Mobile Apps Privacy Policy

Privacy Policy for CoreyHealth™, CoreyPatient™, CoreyGAMMA™, CoreyOCH™ and CoreyAir™

The privacy policy below applies to Core Mobile's mobile and smartwatch applications, including CoreyHealth™, CoreyPatient™, CoreyGAMMA™, CoreyOCH™ and CoreyAir™. Core Mobile executes a Business Associate Agreement (BAA) with each of the healthcare providers that use our products and services. The BAA clauses supersede the clauses in this policy as applicable to specific health care providers including Veterans Affairs of the United States Federal Government.  

Core Mobile operates as a technology service provider to healthcare organizations and does not independently act as the primary data controller for patient data. 

Purpose

The following privacy policy is adopted to ensure that Core Mobile, Inc. (the Company) complies fully with all federal and state privacy protection laws and regulations. Protection of patient privacy is of paramount importance to this organization. Violations of any of these provisions will result in severe disciplinary action including termination of employment and possible referral for criminal prosecution.  

Enterprise Access and Account Provisioning

Core Mobile applications are not intended for public consumer account creation. 

Access to the applications is provisioned and managed by authorized healthcare organizations (such as hospitals and government agencies including the U.S. Department of Veterans Affairs). Users authenticate using enterprise identity systems such as Single Sign-On (SSO), Personal Identity Verification (PIV), or other secure credentialing mechanisms. 

Core Mobile does not independently create or manage end-user accounts outside of these enterprise systems. 

Effective Date

This policy has been in effect since May 11, 2023 and was updated in 2026.

It is the policy of the Company to adopt, maintain and comply with our privacy practices for customer and end-user data, which shall be consistent with HIPAA, FISMA, GDPR and applicable California, U.S., UK and European Union laws. 

Notice of Privacy Practices

It is the policy of the Company that a notice of our privacy policy be published on our website, and that all uses and disclosures of protected health information be done in accordance with the Company’s privacy policy and practices for the website and for mobile and smartwatch applications.  

Assigning Privacy and Security Responsibilities

It is the policy of the Company that specific individuals within our workforce are assigned the responsibility of implementing and maintaining this HIPAA Privacy Policy. Furthermore, it is the policy of the Company that these individuals will be provided sufficient resources and authority to fulfill their responsibilities. 

Deceased Individuals

It is the policy of the Company that privacy protections extend to information concerning deceased individuals. 

User Activity and Health Data (Mobile Apps)

On Android devices, CoreyPatient™, CoreyGAMMA™, CoreyOCH™, and CoreyHealth™ (as applicable) may read certain health and fitness data only through Android Health Connect, and only after the user explicitly grants permission in the Health Connect system settings or in-app permission flow. The app does not access this data without the user's consent.

On iOS devices, where supported, the app may read similar data through Apple HealthKit, only after the user explicitly grants permission.

Data may include step count, heart rate, height, and weight, depending on which permissions the user chooses to allow. The app requests only the data types needed for the features described below.

This information is used to:

  • Display daily activity, fitness summaries, and trends within the patient Health & Fitness / Wearable Data features of the app;

  • Optionally prefill weight, height, and heart rate on Self Check-in or similar patient forms when the user opens those features;

  • Optionally transmit summaries to the user's healthcare provider's systems only when the user enables upload or sync features and in accordance with the user's relationship with that provider.

Health and fitness data accessed through Health Connect or HealthKit is not used for advertising, is not sold to third parties, and is not used for credit, lending, or marketing profiling. Users may revoke access at any time through Health Connect (Android) or the Health app (iOS), or through device settings. Where Health Connect or HealthKit data is unavailable or permission is denied, the user may still enter information manually where the app supports manual entry.

All such data transmitted to provider systems is protected using encryption and handled in accordance with this policy, our Business Associate Agreements, and applicable HIPAA, FISMA, and other requirements described elsewhere in this policy.

Minimum Necessary Use and Disclosure of Protected Health Information

It is the policy of the Company that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made (1) to or as authorized by the customer, client or end-user, or (2) as required by law for HIPAA compliance), such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. It is also the policy of the Company that non-routine uses and disclosures will be handled pursuant to established criteria. It is also the policy of the Company that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request. 

Collection, Use and Storage Limitation

The following categories of data will be collected by the App but are not saved on the device; instead they are transmitted in encrypted form to servers inside the care provider’s secure network: 

User data

Data Retention and Deletion

Core Mobile retains user and patient data only for as long as necessary to provide services to healthcare providers and to comply with applicable legal, regulatory, and contractual obligations, including HIPAA and FISMA requirements. 

As a technology provider operating under Business Associate Agreements (BAAs), Core Mobile processes data on behalf of healthcare organizations (such as hospitals and the U.S. Department of Veterans Affairs), which are the primary data controllers. 

Data Retention:

  • Clinical and operational data may be retained in accordance with healthcare provider policies and legal requirements (e.g., HIPAA retention requirements, typically six (6) years or longer as required).  

  • Certain anonymized or aggregated data may be retained for analytics, system improvement, and compliance purposes.  

User Data Deletion Requests:

Users have the right to request deletion of their personal data. 

Users may request deletion: 

  • Through their healthcare provider (e.g., hospital or VA facility), OR  

Processing of Deletion Requests:

  • Upon receiving a valid request, Core Mobile will coordinate with the relevant healthcare provider to process the request.  

  • Data will be deleted or anonymized within 7–30 days, unless retention is required by law or healthcare regulations.  

Limitations:

  • Certain data may be retained if required for legal compliance, patient safety, audit, or regulatory obligations.  

  • Once deleted or anonymized, the data cannot be recovered.

Permissions Requested by CoreyPatient™, CoreyGAMMA™, CoreyOCH™ and CoreyHealth™ Apps

The following permissions are explicitly requested from end-users and, once granted, are used only for the specific purposes listed.   

  • Location: Location permission is used in the background and foreground to deliver location-based auto check-in push notifications for contactless check-in, and by the RTLS service to track a patient within the hospital premises. 

  • Nearby devices: Nearby devices permission is used by the background and foreground RTLS service. 

  • Notifications: Notifications permission is used to receive ePRO and reminder notifications on the device. 

  • Photos and Videos: Photos and Videos permission is used to share photos and videos with the provider to support better care. 

  • Health Connect (Android 14 and later, where available): The app may request read access to step count, heart rate, height, and weight through Android Health Connect. These permissions are used only to display health and fitness information in the app, to support optional Self Check-in vitals prefill, and to support optional secure upload or sync to the user's healthcare provider when the user chooses to use those features. Access is controlled by the user in Health Connect and can be revoked at any time.

  • Physical activity (legacy / platform summary): Physical activity and related health data are used to support fitness tracking and wellness features for the user's care program, as authorized by the user and their healthcare organization.

Data Types and In-App Use

The app does not require Health Connect access to use non-fitness features such as messaging, appointments, or check-in when manual entry is available.

Health Connect Data on the Device

Health Connect data is read from the user's device through Google's Health Connect platform. CoreyPatient and related apps do not use Health Connect data for advertising or sale to data brokers. When the user enables upload or sync, only data relevant to the user's healthcare or wellness program may be transmitted to servers operated or designated by the user's healthcare provider, as described in this policy and the user's provider agreements.

When the user revokes Health Connect permissions or uninstalls the app, the app stops reading new data from Health Connect. Deletion of data already stored on provider systems is handled according to the Data Retention and Deletion section of this policy and the user's healthcare organization's procedures.

  • Bluetooth: Bluetooth permissions are used to scan for nearby Bluetooth devices for the RTLS service. 

  • Biometric: Biometric permission is used for login with fingerprint. 

  • Internet: Internet permission is mandatory in order to log in to the Application. 

  • Access Network state: This permission is used to determine whether the internet connection is connected or disconnected. 

  • Access Wi-Fi state: This permission is used to determine whether Wi-Fi is connected or disconnected. 

  • Calendar: Calendar permission is used for date and time formats in the Application. 

  • Permissions used for Video Consultation:

    • Camera 

    • Microphone 

    • Music and Audio 

    • Photos and Videos 

    • Phone 

Information Security

We work hard to keep your data safe. We use a combination of technical, administrative, and physical controls to maintain the security of your data. This includes using Transport Layer Security (“TLS”) to encrypt many of our Services. No method of transmitting or storing data can be guaranteed to be completely secure. However, we continue to enhance our security processes and methods as new security standards become available and are implemented by the United States Federal Government.  

Marketing Activities

It is the policy of the Company that any uses or disclosures of protected health information for marketing activities will be done only after a clearly documented and valid authorization is in effect and maintained by us. 

Prohibited Activities

No Retaliation or Intimidation:

It is the policy of the Company that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. It is also the policy of the Company that no employee or contractor may condition payment on the provision of an authorization to disclose protected health information except as expressly authorized under federal and state regulations. 

Responsibility

It is the policy of the Company that the responsibility for designing and implementing procedures to implement this policy lies with the Privacy Official. 

Verification of Identity

It is the policy of the Company that the identity of all persons who request access to protected health information be verified before such access is granted. 

Mitigation

It is the policy of the Company that the effects of any unauthorized use or disclosure of protected health information be mitigated to the extent possible. 

Safeguards

It is the policy of the Company that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. 

Material Change

It is the policy of the Company that the term “material change” for the purposes of these policies is any change in our HIPAA compliance activities. 

Sanctions

It is the policy of the Company that sanctions will be in effect for any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Such sanctions will be recorded in the individual’s personnel file. 

Retention of Records

Core Mobile retains records in accordance with HIPAA Privacy Rule requirements, which generally require retention for a minimum of six (6) years, unless a longer retention period is required by applicable law, regulation, or healthcare provider policy. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at this Company’s discretion to meet other governmental regulations or requirements imposed by our professional liability carrier. 

Regulatory Currency

It is the policy of the Company to remain current in our compliance program with HIPAA regulations which are further mandated for us by our customers at Veterans Affairs and the United States Federal Government. 

Cooperation with Privacy Oversight Authorities

It is the policy of the Company that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this Company. It is also the policy of the Company that all personnel must cooperate fully with all privacy compliance reviews and investigations. 

Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page. 

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Effective Date" at the top of this Privacy Policy. 

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. 

Contact Us

If you have any questions about this Privacy Policy or would like to request access, correction, or deletion of your data, you can contact us: 

• By email: privacy@coremobileinc.com

• By visiting: https://www.coremobileinc.com/