Privacy Policy – Rima Systems LLC

Effective Date: 10 June 2025

Rima Systems LLC ("Rima," "we," "us," or "our") provides a digital health and care navigation platform that empowers individuals and employers with preventive wellness insights, telemedicine access, and secure personal data custody. Protecting the confidentiality, integrity, and availability of Personal Data—especially Personal Health Information ("PHI")—is fundamental to our mission of re-aligning healthcare incentives for generational health. 

This Privacy Policy explains how we collect, use, disclose, and safeguard your information, the choices you have, and the rights available to you under U.S. federal and state laws and, where applicable, international regulations such as the EU/UK GDPR.

1. Scope

This Policy applies to information we process when you:

• Use any Rima-branded or white-label mobile or web application, portal, API, SDK, or chatbot (the "Services"); 

• Interact with Rima as an employer, broker, provider, or other business customer (collectively, "Enterprise Customers"); 

• Engage with Rima-hosted telemedicine or pharmacy services delivered by integrated vendors; or 

• Communicate with us in any manner (email, phone, social media, events).

Separate Business Associate Agreements ("BAAs") or Data Processing Addenda ("DPAs") executed with Enterprise Customers supplement—and, where they conflict, supersede—this Policy regarding PHI or other regulated data processed on their behalf.

2. Key Definitions

Term | Meaning
---- | -------
Personal Data | Any information relating to an identified or identifiable natural person, including device identifiers.
PHI | Individually identifiable health information subject to the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").
Consumer Health Data | Health-related information regulated by emerging state laws (e.g., Washington "My Health My Data" Act, New York Health Information Privacy Act) that may fall outside HIPAA's scope.
Controller / Processor | Roles under the GDPR; Rima is generally a Processor for Enterprise Customers and a Controller for limited direct-to-consumer relationships.
De-identified Data | Data that has been processed to remove individually identifiable information in accordance with HIPAA standards at 45 CFR §164.514.

3. Privacy by Design Principles

Rima implements privacy by design through:

• Data Minimization: We collect only the minimum data necessary for specified purposes 

• Purpose Limitation: Data is processed only for stated, legitimate purposes 

• Privacy Impact Assessments: Conducted for new processing activities involving sensitive data 

• Security by Default: All systems configured with maximum privacy settings by default 

• Transparency: Clear communication about data practices through this policy and notices 

• User Control: Providing meaningful choices and controls over personal data

4. Lawful Bases & Roles

4.1 HIPAA Business Associate

When Rima processes PHI on behalf of a Covered Entity (e.g., an employer-sponsored group health plan or telemedicine provider), we do so solely under written BAAs and in compliance with HIPAA and HITECH.

4.2 State Consumer & Health Privacy Laws

We observe applicable requirements—including explicit opt-in consent for sale of Consumer Health Data—under Washington RCW 19.373 (effective 2024), the California Consumer Privacy Rights Act (CPRA), the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act (OCPA), and similar statutes enacted or effective in 2025.

4.3 GDPR & UK GDPR Lawful Basis Mapping

Processing Activity | Lawful Basis | Additional Details
------------------- | ------------ | ------------------
Account Creation & Management | Contract Performance (Art. 6(1)(b)) | Necessary to provide Services
Clinical & Wellness Services | Explicit Consent (Art. 9(2)(a)) | Health data requires explicit consent
Benefit Administration (B2B) | Legitimate Interests (Art. 6(1)(f)) | Processing for Enterprise Customers
Payment Processing | Contract Performance (Art. 6(1)(b)) | Necessary for billing
Legal Compliance | Legal Obligation (Art. 6(1)(c)) | HIPAA audits, tax requirements
Security & Fraud Prevention | Legitimate Interests (Art. 6(1)(f)) | Protecting systems and users
Marketing Communications | Consent (Art. 6(1)(a)) | Opt-in required for all marketing
Research & Development | Legitimate Interests or Consent | Depending on identifiability
Emergency Medical Situations | Vital Interests (Art. 6(1)(d)) | Protecting life in emergencies

For special category data (health data) under GDPR, we rely on:

  • Explicit consent (Art. 9(2)(a)) for direct consumer relationships

  • Healthcare purposes (Art. 9(2)(h)) when acting as a processor for healthcare providers

  • Public interest in public health (Art. 9(2)(i)) for anonymized population health insights

*A full list of active U.S. state privacy laws is available in our Compliance Appendix and is reviewed quarterly.

5. Information We Collect

Category | Examples | Source
-------- | -------- | ------
Account & Profile Data | Name, email, phone, address, date of birth, employer, plan enrollee ID | User, HRIS integrations, Enterprise Customers
Clinical & Wellness Data | Vital signs, lab results, biometric scans, wearable metrics, medication history, telemedicine encounter notes | User, Providers, Labs, Connected Devices
Benefit & Employment Data | Payroll, eligibility, deductions, census details | HRIS APIs (PrismHR, Viventium, Tempworks), Brokers
Usage & Device Data | Log files, IP address, device identifiers, cookies, chatbot transcripts | User device/browser
Communications | Support tickets, emails, recorded calls (with notice) | User

We may create de-identified or aggregated data that is not subject to this Policy.

6. How We Use Information

We collect and use Personal Data only for the purposes described below and will not process it for materially different purposes without first obtaining additional consent or identifying an independent lawful basis (see Section 4.3 — Lawful Basis Mapping).

  1. Deliver the Services and administer user accounts, benefit plans, telemedicine encounters, and pharmacy fulfillment.

  2. Provide Preventive Insights & AI-Assisted Recommendations while maintaining model transparency and clinical governance.

  3. Operate, Maintain & Improve our platform, microservice architecture, and AI models, including debugging, analytics, and security monitoring.

  4. Facilitate Payments & Invoicing.

  5. Comply with Legal Obligations (e.g., HIPAA audits, state privacy requests, tax, accounting).

  6. Protect Rights & Safety of users, Enterprise Customers, and Rima, including fraud prevention and legal defense.

  7. Research & Development using de-identified data sets or with Institutional Review Board approval where required.

  8. Marketing and Product Communications only with explicit opt-in consent. We do not engage in any marketing activities without your affirmative consent, regardless of legal requirements.

7. Consent Management

7.1 How We Obtain Consent

  • Account Registration: Clear consent checkboxes during sign-up

  • Health Data Processing: Separate explicit consent for health data with clear explanations

  • Marketing: Optional opt-in with granular choices (email, SMS, push notifications)

  • Cookie Consent: Banner with granular category controls (where applicable)

7.2 Granular Consent Options

You can separately consent to:

  • Essential service communications (cannot be disabled while account active)

  • Marketing about new features

  • Health tips and wellness content

  • Third-party partner offers (always optional)

  • Research participation

  • Biometric data processing

7.3 Withdrawing Consent

You may withdraw consent at any time.

Withdrawal of consent:

  • Takes effect immediately for future processing

  • Does not affect lawfulness of prior processing

  • May impact service availability if consent was necessary for core features

8. Sharing & Disclosure

We do not sell or rent Personal Data. We disclose information only:

• With Your Direction or Authorization. For example, when you share data with a clinician, caregiver, or employer. 

• To Covered Entities & Providers performing treatment, payment, or healthcare operations. 

• To Service Providers & Sub-Processors bound by contractual obligations (BAAs/DPAs) and least-privilege access. 

• To Regulators or Law Enforcement when legally required or to protect vital interests. 

• In Corporate Transactions (merger, acquisition) with appropriate safeguards and user notice.

9. Your Privacy Rights

9.1 Rights Overview

Depending on your jurisdiction, you may have the right to:

• Access and receive a copy of your Personal Data or PHI 

• Correct inaccurate or incomplete data 

• Delete certain data (subject to retention exceptions) 

• Port data to another controller (GDPR: in structured, commonly used, machine-readable format) 

• Restrict or Object to processing 

• Withdraw Consent at any time where processing is based on consent 

• Not be subject to automated decision-making including profiling (GDPR) 

• Lodge a complaint with supervisory authorities

9.2 GDPR-Specific Rights

Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV) and transmit it to another controller.

Automated Decision-Making: Rima uses AI for health insights but does not make fully automated decisions with legal or similarly significant effects. All critical health recommendations require human review.

Supervisory Authority Complaints: EU/UK residents may lodge complaints with their local data protection authority.

10. Data Security

Rima maintains an ISO 27001-aligned security program with:

• Encryption in transit (TLS 1.3) and at rest (AES-256) 

• Zero-trust network segmentation 

• Role-based and attribute-based access controls 

• Continuous vulnerability scanning and third-party penetration tests 

• Employee Training on security and privacy annually 

• Vendor Security Assessments for all data processors

11. De-identification Standards

11.1 HIPAA De-identification Methods

We de-identify PHI using one of two HIPAA-approved methods:

Expert Determination (45 CFR §164.514(b)(1))

  • Qualified statistical expert applies scientific principles

  • Very small risk that anticipated recipients could identify individuals

  • Documents methods and results of analysis

Safe Harbor (45 CFR §164.514(b)(2))

  • Removes 18 specific identifiers including:

    • Names, geographic subdivisions smaller than state

    • Dates (except year) related to individual

    • Phone, fax, email, SSN, medical record numbers

    • Health plan beneficiary numbers, account numbers

    • Certificate/license numbers, VINs, device identifiers

    • Web URLs, IP addresses, biometric identifiers, photos

    • Any other unique identifying number, characteristic, or code

11.2 Additional Protections

  • De-identified data is segregated from identified data

  • Re-identification keys are encrypted and access-restricted

  • Regular audits ensure de-identification standards are maintained

  • Contractual prohibitions on re-identification attempts

12. Retention & Deletion

We retain:

• PHI for at least six (6) years after the record's creation or last use, per 45 C.F.R. § 164.316(b)(2)(i) 

• HR & Payroll Data for seven (7) years or longer if required by ERISA or tax laws 

• De-identified Data indefinitely for analytics, unless prohibited by applicable law

Once retention obligations expire, data is securely deleted or de-identified. You may request earlier deletion where allowed.

13. International Data Transfers

Where we transfer Personal Data outside its country of origin (e.g., EEA → U.S.), we rely on:

• SCCs approved by the European Commission 

• The UK International Data Transfer Addendum 

• Additional technical measures (encryption, access controls) per EDPB guidance 

• Transfer Impact Assessments documenting risks and mitigations

14. Children's Privacy

The Services are not directed to children under 13. We do not knowingly collect Personal Data from children under 13 without verifiable parental consent under COPPA.

15. Employee Privacy Notice

For employees of Enterprise Customers whose data we process:

15.1 Data Processed

  • Employment data from HRIS systems

  • Benefit enrollment and eligibility information

  • Wellness program participation (voluntary)

15.2 Legal Basis

  • Legitimate interests of employer for benefit administration

  • Your consent for wellness programs

  • Legal obligations for tax and compliance

15.3 Your Rights

You maintain all rights described in Section 9. Contact your employer's HR department for assistance.

16. Data Breach Notification

16.1 Notification Timeline

In the event of a breach involving unsecured PHI or Personal Data:

  • Internal Escalation: Within 24 hours to Rima Officers

  • Risk Assessment: Within 48 hours to determine notification requirements

  • Regulatory Notice: Without unreasonable delay, maximum 72 hours (GDPR) or 60 days (HIPAA)

  • Individual Notice: Concurrent with regulatory notice via email and account notification

16.2 Notification Content

Breach notifications will include:

  • Description of what occurred and when

  • Types of information involved

  • Steps taken to investigate and mitigate

  • Recommended protective actions

  • Contact information for questions

16.3 Documentation

All breaches are documented including:

  • Risk assessments

  • Notification decisions and timing

  • Remediation measures

  • Lessons learned for prevention

17. Changes to This Policy

We may update this Policy to reflect legal, technical, or business changes. We will:

  • Post the updated version with a new Effective Date

  • Provide 30 days advance notice for material changes via email and in-app notification

  • Obtain consent where required for new processing activities

  • Maintain prior versions for reference

Last Reviewed: 10 June 2025

Compliance Appendix

Law | Scope / Key Obligations | Effective Date
--- | ----------------------- | --------------
HIPAA & HITECH | PHI privacy, security, breach notification | 1996 / 2009
CPRA (California) | Consumer privacy rights, data minimization, opt-out of sale/share | 1 Jan 2023
Colorado Privacy Act | Universal opt-out, data protection assessments | 1 Jul 2023
Connecticut Data Privacy Act | Consent for sensitive data, global opt-out | 1 Jul 2023
Utah Consumer Privacy Act | Processor obligations, no sensitive data consent | 31 Dec 2023
Virginia CDPA | Consent for sensitive data, data protection assessments | 1 Jan 2023
Washington My Health My Data Act | Consent for collection & sale of consumer health data; geofencing bans | 31 Mar 2024
Texas Data Privacy & Security Act | Sensitive data consent, PIAs | 1 Jul 2024
Oregon Consumer Privacy Act | Processor obligations, risk assessments | 1 Jul 2024
Iowa Data Privacy Law | Controller duties, consumer rights | 1 Jan 2025
New York Health Information Privacy Act | Explicit consent for sale of health data, enforcement by AG | TBD (expected 2026)
Nevada SB 220 | Opt-out of sale | 1 Oct 2019
GDPR / UK GDPR | Lawful bases, DPA, SCCs, data subject rights | 25 May 2018 / 31 Jan 2020