Advokare Privacy and Security Notice
Individual Access Services (IAS) – TEFCA Compliance Notice
Effective Date: February 19, 2026
This Privacy and Security Notice (“Notice”) explains how we collect, use, protect, and disclose your health information when you use Advokare’s Individual Access Services (IAS). It is provided in accordance with the Trusted Exchange Framework and Common Agreement (TEFCA), the IAS Provider Requirements SOP v2.1, and applicable federal and state law.
Advokare Inc. (“Advokare,” “we,” “us,” or “our”) is required to act in conformance with this Privacy and Security Notice and must protect the security of the Individually Identifiable Information it maintains in accordance with the applicable TEFCA Framework Agreement.
By using Advokare’s Individual Access Services, you provide your EXPRESS, DOCUMENTED, AND INFORMED CONSENT to the practices described in this Notice.
ADVOKARE DOES NOT PROVIDE BIDIRECTIONAL SERVICES. YOU WILL HAVE THE ABILITY TO REQUEST ACCESS TO YOUR HEALTH INFORMATION VIA TEFCA EXCHANGE. YOU WILL NOT BE ABLE TO USE ADVOKARE TO SHARE YOUR HEALTH INFORMATION WITH OTHER PARTICIPANTS IN TEFCA.
————————
1. Scope and Purpose of IAS
Advokare provides patient-directed Individual Access Services that allow individuals to securely access, retrieve, and better understand their electronic health records ("EHRs") through TEFCA Exchange.
This Notice describes our privacy and security practices with respect to Individually Identifiable Information that we maintain, including information maintained in connection with Individual Access Services under TEFCA.
Advokare is not a HIPAA Covered Entity when acting solely as a provider of IAS services (“IAS Provider”). In addition, regardless of whether HIPAA applies as a matter of law, Advokare voluntarily applies privacy and security safeguards consistent with the HIPAA Privacy and Security Rules across its operations as a matter of good business practice.
————————
2. Categories of Information We Access and Maintain
With your explicit HIPAA Authorization and TEFCA consent, we retrieve your electronic health records from accredited health information networks and TEFCA participants (such as hospitals, clinics, physician practices, and other health care providers where you have received care) to the extent those providers participate in TEFCA exchange.
By using the Platform and providing access to your electronic health records, you authorize Advokare to access, use, and process your protected health information in accordance with this Privacy and Security Notice, the Terms of Use, and applicable law.
Electronic Health Records (EHR):
With your explicit HIPAA Authorization, we retrieve your EHR from accredited, secure health information networks (such as TEFCA participants like EPIC and other software vendors that your hospitals use to manage your health records). These records contain Protected Health Information (PHI), including your name, date of birth, medical conditions, treatments, and more.
User-Generated Content:
You may provide additional health information directly to us, such as answers to questions about your health or preferences and other content you upload, such as files and images. Also, when you ask questions through our Platform, those inputs and the AI-generated responses become part of your user-generated content.
Authentication Information:
A secure authentication token (e.g., Auth0 key) associated with your account for login and secure connection purposes.
Usage Data (de-identified):
We collect and analyze anonymized data such as usage statistics, session duration, question topics, and app performance to improve our services.
Communication Information:
If you communicate with us, such as via email or our pages on social media sites, we may collect Personal Data like your name, contact information, and the contents of the messages you send (“Communication Information”).
Other Information You Provide:
We collect other information that you provide to us, such as when you participate in our events or surveys, audit logs associated with IAS activity, or when you provide us or a vendor operating on our behalf with information to establish your identity or age (collectively, “Other Information You Provide”).
We encrypt all Individually Identifiable Information in transit and at rest, regardless of whether such data constitute TEFCA Information.
————————
3. How Individually Identifiable Information May Be Used and Disclosed
We may use or disclose your Individually Identifiable Information only for the following purposes:
To provide IAS to you
To provide answers to questions about your health
To comply with subpoenas, court orders, warrants, or other compulsory legal processes
Here's a summary of how your information is used:
Type of Data: Use Case
PHI (from EHR): Used during AI-powered Q&A sessions within our secure environment
Session Data: Used to generate responses to your health-related questions
De-identified Data: Used for analytics, service insights, and commercial research
Optional Stored Data: If you choose to store your data, it will be kept securely based on your preferences
We will not sell, license, trade, or exchange your Individually Identifiable Information for money or other valuable consideration.
————————
4. Third-party Access and Disclosures
A. TEFCA Exchange
Advokare retrieves your Individually Identifiable Information from TEFCA Participants through Qualified Health Information Networks (QHINs) in response to your authorized IAS request. Advokare does not disclose your Individually Identifiable Information back through TEFCA except as required by applicable law. All exchanges conducted under TEFCA are governed by the permitted and required Uses and Disclosures set forth in the TEFCA Common Agreement and applicable U.S. Department of Health and Human Services guidance.
B. Authorized Caregivers
You may authorize a trusted caregiver (e.g., a family member) to access and interact with your health information on your behalf.
Caregivers must be explicitly authorized by the patient, and their access is controlled by the patient through our secure invitation system.
C. Service Providers
To vetted vendors operating under contractual confidentiality and data protection obligations, including:
Cloud hosting providers
Security monitoring providers
Identity verification vendors
We require third-party service providers to:
Maintain confidentiality
Implement commercially reasonable security safeguards
Use information only for services provided to Advokare
Not sell or further disclose Individually Identifiable Information
D. Legal and Regulatory Requirements
We may disclose Individually Identifiable Information if required by:
Civil or criminal subpoena
Court order
Search warrant
Government demand for compulsory disclosure
Other lawful process
Such disclosures may include cross-state disclosures consistent with Applicable Law. Once we are legally required to disclose information, we may not be able to control how it is used by the requesting authority.
————————
5. Notification of Compulsory Disclosures
Unless prohibited by Applicable Law, Advokare will provide written or electronic notice to affected Individual(s) within three (3) business days of:
Receiving a civil or criminal subpoena, court order, search warrant, or other compulsory legal demand for Individually Identifiable Information; or
Making Individually Identifiable Information available to law enforcement agencies.
You will have the opportunity to:
Object to production;
Seek a protective order; or
Pursue other appropriate remedies consistent with Applicable Law.
If notice is legally prohibited (for example, under certain national security laws), we will comply with such restrictions.
————————
6. Reproductive Health and Gender-Affirming Care Information
Individually Identifiable Information relating to:
Reproductive health care services (including pregnancy, termination of pregnancy, counseling, referral, or related services), and
Gender-affirming care
may be used and/or disclosed in response to a valid civil or criminal subpoena, court order, search warrant, or other lawful demand for compulsory disclosure, including across state lines, in accordance with Applicable Law.
This applies even if you paid for the service entirely out of pocket.
————————
7. Use of AI and Large Language Models (LLMs)
We use AI to help answer your questions about your health, but we’ve taken special care to protect your privacy:
All AI processing happens within our own secure, HIPAA-compliant environment.
Your PHI never leaves our system and is never shared with external AI providers.
Our AI models do not learn from your data. Each session is like being in a private room with your medical records and an AI assistant—your questions and answers stay in that room.
The AI-generated information provided through the Platform is for informational purposes only and is intended to support discussions with your health care provider. The information may be incomplete, inaccurate, or not appropriate for your situation. Advokare does not provide medical advice, diagnosis, or treatment recommendations. You should consult your physician or other qualified health care provider before making medical decisions.
————————
8. Data Retention and Storage Options
Your use of the Service may involve the temporary or optional storage of session data or health information, depending on your selected preferences. You may update or revoke your data storage choices at any time through your account settings or by contacting us.
After each session, you decide whether to store any session content or health information:
Do not store: Discard all data upon session end.
Temporary storage: Store securely for 1 year, with an option to renew.
Continuous storage: Store data until you withdraw consent or delete your account.
Individually Identifiable Information is retained only:
For the duration of your chosen storage preference
As required for audit logs. Audit logs may be retained for compliance and security monitoring purposes even if other information is deleted.
As required by Applicable Law
If you revoke consent or close your account, we will delete your information when technically feasible, except for audit logs we are required to keep by law.
————————
9. De-identified Analytics and Research
We may use de-identified, aggregated data to improve our services and for research and business analysis. This information does not identify you. We apply technical and organizational safeguards designed to reduce the risk of re-identification and do not attempt to re-identify de-identified information except as required by law.
No PHI or identifying information is shared.
De-identified information will not identify you and will not be re-identified except as permitted or required by law.
We analyze trends such as:
Most common health topics users ask about
Age or gender trends (in a de-identified format)
How often users interact with our Platform
These insights help improve the Platform and contribute to broader healthcare research and development.
————————
10. Sponsored Content and Sale of Information
We may display promotional content that is relevant to your health interests, based on your interactions with the Service. All such content is clearly labeled. Sponsored content is provided to help support the availability of the Service without selling or sharing your personal health information. Sponsored content does not influence the medical or informational responses generated by the Service.
Advokare does not sell, license, trade, or otherwise exchange Individually Identifiable Information for monetary or other valuable consideration. Advokare will not sell Individually Identifiable Information now or at any time in the future. If Advokare ever intends to sell Individually Identifiable Information, receive remuneration in exchange for such information, or use such information for targeted advertising, Advokare will first obtain the individual’s prior, express, and documented “Consent to Sale,” which will be separate and conspicuously labeled from consent to this Privacy and Security Notice.
We do not share your personal data with sponsors, and all targeting happens within our own systems.
————————
11. Data Security
We take your privacy seriously. Our services are built and operated in compliance with HIPAA. We use commercially reasonable administrative, technical, and physical safeguards to protect Individually Identifiable Information, including encryption in transit and at rest, access controls, and monitoring. Protective measures include:
Secure, encrypted data transfers
Storage within HIPAA-compliant infrastructure
Access controls and session monitoring
No third-party sharing or external model training with your PHI
Our obligations under this Notice continue for as long as we maintain your Individually Identifiable Information.
————————
12. IAS Incident Notification
If your Individually Identifiable Information is reasonably believed to have been affected by a TEFCA Security Incident or breach of unencrypted information, we will notify you in accordance with applicable law and TEFCA requirements.
If your Individually Identifiable Information is reasonably believed to have been affected by an IAS Incident, notice will include (to the extent known):
A description of what happened
Date of the incident and discovery
Types of information involved
Steps you should take to protect yourself
Steps we are taking to investigate and mitigate harm
Toll-free phone number, email address, and website contact information
————————
13. Your Rights
When you use Advokare to request your health information through TEFCA, you are in control. Here’s what that means for you:
🔐 You Control Access
Advokare can only retrieve your health information through TEFCA because you asked us to and gave consent.
You can revoke that consent at any time in the app:
Settings → Privacy & Data → Revoke TEFCA Access Consent
👀 You Have the Right to See Your Data
You can view the health information we retrieve for you directly inside the app at any time.
⬇️ You Have the Right to Download Your Data
You can export your information whenever you want from:
Settings → Download My Health Data
Available formats:
FHIR (machine-readable) – for use with other health apps or systems
PDF (human-readable) – easy to read and share with your doctor
🧾 We Cannot Use Your Data Against You
Your health information cannot be used by Advokare to make claims against you, such as for legal, financial, or insurance purposes.
The only exception would be collecting fees — and Advokare currently does not charge any fees for these services.
🚫 We Don’t Sell Your Health Information
Your individually identifiable health information is never sold and is only used to provide the services you request.
🛑 You Can Stop Future Access Anytime
Revoking consent stops us from getting new records through TEFCA.
It does not affect information already retrieved, which you can still manage or delete in your settings.
🗑️ Your Right to Request Deletion of Your Information
You have the right to require that all Individually Identifiable Information maintained by Advokare in connection with IAS be deleted completely, to the extent technically feasible, with respect to any future Uses or Disclosures, unless such deletion is prohibited by Applicable Law; provided, however, that this right does not apply to Individually Identifiable Information contained in audit logs.
⚖️ You’ll Be Told About Legal Demands (When Allowed)
If we are legally required to disclose your information (for example, due to a court order), we will notify you within 3 business days, unless the law prevents us from doing so. You may have the right to object.
🚨 You’ll Be Notified if There’s a Security Incident
If your identifiable health information is ever reasonably believed to be involved in a security incident, we will notify you as required by law.
Instructions for exercising these rights are available within the Notice.
————————
14. Consent and Revocation
We obtain your express, documented, and informed consent before accessing or using your Individually Identifiable Information for IAS.
Consent is:
Collected via electronic or written signature
Maintained in a secure, auditable log sufficient to validate and verify consent
Required prior to any Material Change in how your information is used
You may revoke consent electronically at any time. Revocation will not affect prior lawful uses but will terminate your access to IAS.
Advokare operates as a one-directional, retrieval-only IAS Provider. By providing consent, you authorize Advokare to request and receive your health information from TEFCA Participants. You understand and agree that Advokare does not transmit, share, or disclose your health information back through TEFCA Exchange and does not provide bidirectional exchange services. You cannot use Advokare to send your health information to other TEFCA Participants.
————————
15. TEFCA Compliance Statement
Advokare does not disclose your Individually Identifiable Information via TEFCA Exchange. Therefore, there is no outbound TEFCA disclosure from which to opt out.
All access, exchange, use, and disclosure of Individually Identifiable Information through TEFCA occurs strictly in accordance with:
The TEFCA Common Agreement
IAS Provider SOP requirements
Applicable HHS guidance
Applicable federal and state law
————————
16. Prohibition on Use to Assert Claims Against the Individual
Individually Identifiable Information cannot be accessed, used, or disclosed by Advokare to assert any type of claim against you, except for the collection of disclosed and agreed-upon service fees.
————————
17. Fees
Advokare does not charge any fees for accessing your Individually Identifiable Information through Individual Access Services. Access to your own health information through IAS is provided at no cost to you.
We reserve the right to:
Limit the frequency or volume of IAS requests as reasonably necessary to manage system integrity and operational costs.
Offer optional premium features or enhanced services in the future that build upon your IAS data.
Any paid features will be clearly described before purchase and will require your separate agreement. Core IAS access rights described in this Notice will remain free.
No fees will be charged without your prior disclosure and agreement.
————————
18. How Advokare Makes Money
To keep core services free, Advokare earns revenue in privacy-protective ways:
De-identified analytics. We may create aggregated, de-identified insights about how the Platform is used (for example, common health topics or general usage trends). These insights do not identify you and do not include your medical records.
Sponsored health content. We may display clearly labeled sponsored or educational content inside the Platform. Content may be shown based on general topics you are already exploring. Advertisers never receive your Individually Identifiable Information, and all targeting happens within Advokare’s secure environment. Sponsors may receive de-identified, aggregated reports about campaign performance.
We do not sell your Individually Identifiable Information and do not give sponsors access to your medical records.
————————
19. Children’s Privacy
Our services are not directed to, and we do not knowingly collect personal information from, children under 13 (or under 16 for certain uses in California).
If we become aware that a child has provided us with personal information, we will take reasonable steps to delete it.
Parents or legal guardians may contact us at privacy@advokare.health to request access, correction, or deletion.
————————
20. Updates to This Policy
We may update this Privacy and Security Notice from time to time. This Notice is publicly accessible and conspicuously posted on our website and within any user-facing application related to Individual Access Services (IAS).
If we make a Material Change to how Individually Identifiable Information is accessed, used, disclosed, retained, or commercialized:
We will provide advance notice to enrolled individuals prior to the Material Change taking effect, unless otherwise required by law.
Notice will be delivered consistent with your communication preferences (e.g., in-app notification, email, or other authorized electronic communication).
The updated Notice will be conspicuously posted within the Service.
We will clearly describe the specific changes made, including a summary of what has changed from the prior version, so individuals can readily identify the modifications.
New consent will be obtained where required prior to implementing the Material Change.
Each Material Change to this Notice will include its own effective date, which will be clearly displayed.
We will maintain documentation of Material Changes and the reasonable efforts undertaken to notify enrolled Individuals. In the event of a dispute regarding whether reasonable efforts were made to provide notice of a change to this Notice, we acknowledge that we bear the responsibility to demonstrate that the change was not material or that appropriate notice was provided consistent with applicable requirements.
————————
21. Contact Us
Privacy & Data Protection Officer
Advokare Inc.
30 High Rock Way
Allston, MA 02134
📧 privacy@advokare.health
📞 508.318.8797
Advokare maintains a documented process for receiving, reviewing, responding to, and resolving privacy-related complaints. We retain documentation of complaints and their final disposition in accordance with applicable record retention requirements.
Thank you for trusting Advokare. We’re committed to giving you clarity, control, and confidence in how your health data is used.