Note: Arcolia is designed with HIPAA compliance as a core principle. Formal Business Associate Agreements (BAAs) with all covered cloud providers are in progress, and full HIPAA compliance documentation will be available at general availability.

HIPAA Notice

Last updated: March 2026

Our design philosophy

Arcolia is built with HIPAA compliance as a design constraint, not an afterthought. Every architectural decision — from data storage to AI processing to authentication — is made with Protected Health Information (PHI) handling requirements in mind.

Technical safeguards

  • Encrypted storage: all data is encrypted at rest with AES-256 and in transit with TLS 1.3.
  • Access controls: Row-Level Security is enforced at the database layer, so a user can read or modify only their own records, and every PHI access requires authentication.
  • AI processing: calls to AI models go through zero-data-retention endpoints, and PHI is de-identified before AI processing wherever the use case allows it.
  • Audit logging: every PHI access is logged with a timestamp and the user identifier, and logs are retained for at least 6 years.
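The access-control and audit-logging safeguards above are, on a Supabase/Postgres backend, a matter of RLS policies and a write-protected log table. The following is an added example, not Arcolia's schema or code: the table and column names are invented, and it assumes Supabase's auth.uid() helper and auth.users table for the caller's identity.

```sql
-- Constructed example: a minimal PHI table under Postgres Row-Level Security,
-- with an append-only audit log. Table and column names are invented.
create table health_records (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id),  -- Supabase auth schema (assumption)
  body       text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS and force it even for the table owner, so nothing short of a
-- bypassrls role (e.g. the Supabase service role) sees rows without a policy.
alter table health_records enable row level security;
alter table health_records force row level security;

-- One policy per operation, all keyed on the authenticated user's id.
-- auth.uid() is Supabase's helper that reads the caller's JWT subject.
create policy "owner reads own records"   on health_records
  for select using (owner_id = auth.uid());
create policy "owner inserts own records" on health_records
  for insert with check (owner_id = auth.uid());
create policy "owner updates own records" on health_records
  for update using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy "owner deletes own records" on health_records
  for delete using (owner_id = auth.uid());

-- Audit log: RLS enabled with no policies, so ordinary users can neither read
-- nor tamper with it; rows are written only through the definer function below.
-- record_id is deliberately not a foreign key so the log survives deletions.
create table phi_access_log (
  id          bigint generated always as identity primary key,
  record_id   uuid not null,
  actor_id    uuid,
  action      text not null,
  occurred_at timestamptz not null default now()
);
alter table phi_access_log enable row level security;
alter table phi_access_log force row level security;

-- security definer lets an authenticated user append a log row without holding
-- insert rights on the log table; search_path is pinned to block hijacking.
create function record_phi_access(p_record uuid, p_action text)
returns void language sql security definer set search_path = public as $$
  insert into phi_access_log (record_id, actor_id, action)
  values (p_record, auth.uid(), p_action);
$$;

-- Writes are logged by a row trigger (TG_OP is INSERT, UPDATE or DELETE).
create function log_phi_change() returns trigger
language plpgsql security invoker as $$
begin
  if tg_op = 'DELETE' then
    perform record_phi_access(old.id, tg_op);
    return old;
  end if;
  perform record_phi_access(new.id, tg_op);
  return new;
end;
$$;

create trigger health_records_audit
  after insert or update or delete on health_records
  for each row execute function log_phi_change();

-- Postgres triggers cannot fire on SELECT, so reads are routed through a
-- logging wrapper. security invoker keeps the select policy above in force,
-- so a caller still only gets rows they own.
create function read_health_record(p_id uuid)
returns setof health_records language plpgsql security invoker as $$
begin
  perform record_phi_access(p_id, 'SELECT');
  return query select * from health_records where id = p_id;
end;
$$;
```

Two caveats a reviewer would raise: a direct `select` on the table through the API still bypasses the wrapper, so either restrict direct reads to the wrapper or pair this with server-side statement logging (such as pgaudit) to cover reads; and the service role bypasses RLS entirely, so the log is only as tamper-resistant as the custody of that key.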

Business Associate Agreements

Arcolia signs Business Associate Agreements (BAAs) with every cloud provider that handles PHI, including our primary infrastructure provider (Supabase) and any AI processing service that receives health information.

Your rights under HIPAA

As a user, you have the right to access, amend, and request deletion of your health information. To exercise these rights, contact privacy@arcolia.org.

Scope

Arcolia is a tool for organizing personal health documentation. As a consumer-facing personal health record application, it is not by default a covered entity or business associate under HIPAA. We nonetheless design and operate as if these standards apply, because your family's health data deserves that level of care.

Questions

privacy@arcolia.org
