Your privacy and data security are fundamental to how Vasl Health operates. This Privacy Policy describes how Vasl Health, Inc. ("Vasl Health," "we," "us," or "our") collects, uses, protects, and retains information when you use our platform and services. Please read this policy carefully before using our services.
When you or your organization creates an account, we collect:
To improve our service and ensure platform security, we collect:
The Vasl Language Analysis Platform (VLAP) processes member language from care channels (daily check-ins and coach messaging) in-memory to generate dimensional signal profiles. Verbatim input text is not stored after processing. What is retained is a signal profile — not a transcript, not a quote, not a record of exact language. This is a HIPAA technical safeguard and cannot be overridden by organizational administrators. Individual signal data is accessible only to the assigned coach and licensed clinician.
We collect anonymized, aggregate insights from platform interactions to improve cultural responsiveness, including language pattern analysis and effectiveness metrics. Individual member language is processed in-memory only. No verbatim member language is retained after signal profile generation.
For partner organizations, we provide aggregated, de-identified insights including population mental health trends, program effectiveness and outcome measurements, resource utilization and engagement metrics, and grant reporting and compliance documentation. These insights are never traceable to individual members.
Vasl Health implements comprehensive technical and administrative safeguards to protect your information.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Care channel communications are encrypted at rest and accessible only to the assigned care team.
The platform is hosted on SOC 2 Type II compliant cloud infrastructure with automated backups and documented recovery procedures.
Strict role-based access controls govern who can access which data within the platform. VLAP signal data is accessible only to the assigned coach (simplified AI Client Insights summary) and assigned licensed clinician (full dimensional profile). Multi-factor authentication is required for all clinical staff accounts. Regular access reviews are conducted quarterly.
24/7 security monitoring and intrusion detection are in place. Regular penetration testing, vulnerability assessments, and security audits are conducted by third-party security professionals. All results are reviewed by our security team and material findings are remediated within documented SLAs.
For healthcare organizations, Vasl Health operates as a HIPAA-compliant platform. Business Associate Agreements (BAAs) are required for all healthcare partner deployments and available upon request. Protected Health Information (PHI) is handled according to HIPAA Privacy and Security Rule requirements. Audit logs and access controls meet HIPAA Security Rule technical safeguard requirements. VLAP's in-memory processing architecture is a HIPAA technical safeguard: verbatim member language is not retained after signal profile generation.
For educational institutions, Vasl Health operates as a direct service provider to students. Student health data generated through Vasl is classified as health information under HIPAA — not as an education record under FERPA — and is structurally inaccessible to school administrators under any circumstances. Parental consent processes for students under 18 are implemented in accordance with applicable law and institutional policy.
Our annual SOC 2 Type II audit covers security, availability, and confidentiality trust service criteria. The full audit report is available to institutional partners under NDA. The audit is conducted by an independent third-party auditor.
Vasl Health does not sell, rent, or trade personal information to third parties for marketing or commercial purposes. We may share information only in the following specific circumstances:
If we detect imminent risk of harm through VLAP signal detection or direct member communication, our licensed clinical supervisor team initiates human review and may contact emergency services or designated contacts as required by law and our duty of care. Automated action is never taken in response to a clinical signal — human clinical judgment initiates every response.
Trusted vendors who help us operate our platform — including cloud hosting, payment processing, and customer support providers — operate under strict data protection agreements and are prohibited from using member data for any purpose other than providing services to Vasl Health.
When required by law, court order, or government regulation, we may disclose information as legally mandated. We will notify affected users where legally permitted to do so.
We may share anonymized, aggregated data for public health research purposes, with no individual identifiers. All such sharing is subject to minimum cohort size requirements to prevent re-identification by inference.
Subject to applicable law, you have the following rights regarding your personal information:
To exercise any of these rights, contact us at privacy@vaslhealth.com. We will respond within 30 days and may need to verify your identity for security purposes. For HIPAA-specific inquiries, contact hipaa@vaslhealth.com. For FERPA-specific inquiries, contact ferpa@vaslhealth.com.
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will notify you via email at least 30 days before changes take effect, post a notice on our platform and website, and update the "Last Updated" date at the top of this policy. For material changes affecting HIPAA or FERPA compliance, we will provide additional notice as required by law.
Your continued use of Vasl Health after changes take effect constitutes acceptance of the updated policy.
For general privacy questions: privacy@vaslhealth.com — response within 48 hours.
For HIPAA compliance questions: hipaa@vaslhealth.com
For FERPA compliance questions: ferpa@vaslhealth.com
Vasl Health, Inc. is a Delaware Public Benefit Corporation.