PGxAI Privacy Policy

1. Who We Are & Scope of This Notice

PGxAI, Inc. ("PGxAI," "we," "our," or "us") is a provider of AI‑enabled pharmacogenomics decision support and related software and services for healthcare professionals and patients. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our offerings.

What this Privacy Policy covers. This notice applies when you:

  • visit PGxAI websites and pages (pgx.ai and its subdomains);
  • create or access accounts in our Provider or Patient Portals;
  • upload your own genetic data (e.g., VCF) or submit information through our tools;
  • integrate or exchange data with PGxAI via APIs or healthcare data standards (e.g., HL7/FHIR) with EHR/LIMS/EDC systems; and
  • interact with us via email, phone, or support channels.

What this Privacy Policy does not cover. This notice does not apply to information we process on behalf of customers (for example, healthcare providers, laboratories, CROs, or payors) under a Business Associate Agreement (BAA), Data Processing Agreement (DPA), or similar contract. When we act as a processor/business associate, that processing is governed by the relevant agreement and, where applicable, a Notice of Privacy Practices (NPP) issued by the covered entity. See Section 2 for details.

Audiences. This Policy is intended for patients, healthcare providers, laboratories, CROs, payors, and visitors who engage with PGxAI Services.

Contact & controller details. The controller for your information under this notice is PGxAI, Inc., incorporated in the State of Delaware, USA, with its principal place of business at 730 Moreno Ave, Palo Alto, CA 94306. You can reach us at admin@pgx.ai for privacy questions, security matters, and general inquiries.

Effective date. This Privacy Policy is effective 09/17/2025 and replaces prior versions. Terms used but not defined here have the meanings given in our Terms of Use.

2. Our Roles

PGxAI performs different roles depending on how you engage with us:

  • Controller. When you visit our websites, create a PGxAI account, use our Patient or Provider Portals directly, upload your own genetic data, contact support, or otherwise interact with PGxAI outside of a customer contract, we act as a data controller (or equivalent under applicable law) for that information.
  • Processor / Business Associate. When a healthcare provider, laboratory, CRO, payor, or other enterprise customer engages PGxAI under a Business Associate Agreement (BAA) and/or Data Processing Agreement (DPA), we process Personal Data on their documented instructions as a processor/business associate. In those cases, our customer (or the covered entity) is the controller. That processing is governed by the relevant BAA/DPA and—where applicable—by a Notice of Privacy Practices (NPP) issued by the covered entity. For PHI, PGxAI acts only as a HIPAA business associate and is not a HIPAA covered entity.

NPP (BA-only). When PGxAI processes PHI as a HIPAA business associate, the use and disclosure of that PHI is governed by the covered entity’s Notice of Privacy Practices (NPP), not by this Policy. Please refer to your healthcare provider’s or partner laboratory’s NPP.

Contract addenda. Our standard DPA/BAA and example controller/processor data-flow descriptions are available through your enterprise agreement or upon request at admin@pgx.ai.

3. Key Definitions

  • Account Information: Basic identifiers for account creation/management (e.g., name, email, phone, mailing address) plus role/permissions and authentication metadata. Passwords are stored only in hashed form.
  • Aggregate Information: Statistics or metrics combined from many users so no person can reasonably be identified.
  • Business Associate (BA); Business Associate Agreement (BAA): Under HIPAA, a BA is a vendor that handles PHI for a Covered Entity under a BAA.
  • Controller / Processor / Service Provider: The controller decides why/how Personal Data is processed; a processor/service provider (like PGxAI under a DPA/BAA) processes it only on the controller’s instructions.
  • Covered Entity (HIPAA): A healthcare provider, health plan, or clearinghouse subject to HIPAA; its Notice of Privacy Practices (NPP) governs its PHI.
  • De‑identified Information: Data from which identifiers have been removed so that it no longer reasonably identifies you (for example, using the HIPAA Safe Harbor or Expert Determination method) and that is maintained in de‑identified form. We do not re‑identify it except as permitted or required by law.
  • Genetic Information: Genotype‑level data (e.g., VCF/array files), variant annotations, and derived pharmacogenomic interpretations.
  • Personal Data / Personal Information: Information that identifies, relates to, describes, or could reasonably be linked with an individual or household (includes “personal information” under U.S. state laws).
  • Protected Health Information (PHI): Individually identifiable health information protected by HIPAA.
  • Sensitive Data: Data requiring heightened protection (e.g., genetic and health/PHI, precise geolocation) as defined by applicable laws.
  • Subprocessor: A third party engaged by PGxAI to process Personal Data on our behalf when providing the Services (e.g., cloud hosting, email delivery).
  • Usage Data / Web‑Behavior Information: Technical/usage data collected via logs, cookies, or SDKs (e.g., device, IP, pages viewed, interactions).

4. What We Collect & Sources

Categories of data we may collect (depending on your interactions):

  • Identifiers & contact: name, email, phone, mailing address; for providers, NPI and license details.
  • Account & credentials: account identifiers, authentication metadata (we store passwords only in hashed form), role/permissions.
  • Genetic Information: uploaded VCF/array files, variant calls, interpretation metadata.
  • Clinical/operational data: order/accession identifiers, encounter metadata, relevant clinical context and observations exchanged via HL7/FHIR or other secure interfaces with EHR/LIMS/EDC systems.
  • Self‑Reported Information: survey/intake responses, family history, symptoms, medication lists.
  • Communications: support tickets, emails, calls, portal messages.
  • Billing & payments: limited billing details processed securely by our third-party payment provider; we do not store full card numbers.
  • Technical/usage data: log files, device/browser type, IP address and approximate location, session identifiers, cookie/SDK data.
  • Inferences: product‑usage signals, quality metrics, derived analytics.
  • De‑identified/aggregate datasets: used for analytics, safety, and product improvement as described in this Policy.

Sources. We collect data from you, your healthcare provider or lab (when they use PGxAI), our enterprise customers, integration partners, payment and support vendors, and—where permitted—automated collection via your use of our Services. We do not source Genetic Information from public databases for user profiling.

5. How We Use Data

We use Personal Data to:

  1. Provide and operate the Services: account provisioning; generating PGx interpretations and reports; enabling Provider/Patient Portals; facilitating data exchange with EHR/LIMS/EDC via HL7/FHIR; maintaining audit trails; and providing support.
  2. Safety, security, and compliance: fraud/abuse monitoring; incident detection; access auditing (including provider NPI/licensure/IP telemetry for compliance); and enforcing terms.
  3. Improve and develop: quality assurance, workflow optimization, usability studies, error tracking, and non‑identifying analytics and research.
  4. Communicate with you: service notifications, updates, educational materials, and (where permitted) limited marketing about PGxAI. You can manage preferences as described in Section 21.
  5. Legal obligations: responding to lawful requests; meeting regulatory/records retention requirements (e.g., CLIA/CAP via partners); and protecting rights and safety.

Legal bases (EEA/UK/CH). Depending on context, we rely on contracts (to deliver requested services), legitimate interests (e.g., security, product improvement proportionate to privacy impact), consent (e.g., research participation, certain analytics/marketing), and legal obligation. When acting as a HIPAA business associate, processing is performed under the applicable BAA. We maintain De‑identified Information in de‑identified form and will not attempt to re‑identify it except as permitted or required by law.

6. Provider & Patient Portals (PHI handling)

Our Portals support ordering, delivery, and review of results. PHI in the Portals is handled under the minimum necessary principle and controlled by role‑based access:

  • Authorized access only: providers, their delegates, and patients to whom access is granted; optional caregiver/proxy access where enabled.
  • Audit trails: comprehensive logging of access, disclosures, and key actions; logs retained for a minimum of seven (7) years.
  • Secure exchange: TLS in transit, encryption at rest, and secure interfaces (e.g., HL7/FHIR) to connected systems.
  • Provider direction: when acting as processor/BA, we follow the provider’s instructions under the BAA; the provider (or covered entity) is responsible for Portal user provisioning and access reviews.

7. Special Handling of Genetic & Health/PHI Data

We apply heightened safeguards to Genetic and Health/PHI data:

  • No sale or cross‑context behavioral advertising. We do not “sell” Personal Data or “share” it for cross‑context behavioral advertising.
  • No sharing with insurers/employers or public databases. We do not disclose your Personal Data to insurers or employers, and we do not contribute user data to public databases.
  • Access control & encryption. Role‑based access (least privilege), MFA/SSO for internal access, encryption in transit and at rest, and audited administrator actions.
  • Model/AI improvement policy. PGxAI does not use PHI or Genetic Information to train generalized models unless the data is de‑identified (HIPAA Safe Harbor or Expert Determination) and such use is permitted by applicable contract and/or explicit user consent.

8. Research & Data‑sharing Consents

Current status. PGxAI does not currently conduct its own human‑subject research or recruit participants through our websites, portals, or apps.

Customer‑led research. Enterprise customers (e.g., providers, laboratories, CROs, biopharma) may conduct their own research under their institutional approvals and participant consents. In those cases, they act as the controller/covered entity and PGxAI acts as their processor/business associate under the applicable DPA/BAA. We do not use PHI or Genetic Information for research beyond their documented instructions and applicable consents.

If PGxAI launches research in the future. Any PGxAI‑run research will be opt‑in only and presented with a separate Research Consent describing purpose, data types, retention, sharing, oversight (e.g., IRB), and withdrawal. Withdrawal will be prospective, honored within approximately 30 days, and will not affect analyses already completed or published.

Product improvement (not research). Separately from research, PGxAI may use de‑identified or aggregate data to improve the safety, performance, and quality of our Services as described in this Policy; we do not re‑identify such data except as permitted or required by law.

9. Cookies & Similar Technologies

We use cookies and similar technologies (such as SDKs and local storage) to operate, secure, and improve the Services. Categories include strictly necessary cookies (security, authentication, session management), performance and analytics cookies, and functional cookies that remember preferences. Targeted advertising cookies are not used on clinical or portal surfaces.

You can manage or disable cookies through your browser settings at any time. Most browsers allow you to delete existing cookies, block all cookies, or receive a notification before a cookie is stored. Because disabling cookies may affect site functionality, we recommend keeping essential cookies enabled. For information about Do Not Track (DNT) and Global Privacy Control (GPC) signals, see Section 22.

10. Disclosures: Who We Share With & Why

We disclose Personal Data only as described below:

  • Vendors/Subprocessors: hosting and storage, network/security monitoring, error tracking, analytics (where permitted), email/SMS/voice delivery, ticketing, payments, and similar providers that act on our instructions. See our Subprocessors List (available upon request at admin@pgx.ai).
  • Healthcare partners & integrations: laboratories and connected EHR/LIMS/EDC systems under contracts/BAAs, exchanging the minimum necessary information for treatment, payment, or operations as applicable.
  • Affiliates: entities under common control with PGxAI, for support and operations consistent with this Policy.
  • Business transfers: in connection with mergers, acquisitions, or reorganizations, subject to this Policy.
  • Legal & safety: to comply with law or valid legal process; enforce terms; protect rights, safety, or the integrity of our Services.

We do not sell Personal Data or share it for cross‑context behavioral advertising, and we do not provide Personal Data to insurers or employers.

11. API & Integrations

For enterprise customers, PGxAI supports scoped, auditable APIs and secure data exchange (e.g., HL7/FHIR, SFTP). We apply:

  • Minimum necessary disclosure aligned to the integration’s purpose;
  • Scoped tokens/permissions with expiration/rotation policies;
  • Logging/auditing of API calls and data access; and
  • Enterprise authorization: data flows to third‑party applications only when explicitly authorized by the enterprise/customer and/or the data subject, as applicable.

PGxAI does not operate a public app marketplace. We do not transfer full‑genome datasets by default; if a transfer is necessary, it requires explicit authorization and appropriate safeguards.

12. International Transfers & Residency

We may process and store Personal Data in countries other than where you reside. Where required, we use appropriate transfer mechanisms, such as Standard Contractual Clauses (SCCs) and the UK IDTA/Addendum. For datasets governed by Saudi PDPL, we comply with data residency and transfer requirements.

13. Retention & Deletion

We retain Personal Data only as long as necessary for the purposes described in this Policy or as required by law or contract (e.g., CLIA/CAP obligations via partner labs), then delete or irreversibly de‑identify it. Backup copies are purged within 30 days of deletion from primary systems.

Indicative retention schedule:

Data type                | Examples                                | Primary retention                                              | Rationale/notes
Account & profile        | identifiers, role/permissions           | life of account + 12 months                                    | fraud/debugging, legal holds
Genetic files            | VCF/array uploads, derived artifacts    | 7 years, or until a deletion request is honored plus the backup window | clinical/research needs (if consented)
Clinical reports/results | PGx interpretations, report metadata    | 7 years (or per provider/lab contract)                         | may be subject to medical record rules/CLIA/CAP
Logs & audit trails      | access logs, API logs                   | 7 years                                                        | security/audit requirements
Support records          | tickets, call records                   | 3 years                                                        | regulatory/audit needs
Billing records          | invoices, payments                      | 7 years                                                        | tax/accounting

Deletion requests are handled as described in Section 14; certain legal obligations may require limited retention after a request (see Section 15).

14. Your Rights & Choices

Your privacy rights depend on your location and role. Subject to exceptions, you may have rights to access, rectify, erase, restrict, port, object, withdraw consent, and appeal decisions, as well as to opt out of sale/share/targeted advertising (which we do not practice) and certain profiling.

  • EEA/UK/CH: access, rectification, erasure, restriction, portability, objection, withdraw consent, and lodge a complaint with your supervisory authority.
  • U.S. state laws (e.g., CA/CO/CT/UT/VA, WA MHMDA, and others): know/access, delete, correct, data portability, opt‑out of sale/share/targeted advertising, and appeals.
  • HIPAA Right of Access: when PGxAI acts as a business associate, requests for PHI should be submitted via your provider or covered entity, consistent with the BAA/NPP.

How to exercise rights. Submit a request to admin@pgx.ai. We will verify your identity and respond within 30–45 days, subject to extensions where permitted by law. You may use an authorized agent where allowed by law (additional verification may be required). Appeals of our decisions may also be sent to admin@pgx.ai.

Portability. You can request a copy of your Genetic Information (e.g., raw VCF) in a portable, machine‑readable format.

Preferences. You can manage cookies through your browser settings (see Section 9) and manage marketing preferences as described in Section 21.

Complaints. You may raise privacy complaints at admin@pgx.ai. Where applicable, you may also contact your data protection authority or state attorney general.

15. Consent, Revocation & Continuing Processing

Where we rely on consent (e.g., research participation, certain analytics/marketing), you may withdraw consent at any time by contacting admin@pgx.ai. Withdrawal does not affect processing carried out before withdrawal and does not override legal obligations to retain certain data (e.g., financial records, security logs, CLIA/CAP requirements via partner labs) or our ability to maintain de‑identified records.

16. Security

We implement administrative, technical, and organizational measures designed to protect Personal Data, including:

  • encryption in transit (TLS) and at rest (e.g., AES‑256);
  • role‑based access control (least privilege), MFA/SSO for privileged access;
  • secure development practices, vulnerability management, and periodic penetration testing;
  • centralized logging, monitoring, and incident response procedures; and
  • business continuity and disaster recovery plans that we test on a regular cadence.

No system can be guaranteed 100% secure. PGxAI maintains a SOC 2 information security program and complies with HIPAA as a business associate. If you believe your account has been compromised, or to request information about our security program, contact admin@pgx.ai.

17. Account & Credentials (Your Responsibilities)

Portal accounts are issued to individuals and must not be shared. You are responsible for keeping your credentials confidential, and we strongly encourage you to enable MFA on your account. Notify us immediately of suspected unauthorized access at admin@pgx.ai. We may suspend or revoke access to protect accounts and systems.

18. Risks & Considerations of PGx Insights

Pharmacogenomic insights can be sensitive and may have implications for you and your relatives. You may learn unexpected information. PGxAI’s outputs are decision support and should be interpreted by qualified professionals. Consider discussing results with your clinician and/or a genetic counselor. Be cautious before sharing information externally.

19. Children & Minors

PGxAI is not intended for individuals under 18 except via a healthcare relationship with appropriate authorization. We do not knowingly collect Personal Data from children under 13 for direct accounts. If you believe a child has provided Personal Data to us in error, contact admin@pgx.ai and we will take appropriate steps to remove it.

20. External links

Our Services may link to third‑party websites or services not controlled by PGxAI. We are not responsible for their privacy practices. Please review the privacy policies of any third‑party site or service you visit.

21. Marketing communications

We may send service‑related communications (e.g., account notices, updates). With your consent where required, we may also send marketing communications about PGxAI. You can unsubscribe via the link in our emails or manage settings in your account. Transactional or service notices will continue even if you opt out of marketing. For SMS/push (if used), follow the provided instructions to opt out.

22. Do Not Track & Global Privacy Control

Some browsers send Do Not Track (DNT) signals; because there is no industry standard, we do not respond to DNT. We honor Global Privacy Control (GPC) signals for sale/share/targeted advertising opt‑outs in jurisdictions where required and will apply your choice to the browser and device from which GPC is received. To further limit cookies or trackers, adjust your browser settings as described in Section 9.

23. Governing law & Dispute Resolution (Cross‑reference Terms)

This Privacy Policy is governed by the laws of the State of Delaware, USA, without regard to conflict‑of‑law principles, as further described in our Terms of Use (including dispute resolution and arbitration/class‑action provisions, if applicable). To the extent permitted by law, those provisions apply to disputes relating to this Policy. Nothing in this Policy limits your right to lodge complaints with regulators.

24. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new “Last updated” date and, if changes are material, provide additional notice (e.g., email or in‑product banners) at least 30 days before the effective date.

Effective date: 09/17/2025
Last updated: 11/10/2025

25. Contact us