Privacy Policy
Recovery Network Inc. ("Recovery Network", "we") provides a behavioral-health platform to licensed behavioral-health facilities ("Covered Entities"). This Privacy Policy explains how we collect, use, and protect information in that capacity.
Business Associate Relationship
For Protected Health Information ("PHI"), Recovery Network acts as a Business Associate of each Covered Entity. PHI is handled exclusively under the Business Associate Agreement ("BAA") executed with that Covered Entity and under HIPAA's Privacy and Security Rules. Patients' rights regarding their PHI are described in the Covered Entity's Notice of Privacy Practices and in our HIPAA Notice of Privacy Practices.
Data Usage / AI Processing
The Council
Recovery Network operates The Council, a multi-doctor AI system that performs AI-assisted analysis of patient communications, wearable signals, and voice/video journaling. The Council produces risk scores and generates alerts to support licensed clinicians. All Critical-tier outputs are reviewed by a licensed clinician before any clinical action is taken. Dr. Chen (Compliance Authority) holds absolute veto power over all escalation decisions. The Council supports, and does not replace, licensed clinical judgment.
Categories of Information Collected
- Clinical & Operational PHI — received from Covered Entities under their BAAs
- Wearable Signals — HRV, sleep, heart rate, SpO2, steps, stress, respiratory rate, temperature, and related biometric data from devices connected with patient consent
- Voice & Video Journal — patient-initiated audio captures, transcribed by Google Cloud Speech-to-Text under a HIPAA BAA and discarded after transcription; video processed on-device and never transmitted
- Account & Account-Holder Data — facility contacts, clinicians, administrators
- Usage Telemetry — de-identified surface interactions for safety monitoring and system performance
42 CFR Part 2 — Substance Use Disorder Records
Records that identify an individual as having or having had a substance use disorder are protected under 42 CFR Part 2 in addition to HIPAA. Recovery Network will not disclose such records except as permitted by the patient's written consent or as otherwise authorized by 42 CFR §2.12 through §2.67. Re-disclosure is prohibited except as permitted by Part 2.
Security
Recovery Network implements administrative, physical, and technical safeguards required by 45 CFR §164.308, §164.310, and §164.312: encryption in transit and at rest, role-based access controls, audit logging of every clinical action, facility_id scoping on every data path, and the PHI boundary architecture that prevents cross-facility data mixing.
Retention & Deletion
- Audio and video from the Voice & Video Journal are never stored
- Wearable data is retained for the duration of the patient's enrollment plus 30 days
- De-identified aggregates are retained in accordance with 45 CFR §164.514
- Patients may request deletion of retained data through their Covered Entity
Changes to This Policy
We will post updates to this Policy at this URL and, where required, provide notice through the Covered Entity.
Contact
Recovery Network Inc.
Attn: Privacy Officer
info@recoverynetwork.ai