Privacy policy.

LAST UPDATED · APRIL 2026

This Privacy Policy describes how OKO Labs, Inc. d/b/a HaloPT (“HaloPT”, “we”, “us”, or “our”) collects, uses, shares, and protects your information when you use our software platform, mobile applications, and related services. By using HaloPT, you agree to the practices described in this policy.


Information we collect

We collect information that you provide directly, information generated through your use of our platform, and information from third parties. The categories below describe what we collect and why.

Personal information

When you create an account or use our services, we collect identifying information such as your name, email address, phone number, professional license number, credentials, organization name, and billing information. For patients, we also collect contact details, emergency contact information, and insurance data as provided by your therapy provider.

Health and clinical information

As a healthcare platform, we process protected health information (PHI) on behalf of our covered entity customers. This includes clinical notes, SOAP documentation, treatment plans, outcome measures, progress reports, voice recordings from sessions, patient-reported outcomes, imaging or exercise attachments, and care coordination communications. We do not use PHI for our own purposes. We only process it as directed by our customers under applicable Business Associate Agreements.

Usage and technical data

We automatically collect information about how you interact with HaloPT, including pages visited, features used, session duration, device type, operating system, browser information, IP address, and diagnostic data. We also collect performance metrics and error logs to maintain platform reliability and security.

How we use information

We use the information we collect for the following purposes.

Service delivery

Providing, maintaining, and improving our platform. Processing clinical documentation. Enabling secure messaging between therapists, patients, and referring physicians. Generating AI-assisted SOAP drafts from voice recordings.

Communication

Sending service updates, appointment reminders, care coordination notifications, and support responses. We do not send marketing communications to patient users without explicit consent.

Platform improvement

Analyzing usage patterns to improve user experience, training models for more accurate clinical documentation (using only de-identified data), and developing new features based on therapist and patient needs.

Security and compliance

Monitoring for unauthorized access, enforcing our terms of service, maintaining audit trails, and complying with legal obligations including HIPAA and state privacy laws.

Billing and operations

Processing payments, managing subscriptions, generating practice analytics for our customers, and supporting our business operations.

Information sharing

We are transparent about who we share information with and under what circumstances.

We do not sell your information

HaloPT does not sell, rent, or trade your personal information or PHI to any third party for monetary or other consideration. This is a firm commitment, not a conditional policy.

Service providers

We work with trusted third-party service providers who help us operate our platform, including cloud infrastructure providers, payment processors, email delivery services, and customer support tools. Each provider is bound by contractual obligations that require them to protect your information and use it only for the specific services they provide to us. All service providers who handle PHI sign Business Associate Agreements.

Legal requirements

We may disclose information when required by law, regulation, legal process, or enforceable governmental request. This includes responding to court orders, subpoenas, or regulatory investigations. We may also disclose information to protect the rights, property, or safety of HaloPT, our users, or the public when we believe disclosure is appropriate in good faith.

With your consent

We may share information with your explicit consent for purposes not described in this policy. You may withdraw consent at any time by contacting us directly.

Data security

We implement industry-standard security measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Voice recordings and clinical documents receive additional encryption layers.

Access controls

Role-based access ensures users can only access information necessary for their role. Multi-factor authentication is required for all therapist and administrator accounts.

Audit logging

Every access to PHI is logged with immutable audit trails. We record who accessed what, when, and from where. Logs are retained per HIPAA requirements and are available to customers for their own compliance activities.

Infrastructure security

Our infrastructure is hosted on AWS with SOC 2 Type II certified data centers. We conduct regular penetration testing, vulnerability assessments, and security audits.

Incident response

A documented incident response plan governs our process. Affected customers are notified within 24 hours of any confirmed security incident involving their data.

HIPAA compliance

HaloPT is designed and operated to support our customers’ compliance with HIPAA and the HITECH Act.

Business Associate Agreements

When our customers are covered entities under HIPAA, we execute a Business Associate Agreement that defines our responsibilities as a business associate. The BAA is included automatically for Growth and Enterprise plans. Customers on the Starter plan may request a BAA by contacting our compliance team.

Protection of PHI

We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. The platform supports our customers in meeting the Privacy Rule, including minimum-necessary access, patient authorization management, and accounting of disclosures.

Patient rights

The platform enables covered-entity customers to fulfill patient rights under HIPAA, including the right to access, amendment, and accounting of disclosures. The covered entity remains responsible for responding within the timelines required by law.

Breach notification

In the event of a breach of unsecured PHI, we will notify affected customers without unreasonable delay and no later than 24 hours after discovery, in accordance with the HIPAA Breach Notification Rule.

Your rights

Depending on your jurisdiction and role within our platform, you may have the following rights regarding your personal information.

Right to access

Request a copy of the personal information we hold about you. We respond within 30 days. PHI requests should be directed through your covered entity provider.

Right to correction

Request correction if information is inaccurate or incomplete. We review and respond within 30 days.

Right to deletion

Request deletion of your personal information. We comply unless retention is required for legal obligations, dispute resolution, or enforcement of our agreements.

Right to portability

Request a portable, machine-readable copy of your data in CSV or JSON.

Right to opt out

Opt out of marketing communications using the unsubscribe link in our emails.

Right to non-discrimination

We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, contact privacy@halopt.com. We will verify your identity before processing your request.

Cookies and tracking

We use cookies and similar tracking technologies to operate our platform, analyze usage, and improve your experience.

Essential cookies

Required for our platform to function. They enable authentication, session management, security features, and load balancing.

Analytics cookies

Help us understand how users interact with our platform. All analytics data is aggregated and excludes PHI.

Managing your preferences

Manage cookie preferences through your browser settings. We respect Do Not Track signals and do not engage in cross-site tracking for advertising.

Children's privacy

HaloPT is not directed to children under the age of 18. We do not knowingly collect personal information from children under 18 without verifiable parental consent.

Where a healthcare provider collects health information for a minor patient through our platform, the provider (as the covered entity) is responsible for obtaining appropriate parental or guardian consent.

If we learn we have collected personal information from a child under 18 without proper consent, we will delete that information promptly. Contact privacy@halopt.com.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “last updated” date at the top of this policy.
  • Notify active users via email or in-app notification at least 30 days before material changes take effect.
  • Post the updated policy with a clear summary of material changes.

Continued use of HaloPT after the effective date constitutes acceptance of the changes.

Contact us

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your rights, please contact us.

OKO Labs, Inc. d/b/a HaloPT — Privacy Team
Address

OKO Labs, Inc. d/b/a HaloPT
Attn: Privacy Officer
200 South Andrew Avenue
Fort Lauderdale, FL 33301

RESPONSE TIME · 5 BUSINESS DAYS