BoneArc

Provider Privacy Policy

Version 1.1  ·  Effective Date: May 26, 2026

BoneArc, Inc. ("BoneArc," "we," "us," or "our") operates the BoneArc provider web portal (the "Portal"). This Provider Privacy Policy describes how we collect, use, and protect information about healthcare providers, practices, and their administrative staff (collectively, "Providers") who access and use the Portal.

This Policy applies to information about Providers as business entities and individuals using the Portal. It is separate from our obligations regarding patient Protected Health Information (PHI), which are governed by the Business Associate Agreement (the "BAA") executed between BoneArc and each Provider.

1. What Provider Data We Collect

We collect the following categories of information from and about Providers:

(a) Account and Identity Information: Provider's legal business name, practice name, principal business address, National Provider Identifier (NPI), Tax Identification Number (TIN/EIN), state licensure information, specialty, and the name, email address, job title, and contact information of each Authorized User.

(b) Billing and Payment Information: Credit card or ACH payment information processed through our payment processor (Stripe, Inc.). BoneArc does not store full payment card numbers; payment processing is handled by Stripe in accordance with PCI-DSS standards.

(c) Portal Usage Data: Log data, session information, feature usage patterns, browser type, IP addresses, and other technical data collected when Authorized Users access the Portal. This data is used to maintain Portal security, troubleshoot issues, and improve Platform functionality.

(d) Communications: Emails, support tickets, feedback, and other communications sent to BoneArc by Provider or its staff.

(e) Enrollment and Operational Data: Data related to the Provider's patient enrollment programs, monitoring configurations, and Portal settings. Note that patient health data is governed separately by the BAA.

2. How We Use Provider Data

We use Provider data for the following purposes:

(a) Account Management: To create, maintain, and secure Provider accounts; to authenticate Authorized Users; and to facilitate access to the Portal.

(b) Service Delivery: To provide the Platform services described in the Master SaaS Agreement, including enabling Providers to access patient monitoring data and program management tools.

(c) Billing and Invoicing: To process subscription payments, generate invoices, and manage Provider accounts receivable.

(d) Customer Support: To respond to Provider inquiries, troubleshoot technical issues, and provide training and onboarding assistance.

(e) Platform Improvement: To analyze aggregated and de-identified usage patterns to improve the Portal's performance, usability, and feature set.

(f) Legal and Compliance: To comply with applicable laws, respond to legal process, enforce our agreements, and protect BoneArc's rights.

(g) Communications: To send Providers important notices regarding their accounts, including subscription renewals, policy updates, security alerts, and product announcements.

3. What We Do Not Share

BoneArc does not sell Provider data to third parties. BoneArc does not share Provider business information, NPI, TIN, or practice details with advertisers, data brokers, or any third party for marketing purposes. We do not use Provider data to train general artificial intelligence models that are accessible to third parties outside of BoneArc.

4. Service Providers and Sub-Processors

We share Provider data with trusted service providers who assist us in operating the Platform, subject to appropriate data protection agreements. Key service providers include:

(a) Google LLC (Google Cloud Platform / Firebase): Cloud infrastructure, data storage, and authentication services.

(b) Stripe, Inc.: Payment processing services.

(c) Email and communication service providers: For transactional and account-related email communications.

These service providers are contractually prohibited from using Provider data for any purpose other than providing services to BoneArc.

5. Data Retention

We retain Provider account and business information for the duration of the Provider's subscription and for seven (7) years following termination of the Provider's subscription, or such longer period as may be required by applicable law. Billing records are retained for a minimum of seven (7) years for tax and accounting purposes.

6. Provider Rights

Authorized representatives of Provider organizations may request the following regarding Provider business data (not patient data, which is governed by the BAA):

(a) Access: A copy of the business and account information BoneArc holds about the Provider organization.

(b) Correction: Correction of inaccurate account or business information.

(c) Deletion: Deletion of account information following termination of the Provider's subscription, subject to our legal retention obligations.

To make a request, contact us at service@bonearc.com. We will respond within thirty (30) days.

7. Security

BoneArc maintains administrative, physical, and technical safeguards designed to protect Provider data against unauthorized access, disclosure, and destruction. These include encryption of data at rest and in transit, access controls, and regular security assessments. However, no system is completely secure, and BoneArc cannot guarantee absolute security.

8. Changes to This Policy

We may update this Provider Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via email or Portal notification at least thirty (30) days before the changes take effect. Continued use of the Portal after the effective date constitutes acceptance of the updated Policy.

9. Contact Information

For questions or requests regarding this Provider Privacy Policy, contact:

BoneArc, Inc.  ·  Attn: Privacy Officer
131 Continental Dr, Suite 305, Newark, DE 19713
Email: service@bonearc.com