privacy

Privacy Policy

Effective January 1, 2026 · Applies to United States residents

Template — review with counsel before publishing. This document is a starting draft prepared for Peek Health. It is not legal advice and must be reviewed and adapted by qualified US healthcare privacy counsel before it is relied on by customers or patients.

1. Who we are

  • Peek Health ("Peek Health," "we," "us," or "our") provides a structured postpartum check-in and population-health analytics platform for maternity care providers in the United States.
  • This Privacy Policy explains how we handle personal information collected through our marketing website, the Peek Health clinician application, and related services (collectively, the "Services"). It is written to meet the disclosure requirements of the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") and comparable US state privacy laws (including the Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and Texas TDPSA).
  • Protected Health Information ("PHI") that we handle on behalf of a covered entity is governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Business Associate Agreement ("BAA") signed with that covered entity. In the event of any conflict between this Policy and a BAA, the BAA controls with respect to PHI.

2. Personal information we collect

  • Identifiers: name, work email address, employer, professional role, and IP address collected when you request a briefing, join the waitlist, or sign in to the clinician application.
  • Commercial information: records of the demonstrations, briefings, and communications you request.
  • Internet or network activity: pages visited on our marketing site, referrer, device type, and browser, collected via first-party analytics.
  • Professional information: NPI number, practice name, and clinical role, where provided by a customer during onboarding.
  • Protected Health Information: when a customer (a HIPAA covered entity) uses the Services, we process patient check-in responses on that customer’s behalf. Peek Health does not collect PHI directly from patients and does not sell, share, or use PHI for our own purposes.
  • We do not knowingly collect information from children under 13, and the Services are not directed to children.

3. How we use personal information

  • Provide, maintain, secure, and improve the Services.
  • Authenticate clinicians, provision accounts, and support customers.
  • Respond to briefing requests, waitlist signups, and support inquiries.
  • Generate de-identified, aggregated population-health insights consistent with the HIPAA Safe Harbor method (45 CFR 164.514(b)).
  • Detect, investigate, and prevent security incidents, fraud, and abuse.
  • Comply with legal obligations and enforce our Terms of Service.
  • We do not use personal information for cross-context behavioral advertising and we do not sell personal information as those terms are defined under US state privacy laws.

4. How we disclose personal information

  • Subprocessors: cloud infrastructure (Amazon Web Services, US regions only), analytics, error monitoring, and email delivery vendors, each under a written data protection agreement and, for PHI subprocessors, a signed BAA.
  • Customers: PHI is disclosed only back to the covered entity that provided it and, where the customer directs, to their designated business associates.
  • Legal and safety: to comply with a valid subpoena, court order, or other legal process; to protect the rights, safety, or property of Peek Health, our customers, or the public.
  • Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality obligations and, for PHI, applicable HIPAA restrictions.
  • We do not sell personal information and we do not share personal information for cross-context behavioral advertising.

5. Data retention & deletion (US)

  • Demo environment: synthetic data only, no PHI. Check-in responses retained 30 days; aggregated demo insights retained 90 days; the environment is reset quarterly.
  • Production environment: raw check-in responses retained for 24 months from capture, then permanently deleted from primary storage within 30 days and from encrypted backups within 90 days.
  • De-identified, aggregated population insights (per HIPAA Safe Harbor) retained indefinitely for longitudinal maternal health research.
  • Audit logs retained for 6 years to meet HIPAA § 164.316(b)(2) requirements.
  • Marketing contacts (briefing, waitlist): retained until you unsubscribe or request deletion, and then removed from primary systems within 30 days.
  • Contract termination: all customer PHI is returned or deleted within 60 days of BAA termination; a signed certificate of destruction is available on request.

6. Your US privacy rights

  • Depending on your state of residence, you may have the right to: (a) confirm whether we process your personal information and access it; (b) correct inaccurate personal information; (c) delete personal information; (d) obtain a portable copy; (e) opt out of the sale or sharing of personal information and of targeted advertising (we do not engage in these activities); and (f) limit the use of sensitive personal information.
  • California residents (CCPA/CPRA): you also have the right to not receive discriminatory treatment for exercising these rights, and to designate an authorized agent to submit requests on your behalf. In the prior 12 months, we have not sold or shared personal information as those terms are defined by the CCPA/CPRA.
  • How to submit a request: email hello@peekhealth.com with the subject line “US Privacy Request.” We will verify your identity using information already in our records and respond within 45 days (extendable by an additional 45 days where permitted).
  • Appeals: if we deny your request, you may appeal by replying to our decision email. We will respond within the timeframe required by your state’s law (typically 60 days).
  • PHI: rights to access, amend, and receive an accounting of disclosures of your PHI are handled through your healthcare provider (the HIPAA covered entity), not Peek Health directly.

7. Security

  • All personal information is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Hosted in HIPAA-eligible AWS US regions (us-east-1 and us-west-2) under a signed BAA with AWS.
  • Role-based access control, least-privilege administration, mandatory MFA for all workforce members, and audit logging.
  • SOC 2 Type II examination in progress; aligned with HITRUST CSF controls.
  • No transmission or storage system is 100% secure; we cannot guarantee absolute security.

8. International users

  • The Services are intended for use in the United States. If you access the Services from outside the US, your information will be transferred to and processed in the US, which may not offer the same level of data protection as your home jurisdiction.

9. Changes to this Policy

  • We will post material changes to this Policy on this page and update the “Effective” date above. Where required by law, we will provide additional notice (for example, by email).

10. Contact

  • Privacy questions or requests: hello@peekhealth.com (subject line “US Privacy Request”).
  • For PHI-related matters, please contact your healthcare provider directly.