1. Overview
Alpine Labs, Inc. operates MedLocker, a consumer health platform that helps individuals collect, store, organize, understand, and share health information. This Policy explains how we collect, use, disclose, protect, and retain information when you use MedLocker, visit our websites, communicate with us, or participate in optional MedLocker programs.
MedLocker is designed around patient control. You decide whether to connect sources, upload records, share information with caregivers, participate in research or data programs, and delete or export your information, subject to legal and operational limits described below.
2. HIPAA and Consumer Health Data Context
MedLocker is primarily a consumer-directed personal health record service. When you direct a healthcare provider, health plan, laboratory, pharmacy, health information network, QHIN where available, or other record holder to send your information to MedLocker, that record holder may be subject to HIPAA or other healthcare privacy laws when making the disclosure. In that consumer-directed context, Alpine Labs generally receives the information on your behalf and generally does not receive it as a HIPAA Covered Entity or Business Associate.
HIPAA may continue to govern the covered entity or business associate that discloses information to MedLocker. MedLocker's handling of consumer-directed information is governed by this Policy, our Terms of Service, your consent choices, the Federal Trade Commission Health Breach Notification Rule where applicable, state consumer health privacy laws, contracts, and other applicable law.
If Alpine Labs provides services to a healthcare provider, health plan, employer health plan, or another HIPAA-regulated entity on that entity's behalf, Alpine Labs may act as a Business Associate for that specific data flow and will operate under an applicable Business Associate Agreement.
Plain English summary: HIPAA follows certain regulated relationships. MedLocker may be outside HIPAA when it acts at the direct request of the user, but MedLocker still treats the data as highly sensitive and applies strong privacy, consent, and security controls.
3. Key Terms
| Term | Meaning |
| --- | --- |
| Health Information | Information about your health, healthcare, health insurance, medications, conditions, tests, treatments, devices, health preferences, or health-related activity. |
| Consumer Health Data | Health-related information that may be protected by state consumer health privacy laws even when it is not covered by HIPAA. |
| Protected Health Information or PHI | Health information subject to HIPAA while held by or on behalf of a HIPAA Covered Entity or Business Associate. MedLocker does not use PHI as the default label for consumer-directed data that is not governed by HIPAA while held by MedLocker. |
| De-identified or Aggregated Information | Information processed so that it does not identify you, or information combined with information from many people in a way not intended to identify any individual. |
4. Information We Collect
| Category | Examples |
| --- | --- |
| Account and Contact | Name, email, phone, login credentials, account settings, authentication information, and communication preferences. |
| Health Records | Clinical notes, diagnoses, medications, allergies, labs, imaging reports, procedures, immunizations, care plans, claims, EOBs, bills, dental records, pharmacy records, device data, and uploaded files. |
| Connected Sources | Providers, payers, labs, pharmacies, EHR portals, patient portals, health information networks, QHINs where available, APIs, health apps, and wearables that you authorize. |
| Derived and Extracted Data | Text extracted from documents, FHIR resources, structured fields, timelines, indexes, summaries, data quality notes, and metadata. |
| Caregiver and Sharing | Authorized people, access levels, sharing history, invitations, revocations, and records of disclosures through your account. |
| Support, Payment, and Technical | Support messages, feedback, payment or compensation records, device type, browser, operating system, IP address, logs, app events, crash reports, and security events. |
5. How We Use Information
Create and manage your account.
Retrieve, receive, store, organize, normalize, convert, and display records you provide or authorize us to obtain.
Create timelines, indexes, summaries, search features, data quality checks, exports, and user controls.
Support user-directed sharing with caregivers, providers, researchers, life sciences organizations, or others you choose.
Operate optional research, survey, clinical trial matching, analytics, data licensing, or compensation programs only with required separate consent.
Provide support, troubleshoot issues, improve usability, protect security, prevent fraud, comply with law, and enforce agreements.
6. AI-Assisted Tools
MedLocker may use software, machine learning, and AI-assisted tools to extract, classify, structure, normalize, summarize, translate, and display health information. These tools may create timelines, map information to standards such as FHIR, identify duplicate or conflicting records, and generate user-facing explanations.
AI-assisted outputs may be incomplete, outdated, or incorrect and are not medical advice. Alpine Labs does not use your identifiable health information to train third-party foundation models unless you provide explicit opt-in consent. Alpine Labs does not permit third-party AI vendors to use your identifiable health information to train their general-purpose models unless you have explicitly authorized that use in a separate consent.
7. How We Share Information
| Sharing Context | Description |
| --- | --- |
| People You Authorize | Caregivers, family members, personal representatives, healthcare providers, or others you select. Recipients may further disclose information outside MedLocker. |
| Connected Sources | Providers, payers, labs, pharmacies, portals, networks, APIs, apps, and devices as needed to retrieve or manage information you request. |
| Service Providers | Cloud hosting, storage, security, authentication, analytics, communications, payments, support, and infrastructure vendors under confidentiality and security terms. |
| Research, Life Sciences, Analytics, or Data Partners | Identifiable health information is shared only under required explicit opt-in consent. De-identified or aggregated information may be used as described in this Policy and applicable law. |
| Legal, Safety, or Business Transfer | Disclosures required by law or reasonably necessary to protect rights, safety, security, or continuity in a merger, financing, acquisition, reorganization, or sale of assets. |
8. Sales, Advertising, and Data Licensing
We do not sell your identifiable personal information or identifiable health information to advertisers or data brokers. We do not use cookies or similar technologies for behavioral advertising based on your health information.
MedLocker may offer optional data sharing, research, life sciences, analytics, clinical trial matching, survey, or data licensing programs. Participation is voluntary. We will not disclose identifiable health information for those programs unless you provide explicit opt-in consent describing the data, purpose, recipient or recipient category, compensation, recontact, and withdrawal process.
9. Your Choices and Rights
Access, view, and download information in your account.
Correct account information and request correction of stored information.
Connect or disconnect data sources.
Authorize, limit, or revoke caregiver and other sharing permissions.
Opt in to or withdraw from optional research, survey, clinical trial matching, analytics, data licensing, or compensation programs.
Request deletion of your account and associated information, subject to backup, legal, security, fraud prevention, dispute resolution, and recordkeeping limits.
Contact privacy@alpinelabs.ai to exercise privacy rights or ask questions.
10. State Consumer Health Privacy Rights
Some state laws provide additional rights for consumer health data, including rights to know, access, delete, withdraw consent, and receive information about sharing. Some laws require consent before collecting or sharing consumer health data for certain purposes, and separate authorization before selling consumer health data. The separate Consumer Health Data Privacy Notice provides more detail.
11. Security
We use administrative, technical, and organizational safeguards designed for sensitive health information, including encryption in transit and at rest, access controls, authentication, least-privilege permissions, audit logging, monitoring, vulnerability management, secure development practices, incident response procedures, vendor security reviews, and workforce confidentiality obligations.
MedLocker is hosted on Google Cloud Platform using security controls appropriate for sensitive health information. Where Alpine Labs handles HIPAA-regulated PHI as a Business Associate, Alpine Labs uses eligible cloud services under applicable Business Associate Agreements and implements HIPAA-aligned controls for that data flow. Alpine Labs may also apply HIPAA-grade controls to consumer-directed MedLocker data even when HIPAA does not legally apply.
12. Retention and Deletion
We retain information for as long as needed to provide MedLocker, maintain your account, comply with law, resolve disputes, enforce agreements, support security, preserve audit logs, and meet legitimate business needs. We may retain backup copies for a limited period after deletion, subject to ordinary backup cycles and security controls.
Deleting your account or revoking an authorization stops future use or collection where applicable, but it may not require deletion of information already disclosed to third parties under prior consent.
13. Children and Minor Dependents
MedLocker accounts are intended for adults at least 18 years old. A parent, legal guardian, or authorized personal representative may use MedLocker to manage health information for a minor or dependent where permitted by law. Minor records may be subject to additional legal protections that vary by state and type of care.
14. International Users
MedLocker is operated from the United States and is intended primarily for users in the United States. If you access MedLocker from outside the United States, information may be transferred to and processed in the United States.
15. Changes and Contact
We may update this Policy from time to time. Material changes will be noticed through MedLocker, email, or another reasonable method where required. Contact: Alpine Labs, Inc., Attn: Privacy and Compliance, 15 Highland Meadow Dr, Alexander, NC 28701, privacy@alpinelabs.ai.