Last Updated: [January 2026]
Guroo AI, Inc. ("Guroo Health," "we," "us," or "our") respects your privacy and is committed to protecting personal data and health information entrusted to us. This Privacy Policy describes how we collect, use, disclose, and safeguard information when healthcare organizations and their authorized users (collectively, "Customers" or "Users") use the Guroo Health platform, including our AI-driven and voice-driven knowledge management tools, SOP manager, and configurable productivity and back‑office applications (the "Platform").
This Privacy Policy is designed for use in healthcare environments, including medical practices, clinics, hospitals, and related healthcare organizations.
1. Scope and Applicability
This Privacy Policy applies to:
Healthcare organizations that license or use the Platform;
Authorized healthcare professionals, staff, contractors, and administrators using the Platform on behalf of a healthcare organization;
Visitors to our websites and portals that link to this Privacy Policy.
This Privacy Policy does not apply to third-party websites, services, or applications that may integrate with or be linked from the Platform.
Where Guroo Health processes Protected Health Information (PHI) on behalf of a Customer, we act as a Business Associate (as defined under the U.S. Health Insurance Portability and Accountability Act of 1996, "HIPAA") or equivalent service provider under applicable data protection laws, and our handling of such data is governed by a separate Business Associate Agreement (BAA) or data processing agreement.
2. Information We Collect
2.1 Information Provided by Customers and Users
We may collect information that Customers or Users provide directly, including:
Account Information: Name, work email address, role, organization name, and authentication credentials;
Organizational Data: SOPs, workflows, policies, internal documentation, task definitions, and operational content uploaded or created within the Platform;
Communications: Messages, support requests, feedback, and other communications with Guroo Health;
Configuration Data: Customizations, preferences, and settings for practice‑specific workflows and mini‑apps.
2.2 Voice and Audio Data
When enabled by the Customer, the Platform may collect:
Voice Inputs and Audio Recordings submitted by Users for the purpose of knowledge retrieval, SOP guidance, task execution, or documentation support;
Transcriptions and Derived Outputs generated from voice inputs.
Voice features are configurable and may be disabled or restricted by the Customer at any time.
2.3 Health and Patient-Related Information
Depending on Customer configuration and use, the Platform may process limited patient-related or clinical context information, including PHI, strictly as instructed by the Customer. Guroo Health does not require Customers to upload PHI unless necessary for a specific, authorized use case.
2.4 Automatically Collected Information
We may automatically collect certain technical information, including:
IP address, device type, browser type, operating system;
Log data, usage metrics, feature interaction data;
Performance and diagnostic data.
This information is used to operate, secure, and improve the Platform.
3. How We Use Information
We use collected information to:
Provide, operate, and maintain the Platform;
Enable AI‑driven and voice‑driven knowledge management, SOP guidance, and workflow assistance;
Configure and deliver practice‑specific mini‑apps and productivity tools;
Improve Platform performance, reliability, and usability;
Monitor security, prevent fraud, and ensure compliance;
Provide customer support, training, and communications;
Comply with legal, regulatory, and contractual obligations.
AI and Machine Learning Use
AI models used within the Platform:
Operate primarily on Customer-provided data for the purpose of delivering requested functionality;
Generate outputs such as recommendations, summaries, task guidance, and SOP navigation;
Are designed to support—not replace—professional judgment.
We do not use Customer PHI to train generalized AI models without explicit contractual authorization.
4. How We Share Information
We may share information only as follows:
4.1 With Customers
Information is made available to the Customer organization and its authorized Users according to access controls and roles defined by the Customer.
4.2 Service Providers and Subprocessors
We may share information with trusted third‑party service providers who perform services on our behalf, such as cloud hosting, transcription, analytics, and security services. These providers are contractually obligated to protect data and use it only as instructed.
4.3 Legal and Regulatory Disclosures
We may disclose information if required to do so by law, regulation, court order, or governmental request, or to protect the rights, safety, or security of Guroo Health, Customers, or others.
4.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of assets, information may be transferred as part of the transaction, subject to appropriate confidentiality protections.
5. Data Security
Guroo Health implements administrative, technical, and physical safeguards designed to protect information, including:
Encryption in transit and at rest;
Role‑based access controls;
Audit logging and monitoring;
Secure development and operational practices;
Regular security reviews and risk assessments.
No system can be guaranteed to be 100% secure; however, we take reasonable and appropriate measures consistent with healthcare industry standards.
6. Data Retention
We retain information only for as long as necessary to:
Provide the Platform and services;
Meet contractual obligations;
Comply with legal and regulatory requirements.
Retention periods for PHI are governed by the applicable BAA or data processing agreement. Upon termination of services, data will be returned or deleted in accordance with contractual terms.
7. User Rights and Choices
Depending on applicable law, Users may have rights to:
Access, correct, or update personal information;
Request deletion or restriction of processing;
Object to certain processing activities.
Requests should be directed to the Customer organization, which controls data access and permissions. Guroo Health will assist Customers in responding to verified requests as required by law.
8. International Data Transfers
Guroo Health is headquartered in the United States. Our engineering, operations, and customer success teams, as well as certain service providers, may be located in other countries, including the Philippines.
When personal data or PHI is accessed or processed outside the United States, such processing is performed solely to support U.S.-based healthcare Customers and is subject to:
HIPAA and applicable U.S. healthcare privacy requirements;
Contractual safeguards, including confidentiality obligations, access controls, and security requirements;
Policies and procedures designed to ensure that offshore access does not alter the Customer’s role as Covered Entity or Guroo Health’s role as Business Associate.
We implement appropriate technical and organizational measures to ensure that cross-border access does not compromise the confidentiality, integrity, or availability of data.
9. Children’s Privacy
The Platform is not intended for use by individuals under the age of 18, and we do not knowingly collect personal information from children.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Platform or other appropriate means. Continued use of the Platform after updates constitutes acceptance of the revised Privacy Policy.
11. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact:
Guroo AI, Inc.
Email: privacy@guroohealth.com
Address: 600 Park Offices Drive, Suite 300, #4128 Durham, NC 27713
Appendix A: HIPAA-Specific Disclosures
A.1 Role Under HIPAA
When providing services to healthcare organizations, Guroo Health acts as a Business Associate to Covered Entities, as defined under HIPAA. We process PHI solely on behalf of and in accordance with written instructions from our Customers and applicable Business Associate Agreements (BAAs).
A.2 Permitted Uses and Disclosures of PHI
Guroo Health may use or disclose PHI only to:
Perform services as described in our agreements with Customers;
Support Platform functionality, including AI-assisted knowledge retrieval and workflow support;
Comply with applicable legal requirements;
Support internal operations, provided such use does not involve training generalized AI models.
A.3 Safeguards
We maintain safeguards consistent with the HIPAA Security Rule, including administrative, physical, and technical protections designed to:
Ensure the confidentiality, integrity, and availability of PHI;
Protect against reasonably anticipated threats or hazards;
Prevent impermissible uses or disclosures.
A.4 Subcontractors
All subcontractors that may access PHI are required to enter into written agreements imposing HIPAA-compliant obligations consistent with Guroo Health’s role as a Business Associate.
Appendix B: AI & Voice Transparency
B.1 Purpose of AI and Voice Features
Guroo Health’s AI-driven and voice-driven features are designed to support healthcare staff by:
Enabling fast retrieval of SOPs, policies, and institutional knowledge;
Assisting with task guidance, workflow navigation, and documentation support;
Improving operational efficiency for both clinical-adjacent and back-office activities.
These features are intended as decision-support tools and do not provide medical advice or replace professional judgment.
B.2 Data Inputs
Depending on Customer configuration, AI and voice features may process:
User-submitted text, voice inputs, and audio recordings;
Transcriptions and metadata derived from such inputs;
Customer-provided operational content, SOPs, and workflows.
B.3 Model Behavior and Training
AI models operate within defined scopes based on Customer configurations. Customer data, including PHI, is not used to train generalized or cross-customer AI models. Any model improvement activities involving Customer data require explicit contractual authorization.
B.4 Human Oversight
Customers retain full control over:
Whether AI and voice features are enabled;
Which Users may access such features;
The content made available to AI systems.
AI outputs should be reviewed by Users prior to reliance or action.
B.5 Data Retention and Deletion
Voice recordings and transcriptions are retained only as long as necessary to provide requested functionality and in accordance with Customer-defined retention settings and contractual obligations.
Appendix C: Privacy Summary (Short Form)
What Guroo Health Does
Guroo Health provides an AI-enabled platform that helps healthcare organizations manage SOPs, operational knowledge, and back-office workflows.
Who We Serve
Enterprise hospital systems, multi-site practices, and small clinics.
Our Role
We act as a Business Associate when handling PHI and process data only on Customer instructions.
AI & Voice
AI and voice features support staff efficiency and do not replace professional judgment. Customer PHI is not used to train generalized AI models.
Security
We apply healthcare-grade security controls aligned with HIPAA requirements.
Your Data
Customers control their data, configurations, and access permissions.
Questions
Contact us at privacy@guroohealth.com
This Privacy Policy is provided for informational purposes and does not constitute legal advice.