Privacy Policy

How Ayra handles your data.

In one sentence: PHI never leaves your covered environment, consent hashes can be anchored to public DLT receipts without putting PHI on ledger, and you can revoke any time. The rest of this page is the full version.

Last updated · May 14, 2026

Overview

Ayra Health, Inc. ("Ayra," "we," "us") operates behavioral health infrastructure spanning workflow software, Payer Proof, and portable records. This Privacy Policy describes how we collect, use, share, and protect personal information — including Protected Health Information ("PHI") under HIPAA — across those services.

If you're a patient seen by a clinician using Ayra: your clinician is the covered entity and your data lives in their workspace. We act as their Business Associate. We never sell, monetize, or use your data for any purpose beyond providing the service.

What we collect.

From clinicians

  • Account details (name, email, NPI, licensed states)
  • Session content (voice, transcripts) created through the platform
  • Clinical notes, treatment plans, and PROM results entered or generated
  • Billing and payment information processed through Stripe

From patients (via clinicians)

  • Demographics needed for claims (name, DOB, insurance)
  • Consent grants tied to specific clinical actions
  • Session content the clinician records with consent
  • Outcomes data (PHQ-9, GAD-7, C-SSRS) the patient completes

From payers

  • Organization details, NAIC ID, integration endpoints
  • Adjudication responses (835/EFT)
  • Payer admin user accounts

How we use it.

We use the information we collect strictly to operate the platform: deliver clinical workflows, generate AI-drafted notes, process claims, anchor SmartConsent proofs, and maintain HIPAA-required audit trails.

We do not use PHI to train general-purpose AI models. The voice-to-note AI pipeline runs under per-customer isolation; consented session audio is used only to produce the immediate clinical note and is purged from active processing within 30 days unless the clinician explicitly retains it for their record.

HIPAA & PHI

Ayra operates as a HIPAA Business Associate. We sign a Business Associate Agreement (BAA) with every covered entity using the platform. PHI is encrypted at rest (AES-256) and in transit (TLS 1.3), stored in HIPAA-compliant infrastructure, and accessed only through audited, role-scoped paths.

Want a copy of our BAA? Email compliance@ayrahealth.com. We respond within one business day with our current BAA template.

SmartConsent™

Every consent grant a patient signs is anchored to the receipt environment as a cryptographic hash. The hash contains no PHI, only a tamper-evident proof that consent of a specific type occurred at a specific moment. Ayra Verifier can recompute the proof path without relying on Ayra's mutable application database.

Revocation is anchored the same way. Once a patient revokes, the receipt path holds both the grant and the revocation, in order. Ayra cannot rewrite that history inside its mutable application database.

Sharing & vendors.

We share PHI only with vendors we've executed BAAs with and only when necessary to operate the service. Current sub-processors:

  • Amazon Web Services — application hosting, encrypted storage
  • Hetzner — secondary compute infrastructure
  • Deepgram — voice transcription (BAA executed)
  • Stedi — EDI 837/835 Payer Proof rails
  • Stripe — payment processing (de-identified)
  • Resend — transactional email (non-PHI)
  • DLT receipt provider — consent receipt anchoring (hashes only)

We never sell personal data. We never share it for advertising. We never use it for purposes the patient did not consent to.

Your rights.

If you're a patient, you have the right to:

  • Access a copy of your records (request via your clinician or privacy@ayrahealth.com)
  • Revoke any SmartConsent grant at any time
  • Request correction of inaccurate information
  • Request deletion subject to legal record-retention requirements
  • File a complaint with HHS Office for Civil Rights

If you're a California resident, you have CCPA rights including the right to know, delete, and opt out of sale (we do not sell). EU/UK residents have GDPR rights including data portability and erasure.

Retention

Clinical records are retained according to the longest applicable state requirement for the clinician's licensed jurisdiction (typically 7–10 years for adults, longer for minors). De-identified analytics data is retained indefinitely. Account metadata is retained for 30 days after account closure and then purged using NIST 800-88-compliant procedures.

Cookies

We use a minimal set of strictly-necessary cookies: session authentication, CSRF protection, and load balancing. We do not use third-party advertising trackers. We do not use analytics that send personal data offsite. Our self-hosted analytics aggregates only counts.

Contact & updates.

Privacy questions: privacy@ayrahealth.com
Compliance & BAA: compliance@ayrahealth.com
Mail: Ayra Health, Inc., Houston, TX

We update this policy as our practices change. Material changes are notified via email to active accounts at least 14 days before they take effect.