Privacy Policy

SureMediks is a connected chronic care platform. To support your care we handle
health information, including information that may be protected health information
under HIPAA. This policy explains what we collect, why we collect it, who we
share it with, and the choices and rights you have.

We do not sell, rent, or trade your personal information, and we do not use your
health data for advertising.

SureMediks Privacy Policy

Effective date: July 12, 2026  |  Last modified: July 12, 2026
Published by Rasimo Systems, LLC ("Rasimo," "we," "us," "our"), developer and operator of the SureMediks platform and related services.

1. Scope of this Policy

This Privacy Policy explains how we collect, use, disclose, and protect information when you visit suremediks.com or surefiz.com, use the SureMediks or SureFiz mobile applications, use the ProView provider portal, or use SureMediks-connected devices such as the SureFiz smart scale, the SureMediks smart ring, and other paired health devices (together, the "Services").

This Policy does not apply to the independent privacy practices of your healthcare provider, health plan, employer, pharmacy, or any third-party website or application that we do not control. Your provider's own Notice of Privacy Practices governs how that provider uses your health information.

2. Our Role Under HIPAA

Our role depends on how you reach us:

  • When you are enrolled by a healthcare provider or health plan (for example, in a remote patient monitoring, chronic care management, behavioral health integration, principal care management, or GLP‑1 program), that organization is the HIPAA Covered Entity and we act as its Business Associate. We handle your protected health information ("PHI") only as permitted by our Business Associate Agreement with that organization and by HIPAA. In that relationship, your provider — not Rasimo — controls decisions about your PHI, and requests to access, amend, or restrict your medical record should be directed to your provider.
  • When you use our Services directly as a consumer, without going through a provider, the information you give us is generally not PHI under HIPAA. We nonetheless protect it using the safeguards described in this Policy, and we generally apply the same privacy commitments: no sale of your data, and no use of your health data for advertising.

3. Information We Collect

3.1 Information you provide

  • Account and profile information: name, email address, phone number, password (stored only as a salted hash), date of birth, sex, height, and time zone.
  • Health and program information: weight and body-composition goals, conditions, medications (including GLP‑1 and other therapies), allergies, symptoms, wellness check-in and questionnaire responses, and notes you enter.
  • Insurance and eligibility information (where a billable care-management program applies): payer, member identifier, plan details, and consent records for the program in which you are enrolled.
  • Communications: messages you exchange with your care team, support requests, and content of telehealth video visits only to the extent your provider records them under its own policies and consent process.
  • Optional content: profile photo, and anything you choose to post in a public area of our site. Information you post publicly is not private, and this Policy does not protect it.

3.2 Information from connected devices

When you pair a SureMediks or SureFiz device, or a compatible third-party device, we collect the measurements that device produces. Depending on the device this may include:

  • Weight, body fat, muscle mass, body water, bone mass, BMI, visceral fat, and related body-composition metrics;
  • Heart rate, heart-rate variability, blood oxygen saturation (SpO2), stress index, skin/body temperature, sleep stages and duration, steps and activity;
  • Blood pressure, blood glucose, and blood ketone readings;
  • Device technical data needed to make the connection work — device model, firmware version, hardware identifier / Bluetooth address, battery level, sync timestamps, and pairing and connection logs.

Bluetooth is used solely to communicate with your paired device. We do not use Bluetooth or location permissions to track your physical location for advertising or profiling.

3.3 Information from third parties, with your authorization

  • Health records and laboratory results: if you choose to connect a health system or laboratory account, we retrieve records you authorize through standard SMART on FHIR interfaces. We request only the data classes needed for your care program, and we do not receive your health-system login credentials.
  • Apple Health and Google Health Connect / Google Fit: if you turn this on, we read only the categories you approve and write back only data generated by SureMediks. Details and restrictions are in Section 6.
  • Your care team: clinicians, care managers, and staff at your provider organization may add clinical information, care plans, and billing-related documentation to your record.

3.4 Information collected automatically

  • App and platform usage: features used, screens viewed, app version, operating system, device model, crash and diagnostic logs, and error reports.
  • Server logs: IP address, browser type, referring page, and timestamps, retained for security, abuse prevention, and audit purposes.
  • Cookies and website analytics: our public marketing pages use a self-hosted, privacy-focused analytics system operated on our own infrastructure. Analytics data is not shared with third-party advertising networks. We do not run third-party ad trackers, and we do not deploy analytics on authenticated patient or provider pages where health information is displayed. Essential cookies used for login sessions and security cannot be disabled without breaking the Services.

3.5 Children

The Services are intended for adults. We do not knowingly collect personal information from children under 13, and the consumer Services are not directed to individuals under 18. If a minor is enrolled in a care program, that enrollment is made by the provider and a parent or legal guardian in accordance with applicable law. If you believe a child has provided us information without authorization, contact us and we will delete it.

4. How We Use Information

  • To deliver the Services: create and secure your account, sync your devices, display your trends, and enable messaging and telehealth with your care team.
  • To support treatment and care management, including remote patient monitoring, chronic care management, behavioral health integration, principal care management, and medication-adherence and GLP‑1 programs, at the direction of your provider.
  • To generate alerts, reminders, adherence prompts, coaching, and educational content relevant to your goals.
  • To support your provider's documentation and claims submission for the care-management services delivered to you, where applicable.
  • To maintain security, detect fraud and abuse, keep audit logs, and troubleshoot problems.
  • To improve the Services, using aggregated or de-identified information (see Section 7).
  • To meet legal, regulatory, accreditation, and recordkeeping obligations.

We do not sell, rent, license, or trade your personal information. We do not use your health information for advertising or marketing to you on behalf of third parties, and we do not permit third parties to use it for their own purposes.

5. How We Share Information

We share information only in these circumstances:

WhoWhy
Your healthcare provider and care teamTo deliver and coordinate your care and, where applicable, to document and bill the care-management services provided to you.
Service providers (subprocessors)Cloud hosting, database, communications, and telehealth infrastructure that we use to run the Services. They act only on our instructions, are contractually restricted from using your information for their own purposes, and, where PHI is involved, are bound by a Business Associate Agreement.
People you designateFamily members, caregivers, or others you explicitly authorize.
Legal and safetyWhen required by law, subpoena, or lawful government request, or where necessary to protect the rights, safety, or property of you, us, or others, or to prevent or address a serious threat to health or safety.
Business transferIn connection with a merger, acquisition, financing, or sale of assets, subject to the protections of this Policy and applicable law. We will notify you of any change in control of your information.

6. Apple Health and Google Health Connect

If you grant access to Apple Health (HealthKit) or Google Health Connect:

  • We use that data only to provide you health and fitness features within the Services, and to support your care.
  • We do not use it for advertising, marketing, or any other use-based data mining.
  • We do not sell, rent, or disclose it to data brokers, information resellers, advertising platforms, or any third party for their own purposes.
  • We do not share it with third parties for research without your explicit, separate consent.
  • You can revoke access at any time in your device's Health or Health Connect settings. Doing so stops future syncing; it does not delete data already stored in your SureMediks account, which you can delete separately (see Section 9).

7. De-identified and Aggregated Information

We may de-identify or aggregate information derived from your data. Only after de-identification consistent with HIPAA or other applicable law may that information be used for product improvement, validation, research, and publications. We do not attempt to re-identify such information or permit others to do so. De-identified and aggregated information does not identify you and is not personal information.

8. Data Retention

We keep your information for as long as your account is active and for as long as needed to provide the Services. Where we hold PHI as a Business Associate, retention is governed by our agreement with your provider and by applicable medical-record retention laws, which may require records to be kept for a number of years after the last date of service. Backups, audit logs, and records we must retain for legal, tax, security, or regulatory reasons persist for their defined retention periods and are then deleted or de-identified.

9. Your Choices and Rights

9.1 Account deletion

You can request deletion of your SureMediks or SureFiz account at any time from within the app (Profile → Delete Account) or by emailing us at the address in Section 13. On deletion we remove your profile and the health data associated with your consumer account, except information we are legally required to retain and information that is part of a medical record held on behalf of your provider — that record is controlled by the provider and must be requested from them.

9.2 Access and correction

You can view and edit your profile and measurements in the app. If you are enrolled through a provider and want to access, amend, or restrict the medical record they hold, contact that provider directly; HIPAA gives you those rights against the Covered Entity, and we will support your provider in fulfilling them.

9.3 Permissions and communications

You can turn off Bluetooth, notifications, camera, photo, and health-data permissions in your device settings, and you can unsubscribe from non-essential email at any time. Some features will not function without the permissions they depend on. We may still send you transactional and safety-related messages about your account and your care.

9.4 State privacy rights

Depending on your state of residence (including California, Colorado, Connecticut, Virginia, Texas, and others), you may have rights to know what personal information we hold, to obtain a copy, to correct it, to delete it, and to appeal a denial — and a right not to be discriminated against for exercising them. Note that information governed by HIPAA and information used in clinical research is generally exempt from these state laws; where an exemption applies we will tell you and direct you to the correct route. We do not sell personal information or share it for cross-context behavioral advertising, so there is nothing to opt out of on that front. To make a request, contact us using Section 13; we will verify your identity before acting.

9.5 If you are outside the United States

The Services are operated from the United States and your information is stored and processed there. Privacy laws in the United States may differ from those in your country. By using the Services you understand that your information will be transferred to and processed in the United States.

10. Security

We maintain safeguards designed to align with the administrative, physical, and technical safeguard requirements of the HIPAA Security Rule, where applicable. These include encryption of data in transit (TLS) and at rest, salted password hashing, role-based access controls and least-privilege access, audit logging of access to health records, network segmentation and firewalling, monitoring, and periodic review of our controls.

No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. Protect your own account by using a strong, unique password and keeping your device locked. If we discover a breach of unsecured protected health information or personal information, we will notify affected individuals, our provider customers, and regulators as required by HIPAA and applicable state law.

11. Third-Party Sites and Public Areas

Our Services may link to sites we do not operate. We are not responsible for their content or privacy practices, and we encourage you to read their policies. Likewise, information you choose to disclose in a public forum, blog comment, or public profile area is visible to others and is not protected by this Policy.

12. Changes to this Policy

We may update this Policy from time to time. We will revise the "Last modified" date above and, if the changes are material, provide additional notice through the Services or by email before they take effect. By continuing to use the Services after the effective date, you acknowledge the updated Policy to the extent permitted by applicable law.

13. Contact Us

Questions, privacy requests, or complaints:

Rasimo Systems, LLC
Attn: Privacy Officer
4801 Glenwood Avenue, Suite 200
Raleigh, NC 27612, USA
Email: provider@rasimo.com
Phone: +1 919-457-1947 (Mon–Fri, 9:00 AM – 5:00 PM ET)

If you believe your health information privacy rights have been violated, you may also file a complaint with your healthcare provider or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.

© 2026 Rasimo Systems, LLC. All rights reserved. Rasimo, SureMediks, SureFiz, and Realistic Intelligence® are marks of Rasimo Systems, LLC.