Genkō

Privacy Policy

Last updated: February 3, 2026

Introduction

At Genkō Healthcare SaaS ("Genkō", "we", "us", "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our healthcare management platform, website, mobile applications, and related services (collectively, the "Services"). We understand the sensitive nature of healthcare data and have designed our platform to meet the highest standards of data protection, including compliance with HIPAA, GDPR, and other applicable privacy regulations. By using our Services, you consent to the practices described in this Privacy Policy. We encourage you to read this policy carefully and contact us with any questions.

Scope and Application

This Privacy Policy applies to: (a) all users of our platform, including healthcare administrators, providers, staff, and patients; (b) visitors to our website and marketing pages; (c) individuals who communicate with us via email, phone, or other channels; (d) business contacts and prospective customers; and (e) any other individual whose personal information we process. This policy covers information collected through our Services, website, mobile apps, email communications, and in-person interactions. For healthcare organizations using our platform, additional terms regarding Protected Health Information (PHI) may be governed by a Business Associate Agreement (BAA) between our organizations.

Information We Collect

We collect information necessary to provide our healthcare management services. The types of information we collect depend on how you interact with our Services.

Personal Information

We collect information you provide directly, including: Full name, email address, phone number, and mailing address; Professional credentials, license numbers, and NPI for healthcare providers; Organization name, business address, and tax identification numbers; Account credentials (email and password); Profile information and preferences; Payment information (credit card numbers, billing addresses) - processed securely through our payment processor Stripe; Resume, application materials, and background check information for job applicants; Any other information you choose to provide.

Usage and Technical Data

We automatically collect certain information when you use our Services, including: Device information (device type, operating system, browser type and version); IP address and approximate geographic location; Unique device identifiers and mobile advertising IDs; Log data (pages viewed, access times, referring URLs, actions taken); Performance data and error reports; Feature usage patterns and preferences; Session duration and interaction data; Cookies and similar tracking technologies data.

Protected Health Information (PHI)

When healthcare organizations use our platform, they may input or upload Protected Health Information about their patients. This may include: Patient demographics (name, date of birth, address, contact information); Medical records, diagnoses, treatments, and medications; Appointment history and scheduling information; Insurance information and billing records; Clinical notes and documentation; Lab results and diagnostic reports; Telemedicine session recordings (if enabled and consented to); and other health-related information. We process PHI solely on behalf of healthcare organizations (Covered Entities) as a Business Associate under HIPAA. We do not access, use, or disclose PHI for any purpose other than providing our Services unless required by law.

Information from Third Parties

We may receive information about you from third parties, including: Identity verification services; Payment processors and financial institutions; Integration partners and connected healthcare systems; Analytics and marketing service providers; Public databases and social media platforms (for business contacts); and Background check providers (for employment purposes). We use this information only in accordance with this Privacy Policy.

How We Use Your Information

We use the information we collect for the following purposes: Service Delivery: To provide, maintain, and improve our healthcare management platform and features; to process transactions and send related information; to facilitate telemedicine consultations; and to provide customer support. Communication: To send service-related communications (confirmations, updates, security alerts); to respond to inquiries and support requests; to send marketing communications (with consent where required); and to notify you of changes to our Services or policies. Security and Compliance: To verify identity and prevent fraud; to monitor for security threats and unauthorized access; to maintain audit logs for HIPAA compliance; to comply with legal obligations and respond to legal requests; and to enforce our terms and policies. Analytics and Improvement: To understand how users interact with our Services; to identify trends and usage patterns; to develop new features and improve existing ones; to personalize user experience; and to measure the effectiveness of our marketing. Legal Bases: Where required by law (such as under GDPR), we process your information based on: your consent; performance of a contract; compliance with legal obligations; protection of vital interests; or our legitimate interests (balanced against your rights).

Information Sharing and Disclosure

We do not sell your personal information. We share information only in the following circumstances: Service Providers: We share information with trusted third-party vendors who assist us in operating our platform, including cloud hosting providers (for data storage); payment processors (Stripe for billing); email service providers (for communications); analytics providers (for service improvement); and customer support tools. These providers are contractually bound to protect your information. Healthcare Operations: For authorized healthcare operations between Covered Entities and their patients, as directed by our customers. Legal Requirements: We may disclose information if required to do so by law or in response to valid legal requests by public authorities, including to meet national security or law enforcement requirements. We will notify you of such requests when legally permitted. Business Transfers: In connection with any merger, acquisition, reorganization, or sale of assets, your information may be transferred as a business asset. We will notify you of any change in ownership or uses of your information. With Consent: We may share your information for other purposes with your explicit consent.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information and improve our Services. Essential Cookies: Required for the operation of our platform (authentication, security, preferences). These cannot be disabled. Analytics Cookies: Help us understand how visitors interact with our website and platform. We use services like Google Analytics with privacy-protective settings. Preference Cookies: Remember your settings and preferences to personalize your experience. Marketing Cookies: Used to track visitors across websites and display relevant advertisements. These are only used with your consent. You can control cookies through your browser settings. However, disabling certain cookies may limit your ability to use some features of our Services. For more information about our cookie practices, please see our Cookie Policy.

Data Security

We implement comprehensive security measures to protect your information: Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Access Controls: We implement role-based access controls and require multi-factor authentication for administrative access. Our staff access personal information only on a need-to-know basis. Infrastructure Security: We use secure, SOC 2 Type II compliant data centers with physical security controls, redundancy, and disaster recovery capabilities. Network Security: We employ firewalls, intrusion detection systems, and regular vulnerability assessments. Monitoring: Continuous security monitoring and comprehensive audit logging of all system access. Employee Security: All employees undergo background checks and receive regular security training. Confidentiality agreements are required. Incident Response: We have established procedures for detecting, responding to, and recovering from security incidents. We will notify affected parties and relevant authorities as required by law. Vendor Security: We carefully vet our service providers and require them to meet our security standards through contractual obligations.

Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Account Information: Retained for the duration of your account and for a reasonable period afterward to comply with legal requirements and resolve disputes. Health Information: We retain PHI according to the retention policies specified by healthcare organizations and as required by healthcare regulations (typically 6-10 years depending on jurisdiction). Usage Data: Generally retained for 2 years for analytics purposes, then aggregated or deleted. Marketing Data: Retained until you withdraw consent or unsubscribe. Backup Data: May be retained for up to 30 days after deletion for disaster recovery purposes. Legal Requirements: We may retain information longer if required by law (tax records, legal holds, regulatory requirements). We will securely delete or anonymize information when it is no longer needed.

International Data Transfers

Our Services are operated from México and the United States. If you are located in another country, your information may be transferred to and processed in these countries, which may have different data protection laws than your jurisdiction. For users in the European Economic Area (EEA), UK, or Switzerland: We rely on appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission; Data Processing Agreements with adequate protection provisions; and our service providers' certifications and security measures. We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data or where appropriate safeguards are in place.

Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information: Right to Access: Request a copy of the personal information we hold about you. Right to Rectification: Request that we correct any inaccurate or incomplete information. Right to Erasure: Request that we delete your personal information, subject to legal retention requirements. Right to Restrict Processing: Request that we limit how we use your information. Right to Data Portability: Request your information in a structured, commonly used format. Right to Object: Object to processing based on legitimate interests or for direct marketing. Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. To exercise these rights, please contact us at privacy@getgenko.com. We will respond to your request within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before processing your request.

HIPAA Patient Rights

If you are a patient of a healthcare provider using our platform, you have specific rights under HIPAA regarding your health information. These rights should be exercised through your healthcare provider directly, as they are the Covered Entity responsible for your PHI. These rights include: the right to access your medical records; the right to request amendments to your records; the right to an accounting of disclosures; the right to request restrictions on uses and disclosures; and the right to receive confidential communications. Your healthcare provider can provide you with their Notice of Privacy Practices, which explains these rights in detail.

Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. Healthcare organizations may input information about minor patients as part of their healthcare operations, but this is done under the authority and consent management of the healthcare provider and patient's guardians. If we learn that we have collected personal information from a child under 13 without parental consent, we will take steps to delete that information. If you believe we have inadvertently collected information from a child, please contact us immediately.

Do Not Track Signals

Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites you visit indicating that you do not wish to be tracked. Currently, there is no accepted standard for how websites should respond to DNT signals. We do our best to honor these signals where possible and limit tracking for users who have enabled DNT, but we cannot guarantee complete tracking prevention. We recommend using our cookie settings to control your tracking preferences.

Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform. This includes but is not limited to: integrated healthcare systems and EHR platforms; payment processors; identity verification services; calendar and scheduling integrations; and communication platforms.

California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). You have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale or sharing of your personal information (note: we do not sell personal information); not be discriminated against for exercising your rights; and correct inaccurate personal information. To exercise these rights, contact us at privacy@getgenko.com or call us. You may designate an authorized agent to make requests on your behalf. We will verify your identity before processing any request. In the preceding 12 months, we have collected the categories of personal information described in this Privacy Policy. We use this information for the business purposes described above.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes: (a) we will update the "Last Updated" date at the top of this policy; (b) we will notify you via email or prominent notice on our platform at least 30 days before the changes take effect; and (c) we will obtain your consent where required by law. We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us. Our dedicated privacy team is committed to addressing your concerns promptly and professionally.

Genkō Healthcare SaaS

Luis Pulido Díaz. Calle Fernando 4531
El Paraíso 22106, Tijuana
Baja California, México

Privacy inquiries: privacy@getgenko.com
General support: support@getgenko.com

Data Protection Officer

DPO contact: dpo@getgenko.com
