Trust & Safety

At Alma, we understand that inviting an AI companion into your loved one’s daily life requires a deep foundation of trust. We take that responsibility seriously. This page explains how we protect your family’s privacy, secure sensitive health information, and ensure that every interaction with Alma is built on informed consent and transparency.

This page is a plain-language summary of our practices. For full legal details, please refer to our Privacy Policy, Terms of Service, and Cookie Policy, which are linked at the bottom of this page and govern your use of the Service.

How We Protect Health Data

During daily check-in calls, Alma may collect self-reported health information from your loved one, including mood, sleep quality, appetite, pain levels, medication adherence, and physical activity. We also offer optional cognitive wellness exercises that generate assessment scores over time.

We apply security and privacy safeguards aligned with the standards set forth in the Health Insurance Portability and Accountability Act (HIPAA) to all health-related data collected through the Service. Where Alma contracts with healthcare providers or senior living facilities and handles Protected Health Information (PHI) on their behalf, we comply fully with HIPAA as a Business Associate, including by entering into Business Associate Agreements (BAAs).

Regardless of our HIPAA status in any given context, all health-related data receives the following protections:

Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 or equivalent industry-standard encryption. Your loved one’s health information is protected whether it’s being transmitted during a call or stored in our systems.

Access Controls: Access to health data is strictly limited to authorized Alma personnel on a need-to-know basis. We use role-based access controls to ensure that only the right people can see the right information.

Audit Logging: Every access to and action on health data is logged. We maintain comprehensive audit trails so that any unauthorized access can be detected and investigated.

Secure Infrastructure: Our systems are hosted on Microsoft Azure, which maintains SOC 2, HIPAA, and ISO 27001 certifications. Azure’s data centers meet the highest standards for physical and digital security.

Privacy Officer: Our designated Privacy Officer oversees all privacy and security compliance matters. You can reach them at privacy@heyalma.ai.

Our Data Practices

What We Collect

Alma collects only the information necessary to provide the service. This includes:

  • Account information (name, email, phone number) for Caregivers and Elders.

  • Self-reported health and wellness data shared during calls.

  • Conversation transcripts (text only — calls are not audio-recorded at this time).

  • Cognitive wellness assessment scores and response times.

  • Biographical stories and memories shared during guided conversations.

  • Call metadata (time, duration, completion status).

  • Payment information (processed by Stripe; we do not store full credit card numbers).

What We Do Not Do

Under our current policies and contractual terms with our service providers:

  • We do not sell your personal information or health data to anyone.

  • We do not share your loved one’s private conversations with advertisers or marketers.

  • We do not use your health data for targeted advertising or profiling for marketing purposes.

  • We do not store full credit card numbers on our servers.

  • Our AI provider (OpenAI) is contractually prohibited from using Alma customer conversations to train their models.

Who Processes Your Data

To provide the Service, your data is processed by Alma and by the following third-party service providers. We want you to understand exactly which companies handle your loved one’s information and why:

  • Microsoft Azure: Cloud hosting. All Alma data is stored on Azure servers in the United States.

  • OpenAI: AI language model. When Alma speaks with your loved one, the conversation content is sent to OpenAI’s API in real time so the AI can generate responses. OpenAI processes this data only to provide the response and does not use it for model training under our contractual terms.

  • AssemblyAI: Speech-to-text transcription. During each call, the audio stream is sent to AssemblyAI to generate a text transcript. AssemblyAI processes the audio only for transcription purposes.

  • Twilio: Telephony. Twilio places and connects the phone calls between Alma and your loved one. Twilio processes phone numbers, call metadata, and audio streams during the call.

  • Firebase (Google): Authentication and push notifications. Firebase handles secure login and delivers push notifications to the Caregiver’s mobile device.

  • Stripe: Payment processing. Stripe handles all credit card transactions directly and is PCI-DSS compliant. We never see or store your full card number.

All of these providers are bound by data processing agreements that require them to protect your data and use it only for the purposes described above. Where HIPAA requires it, we maintain executed Business Associate Agreements (BAAs) with the applicable providers. For a current list of BAA-covered providers, contact privacy@heyalma.ai.

Who Can See Your Loved One’s Data

Only the designated Caregiver receives call summaries, health updates, and wellness alerts through the app and via notifications.

Full conversation transcripts are not shared with the Caregiver by default. Transcript sharing is controlled by a privacy setting (“caregiver_can_read_convos”) that is OFF by default and requires the Elder’s affirmative consent to enable. This setting can be changed at any time.

Authorized Alma personnel may access data on a need-to-know basis solely for service operation, technical support, and safety review (such as reviewing flagged calls for potential elder abuse). All such access is logged and audited.

Data Deletion

You have the right to request deletion of all personal data at any time. When a verified deletion request is received, we permanently remove all associated personal information within 30 days, including conversation transcripts, health metrics, cognitive assessment data, biographical stories, recipes, and call history.

After deletion, we may retain: (a) de-identified, aggregated data that cannot reasonably be used to identify any individual, for service improvement purposes; and (b) financial transaction records that we are legally required to retain (e.g., payment records retained for 7 years under tax law). All other personal data is permanently deleted.

Consent & Authorization

Because Alma involves a Caregiver setting up the service on behalf of an older adult, we take extra care to ensure proper consent at every step.

What We Require

  • The Caregiver must confirm that the Elder has been informed about Alma and understands they will receive AI-powered, automated phone calls.

  • The Caregiver must confirm that the Elder consents to having their conversations transcribed and wellness data shared with the Caregiver.

  • The Caregiver must represent that they have legal authority to enroll the Elder — either because the Elder has directly consented, or because the Caregiver holds a valid power of attorney, legal guardianship, or healthcare proxy. We may request documentation of legal authority at any time.

  • Consent records, including the type of document, version, and timestamp, are securely stored in our system.

Direct Verification with the Elder

During the first call, Alma will verbally verify with the Elder that they understand they are speaking with an AI companion service, that they consent to ongoing calls, and that they understand health summaries will be shared with their Caregiver. This verification is logged with a timestamp. If the Elder does not consent or expresses confusion, the call will end and the Caregiver will be notified.

What the Elder Controls

The Elder controls the conversation experience:

  • The Elder can hang up any call at any time — there is never any obligation to continue.

  • The Elder can ask Alma to skip any question they don’t want to answer.

  • The Elder can ask Alma to avoid certain topics entirely.

  • The Elder’s affirmative consent is required to enable sharing of full conversation transcripts with the Caregiver (off by default).

What the Caregiver Controls

The Caregiver controls account and service settings:

  • Call scheduling (times and frequency).

  • Notification preferences (which alerts to receive and how).

  • Subscription and billing management.

  • Data export and deletion requests.

The Caregiver’s account controls are subject to the Elder’s right to revoke consent entirely, as described below.

Withdrawing Consent

Either the Elder or the Caregiver may withdraw consent at any time. The Elder does not need the Caregiver’s permission or involvement to stop calls.

The Elder can revoke consent through any of these methods:

  • Telling Alma during any call: “Stop calling me,” “I don’t want to do this anymore,” or similar language.

  • Calling our support line at [phone number to be added].

  • Emailing privacy@heyalma.ai.

The Caregiver can revoke consent by canceling the subscription through the app or by contacting info@heyalma.ai.

When the Elder revokes consent, calls stop immediately. The Caregiver will be notified that the Elder has withdrawn consent, but the Caregiver cannot override the Elder’s decision. Data deletion can be requested separately by either party.

Elder Safety

Alma is committed to the safety and well-being of every Elder using our Service. If during a call an Elder discloses or the AI detects indicators of potential abuse, neglect, self-harm, or exploitation:

  • The AI will respond with empathy and, where appropriate, encourage the Elder to contact a trusted person, a healthcare provider, or emergency services.

  • Alma may flag the call for internal review by authorized Alma personnel.

  • Alma may notify the designated Caregiver of a welfare concern, unless the Caregiver is the suspected source of harm.

  • Alma may report suspected elder abuse, neglect, or exploitation to appropriate authorities as permitted or required by applicable law.

Alma does not undertake a duty to monitor for or detect elder abuse, and the absence of a report from Alma does not indicate the absence of abuse or neglect. Caregivers and family members retain primary responsibility for the Elder’s safety and welfare.

Alma Is Not a Medical Service

We want to be completely transparent: Alma is a wellness and companionship service, not a medical provider or emergency response system.

  • Alma does not diagnose, treat, or cure any disease or medical condition.

  • Health metrics collected during calls are self-reported and not clinically validated.

  • Cognitive wellness exercises are for wellness tracking only and are not diagnostic tools.

  • Alma is not a substitute for professional medical advice, diagnosis, or treatment.

  • Alma is not a substitute for in-home care, medical alert systems, or personal emergency response systems (PERS).

  • In case of a medical emergency, always call 911 or your local emergency number.

What Alma can do is help families notice changes over time. If Alma’s AI detects a significant change in mood, routine, or responsiveness, your Caregiver is notified promptly so your family can take appropriate action. These alerts are generated automatically by AI analysis of self-reported data — they are not reviewed by a human before delivery, and they should not be treated as a clinical assessment. The AI may fail to detect concerning patterns, and the absence of an alert does not mean everything is fine.

AI Transparency

Alma is powered by artificial intelligence. We believe you deserve to know exactly how it works.

AI Voice Companion: Alma’s calls are conducted by an AI, not a human. The AI is designed to sound warm, natural, and conversational, but it is not a real person. When your loved one speaks with Alma, they are speaking with an automated AI system.

How Conversations Work: During each call, the Elder’s spoken words are converted to text by our transcription provider (AssemblyAI). The text is then sent to our AI language model (OpenAI) along with relevant context from previous conversations, so the AI can generate a personalized, contextually appropriate response. The AI’s response is converted back to speech and delivered over the phone.

Conversation Memory: To make each call personal and meaningful, Alma stores a history of previous conversations in a secure, searchable database. Before each call, the AI retrieves relevant details from past conversations (such as names of family members, favorite topics, or previously discussed stories) to provide continuity. This memory is stored securely and is accessible only to the Elder’s account and authorized Alma personnel.

AI-Generated Health Alerts: When Alma notices a change in the Elder’s self-reported mood, sleep, pain, or other wellness metrics, it automatically generates an alert for the Caregiver. These alerts are produced by AI algorithms analyzing patterns in self-reported data. They are not reviewed by a human before delivery. Cognitive wellness trend scores are also computed algorithmically. These automated analyses constitute a form of profiling as defined under certain privacy laws; see our Privacy Policy for your rights regarding profiling.

AI Limitations: AI technology is not perfect. Alma may occasionally misunderstand something, respond inaccurately, miss important context, or fail to detect a concerning pattern in health data. We continuously work to improve the AI, but it should never be relied upon for critical health or safety decisions. The Service is designed to supplement — not replace — human attention and care.

No AI Training on Your Data: Under our current contractual terms with OpenAI, Alma customer conversations are not used to train OpenAI’s models. Your loved one’s stories and health information are processed only to generate real-time responses during calls and are not retained by OpenAI for model improvement purposes.

What Happens If There’s a Security Incident

While we implement robust security measures, no system is perfectly secure. If we discover a data breach involving your personal information:

  • We will notify affected individuals without unreasonable delay and in no event later than 60 days after discovery.

  • Our notification will describe what happened, what types of information were involved, what steps we are taking, and what you can do to protect yourself.

  • We will notify you via the email address associated with your account.

  • Where required by law, we will also notify the Virginia Attorney General and, for health-data breaches where applicable, the U.S. Department of Health and Human Services.

We maintain a log of all security incidents and conduct post-incident reviews to prevent recurrence. For full details, see Section 12 of our Privacy Policy.

Your Privacy Rights

Depending on where you live, you may have specific legal rights regarding your personal data. Here is a plain-language summary:

All Users

  • Request a copy of the personal data we hold about you.

  • Request correction of inaccurate data.

  • Request deletion of your data.

  • Export your data (including biographical stories) in a portable format.

  • Withdraw consent to data processing at any time.

Virginia Residents (VCDPA)

You additionally have the right to:

  • Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Our cognitive wellness trend analysis and automated health alerting constitute profiling; you may opt out by contacting us.

  • Appeal a denied privacy request by emailing privacy@heyalma.ai with the subject line “VCDPA Appeal.” We will respond within 60 days.

California Residents (CCPA/CPRA)

You additionally have the right to:

  • Know what personal information we collect, the sources, the purposes, and who we share it with.

  • Direct us to limit our use of sensitive personal information (including health data).

  • Not be discriminated against for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@heyalma.ai or [toll-free number to be added]. For full details, see Section 10 of our Privacy Policy.

Our Policies

For complete legal details on how Alma handles your data and the terms governing your use of the service, please review our full policy documents:

  • Privacy Policy — What we collect, how we use it, your rights, and our data protection practices.

  • Terms of Service — The agreement governing your use of Alma, including billing, liability, and dispute resolution.

  • Cookie Policy — How our website uses cookies and tracking technologies.

In the event of any conflict between this Trust & Safety page and the Privacy Policy or Terms of Service, the Privacy Policy and Terms of Service govern.

Questions or Concerns?

We welcome questions about our privacy and security practices. If you have any concerns, need to report a potential data issue, or want to exercise your data rights, please contact us:

Alethiom LLC

1550 Wilson Blvd, Ste 700 PMB629

Arlington, VA 22209

General Inquiries: info@heyalma.ai

Privacy Officer: privacy@heyalma.ai

HIPAA/Breach Reports: privacy@heyalma.ai (subject line: “HIPAA Inquiry” or “Data Breach Report”)

Support Line: [phone number to be added]

Last updated: February 24, 2026
