Privacy Policy

Effective date: 2025-09-15   Last updated: 2025-09-15

1. Introduction

V.E. Andrei MD–Bariatric Associates, P.A. (the “Practice”) operates BariAccess, a digital health program. In this policy, “BariAccess,” “we,” “us,” or “our” refers to the Practice in connection with the BariAccess program. We are committed to protecting your privacy.

This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile app and web app (the “Services”). This policy is designed to align with healthcare privacy expectations, including HIPAA-related practices when we handle protected health information (PHI).

By using our Services, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Services.

Contact for privacy questions

2. Scope

This policy applies to:

  • Visitors and users of our website and app
  • Patients and users who create an account or use our Services
  • Information we collect through our Services, including when integrated with third-party devices, apps (e.g., glucose monitoring or activity tracking), and integration partners

It does not apply to:

  • Third-party websites, apps, or services linked from our Services
  • Practices of other healthcare providers or partners that are separate from our Services (they may have their own privacy notices)

3. Information We Collect

We may collect the following categories of information.

3.1 Information You Provide

  • Account and profile: Name, contact details, date of birth, and identifiers used to access the Services
  • Health and wellness information: Symptoms, goals, medications (if provided), notes, survey responses, and treatment context (e.g., diabetes-related conditions, medications affecting glucose) when you or your care team provide or authorize it
  • Communications: Messages, feedback, and support requests you send to us
  • Demographic or preference data: Language, time zone, notification preferences, and similar settings when you configure them in the Services

3.2 Information Collected Automatically

  • Device and usage: Device type, operating system, browser type, IP address, app version, dates and times of use, log data, device identifiers, and diagnostics
  • Identifiers: App/device identifiers and session IDs used for security, analytics, and functionality

3.3 Information From Other Sources (Integrations)

When you connect devices or apps (e.g., glucose monitoring, activity tracking, CGM integrations such as Dexcom), we may receive:

  • Device and app integration data: Metrics such as glucose readings (real-time and historical with timestamps), activity, sleep, weight, heart rate, alerts/notifications, time-in-range statistics, and related timestamps
  • Device information: Device model/serial identifiers, settings/configuration, sensor/transmitter identifiers, calibration (if applicable), connectivity status
  • Usage and adherence signals: Wear time, sync timestamps, app usage statistics related to the integration
  • Basic demographic identifiers needed to match the patient (e.g., name, DOB, MRN, or internal patient ID), as applicable

We do not sell your personal information.

4. How We Use Your Information

We use the information we collect to:

  • Provide and improve the Services (e.g., accounts, features, generating views, trends, and reports)
  • Support clinical care coordination with your care team and the Practice when appropriate (e.g., integrating CGM trends and other metrics into your profile to support care coordination and coaching)
  • Provide customer support and respond to your requests
  • Maintain security, prevent fraud, and troubleshoot issues
  • Comply with legal obligations
  • Provide technical support and device/data synchronization for integrations you enable

We will not use your information for purposes materially different from those described here without notifying you and, where required by law, obtaining your consent.

5. Legal Bases for Processing (if applicable)

Where required by law (e.g., GDPR), we process personal data based on:

  • Contract: To perform our agreement with you (e.g., providing the Services)
  • Consent: Where you have given clear consent (e.g., optional marketing, certain data sharing)
  • Legitimate interests: To operate, secure, and improve our Services, where not overridden by your rights
  • Legal obligation: To comply with applicable laws and regulations

6. Sharing and Disclosure

We share information only as described below:

  • With your care team and the Practice for treatment and care coordination
  • With Business Associates (vendors) who help us operate the Services (e.g., hosting, analytics, secure messaging, device integrations) under contracts that require them to safeguard PHI and use it only as permitted by law and our agreement
  • With integration partners you choose to connect (e.g., device platforms such as Dexcom) to enable the functionality you request; such sharing is based on your authorization
  • For legal reasons when required by law or to protect rights, safety, and security
  • Business transfers: In connection with a merger, sale, or other transfer of assets, subject to the same privacy commitments

We do not sell your personal information or PHI. We do not share your information with third parties for their marketing purposes without your written/electronic authorization.

7. Data Security

We use administrative, physical, and technical safeguards appropriate to the sensitivity of the information we process, including:

  • Encryption: TLS for data in transit; encryption at rest for stored ePHI (electronic protected health information)
  • Access control: Role-based access, least-privilege access model, and multi-factor authentication for administrative access
  • Audit logging: We capture access and consent events; audit logs are retained for at least six (6) years
  • Secure development: Code review, secrets management, and vulnerability management as part of our secure SDLC
  • Incident response: Breach assessment and notification consistent with HIPAA/HITECH timelines; we will let you know promptly if a breach occurs that may have compromised the privacy or security of your information

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

8. Data Retention

We retain information for as long as needed to provide the Services and meet legal, clinical, and operational obligations. Our Record Retention & Secure Destruction Policy defines minimum retention periods; unless a longer period is required by state law, payer contract, litigation hold, or clinical needs, we apply the following:

| Record type | Examples | Minimum retention |
|---|---|---|
| Consent/authorization records | Opt-in selections, electronic signatures, revocations, confirmation IDs | 6 years |
| Audit logs | Access logs, disclosure logs, admin actions, consent view events | 6 years |
| Integration transaction logs | API calls, sync status, error logs (excluding sensitive payloads where feasible) | 6 years (or shorter if de-identified and not needed) |
| Patient-provided health data | Metrics, notes, surveys, reports, uploaded files | Per medical record retention schedule (typically 7–10 years; we follow Practice counsel) |
| Support tickets and communications | Emails, chat support, issue tracking (if tied to PHI) | 6 years |
| Security incidents and investigations | Incident reports, forensic notes, notifications | 6 years from closure |

Litigation holds: If we reasonably anticipate litigation, audit, or investigation, relevant records are preserved until the hold is lifted; holds override normal retention schedules.

Secure destruction: When retention periods end, we dispose of records securely (e.g., cryptographic erasure or secure wipe for electronic records; cross-cut shredding or certified shredding service for paper; backups remain encrypted and access-restricted and are deleted via normal backup lifecycle).

You may request deletion of your account and associated data subject to applicable law and these retention obligations. When you disconnect integrations, data sharing stops; previously received data may remain in the patient record as permitted by law and policy.

9. Your Rights and Choices

Your choices in the Services

  • Device and app connections: You can manage device/app connections in the Services (connect, disconnect, and revoke authorizations where available). Revocations are processed within 5 business days, and data sharing ceases within 10 business days after processing.
  • Account information: You can request access to, correction of, or deletion of certain account information, subject to healthcare record retention obligations.
  • Communications: You can opt out of non-essential communications.

Your rights (including under HIPAA where applicable)

  • Access: Get an electronic or paper copy of your medical record / personal information we hold about you
  • Correction: Ask us to correct your medical record or other inaccurate or incomplete information
  • Confidential communications: Request that we communicate with you in a certain way or at a certain location
  • Restriction: Ask us to limit what we use or share (we may not be able to agree to all requests)
  • Accounting of disclosures: Get a list of disclosures in certain cases
  • Copy of this Notice: Get a copy of this Privacy Policy and our Notice of Privacy Practices at any time
  • Someone to act for you: Choose a healthcare proxy, legal guardian, or other representative to act for you
  • Complaint: File a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights; we will not retaliate against you for filing a complaint

Depending on where you live, you may also have rights to data portability, restriction/objection to certain processing, withdrawal of consent, or lodging a complaint with a supervisory authority.

To exercise these rights, contact us at privacy@bariatricassociates.com or (800) 200-5553 (Option 3 for Privacy). We will respond within the timeframes required by applicable law. We may need to verify your identity before processing a request.

Account settings: You can update certain information and preferences (e.g., email, notifications) through your account settings in the Services.

10. Children’s Privacy

The Services are intended for users who can legally consent to the collection and use of their information, or who use the Services under the direction of a parent/guardian and the Practice, as applicable.

We do not knowingly collect personal information from children in violation of applicable age limits. If you believe we have collected information from a child inappropriately, please contact us at privacy@bariatricassociates.com and we will take steps to address it.

11. International Transfers

BariAccess is operated from the United States. Your information may be processed in the United States or by service providers in other countries. Where we transfer data from jurisdictions that require additional safeguards (e.g., the EEA or UK) to a country not deemed to provide adequate protection, we use standard contractual clauses or other approved mechanisms to help ensure your data is protected.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy in the Services (app and web app) and update the effective date. The updated policy will also be available upon request. We encourage you to review this policy periodically.

13. Additional Notices

  • Notice of Privacy Practices (NPP): We are required by law to maintain the privacy and security of your protected health information (PHI) and to provide you with our Notice of Privacy Practices describing our legal duties and privacy practices with respect to PHI. Our BariAccess Notice of Privacy Practices describes how we may use and disclose your PHI (e.g., for treatment, payment, health care operations, as required by law, and with your authorization for other uses). Where there is a conflict between that Notice and this Privacy Policy with respect to PHI, the NPP governs. You may obtain a copy of the NPP in the BariAccess app/web app or upon request.
  • Region-specific terms: Additional terms may apply in certain jurisdictions (e.g., California, EU/EEA, UK). We will make those available in an addendum or on a regional page as applicable.

14. Contact Us

For questions, requests, or complaints about this Privacy Policy or our privacy practices:

  • Privacy Officer / Email: privacy@bariatricassociates.com
  • Phone: (800) 200-5553 (Option 3 for Privacy)
  • Mail: Privacy Officer, V.E. Andrei MD–Bariatric Associates, P.A., 22 Old Short Hills Rd, Suite 110, Livingston, NJ 07039

Security contact: security@bariatricassociates.com (or route via Privacy Officer if not yet established)

Complaints: You may complain to us or to the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.