Privacy Policy

Last updated: February 2026

Wavera Health, Inc. ("Wavera," "we," "us," or "our") takes your privacy and the security of your data seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our marketing and account-related services.

1. Information We Collect

1.1 Information You Provide

We collect information that you provide directly to us, such as when you request a demo, create an account, or contact support. This may include:

• Contact information (name, email address, phone number, practice name)
• Professional credentials and practice details
• Account credentials
• Billing and payment information
• Communications and correspondence with us

1.2 Information Collected Automatically

When you access or use our website and services, we may automatically collect certain information, including:

• Device and browser information (IP address, browser type, operating system)
• Usage data (pages visited, features used, time spent)
• Log data (access times, error logs, referring URLs)
• Cookies and similar tracking technologies (see our Cookie Policy)

2. Protected Health Information (PHI)

When you use our EMR services, we may process Protected Health Information (PHI) on your behalf as a Business Associate under HIPAA. We handle all PHI in strict compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act.

Our use and disclosure of PHI is governed by the Business Associate Agreement (BAA) entered into with our clients, not by this Privacy Policy. In the event of a conflict between this policy and a BAA, the BAA controls with respect to the applicable PHI.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our services
• Process transactions and send related information
• Send you technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities in connection with our services
• Detect, investigate, and prevent fraudulent transactions and other illegal activities
• Comply with legal obligations

4. How We Share Your Information

We do not sell or share (as defined under the California Consumer Privacy Act) your personal information for cross-context behavioral advertising. We may disclose your information in the following circumstances:

• Service Providers: With vendors who perform services on our behalf, subject to confidentiality obligations. This includes Google Analytics for website usage analysis (see our Cookie Policy).
• Legal Requirements: When required by law, regulation, legal process, or governmental request
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you have given us explicit permission to share your information

5. Data Security

We implement appropriate technical and organizational measures to protect the security of your personal information. Our platform utilizes industry-standard encryption (AES-256 at rest, TLS 1.2+ in transit) and security protocols to safeguard data. We maintain HIPAA-compliant infrastructure and conduct regular security assessments.

6. Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you in accordance with applicable law. Where required, we will provide notification within the timeframe mandated by state and federal law, including within 60 days as required by the Texas Data Privacy and Security Act. Breach notifications related to PHI are governed by HIPAA and the applicable BAA.

7. Data Retention

We retain your personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the information, and applicable legal requirements.

When personal information is no longer required for the purposes outlined in this policy, we will securely delete or de-identify it. Retention of PHI is governed by applicable law and the terms of the relevant BAA.

You may request deletion of your personal information by contacting us at hello@waverahealth.com, subject to any legal obligations that require us to retain certain records.

8. De-identified and Aggregated Data

We may use de-identified and aggregated information that does not identify any individual for research, analytics, benchmarking, and product improvement purposes, including the improvement of our AI-powered features. De-identification is performed in accordance with applicable HIPAA standards (Safe Harbor or Expert Determination methods). De-identified and aggregated data is not subject to this Privacy Policy or the restrictions herein.

9. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

• Accessing, correcting, or deleting your personal information
• Opting out of marketing communications
• Requesting a copy of the data we hold about you
• Withdrawing consent where processing is based on consent

To exercise these rights, please contact us at hello@waverahealth.com. We will respond to verifiable requests within the timeframe required by applicable law. Note that rights related to PHI are governed by HIPAA and should be directed to the applicable covered entity (your healthcare provider).

9.1 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of personal information collected in the prior 12 months:

• Identifiers (name, email address, phone number, IP address)
• Professional or employment-related information (credentials, practice details)
• Commercial information (billing records, transaction history)
• Internet or electronic network activity (browsing history, interactions with our website)

Sources: Directly from you; automatically through your use of our website; from third-party analytics providers.

Business purpose: To provide, maintain, and improve our services; to process transactions; to communicate with you; to ensure security and prevent fraud; to comply with legal obligations.

To submit a verifiable consumer request, contact us at hello@waverahealth.com. We will verify your identity before processing your request and respond within 45 days.

9.2 Texas Residents (TDPSA)

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act, including the right to access, correct, and delete your personal data, as well as the right to opt out of certain processing activities such as targeted advertising, the sale of personal data, and profiling. To exercise these rights, contact us at hello@waverahealth.com. We will respond within 45 days. If we decline your request, you may appeal by contacting us at the same address.

9.3 European Union, EEA, and United Kingdom Residents (GDPR)

Although our services are directed solely at individuals and entities located in the United States, if you are located in the European Union, European Economic Area, or United Kingdom and have nonetheless provided us with personal data, you may have the following rights under the General Data Protection Regulation (GDPR) or applicable UK data protection law:

• Right to Access: You may request confirmation of whether we are collecting, using, or sharing your personal data and request access to that information.
• Right to Rectification: You may request that we correct your personal data if it is inaccurate or incomplete.
• Right to Erasure: You may request that we erase your personal data where it is no longer necessary for its original purpose, you withdraw consent, you object to processing, the processing was unlawful, erasure is required by law, or the data was collected in connection with online services offered to a child.
• Right to Restriction: You may request that we restrict processing of your personal data where: (i) you contest the accuracy of the data; (ii) you have objected to processing based on legitimate interests and we are assessing whether our legitimate interests override yours; (iii) the processing is unlawful and you request restriction rather than erasure; or (iv) we no longer need the data, but you require it to establish, exercise, or defend a legal claim.
• Right to Data Portability: Where our processing is carried out by automated means and is based on your consent or the performance of a contract, you may request that we provide your personal data in a structured, commonly used, machine-readable format and transmit it to another organization.
• Right to Object: You may object to processing of your personal data based on legitimate interests or the performance of a public task, including profiling on those grounds, as well as processing for direct marketing purposes or for scientific, historical research, or statistical purposes.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at hello@waverahealth.com. We will respond within the timeframe required by applicable law.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to collect usage information, remember your preferences, and improve our services. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

11. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit.

12. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will take steps to delete such information promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For material changes, we will provide notice via email to the address associated with your account at least 30 days before the changes take effect. Your continued use of our services after such changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

Wavera Health, Inc.
8080 Westpark Drive STE 13502
Houston, TX 77063
hello@waverahealth.com