Privacy Policy
How we collect, use, and protect your information
1. Introduction
Welcome to 3 Billion Beats. This Privacy Policy explains how 3 Billion Beats, Inc., a Delaware C-Corporation ("3BB," "we," "us," or "our") collects, uses, stores, shares, and protects your information in connection with our website, mobile application, and related services (collectively, the "Service").
We are deeply committed to protecting the privacy and security of our users and their sensitive health information. This policy is designed to be transparent about our data practices in compliance with applicable federal and state privacy laws, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") where applicable.
2. What Information We Collect
We collect various types of information to provide and improve our Service, including:
- User-Provided Information: When you create an account or use our Service, you provide us with Personal Information such as your name, email address, phone number, date of birth, and any other information you enter into our assessments, intake forms, clinical questionnaires, or lifestyle notes.
- Insurance Information: If you elect to use insurance coverage for eligible clinical services facilitated through our platform, you may provide insurance carrier information, policy numbers, and related documentation. This information is collected solely to facilitate claims processing and coverage verification by the Affiliated Clinical Providers (see Section 4).
- Health Information from Partners: With your explicit consent and authorization, we retrieve and store health data on your behalf from our third-party partners. This includes:
  - Lab Results from partners like Quest Diagnostics (via Fullscript), which may include specific biomarker names, values, units, and collection dates.
  - Continuous Glucose Monitoring (CGM) Data from partners like Dexcom, which may include real-time glucose values, trends, and historical data.
  - Wearable Device Data from Apple Health (HealthKit) and Oura Ring, which may include heart rate, HRV, resting heart rate, SpO₂, VO₂ max, step counts, sleep data, and activity metrics.
- Uploaded Health Information: We collect and process information from documents you choose to upload, such as lab reports, medical records, or imaging reports (e.g., Coronary CT Angiography results from Cleerly AI). This may involve extracting text and structuring the data to integrate it into your 3BB profile.
- Genomic Information: If you choose to use our genomic analysis feature, you may upload raw DNA data files (e.g., from 23andMe). We extract only specific genetic modifiers relevant to cardiovascular health (e.g., MTHFR, COMT variants). Raw genomic data files are processed in-memory and are not stored on our servers.
- AI Interaction Data: We collect the questions and conversations you have with our AI health coach, "Corwin," via the mobile app, web chat, and SMS text messaging, to provide you with responses and improve our AI models.
- Nutrition and Exercise Data: We collect food logs, calorie tracking data, exercise logs, GPS route data, and step counts that you enter or that are automatically captured through the Service.
- Clinical Imaging Data: If you elect to undergo a Coronary CT Angiography (CCTA) facilitated through the Service, we may receive and store imaging data, including DICOM files and AI-processed results (e.g., from Cleerly AI), at your direction and with your authorization.
- Technical and Usage Information: We and our service providers (like Google Firebase) automatically collect technical data when you use our Service, such as your IP address, device type, operating system, and app usage analytics. This information is used for service improvement, security, and debugging.
3. How We Use Your Information
We use the information we collect for the following purposes:
- To Provide and Personalize the Service: To create your account, display your health data, track trends over time, calculate your personalized cardiometabolic risk score (including our proprietary "Harmonized SSoT" scoring), and customize your guided "Journey" within the app.
- To Power "Corwin": Your health data is used as essential context to allow our AI health coach to provide relevant, personalized, and informational responses to your questions via chat, voice, and SMS. "Corwin" is for informational and wellness guidance purposes only and does not provide medical advice.
- To Facilitate Clinical Services: With your explicit authorization, we share necessary information with the Affiliated Clinical Providers and their designated laboratories to facilitate lab ordering, Coronary CT Angiography (CCTA) scheduling and booking, insurance coverage verification, and the delivery of clinical services you have elected.
- To Communicate with You: To send you service-related notifications, security alerts, SMS messages (with your consent), and updates about your account or our Service.
- For Analytics and Improvement: We use aggregated and de-identified data to understand how users interact with our Service, allowing us to fix bugs, improve features, and enhance the user experience. De-identified data may also be used for internal research and product development.
- For Compliance and Safety: To comply with legal obligations, enforce our Terms of Service, and protect the security and integrity of our platform and our users.
4. How We Share and Disclose Information
We do not sell, rent, lease, or share your personal health information with third parties for their marketing or advertising purposes. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
We only share information in the following limited circumstances:
- With Essential Service Providers: We share information with the third-party vendors who help us operate our Service, under strict confidentiality agreements. These include:
  - Google Cloud / Firebase: For data hosting, database management, authentication, and backend functionality in the United States.
  - Google's Vertex AI: To power our AI chat features. Only the necessary, de-identified data is sent to the model to generate a response. Google does not use this data to train its general-purpose models.
  - Twilio: To deliver SMS text messages to users who have opted in to SMS Wellness Messages.
  - PayPal / Braintree: To process payments for lab bundles, CCTA consultations, and other service purchases.
  - Fullscript: To facilitate laboratory test ordering and fulfillment through our lab partners.
- With Affiliated Clinical Providers: To deliver clinical services, we facilitate the sharing of your information with independent, physician-owned professional corporations ("Affiliated Clinical Providers") operating under a Management Services Agreement (MSA) with 3BB. The supervising physician is licensed and authorized to practice in all 50 U.S. states. This includes sharing information necessary for:
  - Ordering and interpreting laboratory tests.
  - Ordering and facilitating Coronary CT Angiography (CCTA) imaging.
  - Providing clinical oversight of services facilitated through the platform.
  - Processing insurance claims when applicable.
- With Third-Party Facilities: When you elect to undergo a CCTA, we may share limited information (e.g., your name, date of birth, physician order, and insurance status) with the imaging facility you select or that is assigned to fulfill the order.
- For Legal Reasons: We may disclose your information if required by law, subpoena, or other legal process, or if we have a good-faith belief that disclosure is reasonably necessary to protect the rights, property, or safety of 3BB, our users, or the public.
- In Case of a Business Transfer: If 3BB is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to the promises made in this Privacy Policy.
5. HIPAA Compliance
3BB operates as a Management Services Organization (MSO) providing administrative, technological, and management services to the Affiliated Clinical Providers under a Management Services Agreement (MSA). In this capacity:
- 3BB acts as a Business Associate under HIPAA with respect to Protected Health Information (PHI) handled on behalf of the Affiliated Clinical Providers.
- We maintain a Business Associate Agreement (BAA) with the Affiliated Clinical Providers.
- All PHI is handled in accordance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
- Access to PHI is restricted to authorized personnel on a need-to-know basis, in accordance with the Minimum Necessary Standard.
When you sign a Release of Information (ROI) within the app, you are authorizing the release and transmission of your PHI as described in that authorization, in accordance with 45 CFR Parts 160 and 164.
6. Insurance Information
If you provide insurance information in connection with clinical services facilitated through our platform:
- Your insurance information is shared only with the Affiliated Clinical Providers and the imaging or laboratory facility necessary to verify coverage and process claims.
- 3BB does not file insurance claims directly. Claims are filed by the Affiliated Clinical Providers or the facility rendering the service.
- We store insurance information securely using the same encryption and access controls applied to all health data on our platform.
- You may elect to pay as self-pay/cash-pay at any time, regardless of whether you have insurance on file.
7. Data Security and Storage
We take the security of your data very seriously and implement industry-standard technical and organizational measures to protect it.
- Storage Location: All user data is stored on secure servers provided by Google Cloud Platform / Firebase, located within the United States.
- Encryption: Your data is encrypted at rest (AES-256) in our databases and encrypted in transit using industry-standard TLS/HTTPS for all communications between your device, our backend, and our partners.
- Access Control: Access to your Personal and Health Information is strictly limited to authorized 3BB personnel and the affiliated clinical team who require access to perform their job functions, in accordance with the Principle of Least Privilege and the HIPAA Minimum Necessary Standard.
- Secure Architecture: Our platform is designed with a Zero Trust security architecture, requiring authentication for all data access and employing proactive monitoring to detect unauthorized activity. Sensitive operations and API keys are not stored or exposed on your device.
- Automated Backups: Your data is backed up daily using secure, automated processes to ensure data integrity and disaster recovery.
Despite these measures, no security system is impenetrable. We cannot guarantee the absolute security of our systems, but we are committed to promptly addressing any security incidents in accordance with applicable breach notification laws.
8. Data We Do NOT Store
- We do not store raw genomic data files (e.g., .txt files from 23andMe). These are processed in-memory and discarded.
- We do not store payment card details. These are handled entirely by our secure payment processors (PayPal / Braintree).
9. Your Rights and Choices
- Access and Review: You can access and review your personal and health information at any time within the 3 Billion Beats application.
- Account Deletion: You may request the deletion of your account and associated data by navigating to the "Profile" or "Settings" section of the app and selecting the "Delete Account" option, or by contacting us at the email below. We will process your request in accordance with applicable law. Note that certain records related to clinical services provided by the Affiliated Clinical Providers may be retained as required by medical records retention laws.
- Revoking Third-Party Access: You can manage and revoke our app's access to third-party services like Dexcom, Apple Health, or Oura Ring through the settings within those services or by contacting us for assistance.
- Communications: You can opt out of receiving promotional emails from us by following the unsubscribe link in those emails. For SMS opt-out options, see Section 10 below.
- State-Specific Rights: Depending on your state of residence, you may have additional rights under applicable state privacy laws (e.g., CCPA/CPRA for California residents). To exercise any such rights, please contact us at the email below.
10. SMS and Text Message Communications
If you opt in to SMS Wellness Messages during onboarding or in your account settings, you consent to receive text messages from 3 Billion Beats at the phone number you provide. These messages may include:
  - Health check-ins and wellness reminders from your AI health coach, Corwin.
  - Goal reminders and motivational tips.
  - Account verification codes for authentication.
  - Service-related notifications (e.g., lab order status, appointment reminders).
- Message Frequency: Message frequency varies based on your activity and preferences.
- Message and Data Rates: Standard message and data rates may apply depending on your mobile carrier.
- Opt-Out: You can opt out of SMS messages at any time by replying STOP to any message or by disabling the "SMS Wellness Messages" toggle in the app. After opting out, you will receive a confirmation message and no further messages will be sent.
- Help: Reply HELP to any message for assistance, or contact us at bbadmin@3billionbeats.org.
- Carriers: Supported carriers include all major US carriers. Carriers are not liable for delayed or undelivered messages.
We will not sell, rent, or share your phone number with third parties for marketing purposes. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
11. Children's Privacy
Our Service is not intended for or directed at individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If we become aware that we have collected such information, we will take steps to delete it.
12. Important Disclaimers
Not a Medical Provider: 3 Billion Beats, Inc. (3BB) is a healthcare technology company and Management Services Organization (MSO), and is not itself a laboratory, medical practice, or medical provider. All clinical and medical services, including the ordering and interpretation of laboratory tests, CCTA imaging, and the provision of medical advice, are provided by independent, physician-owned Affiliated Clinical Providers operating under their own medical licenses. The supervising physician is licensed in all 50 U.S. states. While 3BB facilitates access to these services through its technology platform, 3BB does not practice medicine, diagnose conditions, or prescribe treatments.
For Informational Purposes Only: The 3BB platform, including all content generated by the AI health coach "Corwin," proprietary scores, and wellness guidance materials, does not constitute medical advice, diagnosis, or treatment. Our services are not a substitute for professional medical care from a licensed provider. If you have questions regarding laboratory results, imaging findings, or other information accessed through 3BB, we strongly recommend you discuss them with a licensed provider.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service prior to the change becoming effective. We encourage you to review this policy periodically.
14. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
3 Billion Beats, Inc.
Email: bbadmin@3billionbeats.org