Privacy Policy
Last updated: January 8, 2026
At Aether Health Solutions Inc. ("Aether," "we," "us," or "our"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Cleo, Halo, and our other products and services.
1. Information We Collect
1.1 Cleo Browser Extension Data
The Cleo browser extension collects and processes the following data to provide EHR automation features:
Data Collected Locally (stored on your device only)
- Page Content: Text and DOM structure from EHR web pages you visit, used to identify patient context and automate workflows. This data is processed locally in your browser and is not transmitted to our servers unless you explicitly use a feature that requires it.
- Screenshots: Visual captures of EHR screens, cached locally for session continuity and automatically deleted after use.
- User Preferences: Your extension settings, EHR configurations, and workflow preferences stored locally via browser storage APIs.
- Session State: Temporary data about your current session, including active patient context and workflow progress, stored locally to maintain continuity.
- Learning Data: Patterns learned from your interactions to improve automation accuracy, stored locally on your device.
Data Transmitted to Servers (when required)
- Authentication Data: Your login credentials are securely transmitted to verify your identity and subscription status.
- Anonymized Usage Metrics: Non-identifiable information about feature usage to improve our services. This never includes patient data or PHI.
- AI Text Requests: When using AI-powered features, text data may be sent to AI providers. Our privacy protection system automatically redacts patient names, SSNs, MRNs, dates of birth, phone numbers, and email addresses from text before transmission.
- AI Vision Requests: When using visual navigation features, screenshots may be sent to HIPAA-compliant AI providers for analysis. These providers have signed Business Associate Agreements (BAAs) and are bound by HIPAA regulations for protecting health information.
Browser Permissions Used
| Permission | Purpose |
|---|---|
| activeTab | Read content from the current EHR tab to provide automation assistance |
| storage | Save your preferences, settings, and workflow data locally on your device |
| tabs | Manage EHR tabs during multi-step workflows and cross-tab operations |
| tabCapture | Capture visual screenshots for AI-assisted navigation and verification |
| scripting | Execute automation scripts on EHR pages to perform actions on your behalf |
| sidePanel | Display the Cleo assistant interface alongside your EHR |
| alarms | Schedule background tasks like previsit preparation |
| offscreen | Process data in the background without requiring a visible window |
| host_permissions (all URLs) | Access any EHR system regardless of vendor, as EHR URLs vary by healthcare organization |
1.2 Information You Provide
- Account Information: Name, email address, organization, and professional credentials when you create an account.
- EHR Configuration: URLs and connection settings for your Electronic Health Record systems.
- User Preferences: Settings, preferences, and customizations you make within our products.
1.3 Information Collected Automatically
- Usage Data: Information about how you interact with our services, including features used and actions taken.
- Device Information: Browser type, operating system, and device identifiers.
- Log Data: IP addresses, access times, and pages viewed.
1.4 Clinical Data
When you use Cleo to interact with EHR systems, we may process clinical data including:
- Patient identifiers visible on EHR screens
- Clinical notes and documentation
- Laboratory results and vital signs
- Medication lists and orders
Important: Clinical data is processed locally in your browser by default. We only transmit data to our servers when necessary for specific features, and always in compliance with HIPAA and applicable regulations.
2. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our services
- Personalize your experience and provide AI-powered clinical assistance
- Process transactions and send related information
- Send technical notices, updates, and security alerts
- Respond to your comments, questions, and support requests
- Monitor and analyze usage trends to improve our services
- Detect, prevent, and address technical issues and security threats
3. Data Security
We implement industry-standard security measures to protect your information:
- Encryption: All data is encrypted in transit using TLS and at rest using strong encryption.
- Access Controls: Role-based access controls limit who can access your data.
- Audit Logging: We log data access for security and compliance purposes.
- Security Best Practices: We follow industry best practices for security, availability, and confidentiality.
- Regular Security Reviews: We conduct regular security assessments and reviews.
4. HIPAA Compliance
For healthcare organizations subject to HIPAA:
- We will enter into a Business Associate Agreement (BAA) upon request.
- We maintain administrative, physical, and technical safeguards as required by HIPAA.
- We limit use and disclosure of Protected Health Information (PHI) to the minimum necessary.
- We provide breach notification as required by HIPAA regulations.
5. Data Sharing and Disclosure
We do not sell your personal information. We may share your information with:
5.1 Service Providers
Third-party vendors who assist us in providing our services, subject to confidentiality obligations:
- Cloud Infrastructure: Secure cloud hosting providers for data storage and processing
- Authentication Services: Identity providers for secure user authentication and account management
- AI Services: AI providers for clinical assistance features. Data sent to these providers is automatically sanitized to remove protected health information before transmission.
- Analytics: Anonymized usage analytics to improve our services (no PHI or PII included)
All service providers with access to protected health information have signed Business Associate Agreements as required by HIPAA. AI providers only receive sanitized, de-identified text.
5.2 Legal Requirements
We may disclose information if required by law, court order, or government request, or to protect our rights, privacy, safety, or property.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide services. After account deletion:
- Personal account data is deleted within 30 days
- Anonymized usage data may be retained for analytics
- Backup copies are purged within 90 days
- Legal hold requirements may extend retention periods
7. Your Rights and Choices
Depending on your location, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate personal information.
- Deletion: Request deletion of your personal information.
- Portability: Request your data in a portable format.
- Opt-out: Opt out of certain data processing activities.
To exercise these rights, contact us at support@aether.inc.
8. Cookies and Tracking
We use cookies and similar technologies to:
- Maintain your session and authentication
- Remember your preferences
- Analyze usage patterns
- Improve our services
You can control cookies through your browser settings, though some features may not function properly without them.
9. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it promptly.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses where required.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of our services after such changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Aether Health Solutions Inc.
Email: support@aether.inc
13. California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to opt out of the sale of personal information
- Right to non-discrimination for exercising privacy rights
We do not sell personal information as defined by the CCPA.