Privacy Policy

Clinical Independence

Independent clinicians and clinical partners exercise their own medical judgment. August does not control or direct a clinician's diagnosis, treatment, prescribing, or other clinical decision-making.

Information You Provide

• Account information: name, email address, phone number, date of birth, state of residence, login credentials, account preferences, and other registration details.
• Health conversations and content: symptoms, conditions, diagnoses, medications, allergies, labs, vitals, lifestyle information, care questions, goals, photos, documents, messages, and other information you enter into August.
• Telehealth intake information: chief complaint, symptom history, medication and allergy information, medical history, consent acknowledgments, preferred pharmacy, and other information needed to facilitate a clinical service.
• Insurance, payment, and cost information: insurance plan details, member ID, explanation-of-benefits documents, medical bills, cost documents, payment status, and transaction metadata. Payment card details may be processed by our payment processors and may not be stored directly by August.
• Support and feedback: support requests, survey responses, ratings, product feedback, bug reports, and communications with us.

Information from Clinical Partners and Third Parties

• Clinical partners: information related to a telehealth request, clinical encounter, prescription, referral, care plan, or follow-up, where provided by or through a clinical partner.
• Pharmacy and prescription infrastructure: prescription-routing, pharmacy-selection, medication, or prescription-status information where available and relevant to the service you requested.
• User-authorized sources: medical records, EHR exports, wearable data, lab reports, pharmacy information, identity verification results, or other information you authorize us to receive.
• Service providers and partners: fraud-prevention signals, analytics, attribution, communications, identity verification, payment, or operational information needed to provide and secure the Services.

Information Collected Automatically

• Device identifiers, IP address, browser type, operating system, app version, approximate location inferred from IP address, language, and time zone.
• Usage information, including pages viewed, features used, session duration, referral source, clicks, errors, crash logs, diagnostic logs, and security events.
• Cookies, pixels, local storage, SDKs, and similar technologies used for authentication, security, analytics, performance, preferences, and service operations.
• Bot-mitigation: Cloudflare Turnstile verifies human visitors on signup, login, and contact forms. It sets short-lived security cookies (cf_clearance, _cf_bm) and receives IP address, HTTP headers, and browser/device characteristics; it does not receive account content or health information. See the Cloudflare Turnstile privacy notice.

Advertising and Sale Limits

We do not sell your health information. We do not use your health information for third-party targeted advertising or cross-context behavioral advertising.

How August Uses Data to Improve AI Systems

• Improve response quality, personalization, clinical reasoning, summarization, routing, retrieval, and safety systems.
• Evaluate model performance, safety, hallucination risk, refusal behavior, escalation behavior, benchmark performance, and clinical consistency.
• Develop and test prompts, classifiers, guardrails, triage logic, synthetic patient actors, simulated conversations, evaluation datasets, and other model-improvement workflows.
• Review conversations, feedback, logs, and outcomes for quality assurance, debugging, safety monitoring, and product development.
• Create and use de-identified, aggregated, pseudonymized, derived, or synthetic data for analytics, research, development, model training, model fine-tuning, and service improvement.

De-identified, Aggregated, Derived, and Synthetic Data

We may de-identify, aggregate, pseudonymize, transform, derive, or synthesize data from information collected through the Services. We may use and disclose such data for lawful purposes, including analytics, research, product development, safety evaluation, AI model training, model fine-tuning, publications, and business operations.

Where information is protected health information under HIPAA, we treat it as de-identified only when it has been de-identified in a manner permitted by HIPAA or applicable law. De-identified, aggregated, derived, and synthetic data may be retained indefinitely unless applicable law requires otherwise.

Third-Party AI Providers and Subprocessors

We may use third-party AI providers, cloud providers, analytics providers, infrastructure providers, security vendors, and other service providers to process information on our behalf. These providers may process information only to provide services to August, subject to contractual restrictions.

We do not allow third-party AI providers to use your identifiable health information to train their own general-purpose models without your consent. This does not limit August's ability to use information, including de-identified, aggregated, pseudonymized, derived, or synthetic data, to improve, evaluate, develop, train, and fine-tune August's own Services and AI systems as described in this Policy.

Human Review

Authorized August personnel, contractors, reviewers, clinicians, or service providers may review information where needed to provide support, improve the Services, evaluate quality and safety, debug systems, investigate abuse, comply with law, or operate the Services. We limit access based on role and business need.

Clinical and Telehealth-Related Sharing

• Clinical partners and treating clinicians: We share intake, health, account, and related information with the applicable clinical partner or treating clinician to facilitate the clinical service you request.
• Pharmacies and prescription networks: If a treating clinician prescribes medication, information may be shared with prescription-routing networks, pharmacies, and related service providers to transmit or support the prescription.
• Labs, referrals, or other care partners: Where available and requested or authorized, information may be shared to support referrals, lab orders, follow-up, or other care coordination.

Operational Sharing

• Service providers: cloud hosting, database infrastructure, AI processing, analytics, customer support, payment processing, identity verification, communications, security, fraud prevention, and product operations.
• User-directed sharing: people or organizations you ask us to share with, such as a caregiver, family member, clinician, health plan, employer, attorney, or other third party.
• Business transfers: in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, subject to appropriate confidentiality or privacy protections.
• Legal, safety, and compliance: where we believe disclosure is required or permitted by law, legal process, regulation, professional obligations, or is necessary to protect rights, safety, security, or prevent serious harm.
• De-identified or aggregated data: data that does not identify you may be shared for analytics, research, product development, benchmarking, publication, or other lawful purposes.

Government and Law-Enforcement Requests

We do not voluntarily disclose health information to government or law-enforcement agencies except as described in this Policy, when required or permitted by law, or where necessary to prevent serious harm. Where appropriate and legally permitted, we may seek to narrow or challenge overbroad requests.

Practical Rule

If information is created or used for a clinical service provided by an independent clinician or clinical partner, the clinical partner's privacy practices and medical-record obligations may also apply.

Rights Available to Many Users

• Access: request a copy of personal information we maintain about you.
• Correction: ask us to correct inaccurate personal information.
• Deletion: ask us to delete personal information, subject to legal, clinical, security, fraud-prevention, backup, dispute-resolution, and operational exceptions.
• Portability: request a copy of certain information in a portable format where required by law.
• Opt-out: opt out of sale, sharing, targeted advertising, or certain profiling where those rights apply. August does not sell health information or use health information for third-party targeted advertising.
• Limit or withdraw consent: limit use of certain sensitive information or withdraw consent where applicable law gives you that right.

How to Exercise Your Rights

• In-app: Account Settings → Privacy → Manage My Data, where available.
• Email: [email protected]. Include your account email and the request type.
• We may need to verify your identity before completing a request.
• We will not discriminate against you for exercising privacy rights required by applicable law.

California and Other State Privacy Rights

Residents of California and other states may have additional rights under state privacy laws, including rights to know, access, correct, delete, port, opt out of certain processing, limit certain uses of sensitive personal information, or appeal a decision. We honor these rights where required by applicable law.

California residents may designate an authorized agent to submit requests on their behalf. We may require proof of authorization and identity verification.