Privacy Policy
Last updated: March 30, 2026
1. Who We Are
The COA is operated by Chosen Ones Alliance, LLC. This Privacy Policy describes how we collect, use, store, and protect information when you use The COA platform on mobile or web.
2. Information We Collect
We collect information you provide directly, including your name, email address, and the documents and care records you upload. We collect information about your child or care subject that you choose to enter, including health history, medication records, educational records, and behavioral observations. We collect usage information such as session activity, feature interactions, and device and platform type to operate and improve the service.
3. How We Use Your Information
We use your information to operate the platform, deliver AI-assisted features through Essei, generate care coordination outputs such as Care Reviews and document summaries, and provide customer support. We use aggregated and de-identified data internally to improve the platform. Where you have explicitly opted in, we may use de-identified data to support research initiatives as described in the Research Participation section.
4. Children's Information
The COA is designed for use by caregivers, parents, guardians, and family members, who manage care information on behalf of children or other individuals. Account holders must be 18 years of age or older. The COA does not knowingly collect information directly from children under 13. All information about a child entered into the platform is provided by and remains under the control of the adult caregiver account holder.
5. Protection of Sensitive Information and Use of Artificial Intelligence
The COA is designed to safeguard Protected Health Information (PHI) and personally identifiable information through layered technical, administrative, and contractual safeguards.
Application-Level Protections: Before information is submitted to external generative AI services for chat-based assistance through Essei, The COA applies a PHI tokenization process. This process removes or replaces identifiable data with anonymized placeholder tokens to minimize exposure and protect user privacy.
Embedding and Semantic Search Services: To enable secure search, contextual understanding, and knowledge retrieval, The COA generates vector embeddings from user-authorized content. These embeddings may be processed using Amazon Web Services (AWS) Bedrock, including the Titan embedding model. AWS operates under a Business Associate Agreement (BAA) and provides HIPAA-eligible services that ensure contractual safeguards for sensitive data.
Continuous Security Alignment: The COA continuously evaluates and enhances its privacy and security controls. Where feasible, PHI tokenization is extended across all artificial intelligence workflows to maintain alignment between system architecture, regulatory obligations, and user trust.
The COA does not sell personal data and uses sensitive information solely to provide and improve its services in accordance with applicable privacy laws.
6. Third-Party Infrastructure
The COA uses the following third-party infrastructure providers to operate the platform. Each provider is engaged under appropriate data processing agreements.
Amazon Web Services. Cloud infrastructure, file storage, and document processing. Files are stored in encrypted private S3 buckets. No document is accessible without a time-limited presigned URL.
Supabase. Database and authentication services. All data is encrypted at rest and in transit.
OpenAI. AI language model processing. PHI tokenization is applied before any content reaches OpenAI. See Section 5.
Cloudflare. Traffic routing and DDoS protection.
We do not sell or share your data with any provider beyond what is necessary to operate these services.
7. Data Retention
Personal profile information is retained for as long as your account is active. Upon account closure, personally identifiable information is deleted. Medical and care records are retained for six years following account closure as required by applicable law and then permanently removed. Consent and audit logs are retained permanently to meet compliance requirements. You may request a copy of your data at any time before closing your account.
8. Your Rights
You have the right to access the information we hold about you, to correct inaccurate information, to request deletion of your account and personal data, to download a copy of your data, and to withdraw research consent at any time without affecting your access to the platform. To exercise any of these rights, contact us at support@thecoa.io.
9. Security
We apply HIPAA-aligned administrative, technical, and physical safeguards to protect your information. Chosen Ones Alliance, LLC is not a covered entity under HIPAA but operates using healthcare-grade security practices including encryption at rest and in transit, role-based access controls, row-level security policies, and append-only audit logging. We maintain Business Associate Agreements with applicable infrastructure providers.
10. Research and Data Use
We may share de-identified, aggregated, or anonymized data with research partners, healthcare organizations, and institutional partners to advance understanding of neurodevelopmental conditions and improve outcomes for families. All shared data is filtered to remove personally identifiable information before any transfer. We do not sell raw personal data, health records, or individually identifiable care information. We do not share your data for targeted advertising or commercial profiling.
11. Changes to This Policy
When we make material changes to this Privacy Policy, we will increment the consent version and prompt you to review and re-accept. The date of the most recent update appears in the consent version displayed on the Legal & Consent screen.
12. Contact
Chosen Ones Alliance, LLC
support@thecoa.io