Orva Product: Privacy Policy

Effective Date: April 22, 2025
Last Updated: May 20, 2025

Regional Application

Depending on your location, different data protection laws and frameworks apply:

  • UAE Users are subject to the UAE version of the Privacy Policy, which complies with the Abu Dhabi Healthcare Information and Cyber Security (ADHICS v2) Standard and UAE Federal Law No. 45 of 2021 (UAE PDPL).

  • U.S. Users are subject to the U.S. version of the Privacy Policy, which complies with the Health Insurance Portability and Accountability Act (HIPAA) and applicable U.S. privacy laws.

Definitions

For the purposes of this Privacy Policy, the following terms are defined as follows:

ADHICS: The Abu Dhabi Healthcare Information and Cyber Security Standard, issued by the Department of Health – Abu Dhabi. It outlines the regulatory framework for safeguarding personal health information and cybersecurity practices in healthcare environments across the Emirate.

UAE PDPL: The United Arab Emirates Federal Decree Law No. 45 of 2021 on the Protection of Personal Data, which governs the processing, transfer, and protection of personal data within the UAE.

HIPAA: The Health Insurance Portability and Accountability Act of 1996, a U.S. federal law that establishes national standards for protecting sensitive patient health information.

Protected Health Information (PHI): Any individually identifiable health information, including medical history, diagnosis, treatment, and personal identifiers such as name, date of birth, or patient ID, collected or processed in connection with healthcare delivery.

Personal Data: Any data relating to an identified or identifiable individual, including but not limited to names, device IDs, IP addresses, biometric data, or any data subject to UAE PDPL or other privacy laws.

De-Identified Data: Information that has been processed to remove or obscure personal identifiers, making it no longer reasonably capable of being associated with a specific individual, in accordance with HIPAA and ADHICS requirements.

Voice Data / Audio Input: Any audio captured by the Orva system through wake-word activation (“Hey Orva”), including voice commands, time-stamped utterances, and associated metadata.

System Metadata: Operational data collected by Orva to support performance monitoring and diagnostics, such as device ID, session logs, time of interaction, and assigned user role.

Data Controller: The entity (typically the healthcare provider or facility) that determines the purpose and means of processing personal or health data, in accordance with ADHICS or HIPAA guidelines.

Data Processor: A third-party organization (such as Orva) that processes data on behalf of the Data Controller, as defined by contractual agreements and applicable data protection laws.

Confidential Data: As classified in Orva’s internal data governance framework, this includes PHI, personal data, audio recordings, and system logs that are subject to strict access, encryption, and retention policies.

Retention Period: The timeframe during which data is maintained by Orva or its partners, as defined by legal, contractual, or clinical requirements, after which data is securely deleted or archived.

Anonymized Data: Data that has been permanently stripped of personal identifiers and cannot be re-linked to an individual, used for benchmarking, training, or analytical purposes without re-identification risk.

Business Associate Agreement (BAA): A legally binding document required under HIPAA that governs the responsibilities of a third party (such as Orva) in safeguarding PHI on behalf of a covered healthcare entity.

Session: A discrete period of Orva usage within an operating room or clinical setting, during which data collection, voice activation, and logging occur under user supervision.

User Roles: Designated permissions assigned within the Orva system to clinicians, administrators, or other authorized users based on least privilege and clinical responsibilities.

Policy

Orva is a clinical-grade voice assistant developed by RAIN Technology, Inc. (for the United States) and RAIN Technology ME LTD (for the United Arab Emirates), collectively referred to as "Orva," "we," "our," or "us." This Privacy Policy outlines how we collect, use, store, and protect data within our software platform (“Orva”) when used in surgical environments.

Your use of the Orva product, whether as a healthcare provider, facility administrator, or end user, constitutes your acceptance of the applicable version of this Privacy Policy, based on your region. If you do not agree, you should not access or use the Orva platform.

Privacy Policy — Orva (UAE Version)

Applies to healthcare providers and patients located in the United Arab Emirates

1. Introduction

We are committed to protecting the confidentiality, integrity, and availability of healthcare data in accordance with ADHICS v2, UAE PDPL, and applicable Ministry of Health (MOHAP) regulations.

2. Data We Collect

The Orva system may collect the following categories of data:

  • Surgical Event Data: Time-stamped milestones and voice notes describing clinical or operational events

  • Personal Health Information (PHI): Name, DOB, patient ID, procedure type (as input by facility)

  • Session Metadata: Device ID, room ID, usage timestamps, and user role identifiers

  • Voice Samples: Audio clips triggered after activation via wake word ("Hey Orva"), used only for system functionality and training

3. Legal Basis & Consent

The use of Orva’s voice-enabled features within clinical settings is governed by applicable data protection and health information privacy laws, including the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) standards, which establish requirements for the collection, processing, and safeguarding of health data.

Patient consent for the use of Orva’s voice technology—including the capture and processing of voice data and any associated protected health information (PHI)—is obtained as part of the healthcare facility’s general surgical consent process. This consent is considered valid under ADHICS, which allows for the integration of digital health technologies into patient care workflows when informed consent has been obtained and documented by the healthcare provider.

Orva’s legal bases for processing personal data under ADHICS and other applicable laws include:

  • Legitimate interest: Orva processes voice and clinical data as necessary to operate a clinical decision-support tool, enhance workflow efficiency, and support real-time surgical documentation.

  • Consent (where applicable): In cases where de-identified audio or metadata may be used to improve the system's performance (e.g., model training or validation), additional consent may be required and will be obtained accordingly.

  • Contractual necessity: Orva processes data as necessary to fulfill its contractual obligations with healthcare institutions, which act as data controllers under ADHICS. These institutions are responsible for ensuring lawful patient data processing in accordance with their internal policies and national regulations.

Healthcare institutions deploying Orva are expected to ensure that all patients are informed of the use of such technologies, the purpose for which voice data may be recorded, and the rights afforded to them under ADHICS, including the right to access, rectify, or request deletion of their personal data where applicable.

For more information about the ADHICS guidelines and compliance requirements, please refer to the Department of Health – Abu Dhabi’s official website: https://www.doh.gov.ae

4. How We Use the Data

Collected data is used for the following purposes:

  • Intraoperative workflow support (e.g., triggering prompts, recording milestones)

  • Post-operative analysis (e.g., benchmarking, compliance, OR efficiency)
  • Product improvement (e.g., improving AI response and NLP accuracy)

We do not use PHI/PII for any purpose unrelated to healthcare delivery or product performance.

5. Data Residency

Data Classification and Handling

All voice recordings and associated PHI are classified as Confidential under Orva’s internal data classification framework. As such, they are subject to strict access controls, encryption requirements, and handling procedures, including:

  • Encryption of all data in transit and at rest in accordance with industry standards

  • Access limited to personnel with a documented need and appropriate authorization

  • Secure storage in systems that prevent unauthenticated access

  • Prohibition of storage on unauthorized or personal devices
  • Regular review of access privileges and secure data disposal at the end of retention periods

Retention & Disposal

PHI and voice recordings are retained in accordance with the healthcare provider’s documented retention schedule, in line with legal, regulatory, and contractual requirements. De-identified data and system logs may be retained for up to five (5) years for the purposes of product improvement, system auditing, and incident forensics, unless otherwise restricted by the data controller. Personally identifiable data is securely disposed of when it no longer serves a legitimate business or clinical purpose, or upon verified request from a data subject in compliance with applicable laws.

6. Data Sharing & Access

  • Data is only shared internally within the healthcare facility or authorized administrators.

  • We do not share PHI/PII with any external third party, including affiliates, vendors, or research partners, unless:

    • Data is fully anonymized or aggregated

    • Required by UAE legal or regulatory authorities with proper authorization
  • All access is role-based and logged.

7. Data Security

Orva implements administrative, technical, and physical safeguards:

  • AES-256 encryption at rest

  • TLS 1.2 or 1.3 encryption in transit

  • Continuous auditing and role-based access controls

  • ADHICS-aligned security incident response protocols

8. User Rights (UAE PDPL)

In accordance with the UAE Personal Data Protection Law (PDPL), Federal Decree Law No. 45 of 2021, individuals whose personal data is processed through the Orva platform are granted specific rights regarding the access, correction, use, and deletion of their personal data. These rights may be exercised directly by the data subject or through their authorized healthcare provider, who serves as the data controller under UAE law.

Subject to lawful exceptions and institutional policy, you or your healthcare provider may:

  • Request access to your personal data, including voice recordings, system metadata, or account activity processed through the Orva platform.

  • Request rectification or correction of inaccurate or incomplete personal data to ensure its accuracy and relevance to the purpose for which it was collected.

  • Request erasure of personal data that is no longer required or that was processed unlawfully, unless retention is required under healthcare, contractual, or regulatory obligations.

  • Object to further processing of your personal data under legitimate interest or public interest bases, unless compelling lawful grounds exist.

  • Withdraw consent for the processing of voice recordings or other personal data used for non-essential or secondary purposes (e.g., AI model training), provided such data has not already been irreversibly de-identified.

How to Submit a Request

Requests to exercise any of the above rights may be submitted:

  • Through your healthcare provider, which is responsible for overseeing compliance with data subject rights under UAE PDPL and ADHICS, or

  • Directly to RAIN Technology ME LTD by emailing hello@orvahealth.com

RAIN will acknowledge receipt of your request within five (5) business days and will respond or fulfill the request within thirty (30) calendar days, in accordance with Article 14 of the PDPL. Extensions may apply for complex or high-volume requests, with notice provided.

RAIN reserves the right to verify the identity of the requester and may refer certain requests to the healthcare provider for further processing, where required by contractual or regulatory obligations.

9. Tracking & System Analytics

To maintain a secure, stable, and high-performing platform, Orva collects and processes anonymized technical data and system usage metrics. These analytics are critical for operational reliability, product improvement, and service optimization.

Purpose of Data Collection

RAIN Technology ME LTD collects the following categories of non-identifiable and anonymized system data:

  • Usage logs detailing user interactions with the platform, excluding any direct PHI or personally identifiable information

  • Performance metrics related to application responsiveness, system uptime, and infrastructure efficiency

  • Error reports and diagnostic events generated by the software during device use, application crashes, or abnormal behavior

  • Feature utilization trends and workflow telemetry, used to enhance interface design, improve automation performance, and identify common usage patterns

These analytics are processed exclusively for the following purposes:

  • Product support and debugging to ensure smooth clinical usage and respond to platform issues

  • Quality assurance and reliability testing, including proactive monitoring of performance baselines

  • Usage benchmarking, helping RAIN and institutional customers measure the effectiveness of voice workflows and identify optimization opportunities

Data Protection & Compliance

  • All analytics data is anonymized or pseudonymized at the point of collection to ensure no direct patient identifiers (e.g., name, MRN, voiceprints) are retained.

  • These logs do not contain PHI and are never combined with identifiable clinical data.

  • Data is stored in UAE-based secure environments, retained in accordance with institutional policies and ADHICS v2 recordkeeping expectations.

  • Access to anonymized analytics is limited to authorized personnel for operational and compliance functions only.

RAIN Technology ME LTD does not use tracking data for advertising, commercial profiling, or user behavior analysis unrelated to clinical functionality.

10. Policy Updates

We may amend this policy in response to legal, operational, or regulatory changes. Facilities will be notified of material changes in advance, and a revised effective date will be posted.

11. Contact

RAIN Technology ME LTD
Level 14, Al Sarab Tower
ADGM Square, Al Maryah Island
Abu Dhabi, UAE
Email: hello@orvahealth.com

Privacy Policy — Orva (U.S. Version)

Applies to healthcare providers and patients located in the United States

1. Introduction

RAIN Technology, Inc. ("RAIN," "we," "our," or "us") is committed to protecting the privacy and security of protected health information (PHI) and personally identifiable information (PII) processed through the Orva platform. Orva is a voice-enabled clinical support tool deployed in surgical and procedural environments to assist with intraoperative workflow automation, documentation, and patient safety. This Privacy Policy describes how Orva collects, uses, discloses, and safeguards data under applicable U.S. privacy and security laws.

Orva complies with the following federal and state-level regulatory frameworks:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA) – including the Privacy, Security, and Breach Notification Rules

  • Health Information Technology for Economic and Clinical Health (HITECH) Act – which expands HIPAA’s privacy and security protections and enforces breach response obligations

  • State-specific privacy laws – including but not limited to the California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA), and other emerging U.S. state regulations where applicable

This Privacy Policy applies to all users of the Orva platform within the United States, including healthcare providers, clinical users, and patients whose data is processed by Orva under the direction of a HIPAA-covered entity.

By using Orva, you agree to the data practices described in this Policy and acknowledge that Orva operates in accordance with Business Associate Agreements (BAAs) signed with covered healthcare entities, which define permitted and authorized uses of PHI under HIPAA.

2. Data We Collect

As part of its operation within clinical environments, the Orva platform collects specific categories of data to facilitate voice-driven workflow support, system functionality, and compliance with healthcare documentation standards. All data collected is either directly provided by the healthcare facility or generated through use of the system by authorized users.

The categories of data collected may include:

1. Surgical Event Data

Structured and unstructured clinical data associated with events in the operating room, including:

  • Time-stamped milestones

  • Verbal annotations recorded by clinicians via voice commands

  • Workflow-related notes and intraoperative activity logs

These data are used to support documentation accuracy, post-operative review, and benchmarking.

2. Personal Health Information (PHI)

Data elements that may be classified as PHI under HIPAA, depending on facility configuration and user input, including:

  • Patient name (if entered by the facility)

  • Date of birth

  • Medical record or patient ID number

  • Procedure type and other clinical metadata

This data is entered or managed exclusively by the healthcare provider and is used solely for clinical support functions.

3. Session Metadata

System-level and environmental metadata automatically collected during each usage session, such as:

  • Device identifiers (e.g., tablet or headset ID)

  • Room or location ID

  • Session start/end times and duration

  • Role-based user identifiers (e.g., circulating nurse, anesthesiologist)

This data supports auditability, system performance monitoring, and access control enforcement.

4. Voice Samples

Voice data collected only after activation by the system’s wake word (“Hey Orva”), including:

  • Spoken commands

  • Dictated notes or milestones

  • Contextual verbal input used to operate the platform

Voice samples are used strictly for system functionality and—only after being irreversibly de-identified—for natural language model training and platform improvement.

All data is handled in accordance with HIPAA requirements and is processed under the direction of the healthcare provider as the designated covered entity or data controller.

3. Legal Basis & Consent

The collection and processing of personal and protected health information (PHI) through the Orva platform is governed by U.S. healthcare privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Orva operates exclusively under the authority and direction of licensed healthcare providers that qualify as HIPAA-covered entities.

RAIN Technology, Inc. processes data under the following lawful bases:

1. HIPAA Business Associate Agreement (BAA)

RAIN enters into a Business Associate Agreement with each covered entity using the Orva platform. This agreement governs:

  • Permitted uses and disclosures of PHI

  • Safeguards for protecting ePHI (electronic PHI)

  • Obligations in the event of a data breach

  • Restrictions on use of data for marketing or unrelated purposes

Under each BAA, Orva acts as a Business Associate and is contractually and legally obligated to process data solely for authorized clinical, operational, or administrative purposes as permitted under HIPAA.

2. Patient Consent (Where Required)

In some cases, patient consent may be required for the processing of identifiable voice recordings or clinical data—such as when such data is used for secondary purposes (e.g., analytics or training). In those instances:

  • Consent is obtained and documented by the healthcare provider, not RAIN

  • RAIN relies on the covered entity to ensure appropriate notice and consent are in place

  • De-identified data used for system improvement is processed without patient identifiers, in accordance with HIPAA de-identification standards (45 CFR §164.514)

3. User Agreement (Clinicians and Admin Staff)

Clinicians, administrators, and other authorized users of the Orva platform must agree to system terms upon account creation. This agreement includes:

  • Acceptance of the platform’s operational scope and access controls

  • Consent to usage tracking and attribution for security and audit purposes

  • Acknowledgment of data protection responsibilities as institutional users

No data is used for commercial purposes or shared outside the scope defined by the covered entity’s privacy policies and the applicable BAA.

4. Purpose of Data Use

RAIN Technology, Inc. uses the data collected through the Orva platform exclusively for purposes that support clinical care, healthcare operations, and the secure functioning of the system. All data use is governed by applicable Business Associate Agreements (BAAs), and no information is processed outside the scope of the provider’s clinical or operational intent.

Your data may be used for the following purposes:

1. Clinical Workflow Support

  • Enabling real-time, voice-based interaction with surgical milestones, time tracking, and intraoperative note-taking

  • Supporting hands-free navigation of clinical workflows and user interfaces

  • Reducing manual documentation burdens and enhancing real-time situational awareness for surgical teams

2. Operational Benchmarking

  • Analyzing usage patterns to improve operating room (OR) efficiency

  • Identifying procedural bottlenecks, redundancies, and time-based trends

  • Providing anonymized reports or dashboards to facilities for workflow optimization and compliance reporting

3. System Performance & Platform Enhancement

  • Improving the accuracy and responsiveness of Orva’s natural language understanding (NLU) engine

  • Enhancing voice recognition across regional dialects, medical terminology, and variable acoustic environments

  • Supporting debugging, quality assurance, and system reliability monitoring

  • Training machine learning models, only using data that has been irreversibly de-identified in accordance with HIPAA’s de-identification requirements (45 CFR §164.514)

RAIN does not use your data for any of the following:

  • Commercial advertising

  • Behavioral profiling unrelated to clinical performance

  • Resale to third parties or marketing affiliates

All data use is documented, auditable, and strictly limited to purposes that support the covered entity’s care delivery or operational needs, in accordance with HIPAA and applicable state laws.

5. Data Storage & Residency

RAIN Technology, Inc. is committed to ensuring that all data processed through the Orva platform—particularly Protected Health Information (PHI) and related clinical metadata—is securely stored and managed in accordance with U.S. healthcare data protection laws.

Primary Data Hosting

All PHI, system logs, and user interaction data are:

  • Hosted exclusively in HIPAA-compliant data centers located within the United States

  • Protected using administrative, physical, and technical safeguards consistent with the HIPAA Security Rule (45 CFR §§164.302–318)

  • Encrypted at rest and in transit using industry-standard encryption protocols (AES-256, TLS 1.2/1.3)

RAIN partners only with cloud service providers who have signed HIPAA Business Associate Agreements (BAAs) and who support infrastructure designed to meet U.S. healthcare compliance requirements.

Cross-Border Data Transfers (If Applicable)

RAIN does not routinely transfer identifiable PHI outside the United States. However, in limited circumstances—such as when supporting international provider groups or for system development purposes—international data transfers may occur only if all of the following safeguards are in place:

  • Execution of valid Standard Contractual Clauses (SCCs) or another legally recognized mechanism under U.S. and international law

  • Anonymization or de-identification of all identifying data in accordance with HIPAA standards (45 CFR §164.514), such that no PHI or re-identifiable data is transferred

  • Written authorization from the healthcare provider (covered entity), affirming that the transfer is necessary, permitted, and appropriately governed

RAIN maintains full documentation for all international transfer activities, including legal basis, data categories, recipient entities, and applicable technical safeguards.

6. Access & Disclosure

RAIN Technology, Inc. applies strict access controls and data governance measures to ensure that Protected Health Information (PHI) and Personally Identifiable Information (PII) processed through the Orva platform are only accessible by authorized personnel and only disclosed in compliance with applicable law and contractual obligations.

Access Control

Access to data within the Orva system is limited to:

  • Authorized clinical users—such as physicians, nurses, anesthesiologists, or surgical staff—who are authenticated through the healthcare provider’s identity and access management systems

  • Designated system administrators within the healthcare provider organization, who are responsible for maintaining device, user, and session configurations

  • RAIN Technology, Inc. personnel, but only those with a documented and legitimate need (e.g., support engineers or security analysts), governed by strict role-based access controls and monitored through auditable logs

All system interactions are logged and retained for accountability and compliance verification, per HIPAA’s audit trail requirements.

Data Disclosure

RAIN does not sell, lease, or commercially distribute PHI or PII under any circumstances. Data is not shared with third parties unless one of the following conditions applies:

  • Required by law: Disclosure is necessary to comply with a valid legal obligation, such as a subpoena, court order, or request from a regulatory agency (e.g., HHS, OCR).

  • Anonymized Use: Data has been fully de-identified in accordance with HIPAA’s Safe Harbor or Expert Determination methods and is used for:

    • Internal quality assurance and debugging

    • Non-identifiable research and development

    • System performance and feature enhancement

  • Controller Authorization: The healthcare provider or data controller has provided explicit written authorization permitting the release or disclosure of specific data for an approved and documented purpose.

RAIN maintains detailed records of all data disclosures and supports covered entities in fulfilling their own HIPAA accounting of disclosures obligations upon request.

7. Security Measures

RAIN Technology, Inc. maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of all data processed through the Orva platform. All safeguards are aligned with the HIPAA Security Rule (45 CFR §§164.302–318) and the HITECH Act, and reflect industry-recognized best practices for healthcare systems.

Encryption

All data, including PHI and session metadata, is protected through advanced encryption protocols:

  • AES-256 encryption at rest for all data stored in cloud environments and device storage

  • TLS 1.2 or 1.3 encryption in transit, including for voice data, metadata, and session control traffic

Encryption keys are managed securely in accordance with NIST and HIPAA guidance, with regular rotation and strict access policies.

Access Controls

  • Role-based access control (RBAC) enforces the principle of least privilege, ensuring users can only access the data and features necessary for their role

  • All access is authenticated, session-logged, and reviewed periodically to detect unauthorized or anomalous activity

  • Multi-factor authentication (MFA) is enforced for privileged users accessing production systems or PHI repositories

HIPAA-Compliant Audit Trails

  • All system interactions—including access to PHI, configuration changes, and voice command usage—are logged and retained in accordance with HIPAA documentation retention requirements (minimum of six years per 45 CFR §164.316(b)(2)(i))

  • Logs are stored in tamper-resistant formats and are available to covered entities upon request for compliance, investigations, or audits

Incident Response

RAIN maintains an incident response plan consistent with the HIPAA Breach Notification Rule (45 CFR §§164.400–414). This includes:

  • 24/7 security monitoring and alerting for potential threats

  • A documented escalation and containment process

  • Notification to covered entities within legally required timeframes if a breach involving unsecured PHI is confirmed

  • Coordination with affected providers to fulfill their own breach reporting obligations to patients and regulatory bodies (e.g., OCR)

RAIN regularly tests its incident response procedures and conducts third-party security assessments to validate effectiveness.

8. Your Rights (HIPAA & CCPA)

As a user of the Orva platform or as a patient whose information may be processed through the system, you are entitled to certain rights under applicable U.S. privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA) and, where applicable, the California Consumer Privacy Act (CCPA/CPRA).

These rights may be exercised directly by you or through your healthcare provider, who serves as the data controller (covered entity) under HIPAA.

Your Rights Include the Ability To:

  • Request Access or Obtain a Copy of Your Data
    You have the right to request access to the PHI maintained by your healthcare provider, including any data generated or processed through the Orva platform.

  • Request Corrections (Amendment)
    If you believe that any of your information is incorrect or incomplete, you may request that your healthcare provider amend your records in accordance with 45 CFR §164.526.

  • Request Deletion (Where Applicable)
    You may request deletion of certain non-essential data, such as voice recordings used for system improvement. However, deletion requests are subject to HIPAA’s clinical record retention obligations and may be denied if the information is needed for treatment, legal defense, or compliance purposes.

  • Withdraw Consent for Non-Essential Uses
    You may withdraw previously granted consent for the use of your data in system training, analytics, or other non-clinical secondary purposes. RAIN will cease processing such data, unless it has already been de-identified or aggregated.

How to Submit a Request

Requests related to your rights should be directed:

  • First, to your healthcare provider, who controls access to PHI under HIPAA and is responsible for fulfilling requests related to clinical records, or

  • Directly to RAIN Technology, Inc. at hello@rain.agency, for platform-specific data not governed by the healthcare provider (e.g., system metadata or non-PHI usage data)

RAIN will acknowledge all requests within five (5) business days and will respond within thirty (30) calendar days, in accordance with HIPAA and, where applicable, CCPA/CPRA regulations. We may request additional information to verify your identity or confirm institutional authorization before processing your request.

9. Anonymous Usage Logs

RAIN Technology, Inc. collects and processes anonymized usage logs and performance metrics from the Orva platform to ensure continued reliability, product quality, and regulatory alignment. These logs do not contain Protected Health Information (PHI) or Personally Identifiable Information (PII) and are handled in accordance with HIPAA de-identification standards.

Purpose of Collection

Anonymized logs support:

  • Product Enhancements
    Identifying usage trends and technical performance to improve system responsiveness, voice recognition accuracy, and feature development.

  • Debugging and Compliance Verification
    Facilitating the diagnosis of technical issues, crash events, or abnormal usage behaviors, and verifying that operational processes meet HIPAA, HITECH, and security policy expectations.

  • Platform Benchmarking
    Evaluating usage across institutions to optimize configuration recommendations, deployment models, and customer support metrics—all without compromising user or patient privacy.

Data Safeguards

  • All logs are stripped of PHI and direct identifiers before being used for analysis or stored in internal systems.

  • Data is processed in a HIPAA-compliant environment and stored with the same encryption and access controls as sensitive production data.

  • Access to anonymized logs is restricted to authorized RAIN personnel under strict role-based permissions.

  • Logs are retained in accordance with internal policies and, where applicable, customer agreements—but never longer than necessary for their operational purpose.

Anonymous usage data is never sold, shared with third parties for marketing, or used for profiling unrelated to clinical or technical performance.

10. Policy Updates

We may revise this policy from time to time. Changes will be communicated to healthcare providers in advance, and the latest version will always be posted on our website or platform dashboard.

11. Contact

RAIN Technology, Inc.
5526 W 13400 S #60
Herriman, UT 84096
Email: hello@orvahealth.com