Privacy Policy

Last Updated: March 26, 2026 | Effective Date: March 26, 2026

1. Introduction & Identity

This Privacy Policy (“Policy”) describes how Jazmine Inc. (“Jazmine,” “we,” “us,” or “our”) collects, uses, discloses, and protects information obtained through our platform at jazmine.app, including our embeddable website widget, staff dashboard, patient portal, and related services (collectively, the “Services”).

Jazmine operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. We process Protected Health Information (“PHI”) solely on behalf of and under the direction of Covered Entity healthcare practices (“Practices”) with whom we maintain executed Business Associate Agreements (“BAAs”).

2. Information We Collect

2.1 Protected Health Information (PHI)

When you interact with a Practice through our Services (for example, by submitting an inquiry via the embedded website widget), the Practice may provide or cause to be provided the following categories of PHI to Jazmine for processing:

  • Name, date of birth, and contact information (phone number, email address)
  • Procedure interests and cosmetic surgery inquiries
  • Medical photographs and documents uploaded to the patient portal
  • Insurance information (where applicable)
  • Communication history between you and the Practice through our platform

2.2 Personally Identifiable Information (PII)

When Practice staff or authorized users create accounts on our platform, we collect:

  • Full name, email address, and phone number
  • Professional role and Practice affiliation
  • Authentication credentials (managed via Amazon Cognito with multi-factor authentication)
  • Account activity and usage data

2.3 Automatically Collected Data

We automatically collect certain technical information when you use the Services, including:

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, time spent on pages, and navigation paths
  • Referring URLs and search terms
  • Cookies and similar tracking technologies (see Section 2.4)

Automatically collected data does not include PHI and is not combined with PHI at any point.

2.4 Cookies & Tracking Technologies

We use strictly necessary cookies for authentication and session management. Authentication tokens are stored in httpOnly cookies and are never placed in browser localStorage. We do not use third-party advertising or behavioral tracking cookies on pages that process PHI.

3. How We Use Information

We use the information we collect for the following purposes:

  • Lead Management: Processing and routing patient inquiries to the appropriate Practice, surgeon, and patient coordinator
  • AI-Powered Processing: Generating lead scores, personalized response suggestions, and surgeon-matching recommendations (see Section 5)
  • Communication: Facilitating HIPAA-compliant communication between patients and Practices via SMS notifications (containing no PHI) and the secure patient portal
  • Platform Operations: Maintaining, securing, and improving the Services, including fraud prevention, security monitoring, and technical support
  • Analytics: Generating de-identified, aggregate analytics to help Practices understand lead management performance

4. How We Share Information

We may share information in the following circumstances:

  • With Covered Entity Practices: PHI is shared with the Practice on whose behalf it was collected, in accordance with the applicable BAA
  • Infrastructure Subprocessors: We use Amazon Web Services (AWS) as our sole infrastructure provider. All PHI is processed and stored within HIPAA-eligible AWS services covered by an executed AWS BAA. Data resides in the US-East-1 (N. Virginia) region
  • AI Model Providers: Lead scoring and response generation are performed using Amazon Bedrock (Claude). PHI submitted for AI inference is transmitted via private VPC endpoints and is not retained by the model provider for training purposes
  • Legal Obligations: We may disclose information when required by law, regulation, legal process, or governmental request

We do not sell, rent, or trade personal information or PHI to third parties. We do not use PHI for marketing purposes.

5. AI & Automated Processing

Jazmine uses artificial intelligence and automated processing to enhance lead management for Practices. Specifically:

  • Lead Grading: Incoming inquiries are automatically scored based on factors such as procedure type, urgency indicators, and engagement signals. Scores are used to prioritize follow-up by Practice staff
  • Response Generation: AI generates suggested response messages for Practice review. Automated responses sent within the 60-second response window are based on Practice-approved templates and configurations
  • Surgeon Matching: The system recommends the most appropriate surgeon based on the inquiry type and surgeon specialties configured by the Practice

AI-generated outputs are decision-support tools and do not constitute medical advice, diagnosis, or treatment recommendations. All clinical decisions remain with licensed healthcare providers at the Practice.

PHI used for AI inference is processed via Amazon Bedrock through private VPC endpoints. We do not use PHI to train, fine-tune, or improve general-purpose AI models without prior de-identification in accordance with 45 CFR § 164.514.

6. Data Security

We implement comprehensive administrative, physical, and technical safeguards to protect the information we process:

  • Encryption at Rest: All PHI is encrypted using AES-256 encryption via AWS Key Management Service (KMS) customer-managed keys. This includes our primary database (Aurora PostgreSQL), object storage (S3), message queues (SQS), cache layer (ElastiCache Redis), and audit logs (DynamoDB)
  • Encryption in Transit: All data in transit is protected by TLS 1.2 or higher. HTTPS is enforced on all endpoints, and internal service-to-service communication uses VPC endpoints to ensure PHI never traverses the public internet
  • Access Controls: Multi-factor authentication (MFA) is enforced for all platform users via Amazon Cognito. Role-based access controls (RBAC) limit data access to authorized personnel. Multi-tenant isolation ensures Practices can only access their own data
  • Audit Logging: All access to PHI is logged via AWS CloudTrail and application-level audit events. Audit logs are retained for a minimum of six (6) years in compliance with HIPAA requirements
  • Network Security: All data services operate within private VPC subnets with no direct internet access. AWS WAF provides OWASP Top 10 protection and rate limiting at the edge

7. Data Retention

We retain information in accordance with HIPAA requirements and our contractual obligations to Practices:

  • PHI and HIPAA Records: Retained for a minimum of six (6) years from the date of creation or the date when the record was last in effect, whichever is later, in accordance with 45 CFR § 164.530(j)
  • Audit Logs: Retained for a minimum of six (6) years. Audit data is stored in DynamoDB with point-in-time recovery enabled and in CloudWatch Logs with KMS encryption
  • Account Data: Retained for the duration of the Practice’s subscription and for a reasonable period thereafter to facilitate data portability. Upon termination, data is returned or destroyed in accordance with our BAA
  • Automatically Collected Data: Retained for up to twenty-four (24) months for operational and security purposes

8. Your Rights

8.1 HIPAA Rights

If you are a patient whose PHI is processed through our platform, your HIPAA rights (including the right to access, amend, and receive an accounting of disclosures of your PHI) are exercised through the Covered Entity Practice that maintains your records. Please contact your healthcare provider directly to exercise these rights. Jazmine will cooperate with Practices to fulfill such requests in accordance with our BAA.

8.2 CCPA/CPRA Rights (California Residents)

If you are a California resident, you may have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act, to the extent they apply to information not otherwise governed by HIPAA:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information. Note: Jazmine does not sell personal information
  • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment

To exercise these rights, contact us at support@jazmine.app. We will verify your identity and respond within forty-five (45) days.

9. Communication Channels

Jazmine facilitates communication between patients and Practices through multiple channels:

  • SMS Notifications: Text messages sent via our platform contain only non-sensitive information such as appointment reminders and portal access links. PHI is never included in SMS messages because carrier networks are not covered under the HIPAA BAA
  • Secure Patient Portal: All communications containing PHI (clinical details, medical photographs, insurance information) are conducted through our encrypted patient portal, accessible via time-limited secure links
  • Email: Transactional emails (account verification, password reset) are sent via Amazon SES. PHI is not included in email communications

10. Breach Notification

In the event of a breach of unsecured PHI, Jazmine will notify affected Covered Entity Practices without unreasonable delay and in no case later than sixty (60) days after discovery of the breach, in accordance with 45 CFR § 164.410. Our breach notification will include:

  • A description of the breach, including the date of discovery and the date or period of the breach
  • The types of unsecured PHI involved
  • Steps individuals should take to protect themselves
  • A description of Jazmine’s investigation and mitigation efforts
  • Contact information for further inquiries

We will cooperate with Covered Entity Practices to fulfill their notification obligations to affected individuals and the U.S. Department of Health and Human Services (HHS).

11. Children’s Privacy

The Services are not directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly delete such information. If you believe a child under 13 has provided us with personal information, please contact us at support@jazmine.app.

For patients under the age of eighteen (18), Practices are responsible for obtaining appropriate parental or guardian consent in accordance with applicable law before submitting such patient information through the Services.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this Policy
  • Notify registered users via email at least thirty (30) days before material changes take effect
  • Post a prominent notice on our platform

Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the changes.

13. Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us:

If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) at https://www.hhs.gov/hipaa/filing-a-complaint.