US
Privacy Policy
Introduction
We are dedicated to improving care and treatment for people with all kinds of health conditions—especially in orthopedic surgery and musculoskeletal care, where we have deep experience.
We are committed to protecting your Personally Identifiable Information (PII) and Protected Health Information (PHI) (PII and PHI, collectively hereafter Personal Information) and respecting your privacy.
Transparency and clarity are important for us and we want you to feel in control of and understand how we handle your Personal Information. We appreciate that you do not want your Personal Information distributed indiscriminately and in this policy we explain how we collect information, what we do with it and what rights you have in relation to your Personal Information.
We may revise this policy from time to time and will notify you if we are making any significant changes. This Privacy Policy was last updated on 1 Dec 2025.
Please read this policy carefully so that you understand the terms and how they apply to you.
If you have any questions about how we process your information, please do not hesitate to get in touch by contacting us at help@myrecovery.com.
Important information and who we are
This is the Privacy Policy for the www.msk.ai and www.myrecovery.com websites ("Site"), any application we provide ("App") and any online dashboard portal that accompanies an App ("Dashboard") (together, the "Services").
HOPCo Ltd is a company registered in England and Wales with company number 09336986, with its registered office at 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom.
Who this policy applies to
By accessing or using the Services you acknowledge and consent to the collection and use of information in accordance with this Privacy Policy, our Terms of Service (either our Terms of Service for App and Site Users or Terms of Service for Dashboard Users, as applicable to you), together with our End-User License Agreement (EULA) and any additional terms of use incorporated by reference into the EULA. By accessing our Services you agree that we may treat your information as set out in this Privacy Policy. If you do not agree with any of the terms of this Privacy Policy, our EULA or Terms of Service, you should refrain from using our Services.
Please take the time to read and understand how this policy applies to you, according to the different categories of user described below and referred to throughout this document:
- as a Patient, who has been referred by a charitable organization or your surgeon, doctor or other healthcare professional to download and use the App as part of your care and recovery process pre- or post- treatment, or invited to use the App as part of your involvement in a clinical study or research project;
- as a Healthcare Professional User (HCP), being an individual who accesses the App and Dashboard in your capacity as a person responsible (whether as a surgeon, doctor or other healthcare professional) for the medical care and treatment of Patients, and with permission from those Patients to monitor such activity and other medical data as they may submit to the App in order to inform their care pre- and post- treatment, or as a person administering a clinical research trial or study involving consenting App users for medical and device research purposes;
- as a Healthcare Administrator, being an individual or entity responsible for the management and oversight of a healthcare institution and its HCPs, or an employee of a healthcare organization, and who is a registered user of the Dashboard for the purposes of managing and/or supporting HCPs engaged in medical care and treatment, as well as viewing practice summaries and statistics for your clinical practice, or being an administrator involved in a clinical study or research project; or
- as a Partner, being an entity (or individual acting on behalf of an entity) involved in research and development relating to the treatment of diseases, including the improvement of existing technologies and development of new technologies, to improve the treatment and care of patients and support patient safety, and who is a registered user of the Dashboard in order to access information relating to Patients pre- and post- treatment of health conditions and diseases and the use and effectiveness of medical devices or medication used by surgeons, doctors and other healthcare professionals as part of treatment.
We reserve the right to change this Privacy Policy from time to time by changing it on the Site or by updating the App or Dashboard.
Children’s privacy
Our Services are not intended for use by children under the age of 13. By using the App, you confirm that you are at least 13 years old. If you are between the ages of 13 and 17, you may only use the App with permission from a parent or legal guardian.
We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verified parental consent, we will delete that information as soon as possible.
If you believe that we may have collected information from a child under 13, please contact us at help@myrecovery.com.
Our Key Privacy Commitments
We are committed to protecting your Personal Information and Protected Health Information (PHI). To support this, we make the following commitments:
- We only collect Personal Information and PHI as instructed by healthcare organizations and as necessary to provide and improve our Services.
- We use PHI only as permitted by HIPAA, HITECH, applicable state privacy laws, and our Business Associate Agreements (BAAs).
- We do not use PHI for advertising, marketing, or sales-based analytics.
- We do not sell your Personal Information or PHI, and we do not “share” PHI for cross-context behavioral advertising (as defined under CPRA).
- We do not engage in targeted or cross-context behavioral advertising, and we do not use PHI or Personal Information for such purposes.
- You can request access, correction, or deletion of your data at any time where permitted by law.
- You remain in control of all device‐based health app permissions (e.g., Apple Health, Google Fit, Samsung Health) and may withdraw access at any time.
- We apply industry-standard security measures, including encryption, access controls, continuous monitoring, and third-party security testing.
- Any automated insights or data-driven predictions we generate are used only to support clinical care and are never used to replace clinical judgment or to make decisions that have legal or significant effects on you.
Information we may collect from you
Personal Information means any information about an individual that can distinguish or trace an individual’s identity (Personal Information). It does not include data where sufficient information has been removed or randomized such that an individual can no longer be identified directly or indirectly (Deidentified Data).
We collect information about you if you:
- register with or use our Site;
- download and use our App; or
- access our Dashboard.
We may collect, use, store and process the following different kinds of Personal Information about you that you submit through your use of the Services:
- Identity information including your first and last names, date of birth and gender that you provide by completing forms on the Site, the App or the Dashboard, including if you register as a user of the Services, upload or submit any material via the Services, or when you request any information;
- Contact information including your email address and telephone numbers;
- Login information including information in connection with an account sign-in facility, such as your login and password details; and
- Technical information including additional data which, when you access the Services we may (like most modern websites and online applications - for more information, please refer to the 'All About Cookies' website), by means of cookies and/or other similar technologies, automatically collect about you – such as the type of internet browser or mobile device you use, any website from which you have come to the Site, your IP address (the unique address which identifies your computer or mobile device on the internet) and/or the operating system of your computer or mobile device. See the Cookies & other technologies section for more information.
If you are a Patient:
By providing us with additional information about you and your recovery, we are able to provide better and more personalized services and information to you and the healthcare professionals responsible for your treatment, and as a result your healthcare professional will be able to better tailor the care to your individual needs. We may collect the following additional data (including medical data):
- Treatment-specific Health information including information about your surgery or treatment, including pre- and post- treatment care information, such as the dates and details of your treatment, the type of medical device you have received and the details of that device, and the details of your healthcare team;
- Other Health information including data relating to you, your treatment, and how your recovery is progressing, including pain scores, exercise compliance data, and responses to surveys and questionnaires, as well as any other content that you choose to create and post or upload to the App (which may include videos, photographs, audio, messages or other materials);
- Third-party Health App data including data collected where, if you install the App onto an Android or Apple device which has the respective Google Fit or HealthKit features enabled, we will request access to third-party health app data such as your exercise and fitness level through your device. You will be prompted by your device to allow access the first time this content is requested by us and, even if you grant us access, you can stop this access at any later point by changing the settings on your device. You are under no obligation to provide this information. However, if you should choose to withhold requested information, this may reduce our ability to provide you and your healthcare team with information on your recovery from treatment. We do not store or transmit third-party health app data for advertising, marketing, analytics unrelated to your care, or any purpose prohibited by Apple, Google, or Samsung;
- Communication and App Usage information including details of any communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Services or content made available through the Services; information from videos you have watched or surveys that we may, from time to time, run on the Services for research purposes, if you choose to respond to, or participate in, them; and
- Location information including information provided by your device to enable us to show you content that is local to you and to help authenticate the use of the Services. We may approximate your location from your device using the GPS connection information used by your device to help your healthcare team understand your recovery from treatment, for example to understand your activity levels. If we collect location data via the App, we will always prompt you about sharing your location and you can disable location sharing at any time through the settings of your device.
Health and Fitness Data We Collect
In addition to the categories described above, we may collect and process the following health- and fitness-related information where you choose to provide it or authorize access:
- Activity and mobility data, such as step count, distance, mobility patterns, activity duration, or other device-derived measures, including data accessed through Apple HealthKit, Google Fit, Google Health Connect, or Samsung Health (with your permission).
- Self-reported wellbeing and symptom data, including pain scores, symptom tracking, patient-reported outcomes, mood or function assessments, and recovery questionnaires.
- Rehabilitation and exercise-adherence data, including completion of exercises, duration, repetitions, frequency, and range-of-motion assessments.
- Treatment-related health information, including procedure dates, type of surgery, device or implant identifiers, post-operative recovery information, and complication reports (if provided).
- Sensor-derived recovery or performance data, including gait data, mobility indicators, accelerometer or gyroscope signals, or other digital biomarkers used to support clinical monitoring.
- Multimedia with health content, such as photos or videos you upload for assessment, wound monitoring, mobility evaluation, or communication with your care team.
- In-app communication data, including text messages, images, videos, or other materials you send to your care team within the App. These data points and communications may form part of your clinical record and may contain PHI.
You may decline to provide any of this information, but doing so may reduce the features available to you and limit the information available to your care team.
If you are a HCP, Healthcare Administrator or Partner, we may collect the following additional data (the below categories of information are not collected from Patients):
- Employee information including Identity Information and Contact Information of your employees. You should properly inform your employees on the processing of their Personal Information in compliance with the applicable law and other relevant local regulations.
- Practice information including data relating to the management of a healthcare organization, such as performance assessments and ratings, number of patient registrations, staff and patient demographic information, and number and type of treatments offered and patient outcomes.
Notice to U.S. Users
We comply with applicable U.S. privacy laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and relevant state-level privacy laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), where applicable.
We define Protected Health Information (PHI) under HIPAA as any individually identifiable health information maintained or transmitted by a covered entity or its business associate, in any form or medium, as described in 45 CFR §160.103.
This Privacy Policy is intended to comply with HIPAA’s requirements for Business Associates when applicable. We may also enter into Business Associate Agreements (BAAs) with Covered Entities when required and will use or disclose PHI only for purposes permitted under HIPAA, HITECH, and the relevant BAA.
Breach Notification
In accordance with HIPAA’s Breach Notification Rule (45 CFR §§164.400–414), if we discover a breach of unsecured PHI, we will notify affected individuals without unreasonable delay, as well as the U.S. Department of Health and Human Services (HHS) and other regulatory bodies, if applicable.
Minimum Necessary Policy
We are committed to using or disclosing only the minimum necessary amount of PHI needed to accomplish the intended purpose of the use, disclosure, or request, as required under HIPAA.
Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us at help@myrecovery.com or with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). You will not face any retaliation for filing a complaint.
Retention of PHI
We retain PHI in accordance with the terms of our Business Associate Agreement (BAA) with the relevant healthcare organization. This typically includes retaining PHI for at least six years, as required under HIPAA, or longer if needed to meet contractual, regulatory, or legal obligations. At the end of a contract, PHI may be deidentified in line with the BAA and either returned to the healthcare organization or retained by us in de-identified form, as agreed. We may continue to use de-identified or aggregated data beyond this period for research, analysis, or to improve our services, consistent with the BAA and applicable law.
Additional Rights for California Residents
If you are a California resident, you may have additional rights under the CPRA, including:
- The right to know what personal data is collected about you;
- The right to delete your personal data (subject to exceptions);
- The right to correct inaccurate personal data;
- The right to opt out of the sale or sharing of your personal data;
- The right to non-discrimination for exercising your rights.
You may exercise these rights by contacting us at help@myrecovery.com.
HIPAA Notice of Privacy Practices (NOPP)
If you use the myrecovery platform as part of a healthcare service provided by a HIPAA Covered Entity, you may also receive a separate Notice of Privacy Practices (NOPP) from that provider. The NOPP describes how your PHI may be used and disclosed and how you can access your PHI. This Privacy Policy supplements but does not replace any HIPAA NOPP issued by your provider.
Deidentified Data
We create and use de-identified and/or aggregated data about our users (for example, statistical or demographic data before and after treatment) to help us and our partners evaluate and improve treatments, devices, digital health tools, and patient safety. Once data has been de-identified in accordance with applicable standards, it is no longer considered Personal Data/Personal Information or PHI.
We may license or share HIPAA-de-identified data (as defined under 45 CFR §164.514(b)), which is no longer Personal Information or PHI. Such data may be used for research, analytics, scientific study, or to support development of technologies that improve patient care. We do not sell Personal Information or PHI.
Deidentified Data could be derived from your de-identified Personal Information having been combined with a pool of data from other users of our Services, but is not considered Personal Information as it has been sufficiently deidentified such that it cannot be used to directly or indirectly reveal your identity. For example, we may use Deidentified Data in the following ways:
- Product Improvement: We may use Deidentified Data to improve our Service or help third-parties to evaluate their products and Services e.g. we may use your usage data to calculate the percentage of users accessing a particular feature of the App to inform how we develop and improve our products, or we may use Deidentified Data to help your healthcare provider or a manufacturer of medical devices or therapeutics understand how well their treatment, device or therapeutic is functioning and how it can be improved to inform and advance the development of more effective and safer treatments;
- Research: We may use Deidentified Data for research purposes, whether scientific, marketing, or business in nature. This research may be made public through publications such as within clinical studies, scientific articles, medical conferences or health reports e.g. we may aggregate pain score data that you provide following treatment to conduct research on the effectiveness of a particular treatment or calculate average recovery times for a particular treatment to better understand the recovery process;
- Business Purposes: We may also license, sell or otherwise share Deidentified Data with institutional clients, partners, investors and contractors for any purposes related to our business practices e.g. we may use Deidentified Data to develop, train and improve analytical healthcare systems based on machine learning or artificial intelligence technologies.
How is your Personal Information collected?
We use different methods to collect data from and about you, including through:
- Direct interactions: you may provide us with your identity and contact details when you register to use our Services. You may provide further data by submitting information to the App or Dashboard, responding to surveys or providing feedback.
- Automated technologies or interactions: when you interact with our Services, we will automatically collect technical data about the device you are using, your browsing actions and patterns and (if you enable location sharing) your location data, using cookies or other similar technologies (explained further below).
- Integration with third-party health apps: if you choose, when prompted, to grant the App permission to access other health or fitness related applications installed on your device, we may access and use your Third-party Health App data collected by those third-party applications, as defined above. You may disable such permissions at any time in your device settings and/or via the relevant third-party application.
Use of Apple HealthKit, Google Fit, Google Health Connect, and Samsung Health
Where you choose to connect the App to Apple HealthKit, Google Fit, Google Health Connect, or Samsung Health:
- We only access the data categories that you explicitly authorize.
- We use such data solely to provide health-related features and clinical-support services within the App.
- We do not use this data for advertising, marketing, analytics unrelated to your care, or profiling for commercial purposes.
- We do not sell this data or share it with third parties except as permitted by HIPAA, applicable law, or a Business Associate Agreement.
- We comply with all Apple, Google, and Samsung developer terms, including restrictions on secondary use, data handling, and security requirements.
- You may withdraw access at any time through your device settings; once withdrawn, the App will no longer receive new data from that service.
How we use your Personal Information
We take the protection of your Personal Information very seriously and will only ever use your Personal Information lawfully and in accordance with the requirements of any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Information (Data Protection Legislation).
Uses of Personal Information
The most common purposes for which we use your Personal Information are as follows:
- to enable us to perform our contract we have entered into or are about to enter into with you to provide you with the services and information offered through the Site, App and Dashboard (as applicable), subject to our EULA and Terms of Service with you, and to improve those services;
- where it is necessary for our legitimate interests (or those of a third-party) as a commercial organization for the purposes of managing and planning our business, and your interests and fundamental rights do not override those interests, in which case we may (keeping our information secure at all times and in a way that is proportionate and respects your privacy rights) use your Personal Information which we collect in the course of running and/or improving our business and developing new products and services, including to:
  - audit the downloading of the App and data from the Services;
  - improve the layout and/or content of the pages of the Site, App and Dashboard and customize them for users;
  - identify visitors to the Site and/or users of the Dashboard and App;
  - conduct analysis and carry out research to further and improve medical care and treatment of health conditions and diseases;
  - analyze aggregated and deidentified outcome data to provide recommendations on patient journeys and develop technology to automate guidance;
  - forecast demand of service and to understand other trends in use, including which features users use the most and find the most helpful, and what features users require from us. This does not involve making any decisions about you - it is only about improving the Services we deliver to you and other users. Strict confidentiality and data security provisions will apply at all times;
  - troubleshoot bugs within the Services; and
  - troubleshoot and help you with any questions/enquiries; or
- where we need to comply with a legal or regulatory obligation.
- as we believe necessary or appropriate: (a) under applicable law, including laws outside your state or country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities including public and government authorities outside your state or country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
How We Use Health and Fitness Data
We use your health and fitness data, including PHI where applicable, only for the purposes described below:
- Direct care and recovery support: enabling your healthcare professionals to monitor your progress, assess outcomes, adjust treatment plans, and support your recovery.
- Clinical communication: delivering reminders, care-pathway content, follow-up prompts, educational materials, and messages approved or provided by your care team.
- Service functionality: powering app features such as activity tracking, symptom logging, dashboards, care-pathway automation, and personalized insights.
- Quality, safety, and performance analytics: evaluating treatment effectiveness, device performance, clinical outcomes, and safety signals, using de-identified or aggregated data when possible.
- Research and innovation: supporting approved research, clinical studies, scientific publications, algorithm development, and digital-health innovation, using PHI only as permitted by HIPAA and your BAA, and otherwise relying on de-identified or aggregated data.
We do not use your health or fitness data for advertising, commercial profiling, or selling to third parties.
Profiling for Clinical Care
We may use limited forms of automated analysis (“profiling”) to support your care. This may include analyzing symptom trends, recovery patterns, mobility data, or activity information to generate insights for your healthcare team. This type of profiling does not constitute automated decision-making or profiling with legal or similarly significant effects as defined under applicable state privacy laws.
These techniques are used solely for clinical-support purposes and never to make automated decisions that affect your legal rights. Any insights generated are reviewed and interpreted by licensed healthcare professionals and do not replace medical judgment. We do not use profiling for advertising, marketing, cross-context behavioral advertising, or other commercial purposes.
Use of Protected Health Information
We may use Protected Health Information (PHI) in the same manner as Personal Information, described above, except our use and disclosure of PHI is further limited as provided by the administrative simplification provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) and the Omnibus regulations promulgating Standards for Privacy of Individually Identifiable Health Information and Security Standards for the Protection of Electronic PHI promulgated thereto.
Specifically, as described above, all uses or disclosures of PHI shall require Patient authorization or a valid authorization on the patient’s behalf, except: (1) uses or disclosures by or to the Patient; (2) uses or disclosures for treatment, payment or healthcare operations; (3) as part of any valid use or disclosure; or (4) in compliance with and pursuant to Applicable Law.
We will enter into business associate agreements with the Patient’s Providers who are “Covered Entities” when we are functioning as a “Business Associate” to the particular Covered Entity (as those terms are defined by HIPAA). We will use and disclose PHI only for those uses and disclosures permitted by HIPAA and under the applicable business associate agreement. We may use or disclose PHI to provide Services to the Patient or the Provider. We may also use PHI for our proper management and administration or to carry out our legal responsibilities.
HIPAA Patient Rights
If your information is considered Protected Health Information (PHI), you have the right to:
- Request access to and receive a copy of your PHI (45 CFR §164.524)
- Request amendments to your PHI (45 CFR §164.526)
- Request an accounting of disclosures of your PHI (45 CFR §164.528)
- Request restrictions on certain uses and disclosures (45 CFR §164.522)
- Request to receive communications by alternative means or at alternative locations (45 CFR §164.522(b))
HIPAA Authorization
We will only use or disclose PHI for purposes not described in this Privacy Policy or as permitted by HIPAA (such as treatment, payment, and healthcare operations) if we have a valid HIPAA-compliant authorization signed by you or your legal representative. You may revoke this authorization at any time in writing, except to the extent that we have already relied on it.
Retention of PHI
We retain PHI for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, in accordance with 45 CFR §164.530(j)(2). We may retain de-identified or aggregated data beyond this period for research and analytical purposes.
Clarification on De-identified Data
We use the term “De-identified Data” to refer to data that has been de-identified in accordance with HIPAA’s de-identification standards under 45 CFR §164.514(b). Such data is not considered Personal Information as it does not reasonably identify any individual.
No General Marketing to Patients
For Patient users, to help the surgeon, doctor or other healthcare professionals involved in your care to better track your progress pre- or post- treatment, we may contact you via email, over the phone or through the App, requesting you to fill out a survey or answer questions about your treatment and recovery progress. We may still contact you, even if you uninstall the App. Please note, we will only contact you with information related to your treatment and use of the Site and App, including to share articles, referrals or other content related to your treatment which we think would be of particular interest to you. We will not, without your express opt-in permission in compliance with applicable Data Protection Legislation, use it to send you general marketing emails from our Company and/or on behalf of third-parties.
Information sharing
If you are a Patient, we may share your Personal Information, including information that you submit to the App, with:
- your nominated surgeon, doctor or healthcare professional responsible for your care and other non-clinical healthcare personnel involved in the administration of your care, for the purposes explained above so they can understand and evaluate your condition and recovery progress. In accordance with the terms of our contractual arrangements with surgeons, doctors and healthcare professionals, your surgeon, doctor or healthcare professional will be legally required only to share this information to the extent necessary to provide your treatment to you;
- our Partners, to enable them to improve existing technologies and treatments and develop new and advanced technologies and treatments to provide patients with more effective and safer care;
- registry providers, for tracking post-treatment progress for surgical implants or medical devices in cases where individual users have separately consented to this;
- if required or authorized by law or a legal process, such as to law enforcement bodies to assist in their functions and courts of law; and
- third-parties in connection with negotiations prior to any merger, sale of our assets, financing or acquisition of part or all of our business to another company (at this stage, we would only share Anonymous Data and not your Personal Information).
In the event that we undergo re-organization or are sold to a third-party, you agree that any Personal Information we hold about you may be transferred to that re-organized entity or third-party.
We may disclose your Personal Information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Services or the rights, property or personal safety of any person.
We may disclose aggregate statistics about visitors to the Site and users of the App and Dashboard in order to describe our services to prospective partners, sponsors and other reputable third-parties and for other lawful purposes, but these statistics will include no personally identifiable information.
Summary of When We Share Health Data
We may share health data with the recipients below, and only for the purposes described:
Your healthcare professionals and healthcare organisations:
To provide direct care, treatment, monitoring, and care coordination. This may include identifiable health information.
Legal basis: HIPAA treatment purposes; applicable Business Associate Agreements (BAAs).
Healthcare provider administrators:
To support care management, quality improvement, utilization review, and clinical governance activities. This may include identifiable health information.
Legal basis: HIPAA healthcare operations; applicable Business Associate Agreements (BAAs).
Research partners (where permitted):
For clinical research, outcome evaluation, and safety monitoring. Data is typically de-identified. Identifiable data is shared only with your explicit authorization or where permitted under HIPAA and applicable agreements.
Legal basis: HIPAA authorization; IRB/Privacy Board approval as applicable; 45 C.F.R. § 164.512(i).
Registry providers (if authorized):
To support device, implant, or treatment outcome tracking, including post-market surveillance and public health reporting. This may include identifiable health information.
Legal basis: HIPAA authorization; public health and regulatory exceptions where applicable.
Infrastructure and service providers:
To provide essential services such as data hosting, secure communications, analytics, and customer support. We limit the use and disclosure of health information to the minimum necessary.
Legal basis: HIPAA Business Associate Agreements.
Legal or regulatory authorities:
Where required to comply with applicable laws, regulations, court orders, audits, or lawful investigations. This may include identifiable health information.
Legal basis: HIPAA disclosures required by law.
No Sale of Personal Information or PHI
We do not sell your Personal Information or Protected Health Information (PHI). We also do not “share” Personal Information for cross-context behavioral advertising as defined under the California Privacy Rights Act (CPRA). We do not allow any partner, processor, or analytics provider to sell or repurpose your information for their own use.
SMS communications
We use SMS messaging to send important service-related communications from the myrecovery platform, such as appointment or treatment reminders and two-factor authentication (2FA) messages. These messages are delivered through trusted third-party providers, such as Twilio, who act as data processors on our behalf.
These providers receive only the minimum amount of personal data necessary to deliver the message (such as your phone number and message content). This information is securely transmitted and is not accessed, retained, or used by these providers for any other purpose.
We do not sell, rent, trade, or otherwise share your mobile opt-in data with third parties for marketing purposes. SMS opt-in data and related personal information are used solely to deliver requested services and messages and are never used for advertising.
All SMS communications are handled in accordance with applicable privacy and data protection laws, including the Telephone Consumer Protection Act (TCPA). Our providers apply strong safeguards such as encryption in transit and at rest to protect your information. For more details about their privacy practices, please refer to their respective privacy and security documentation.
Security
We place great importance on the security of all Personal Information associated with our users. We implement administrative, technical, and physical safeguards consistent with HIPAA and industry standards. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorized personnel have access to Personal Information. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.
You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via the Site, App or Dashboard whilst it is in transit over the internet and any such submission is at your own risk.
You are responsible for keeping your password confidential to prevent unauthorized access to your Personal Information and we ask that you not share your password with anyone.
Additional Security Measures
In addition to the safeguards described above, we implement:
- Strict data-minimization practices, accessing only the information necessary for the specific purpose.
- Encryption of Personal Information and PHI in transit (TLS 1.2/1.3) and at rest.
- Role-based access controls ensuring only authorized personnel may access PHI.
- Audit logs and continuous monitoring of PHI access.
- Regular penetration testing and vulnerability scanning by accredited security firms.
- Segregated production, development, and analytics environments with technical safeguards preventing PHI exposure.
- Contractual and technical controls ensuring that third-party processors may not use PHI for any purpose other than delivering the contracted service.
- A documented incident-response and breach-notification procedure compliant with HIPAA and HITECH.
Data Storage, Security and Transfers
We are committed to protecting the security of your data by endeavoring to ensure appropriate technologies and processes are maintained to avoid unauthorized access or disclosure. We store all your Personal Information on secure servers.
Where you have chosen a password that enables you to access certain parts of our App or Dashboard, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
Your Personal Information which we collect is generally transferred to and stored on secure third-party servers located in the United States. Such storage is necessary in order to process the information. Any transfers made will be in full compliance with the Data Protection Legislation.
We encrypt your data at transmission to and from the App and Dashboard and at rest. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access. We ensure that processing, analysis and research environments in relation to de-identified data and Personal Information are separated and that access to this data is restricted. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.
Retention
We retain Personal Information for as long as necessary to provide our Services and fulfill our contract with you, to fulfill the purposes we have collected it for, or for other essential purposes such as complying with our legal obligations, and enforcing our agreements. Because these needs can vary for different data types in the context of different products, actual retention periods can vary.
We may also retain aggregate information without limit beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes. Where retention requirements for PHI conflict with general Personal Information retention rules, HIPAA retention obligations govern.
Your rights
The information we provide in this section is a brief summary of certain of your rights under Data Protection Legislation and you should still read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Accessing, Changing, and Deleting Your Information: You may request access, changes, or deletions to your Personal Information and request information about our collection, use and disclosure of such information by contacting us at help@myrecovery.com. We use best efforts to keep our records as accurate and complete as possible. You can help us maintain the accuracy of your information by notifying us of any changes to your Personal Information as soon as possible. Your rights to access, change, or delete your Personal Information are not absolute. We may deny you such rights under certain situations permitted by applicable Data Protection Legislation such as when required by law or if the request would likely reveal Personal Information about a third party.
Deletion Requests (Including Partial Deletions): You may request deletion of some or all of your Personal Information by contacting help@myrecovery.com. You may, for example, ask us to delete a specific item or entry (such as a survey response submitted in error) without deleting your entire account.
To help us process your request, please describe what information you want deleted (or corrected) and, if known, the approximate date and context (e.g., “progress survey”, “weekly check-in”). We may ask for additional information to verify your identity and to locate the specific information you want deleted.
We will delete the requested information to the extent permitted by law and our obligations, and except where we are legally required or permitted to retain information, including:
- PHI retained under HIPAA and applicable recordkeeping requirements
- Medical record retention laws in the state where you reside
- Contractual obligations under a Business Associate Agreement (“BAA”)
- Legal, regulatory, or audit-related retention requirements
- Security, fraud-prevention, and system integrity needs (e.g., maintaining logs necessary to protect our services)
If we hold PHI on behalf of a Covered Entity, we will notify the Covered Entity. The Covered Entity will determine whether and how the request is fulfilled in accordance with HIPAA and the applicable BAA. In some cases, HIPAA may require that information be amended rather than deleted; where deletion isn’t permitted, we may instead correct it, append an amendment, or restrict certain uses as directed by the Covered Entity and applicable law.
Upon deletion (where permitted):
- If you request it, your account will be deactivated.
- If you request partial deletion, we will delete only the specific items you identified, and your account may remain active. Certain residual copies may remain for a limited period in backups or security logs, but we will protect them and delete/overwrite them in accordance with our retention schedules, unless legal obligations require longer retention.
- Any de-identified data used for research or service improvement will exist only in de-identified or aggregated form. Since it has been de-identified, it cannot be identified as belonging to you, and cannot be deleted.
Cookies & other technologies
When you interact with the Services, we try to make that experience simple and meaningful. When you visit the Site or access or use the App or Dashboard, a web server sends a cookie or other similar technology to your computer or mobile device (as the case may be). Cookies are small pieces of information which are issued to your computer or mobile device (as the case may be) when you visit a website or access or use a mobile App and which store and sometimes track information. A number of cookies we use last only for the duration of your web or App session and expire when you close your browser or exit the App. Other cookies are used to remember you when you return to the Site, App or Dashboard and will last for longer.
The cookies and/or other similar technologies we use collect information, such as the type of internet browser or mobile device you use, any website from which you have come to the Site, App or Dashboard, your IP address and/or the operating system of your computer or mobile device.
We use cookies to remember that you have visited us before. This means we can identify the number of unique visitors we receive. This allows us to:
- make sure we have enough capacity for the number of users that we get;
- customize elements of the promotional layout and/or content of the pages of the Services; and
- collect anonymous statistical information about how you use the Services (including how long you spend on the Services and which devices you use to access them) and where you have come to the Services from, so that we can improve the Site and learn which parts of the Services are most popular with users.
Some of the cookies used by the Services are set by us, and some are set by third-parties who are delivering services on our behalf. These third-parties each have their own cookie policies. As we make changes to our App and Services, the list of third-parties is subject to change. An up-to-date list of third-parties can be provided on request.
Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting the 'All About Cookies' website which includes additional useful information on cookies and how to block cookies using different types of browser or mobile device.
Please note, however, that by blocking or deleting cookies used on the Services, you may not be able to take full advantage of the Services.
Our Site currently does not respond to “Do Not Track” (DNT) signals and operates as described in this Privacy Policy whether or not a DNT signal is received. If we do respond to DNT signals in the future, we will update this Privacy Policy to describe how we do so.
We do not use third-party tracking pixels (such as Meta Pixel or similar tools) on pages where PHI is created, viewed, or transmitted, or in any emails.
External links
The Services may, from time to time, contain links to external sites. We have not reviewed the content of and are not responsible for the privacy policies or the content of such sites.
Changes to this Privacy Policy and Further Information
We may revise this Privacy Policy from time to time and in doing so we may change what kind of information we collect, how we store it, who we share it with and how we use it. The most current version of the policy will govern our use of your information and will always be at https://www.myrecovery.com - please regularly refer to this website for the latest version of our privacy policy. If we make a change to this policy that we believe, in our sole discretion, is material, we will notify you via an App or Dashboard notification or email to the email address associated with your account. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised Privacy Policy.
Please submit any questions, concerns or comments you have about this Privacy Policy or any requests concerning your Personal Information by emailing help@myrecovery.com, or writing to us at: HOPCo Digital Data Protection Officer, 18444 N. 25th Ave., Ste. 320, Phoenix, AZ 85023.