Pallas

Privacy Policy

Last updated: June 3, 2026

1. Introduction

Welcome to Pallas Health, a service of Brentmoor, Inc. ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our telehealth platform.

2. Data We Collect

We collect the following types of data to provide and improve our service:

  • Account Information: Your name, email address, date of birth, and login credentials collected during registration.
  • Health Information: Medical history, current medications, health conditions, and other information you provide in your health questionnaire and during provider consultations. This constitutes Protected Health Information (PHI) under HIPAA.
  • Shipping Information: Your mailing address for medication delivery.
  • Communication Data: Messages exchanged between you and your healthcare provider through our platform.
  • AI Interaction Data: Content you choose to submit to the app's AI-powered features — chat messages and any photos you attach, meal photos you log, voice recordings you dictate, and the meal, dose, symptom, weight, and mood entries the in-app assistant uses as context to answer you. This data is collected only when you actively use an AI feature.
  • Usage Data: App interactions, feature usage, and device information.
  • Payment Data: Your subscription status and billing period dates. We do not collect or store payment card numbers or bank account details — all payment processing is handled directly by Stripe.

3. How We Use Your Data

We use your data for the following purposes:

  • Facilitating telehealth consultations between you and licensed healthcare providers.
  • Processing and fulfilling prescription orders through our pharmacy partners.
  • Communicating with you about your treatment plan, appointments, and account updates.
  • Processing subscriptions and managing billing.
  • Powering AI-assisted features — generating chat responses, estimating nutrition from meal photos, and transcribing voice notes — by sending the relevant content to our AI service providers (see Section 5).
  • Improving our platform and service quality.
  • Complying with legal and regulatory requirements.

4. HIPAA Compliance

We handle all Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). We maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your health information. We enter into Business Associate Agreements (BAAs) with all third-party service providers who handle PHI on our behalf.

5. Third-Party Service Providers

We share data with the following third-party service providers who process data on our behalf to deliver our service. We do not sell your data to third parties.

  • Clinical Partner Network: A contracted telehealth provider organization and its affiliated state-licensed professional corporations operate the electronic health record (EHR) and clinical workflow used by prescribing clinicians. The contracted clinical partner is the HIPAA Covered Entity for patient medical records; Pallas Health (Brentmoor, Inc.) acts as its HIPAA Business Associate under an executed Business Associate Addendum. The current clinical partner is disclosed on request to support@pallashealth.co.
  • Pharmacy Partners: Licensed US pharmacies (503A compounding pharmacies, 503B outsourcing facilities, and retail or specialty pharmacies for FDA-approved products) that fulfill and ship prescribed medications. Current partners are listed at /clinical.
  • Convex (Convex, Inc.): Application database and serverless backend, on the Convex Professional plan with HIPAA and SOC 2 Type II audit reports and daily backups. Account information, intake responses, and waitlist entries are stored on Convex under an executed Business Associate Agreement.
  • Anthropic (Anthropic, PBC): AI provider that powers the in-app chat assistant and estimates nutrition from the meal photos you log. When you use chat, your messages, any photos you attach, and the meal, dose, symptom, weight, and mood entries the assistant references to answer you are sent to Anthropic's API; when you log a meal by photo, that photo is sent to Anthropic to estimate its nutrition. These requests are sent de-identified — we never include your name, email, phone number, or account identifier, only the content needed to generate a response. Anthropic processes the request to return a response and, under its commercial API terms, does not use the data to train its models. Anthropic's handling of API data is governed by the Anthropic Privacy Policy.
  • OpenAI (OpenAI, L.L.C.): AI provider that transcribes the voice notes you dictate. Only the audio you submit is sent to OpenAI's API for transcription; like our other AI requests, it is sent de-identified, with no name, email, phone number, or account identifier attached. OpenAI processes the request to return the transcript and, under its API data-usage terms, does not use the data to train its models. OpenAI's handling of API data is governed by the OpenAI Privacy Policy.
  • Twilio (Twilio, Inc.): SMS delivery for one-time authentication codes and marketing communications (subject to your opt-in consent and your right to opt out at any time by replying STOP).
  • Resend (Resend, Inc.): Transactional email delivery for account verification, login links, and generic non-PHI notifications. Pallas does not transmit PHI via email; clinical and treatment communications occur in-app through the authenticated patient portal.
  • Vercel (Vercel, Inc.): Web hosting and edge content delivery for the public Pallas website.
  • Stripe: Payment processing. We receive only your subscription status and billing period dates — never your payment card or bank details. Stripe's processing of your payment data is governed by the Stripe Privacy Policy.

A complete record of our data infrastructure and the entities that handle PHI on our behalf is maintained at /clinical.

6. Data Retention

We retain your data for as long as your account is active and as needed to provide the service. Health records are retained in accordance with applicable state and federal medical record retention requirements. You can request deletion of your account and non-medical personal data at any time by contacting us.

7. Data Security

We implement appropriate technical and organizational measures to protect your data, including encrypted data transmission (TLS), secure authentication, access controls, and HIPAA-compliant data storage and handling procedures.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Deletion: Permanently delete your account and its associated data at any time directly in the Pallas app, under Settings → Account → Delete Account. This removes your account and the data you logged (meals, doses, symptoms, weight, mood, chats, goals, and settings) from our application backend. You may also request deletion by contacting us. Records that we are legally required to retain (such as medical records subject to state and federal retention requirements) are kept for the mandated period.
  • Correction: Request correction of inaccurate personal data.
  • Portability: Request your data in a portable format.

9. Children's Privacy

Pallas Health is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information.

10. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of Pallas Health after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us at: hello@pallashealth.co