
VagusX Privacy Policy

Last Updated: March 2026

VagusX, Inc. ("VagusX," "we," "us," or "our") is committed to protecting the privacy and security of information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website (vagusx.ai) or use our agentic AI clinical infrastructure platform (the "Service").

1. HIPAA and Protected Health Information (PHI)

VagusX operates primarily as a Business Associate (as defined by HIPAA) to our customers (Healthcare Providers), who are Covered Entities. Most data processed by our Service is Protected Health Information (PHI). Our handling of PHI is governed by the Business Associate Agreement (BAA) between VagusX and the Healthcare Provider, and by applicable law (HIPAA/HITECH). In the event of a conflict between this Policy and a BAA, the BAA shall govern.

2. Information We Collect

  • Account Information: Name, professional email, practice name, and contact details.
  • Technical & Usage Data: IP addresses, browser type, device identifiers, and interaction logs. We collect this to maintain the security and auditability required by HIPAA.
  • Clinical Data: Data ingested from Electronic Health Records (EHR), faxes, and patient interactions via Google Cloud Healthcare API and Vertex AI.

3. Google API Disclosure (Limited Use)

VagusX’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • Access: Access to Google user data occurs only after the user grants explicit permission through Google's OAuth authorization process.
  • Limited Use: We access Google user data only to perform the specific clinical administrative tasks defined in your "Flight Plan" (e.g., retrieving patient referrals from Gmail). Google user data is used solely to provide and improve the user-facing functionality of the VagusX Service and is not used for any unrelated purposes.
  • No Selling: We do not sell Google user data to third parties.
  • No Advertising: We do not use Google user data for serving, targeting, or delivering advertisements.
  • No Credit Scoring: We do not use Google user data for creditworthiness determination.
  • AI/ML Restrictions: We do not use Google Workspace data (emails, drive files) to train, fine-tune, or improve generalized or foundation AI/ML models. Clinical reasoning is performed via pre-trained, frozen models within a stateless "Interaction Envelope."

4. Data Sharing & Sub-processors

We only share information with third-party "Sub-processors" who have signed a Business Associate Agreement (BAA) with VagusX and meet our security standards. Our primary sub-processors include:

  • Google Cloud Platform: For secure clinical data storage and AI orchestration.
  • Google Workspace: For internal administrative operations.

5. Data Subject Rights & Deletion

We respect your control over your data.

  • Service Data (Immediate Deletion): Upon request or account termination, all Google OAuth tokens, cached email headers, and user profile data are permanently deleted from our systems within 48 hours.
  • Clinical Records (HIPAA Retention): Protected Health Information (PHI) that has been ingested into the clinical record (e.g., a fax processed into the EHR) is retained for the minimum period required by state and federal medical record retention laws (typically 6-10 years). This data is "frozen" and isolated but cannot be legally expunged upon request due to regulatory requirements.
  • Access & Portability: Users may request a copy of the personal data we hold about them in a machine-readable format (FHIR/JSON).

6. Data Security & Infrastructure

VagusX utilizes institutional-grade technical safeguards:

  • Private VPC: All clinical data is processed within a Private Virtual Private Cloud (VPC) with zero public internet exposure.
  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Tokenized Logging: Proprietary protocols ensure PHI does not enter system logs; identifiers are replaced with non-descriptive UUIDs.

7. Website Cookies and Analytics

The VagusX website may use cookies and similar technologies to maintain secure sessions and analyze general website traffic. These technologies do not collect Protected Health Information and are used solely to improve website performance and security.

8. Contact Us

For questions regarding this policy, please contact our Privacy Officer at:

VagusX, Inc.

Email: info@vagusx.ai

Address: San Ramon, CA

© 2026 VagusX, Inc. All rights reserved. VagusX is a trademark of VagusX, Inc.