1. Introduction
HealthHaven, Inc. ("HealthHaven," "we," "us," or "our") operates the HealthHaven.ai platform ("Platform"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our mobile applications, or interact with our services. We are committed to protecting the privacy and security of your personal information, especially any health-related data you may share with us during the booking and recovery lodging process. Please read this policy carefully. By using our Platform, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide Directly
- Account Registration: Name, email address, phone number, and password when you create an account.
- Booking Information: Check-in/check-out dates, guest count, hospital or medical facility name, and accessibility or mobility requirements.
- Payment Information: Billing address and payment method details. Payment card numbers are processed and stored by our PCI-DSS-compliant payment processors and are never stored on our servers.
- Sensitive Booking Details: Recovery lodging needs such as mobility requirements, proximity to a care location, equipment preferences, dietary restrictions, or special requests. Please avoid sharing diagnosis, treatment, or medication details unless they are necessary to arrange your stay.
- Communications: Messages sent through our platform, customer support inquiries, reviews, and feedback.
2.2 Information Collected Automatically
- Device Information: IP address, browser type, operating system, device identifiers, and screen resolution.
- Usage Data: Pages viewed, coarse page categories, click patterns, referral sources, session duration, and interactions with our matching and ranking features. Analytics events are designed to exclude health-related booking details, full URLs, query strings, diagnosis, procedure, hospital names, special requests, accessibility needs, and contact information.
- Location Data: Approximate location derived from IP address, and precise location if you grant permission for hospital-proximity search features.
- Cookies and Tracking: We use cookies, web beacons, and similar technologies as described in our Cookie Policy.
2.3 Information from Third Parties
- SSO Providers: If you sign in using a third-party identity provider, we receive your name and email address from that provider.
- Provider Partners: With your explicit consent and any required written partner terms, providers may share lodging-relevant referral information to support a booking request.
- Payer or Sponsor Partners: Eligibility or pre-approval information only when you opt into a written payer, sponsor, or assistance-program workflow. Direct payer billing is not active by default.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To process bookings, rank recovery lodging based on your search criteria, and manage your stays.
- Personalization: To tailor search results and recommendations based on your recovery needs, hospital location, and preferences.
- Communication: To send booking confirmations, pre-arrival instructions, in-stay updates, and post-stay follow-ups.
- Safety and Security: To verify identities, prevent fraud, enforce our Terms of Service, and maintain platform integrity.
- Analytics and Improvement: To analyze limited, privacy-filtered usage patterns, improve matching and ranking logic, and enhance the overall user experience without sending health-related booking details to analytics tools.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
- Marketing: With your consent, to send promotional communications about new features, partner programs, or special offers. You can opt out at any time.
4. Health Information and HIPAA
HealthHaven primarily operates as a lodging marketplace and may not be a HIPAA-covered entity in all contexts. When a covered entity or business associate uses HealthHaven in a way that requires us to create, receive, maintain, or transmit protected health information on its behalf, appropriate written terms, such as a Business Associate Agreement when required, must be in place before that data exchange begins. For sensitive lodging details, we use privacy-conscious controls:
- Sensitive booking details are limited to what is reasonably needed to arrange lodging, support, payment, safety, and partner coordination.
- Access to sensitive booking details is restricted by role and business need, with audit-oriented logging for administrative access.
- Third-party analytics or advertising tools are not permitted on authenticated booking, payer, provider-referral, or support pages unless reviewed for applicable health-privacy, consumer-protection, and partner-contract requirements.
- Analytics and advertising tools are not permitted to receive diagnosis, treatment, procedure, hospital, special request, accessibility need, or similar sensitive booking fields.
- Property partners receive only the minimum lodging coordination details needed to prepare for the stay. We do not share a guest's diagnosis or treatment plan with property partners.
- We do not sell sensitive booking details or use them for targeted advertising.
Consumer Health Data and Breach Notification
Some information you share with HealthHaven may be health-related consumer information even when HIPAA does not apply. We treat lodging needs, care-location context, payer-support records, provider-referral records, and similar details as sensitive data and use them only for lodging coordination, support, payment, safety, legal compliance, and the partner workflow you requested.
If we determine that a breach of unsecured identifiable health-related information requires notice under applicable law, including the FTC Health Breach Notification Rule or state breach-notification laws where they apply, we will notify affected individuals and regulators as required. We will also review whether vendors or partner workflows require additional contractual, HIPAA, business associate, or consumer-health-data obligations before sensitive data exchanges begin.
5. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
- Property Partners: We share your name, booking dates, and accessibility needs with property partners to fulfill your reservation. We do not share your medical condition or diagnosis.
- Service Providers: We engage third-party vendors for payment processing, email delivery, limited analytics, and cloud infrastructure, including Stripe, AWS, email delivery providers, and Google Analytics 4 for consented public-page analytics. Analytics vendors receive only privacy-filtered event metadata and are not permitted to receive sensitive booking details.
- Provider, Payer, and Sponsor Partners: Only with your explicit consent or other required authorization, written partner terms where needed, and only the minimum information needed for lodging referral, documentation support, eligibility review, or the partner workflow you requested.
- Legal Requirements: When required by law, subpoena, or court order, or to protect the rights, safety, or property of HealthHaven, our users, or the public.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.
6. Data Security
We use technical and organizational safeguards intended to protect your personal information:
- Encryption is used for data transmission and storage where supported by our systems and service providers.
- Multi-factor authentication is available and encouraged for all accounts.
- Security reviews, vulnerability remediation, and access-control reviews are part of our operational process.
- Role-based access controls limit employee access to personal data on a need-to-know basis.
- Administrative access to sensitive data is logged for security and operational review.
- Production secrets are kept out of frontend code and managed through server-side secret storage.
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security.
7. Data Retention
We retain personal information for as long as needed to provide the Platform, meet legal, accounting, tax, security, and dispute-resolution obligations, and honor partner agreements. Core booking transaction records may be retained for up to seven (7) years where needed for legal and tax records. Sensitive free-text booking details, such as special requests, accessibility notes, procedure-type fields, and hospital-name fields, should be reviewed for deletion or de-identification after the stay and related support window, and no later than ninety (90) days after account closure unless a longer period is required by law, an active dispute, fraud prevention, payment records, or applicable partner terms. You may request access, correction, or deletion at any time, subject to these obligations. Aggregated data that cannot reasonably identify you may be retained for analytics and service improvement.
8. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to certain exceptions.
- Portability: Request your data in a structured, machine-readable format.
- Opt-Out: Opt out of marketing communications at any time by clicking "unsubscribe" in any email or updating your account preferences.
- Do Not Sell: We do not sell your personal information. California residents may still submit a "Do Not Sell" request for documentation purposes.
- Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, contact us at privacy@healthhaven.ai. We will respond to your request within 30 days.
9. State-Specific Disclosures
California (CCPA/CPRA)
California residents have the right to know what personal information we collect and how it is used, to request deletion of personal data, to opt out of the sale or sharing of personal data, and to non-discrimination for exercising these rights. HealthHaven does not sell personal information as defined by the CCPA. To submit a request, email privacy@healthhaven.ai or call our privacy line.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Other States
Residents of states with comprehensive privacy laws have similar rights to access, correct, delete, and obtain a copy of their personal data. You may also opt out of targeted advertising and profiling. To exercise these rights or appeal a decision, contact privacy@healthhaven.ai.
10. Children's Privacy
Our Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. Bookings for minor patients must be made by a parent or legal guardian. If we learn that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at privacy@healthhaven.ai.
11. International Data Transfers
HealthHaven is based in the United States and processes data primarily in the United States. If you access our Platform from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country. By using our Platform, you consent to such transfer. We implement appropriate safeguards, such as standard contractual clauses, for any international data transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page, updating the "Last updated" date, and sending an email notification to registered users. We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us: