Privacy Policy

1. Introduction

This Privacy Policy describes how Alethiom LLC (“Alma,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you use our website (heyalma.ai), mobile application, and AI-powered phone-based wellness check-in service (collectively, the “Service”).

Alma provides daily AI companion calls to older adults (“Elders”) and shares wellness updates with their designated family caregivers (“Caregivers”). Because a Caregiver may set up the Service on behalf of an Elder, this Privacy Policy applies to both Caregivers and Elders, as well as anyone who visits our website.

By creating an account and affirmatively accepting this Privacy Policy (via checkbox, electronic signature, or verbal confirmation during the first call), you agree to the collection and use of information in accordance with this Privacy Policy. Browsing our public website without creating an account subjects you only to the data collection practices described in Sections 2.3 and the Cookie Policy.

If you are a Caregiver setting up the Service on behalf of an Elder, you represent and warrant that: (a) you have legal authority to consent on behalf of the Elder (whether through the Elder’s direct informed consent, a valid power of attorney, legal guardianship, or healthcare proxy); and (b) you have informed the Elder about the nature of the Service, including that they will receive AI-powered phone calls and that their health and wellness data will be shared with you as described herein. We may require documentation of legal authority at our discretion.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: When you create an account, we collect your first name, last name, preferred name, email address, phone number, and login credentials (via Firebase Authentication or OAuth providers such as Google or Apple).

Caregiver Information: If you are a Caregiver, we may collect your mailing address, city, state, zip code, and country, as well as your relationship to the Elder and your notification preferences (e.g., whether to be notified of missed check-ins, pain reports, or missed medications).

Elder Profile Information: Caregivers provide information about the Elder, including name, date of birth, gender, education level, preferred language, hearing status, address, city, state, country, and timezone. Caregivers may also specify preferred conversation topics, topics to avoid, and AI companion voice and persona preferences.

Payment Information: If you subscribe to a paid plan, payment is processed by Stripe, Inc. We store a Stripe customer identifier and transaction records (amount and event type) but do not store full credit card numbers on our servers.

Feedback and Communications: We collect information you provide when you submit feedback, ratings, comments, or contact us for support.

2.2 Information Generated Through the Service

Conversation Transcripts: When Alma conducts a call with an Elder, the conversation is transcribed using AssemblyAI. Transcripts are stored as files associated with the Elder’s account. Calls are not audio-recorded at this time; only text transcripts are generated.

Health and Wellness Data: During calls, Alma may collect self-reported health information including mood, sleep quality, appetite, pain levels, medication adherence, and exercise activity. These are stored as health metrics tied to the Elder’s profile. This data constitutes sensitive personal information under applicable state privacy laws and may constitute Protected Health Information (PHI) as described in Section 6.

Cognitive Assessment Data: If the Elder participates in cognitive wellness exercises, we collect test scores, response times, and composite performance metrics. These are used to track cognitive wellness trends over time. This processing constitutes profiling as defined under the VCDPA; see Section 9.2 for your rights regarding profiling.

Biographical and Story Data: Alma collects life stories, memories, and personal narratives shared by the Elder during guided biography conversations. These are stored as biography fragments and may be compiled into a published biography document for the family.

Recipes: If the Elder shares family recipes during conversations, we store the title, ingredients, instructions, and any associated photos.

Call Metadata: We record call start and end times, duration, call type (e.g., wellness check-in, biography session), who initiated the call, and whether the call was completed, missed, or disconnected.

Check-in Records: We track whether scheduled check-ins were completed, missed, or rescheduled.

2.3 Information Collected Automatically

Device Information: When you use our mobile app, we may collect device identifiers (device fingerprint), device platform (iOS/Android), and push notification tokens.

Website Analytics: We use Google Analytics on our website to collect information about page views, traffic sources, and general usage patterns. Google Analytics uses cookies and may collect IP addresses, which are transmitted to Google. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-On or by adjusting your cookie preferences. See our Cookie Policy for details.

Cookies: Our website uses cookies and similar technologies. Please see our Cookie Policy for details.

2.4 Information We Do Not Currently Collect

The following data types are not collected today. If we choose to collect any of these in the future, we will update this Privacy Policy, provide you with advance notice, and obtain your explicit opt-in consent before any such collection begins:

  • Location Data: GPS-based location from the mobile app.

  • Wearable Device Data: Health and activity data from connected wearable devices (e.g., heart rate, step count, sleep data).

  • Voice Recordings: Audio recordings of calls, in addition to transcripts.

  • Voice Models: AI voice replicas based on the Elder’s voice.

3. Legal Bases for Processing

We process your personal information under the following legal bases, as applicable under the VCDPA, CCPA/CPRA, and other applicable law:

  • Account Information. Purpose: Account creation and management. Legal Basis: Contract performance.

  • Elder Profile Information. Purpose: Providing personalized AI calls. Legal Basis: Contract performance.

  • Health and Wellness Data. Purpose: Wellness monitoring and alerts. Legal Basis: Explicit opt-in consent (sensitive data).

  • Cognitive Assessment Data. Purpose: Cognitive wellness tracking and profiling. Legal Basis: Explicit opt-in consent (sensitive data; profiling).

  • Conversation Transcripts. Purpose: Service delivery and summarization. Legal Basis: Contract performance; consent for sharing with Caregiver.

  • Biographical Data. Purpose: Story collection and compilation. Legal Basis: Contract performance; consent.

  • Payment Information. Purpose: Subscription billing. Legal Basis: Contract performance.

  • Device/Analytics Data. Purpose: Service improvement and security. Legal Basis: Legitimate interest; consent (cookies).

  • Call Metadata. Purpose: Service operations, billing, safety. Legal Basis: Contract performance; legitimate interest.

4. How We Use Your Information

We use your personal information for the following purposes:

  • Providing the Service: To conduct AI companion calls, generate wellness summaries, deliver notifications to Caregivers, and compile biography documents.

  • Health Monitoring: To track self-reported health metrics over time, identify trends or changes, and alert Caregivers when concerning patterns are detected.

  • Cognitive Wellness: To administer cognitive exercises, calculate performance scores, and monitor cognitive health trends. This constitutes automated profiling; see Section 9.2.

  • Personalization: To tailor conversations to the Elder’s interests, personality, language preferences, and hearing needs.

  • Account Management: To manage subscriptions, process payments, authenticate users, and provide customer support.

  • Service Improvement: To analyze aggregated, de-identified usage data to improve our AI models, conversation quality, and overall service. We do not use identifiable customer data to train third-party AI models.

  • Communications: To send service-related notifications, alerts, and updates via email, SMS, push notification, or phone call, based on your notification preferences.

  • Safety and Security: To detect and prevent fraud, maintain audit logs, and protect the security of our systems and users.

  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. How We Share Your Information

We do not sell or share (as defined under the CCPA/CPRA) your personal information for cross-context behavioral advertising. We share your information only in the following circumstances:

  • With Caregivers: Call summaries, health metrics, mood assessments, cognitive wellness trends, and care alerts are shared with the Elder’s designated Caregiver through the app and via notifications. Full conversation transcripts are shared with the Caregiver only if the Elder’s preferences permit this (controlled by the “caregiver_can_read_convos” setting, which defaults to OFF and requires the Elder’s affirmative consent to enable).

  • Service Providers: We share information with third-party service providers who help us operate the Service, as described in Section 6 below. These providers are contractually obligated to use your information only to provide services to us and to protect your information.

  • Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is reasonably necessary to protect our rights, your safety, or the safety of others, including in cases of suspected elder abuse.

  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will provide you with at least 30 days’ advance notice via email before any such transfer and, if the acquiring entity intends to use your personal information in a materially different manner, we will provide you with the opportunity to opt out or delete your data before transfer.

6. Third-Party Service Providers

We use the following third-party services to operate Alma. The table below identifies each provider, its function, and the categories of data it processes:

  • Microsoft Azure. Function: Cloud hosting and infrastructure. Data processed: All data categories. Data location: United States.

  • OpenAI. Function: AI language model for conversations. Data processed: Conversation content, Elder profile data. Data location: United States.

  • Twilio. Function: Telephony services. Data processed: Phone numbers, call metadata, audio streams. Data location: United States.

  • Firebase (Google). Function: Authentication, push notifications. Data processed: Account credentials, device tokens. Data location: United States.

  • AssemblyAI. Function: Speech-to-text transcription. Data processed: Audio streams for transcription. Data location: United States.

  • Stripe. Function: Payment processing (PCI-DSS compliant). Data processed: Payment card data, billing info. Data location: United States.

  • Google Analytics. Function: Website usage analytics. Data processed: IP address, browsing behavior, cookies. Data location: United States (Google servers).

We ensure that all third-party service providers are bound by data processing agreements and maintain appropriate security measures. OpenAI does not use Alma customer data to train its models under our contractual terms. Where required, providers have entered into Business Associate Agreements (BAAs) as described in Section 7.

7. Health Data Protections

Alma collects health-related information, including self-reported health metrics, cognitive assessment data, and medication adherence information. We implement security and privacy safeguards that align with the standards set forth in the Health Insurance Portability and Accountability Act (HIPAA), regardless of whether Alma is a “covered entity” or “business associate” under that statute.

Where Alma contracts with covered entities (such as healthcare providers or senior living facilities) and receives or creates protected health information (PHI) on their behalf, Alma operates as a Business Associate and complies fully with HIPAA, including by entering into Business Associate Agreements (BAAs).

Regardless of our HIPAA status, we implement the following safeguards for all health-related data:

7.1 Administrative Safeguards

  • Access to health data is restricted to authorized personnel on a need-to-know basis.

  • We maintain audit logs of all data access and system actions.

  • Our designated Privacy Officer oversees all privacy and security compliance matters. Contact: privacy@heyalma.ai.

  • We conduct regular workforce training on data privacy and security practices.

7.2 Technical Safeguards

  • Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).

  • We use role-based access controls, secure authentication, and encryption key management with regular key rotation.

  • We maintain access audit trails for all systems containing health data.

7.3 Physical Safeguards

  • Our infrastructure is hosted on Microsoft Azure, which maintains SOC 2, HIPAA, and ISO 27001 certifications for its data centers.

7.4 Business Associate Agreements

Third-party service providers who process health data on our behalf are required to enter into Business Associate Agreements (BAAs) where HIPAA requires it. We maintain executed BAAs with our cloud hosting, transcription, and telephony providers. A current list of BAA-covered providers is available upon request by contacting privacy@heyalma.ai.

7.5 Notice of Privacy Practices

Where Alma operates as a Business Associate under HIPAA, individuals whose PHI we process have the right to receive a Notice of Privacy Practices from the applicable covered entity. Alma’s own practices for handling health data are described in this Privacy Policy. For HIPAA-specific requests, contact our Privacy Officer at privacy@heyalma.ai.

8. Data Security

We take the security of your data seriously and implement industry-standard measures to protect it, including:

  • Encryption of data in transit using TLS 1.2+ and at rest using AES-256 or equivalent.

  • Firebase Authentication and OAuth 2.0 for secure user login.

  • Phone-based one-time password (OTP) verification.

  • Device fingerprinting and compromise detection.

  • Encryption key management with rotation schedules.

  • Comprehensive audit logging of system actions and data access.

  • Regular backups with success/failure tracking.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents in accordance with our Breach Notification obligations (Section 12).

9. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specifically:

  • Active Accounts: Your data is retained for the duration of your subscription and active use of the Service.

  • Canceled Accounts: If you cancel your subscription, we retain your data for 90 days following cancellation to allow for account reactivation requests, after which it is permanently deleted. Exceptions: (a) data we are required by law to retain for longer periods (such as financial transaction records required by tax law, which are retained for 7 years); and (b) de-identified, aggregated data as described below.

  • Deletion Requests: Upon receiving a verified deletion request, we will delete your personal information within 30 days. This includes a full cascade deletion of all associated data: conversation transcripts, health metrics, cognitive assessment data, biography fragments, recipes, call history, and any other personal data linked to your account.

We may retain de-identified, aggregated data that cannot reasonably be used to identify any individual for analytical and service improvement purposes indefinitely.

10. Your Rights

10.1 All Users

Regardless of your location, you have the following rights:

  • Access: Request a copy of the personal information we hold about you.

  • Correction: Request that we correct inaccurate or incomplete personal information.

  • Deletion: Request that we delete your personal information, subject to certain legal exceptions.

  • Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV).

  • Withdraw Consent: Withdraw your consent to data processing at any time, where consent is the legal basis for processing. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.

  • Opt-Out of Communications: Manage your notification preferences or unsubscribe from marketing communications at any time.

10.2 Virginia Residents (VCDPA)

If you are a Virginia resident, you have additional rights under the Virginia Consumer Data Protection Act (VCDPA):

  • Right to Access: Confirm whether we are processing your personal data and access that data.

  • Right to Correct: Correct inaccuracies in your personal data.

  • Right to Delete: Delete your personal data.

  • Right to Data Portability: Obtain a copy of your personal data in a portable format.

  • Right to Opt Out of Profiling: Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Our cognitive wellness trend analysis constitutes profiling; you may opt out by contacting us.

  • Right to Opt Out of Sale/Targeted Advertising: We do not sell personal data or process it for targeted advertising.

To exercise these rights, contact us at privacy@heyalma.ai. We will respond within 45 days. If we decline your request, you have the right to appeal by emailing privacy@heyalma.ai with the subject line “VCDPA Appeal.” We will respond to appeals within 60 days. If your appeal is denied, you may contact the Virginia Attorney General at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA):

  • Right to Know: You have the right to know what personal information we collect, the sources of that information, the business purposes for collection, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you.

  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.

  • Right to Correct: Request correction of inaccurate personal information.

  • Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.

  • Right to Limit Use of Sensitive Personal Information: Health data, cognitive assessment results, and other sensitive personal information (as defined under CPRA) are used only for the purposes described in this Privacy Policy, which are permitted under CPRA. You may direct us to limit our use of sensitive personal information by contacting us.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at privacy@heyalma.ai or call us at [toll-free number to be added]. We will verify your identity before processing your request and respond within 45 days.

10.4 Notice at Collection (CCPA/CPRA)

At or before the point of collection, we collect the following categories of personal information for the following purposes:

  • Identifiers (name, email, phone). Purpose: Account management, communications. Retention: Duration of account + 90 days.

  • Health information. Purpose: Wellness monitoring, caregiver alerts. Retention: Duration of account + 90 days.

  • Cognitive assessment data. Purpose: Cognitive wellness tracking. Retention: Duration of account + 90 days.

  • Financial information. Purpose: Payment processing. Retention: 7 years (tax/legal requirement).

  • Internet/electronic activity. Purpose: Website analytics, security. Retention: 26 months (Google Analytics default).

  • Biographical/story data. Purpose: Legacy story compilation. Retention: Duration of account + 90 days.

We do not sell or share any of these categories for cross-context behavioral advertising. We do not offer financial incentives for the collection of personal information. Our free trial is offered to all users on the same terms and does not condition pricing on data collection.

11. Consent and Authorization for Elders

Because our Service involves a Caregiver setting up an account on behalf of an Elder, we implement the following multi-layered consent framework:

11.1 Caregiver Representations

At the time of account creation, the Caregiver must affirmatively represent that:

  • The Elder has been informed about the Service and understands that they will receive AI-powered phone calls.

  • The Elder understands and agrees that conversation summaries, health data, and wellness updates will be shared with the Caregiver.

  • The Caregiver has legal authority to enroll the Elder, whether through the Elder’s direct consent, a valid power of attorney, legal guardianship, or healthcare proxy.

11.2 Direct Elder Consent Verification

During the first AI call with an Elder, Alma will verbally confirm with the Elder that:

  • They understand they are speaking with an AI companion service arranged by their Caregiver.

  • They consent to ongoing wellness check-in calls.

  • They understand that health summaries will be shared with their Caregiver.

This verbal consent is logged with a timestamp in our system. If the Elder does not consent or expresses confusion about the Service, the call will be ended and the Caregiver will be notified.

11.3 Elder’s Right to Revoke Consent

The Elder may revoke consent to the Service at any time through any of the following methods, without needing the Caregiver’s involvement:

  • Telling Alma during any call: “Stop calling me,” “I don’t want to do this anymore,” or similar language indicating withdrawal of consent.

  • Calling our support line at [phone number to be added].

  • Emailing privacy@heyalma.ai.

  • Hanging up on three consecutive calls (triggering an automated consent review).

Upon revocation, calls will cease immediately. The Caregiver will be notified that the Elder has withdrawn consent, but the Elder’s decision is final and the Caregiver cannot override it.

11.4 Elders Who Lack Capacity

If an Elder lacks the cognitive capacity to provide informed consent (e.g., due to advanced dementia or legal incapacity), the Caregiver must hold a valid legal instrument (power of attorney, legal guardianship, or healthcare proxy) authorizing them to make decisions on the Elder’s behalf. We reserve the right to request documentation of this authority at any time. Even where a Caregiver has legal authority, the Elder retains the right to refuse individual calls at any time by hanging up.

11.5 Consent Records

We maintain records of all consent events, including the type of consent (Caregiver representation, Elder verbal confirmation, or Elder revocation), the version of the consent document, and the timestamp of each event.

11.6 Data Sharing Granularity

Caregivers receive wellness summaries and health alerts by default. The following data sharing settings are controlled separately and require affirmative consent:

  • Full Conversation Transcripts: Sharing of complete call transcripts with the Caregiver is controlled by the “caregiver_can_read_convos” setting, which is OFF by default and requires the Elder’s affirmative consent to enable.

  • Cognitive Assessment Scores: Detailed cognitive performance data is shared with the Caregiver as part of wellness summaries unless the Elder opts out.

12. Breach Notification

In the event of a data breach involving your personal information, we will:

  • Notify Affected Individuals: We will notify you without unreasonable delay and in no event later than 60 days after discovery of a breach involving your unencrypted personal information, consistent with Virginia’s breach notification statute (Va. Code § 18.2-186.6) and HIPAA breach notification requirements (where applicable).

  • Notification Contents: Notifications will include a description of the incident, the types of information involved, steps we are taking to address the breach, and steps you can take to protect yourself.

  • Notification Method: We will notify you via the email address associated with your account. Where required by law, we will also notify the Virginia Attorney General and, for HIPAA-covered breaches, the U.S. Department of Health and Human Services.

  • Breach Log: We maintain a log of all security incidents, including those that do not rise to the level of a reportable breach.

13. Children’s Privacy

Alma is designed for older adults and their adult family caregivers. Our Service is not directed to children under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information within 30 days.

14. International Users and Data Transfers

Alma’s Service is operated from and data is stored in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your country. By using the Service, you consent to this transfer. If you are located in the European Economic Area or United Kingdom, we rely on your explicit consent as the legal basis for transferring your data to the United States.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • Non-Material Changes: We will post the updated policy on our website with a revised “Last Updated” date.

  • Material Changes: For material changes—particularly any changes affecting how we collect, use, or share health data, sensitive personal information, or PHI—we will notify you via email and in-app notification at least 30 days before the changes take effect. Material changes to health data processing will require your affirmative re-consent before taking effect.

If you do not agree to material changes, you may cancel your subscription and request deletion of your data at any time.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Alethiom LLC

1550 Wilson Blvd, Ste 700 PMB629

Arlington, VA 22209

General Inquiries: info@heyalma.ai

Privacy Officer: privacy@heyalma.ai

HIPAA/Breach Reports: privacy@heyalma.ai (subject line: “HIPAA Inquiry” or “Data Breach Report”)

VCDPA Appeals: privacy@heyalma.ai (subject line: “VCDPA Appeal”)

CCPA Requests: privacy@heyalma.ai or [toll-free number to be added]

We will respond to all privacy-related inquiries within 30 days, or within the timeframes required by applicable law, whichever is shorter.

Last updated: February 24, 2026

Create a free website with Framer, the website builder loved by startups, designers and agencies.