Legal

Privacy Policy

Effective May 26, 2026

This Privacy Policy describes how Sanexus, Inc. ("Sanexus," "we," "us," or "our") collects, uses, and shares information when you use the Asta mobile application, our websites, and related services (collectively, the "Service"). Asta is designed to help patients stay supported and informed between clinical visits.

HIPAA notice. Some information you provide through Asta is Protected Health Information ("PHI") under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"). Where Sanexus operates as a Business Associate of a covered healthcare provider, PHI is handled in accordance with the applicable Business Associate Agreement and HIPAA Privacy and Security Rules. Where you connect Asta directly to your own electronic health record (for example, via Epic's MyChart) under your patient right of access, the data you import is shared with Sanexus at your direction.

1. Information We Collect

Information you provide

Account information: name, email address, age, and (where required) demographic information you supply during onboarding.
Health information: diagnoses, treatments, symptoms, medications, goals, and other health-related information you share through assessments, check-ins, or conversations with Asta's AI.
Conversational content: messages you send to Asta and the responses you receive, including any uploads.

Information from third parties at your direction

Electronic health record (EHR) data: if you connect Asta to an EHR system such as Epic via MyChart, we receive demographic data, conditions, encounters, medications, lab results, vital signs, allergies, procedures, and care plans associated with your patient record at that institution. We only access data within the scopes you authorize.

Information collected automatically

Device and usage data: device identifiers, operating system version, app version, timezone, push notification tokens, crash logs, and aggregated usage analytics.
Coarse location: approximate location may be collected to route you to localized resources (e.g., crisis support).

2. How We Use Your Information

To provide, personalize, and improve the Service, including delivering AI-supported guidance, assessments, and care content tailored to you.
To send notifications you have requested (e.g., check-in reminders, content delivery).
To detect and respond to safety signals such as crisis indicators, including surfacing appropriate emergency resources.
To operate, secure, debug, and maintain the Service.
To comply with legal obligations and enforce our terms.

3. Who We Share Information With

Category	Purpose
Healthcare providers	If you use Asta as part of a clinical engagement, your authorized care team may have access to information you generate through Asta, as described in the engagement-specific notice you receive at sign-up.
Service providers (subprocessors)	Cloud hosting (Amazon Web Services), AI inference (Amazon Bedrock), transactional email (AWS SES), and push notification delivery (Apple Push Notification service). These providers process data only on our behalf under appropriate contracts.
Third-party EHR systems	When you connect Asta to an EHR, we exchange data with that EHR through standards-based APIs (SMART on FHIR) only to the extent you authorize.
Legal and safety	We may disclose information when required by law, court order, or to protect the safety of any person.

We do not sell your personal information, do not use it for cross-context behavioral advertising, and do not share PHI for marketing purposes.

4. Security

Sanexus implements administrative, physical, and technical safeguards designed to protect your information, consistent with HIPAA Security Rule requirements where applicable. These include encryption in transit, access controls, audit logging, and regular security reviews. No system is perfectly secure, and we cannot guarantee absolute security.

5. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Service. We may retain limited information after account closure where required by law, for accounting and audit purposes, or to resolve disputes. You may request deletion of your account and associated personal information as described below.

6. Your Choices and Rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, restrict or object to certain processing, or withdraw your consent. To exercise these rights, contact us at privacy@sanexus.ai. You can also:

Disconnect any connected EHR through the Service's settings or directly through your EHR portal (for example, MyChart's "Manage My Linked Apps").
Disable push notifications and location access through your device settings.
Request a copy of your data or its deletion by emailing us.

7. Children's Privacy

Asta is intended for adults aged 18 and older. We do not knowingly collect information from children under 18 except where authorized by a parent or legal guardian.

8. International Users

Sanexus is based in the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data-protection laws than your country.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The "Effective" date at the top reflects the most recent revision. Material changes will be communicated through the Service or by email.

10. Contact Us

If you have questions about this Privacy Policy or how your information is handled, contact our Privacy Official at privacy@sanexus.ai.

Sanexus, Inc.
11 E Loop Rd
New York, NY 10044