Legal Documentation

Privacy & Security Policy

Last Updated: April 17, 2026

Introduction

Torna Health, Inc. ("Torna," "we," "us," or "our") operates the website tornahealth.com and provides AI-driven clinical appeal and prior authorization software strictly for healthcare providers. This Privacy Policy explains how we collect, use, disclose, and mathematically safeguard your information when you visit our website or use our secure enterprise services.

1. Protected Health Information (PHI) & HIPAA Compliance

Unlike standard software, Torna Health handles highly sensitive clinical oncology data.

Business Associate Agreement (BAA)

We process patient data strictly under an executed BAA with the healthcare provider.

Permitted Use

We use PHI exclusively to perform the services outlined in our BAA. We do not own your PHI, and we strictly forbid the sale of PHI to data brokers or third parties.

2. Our AI and "Zero Retention" Policy

We utilize specialized Agentic AI to process medical appeals, operating under a strict "Preventative Engineering" philosophy.

No Model Training

Client PHI is never used to train foundational AI models.

Ephemeral Processing

Once an AI Agent processes a clinical document, the context window is immediately flushed to ensure zero data retention by the AI provider.

3. Information We Collect

Outside of secure clinical data, we collect standard business information when you interact with our public website:

  • Personal & Business Information: Name, practice name, NPI numbers, email address, and phone number provided during demo requests.

  • Usage Data: Information about how you access our website (IP address, browser type, pages visited).

  • Cookies and Tracking: We use standard cookies to analyze public site traffic and ensure our marketing site functions properly. (Note: We do not use tracking pixels inside the secure clinical vault).

4. How We Use Your Information

  • To provide, maintain, and secure our clinical software.
  • To communicate with you about service updates, BAAs, and support.
  • To analyze usage trends to optimize our platform.
  • To comply with federal healthcare regulations and protect our legal rights.

5. Data Sharing and Disclosure

We do not sell your personal or business information. We only share information in the following circumstances:

Enterprise Service Providers

With highly vetted, BAA-compliant infrastructure providers (e.g., Google Cloud Platform) who assist in operating our secure vault.

Legal Requirements

When required by law, regulation, or legal process.

Business Transfers

In connection with a merger, acquisition, or sale of assets, subject to strict HIPAA confidentiality transfers.

6. Enterprise Security & Data Residency

We implement military-grade technical measures to protect your data:

Data Residency

All clinical data is locked to U.S.-based servers (US-East). We explicitly forbid global edge-caching of clinical data.

Encryption

Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Disclaimer: While we use FedRAMP-aligned architecture, no method of electronic storage is 100% secure, and we cannot guarantee absolute physical security.

7. Data Retention

We retain your business information only for as long as necessary to fulfill our services, comply with medical record retention laws, and enforce our agreements.

8. Your Rights

Depending on your jurisdiction, you have the right to:

  • Access, correct, or delete your personal business data.

  • Request a record of how your data is processed.

Important Note: Requests regarding specific patient PHI must be handled through the clinic's designated HIPAA Privacy Officer as outlined in the BAA.

9. Contact Us

If you have questions regarding our security architecture, HIPAA compliance, or this Privacy Policy, please contact our Security & Compliance team at: ashwin@tornahealth.com