain personal health data for its own benefit.

4. How We Share Information

We may share information under the following conditions:

With Authorized Vendors:

We engage trusted service providers (e.g., SMS delivery platforms, infrastructure hosts, and AI infrastructure vendors) to perform essential services on our behalf. These vendors are contractually bound to handle data securely and only as directed by Bubbl.

For Legal Reasons:

We may disclose information to comply with applicable laws, court orders, or government regulations.

In a Business Transfer:

In the event of a merger, acquisition, or asset transfer, information may be shared as part of the transaction under confidentiality agreements.

We do not sell, rent, or share data for advertising, promotional, or marketing purposes.

5. Data Roles and Responsibilities

  • Clinics retain full ownership and control of the patient data they submit to Bubbl.
  • Bubbl acts solely as a data processor, providing infrastructure and functionality as directed by the clinic.

Clinics are responsible for:

  • Obtaining all required patient consents prior to initiating communication
  • Ensuring lawful use of patient data in accordance with HIPAA, TCPA, and other applicable laws
  • Managing patient access and deletion requests (see Section 7)

Bubbl supports clinics in fulfilling these responsibilities upon request but does not respond directly to patient privacy inquiries unless instructed to do so by the clinic.

6. Data Security

We implement strong technical and organizational safeguards to protect personal data, including:

  • AES-256 encryption for sensitive data in transit and at rest
  • Secure, access-controlled hosting environments
  • Role-based access permissions
  • Audit logging and internal usage monitoring
  • Routine security assessments and penetration testing

7. Rights and Choices

a. For Clinics

Clinic users may:

  • Access, update, or delete their account information
  • Export patient data as permitted by platform functionality
  • Configure consent and privacy settings through the Bubbl admin panel

b. For Patients

Patients do not have accounts with Bubbl and must contact their healthcare provider directly to:

  • Access or update their data
  • Revoke consent for communication
  • Request deletion of screening records

If Bubbl receives a privacy-related request from a patient, we will refer the individual to their clinic and support the clinic in fulfilling the request if needed.

8. Data Retention

  • Clinic account data is retained for the duration of the active account and as required by regulation or contract.
  • Patient screening records are retained in accordance with clinic-defined retention policies or applicable law.

Data is securely deleted upon:

  • Clinic request
  • Account deactivation
  • Expiration of configured retention timelines

9. Cookies and Tracking

Bubbl uses only essential session cookies and limited, non-identifying analytics to:

  • Authenticate user sessions
  • Monitor usage trends
  • Ensure platform reliability and security

We do not use advertising, retargeting, or third-party tracking cookies. Users cannot be tracked across other sites by Bubbl or its service providers.

10. International Hosting

Bubbl is headquartered in Canada and uses globally distributed, secure cloud infrastructure. As such, personal data may be stored or processed in jurisdictions outside your region, including the United States.

Where required, we implement safeguards such as:

  • Standard Contractual Clauses (SCCs)
  • Vendor assessments and Data Processing Agreements (DPAs)
  • Encryption and role-based access restrictions

These measures help ensure data remains protected and accessible only as permitted by applicable law.

11. SMS Consent and Communication

All patient-related SMS messages sent through Bubbl:

  • Are explicitly initiated by licensed clinics
  • Are limited to health-related use cases (e.g., screening links, OTPs, reminders)
  • Require that the clinic has obtained prior express written patient consent
  • Contain opt-out instructions for non-OTP messages (e.g., "Reply STOP to unsubscribe")
  • Are not sent for marketing or promotional purposes

Bubbl facilitates message delivery but does not initiate contact with patients or collect their contact information directly.

12. AI + PHI Safeguard Clause

Bubbl may use real-time AI features to assist clinics during the screening process. These features operate under the following safeguards:

  • Personal Health Information (PHI) is processed solely for the purpose of delivering clinic-requested functionality
  • PHI is never used to train machine learning models
  • PHI is not stored beyond what is needed to serve the clinic
  • All AI infrastructure used by Bubbl adheres to strict data security standards and contractual obligations

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in law, product functionality, or data practices. All changes will be posted at https://www.bubblhealth.ai. Clinics will be notified of material changes via email or in-app alerts.

14. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact:

Bubbl AI Inc.
Email: hello@bubblhealth.ai
Website: https://www.bubblhealth.ai