Patient Privacy Policy
OcuTree Inc | Effective June 2026 | Version 1.0
1. Introduction
OcuTree Inc (“OcuTree,” “we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect information you provide through the ocuTree patient eye comfort update platform (“Platform”). This Policy is intended to supplement the HIPAA Notice of Privacy Practices provided to you by your eye care Provider. OcuTree acts as a Business Associate of your Provider under HIPAA.
2. Our Role Under HIPAA
OcuTree operates as a Business Associate under HIPAA. Your Provider is responsible for obtaining your HIPAA authorization before you use the Platform. Your rights regarding your Protected Health Information are governed by your Provider’s HIPAA Notice of Privacy Practices. For questions about how your Provider uses your health information, contact your Provider directly.
3. Information We Collect
3.1 Symptom and Health Information
Self-reported information about your eye comfort, including symptom frequency and severity ratings, environmental triggers, and relevant ocular history such as contact lens, lubrication, and eye surgery history.
3.2 Demographic and Visit Information
Limited demographic information (such as age range rather than exact date of birth, and biological sex) and visit-related details such as visit type and appointment date. You are identified by a system-generated patient token that does not contain your name or other direct identifiers, and by a randomly generated six-character reference code that is not derived from any personal information and is used only to help your Provider recognize you as a returning patient.
3.3 Ocular Images
If you capture ocular images, we collect those images. Images are biometric identifiers under HIPAA and are handled accordingly. Images are captured on your personal device and are not standardized clinical photographs.
3.4 Technical Information
Basic technical information needed to operate the Platform, such as device and operating system details for compatibility, session timestamps and completion status, and a record of when you agreed to our Terms of Service.
4. How We Use Your Information
- To provide Platform services to your eye care Provider on your behalf.
- To organize and display your symptom history in the clinical portal accessible by your Provider.
- To generate the one-page clinician symptom snapshot reviewed by your Provider before your appointment.
- To assess image quality through automated processes to support Platform functionality.
- To maintain the security, integrity, and availability of the Platform.
- To fulfill legal and regulatory obligations under HIPAA and applicable law.
De-identified and aggregated data from which all patient and clinic identifiers have been removed in accordance with 45 CFR Section 164.514 may additionally be used for Platform improvement, AI model development, clinical research, and publication of aggregate findings. Such use will not identify you individually.
5. How We Protect Your Information
- All data is stored within a HIPAA-compliant enterprise cloud environment covered under a current Business Associate Agreement with our infrastructure provider.
- Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
- Access to patient data is restricted to authorized ocuTree personnel and your authorized eye care Provider through role-based access controls.
- Comprehensive audit logs of data access and modification are maintained for a minimum of six years.
- Your name is never stored in ocuTree’s systems. You are identified only by a system-generated patient token.
6. How We Share Your Information
- With your authorized eye care Provider, for whom we collect and organize the information.
- With our enterprise cloud infrastructure provider, under a current HIPAA Business Associate Agreement.
- With Subcontractors who assist in providing the Platform, under written agreements requiring equivalent privacy and security protections.
- As required by law, including in response to valid legal process or to comply with applicable regulations.
We do not sell your personal information. We do not share your information for marketing purposes. We do not share your identifiable information with pharmaceutical companies, medical device manufacturers, or other third parties without your express written consent.
7. Data Retention
We retain your symptom data and ocular images for as long as your eye care Provider maintains an active account with ocuTree, or as required by applicable law, whichever is longer. Upon termination of your Provider’s service agreement with ocuTree, your data will be returned to your Provider or securely destroyed within sixty (60) days of termination.
8. Your Rights
Because OcuTree processes your information as a Business Associate of your Provider, your primary rights regarding your Protected Health Information are exercised through your Provider. To access, correct, or request deletion of your health information, contact your eye care Provider directly. For questions specifically about how OcuTree processes your information, contact us at info@ocutree.com.
9. Children’s Privacy
The Platform is not directed to children under 13. Patients under 18 may only use the Platform with parental or guardian consent. We do not knowingly collect information from children under 13 without verified parental consent. If you believe we have inadvertently collected such information, contact us at info@ocutree.com immediately.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Updated versions will be posted at ocutree.com/privacy with a revised effective date. Material changes will be communicated to your Provider.
11. Contact Us
OcuTree Inc — Privacy inquiries: info@ocutree.com. We will respond to privacy inquiries within thirty (30) business days.
© 2026 OcuTree Inc. All rights reserved.