Skip to main content
Partners

Privacy Policy

Last updated: January 6, 2026

  • • We act as your authorized agent to retrieve and manage your health records
  • • We only collect what's needed to retrieve and share your health records at your direction
  • • We never sell your personal information or health data
  • • You control who sees your records and can revoke access anytime
  • • You can request deletion of your account and data within 30 days

See also: Terms of Service

Our Role

LuminaryHD ("we," "our," or "us") acts as your authorized agent to retrieve, store, and share your medical records on your behalf. We do not provide medical care, and we do not create or modify your health records. All actions we take with your data are initiated and directed by you.

We participate in the Trusted Exchange Framework and Common Agreement (TEFCA) as an Individual Access Services (IAS) provider. This enables us to retrieve your health records from participating healthcare providers at your request. Our participation is governed by the TEFCA Common Agreement, applicable Qualified Health Information Network (QHIN) policies, and related federal and state requirements.

Because we act on your behalf rather than on behalf of healthcare providers, we are not a HIPAA Covered Entity or Business Associate. Our privacy and security practices are governed by the FTC Health Breach Notification Rule, applicable state health privacy laws, and our TEFCA obligations.

Information We Collect

Information You Provide

We collect personal information that you voluntarily provide to us, including:

  • Name and contact information (email address, phone number)
  • Identity verification information
  • Account credentials and authentication data
  • Your authorization instructions for retrieving and sharing records

Health Records

When you authorize us to retrieve your medical records, we receive health information from your healthcare providers. This may include medical history, diagnoses, medications, lab results, immunization records, clinical notes, and other health-related information contained in your medical records.

Automatically Collected Information

When you access our platform, we automatically collect certain information about your device and usage:

  • Log data (IP address, browser type, operating system)
  • Usage data (pages visited, time spent, features used)
  • Device information

Authorization and Consent

Before we retrieve or share your records, you must provide explicit authorization. This includes:

  • Identifying which records to retrieve and from which providers
  • Specifying who you want to share your records with (such as law firms, insurance providers, healthcare providers, claims processors, or other parties you choose)
  • Confirming each sharing request before transmission

You may revoke your authorization at any time through your account settings or by contacting us. Revocation applies to future actions only and does not affect data already retrieved or shared at your prior direction.

How We Use Your Information

We use your information to:

  • Retrieve health records from providers at your request
  • Store and organize your records for your access
  • Transmit your records to parties you authorize
  • Verify your identity and maintain account security
  • Communicate with you about your requests and our services
  • Improve and develop our platform
  • Comply with legal and regulatory obligations

Sharing Your Records

At Your Direction

When you choose to share your records with a third party, we transmit only the data you authorize to that recipient. You control each sharing transaction. We do not share your records with anyone without your explicit direction.

Once shared, the recipient's own privacy practices govern how they use and protect your information. We recommend reviewing their privacy policies before authorizing a share.

Service Providers

We use third-party service providers to help operate our platform, such as cloud hosting, identity verification, and customer support. These providers are contractually bound to protect your information and may only use it to perform services on our behalf.

Legal Requirements

We may disclose your information when required by law, regulation, legal process, or government request, or when necessary to protect rights, safety, or property.

No Sale of Data

We do not sell your personal information or health data.

Data Security

We implement industry-standard safeguards to protect your information, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments and monitoring
  • Employee training on privacy and security practices

No method of transmission over the internet is completely secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security.

Breach Notification

If we discover unauthorized access to or disclosure of your health information, we will notify you promptly, and no later than 60 days from discovery. Our notice will describe:

  • What happened, including the date of the breach and date of discovery
  • The types of information involved
  • Steps you can take to protect yourself
  • What we are doing to investigate, mitigate harm, and prevent future incidents
  • How to contact us with questions

Where required by law, we will also notify the Federal Trade Commission and, in cases affecting 500 or more individuals, the media.

Data Retention

We retain your personal information and health records as long as your account is active or as needed to provide services to you. If you request deletion, we will delete your data within 30 days, except where retention is required by law or necessary to resolve disputes or enforce our agreements.

Your Rights

You have the right to:

  • Access your personal information and health records through your account
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Revoke authorization for future data retrieval or sharing
  • Receive a copy of your data in a portable format
  • Object to processing of your personal information where applicable

To exercise any of these rights, contact us at privacy@luminaryhd.com or through your account settings.

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have collected information from a child under 18, we will delete it promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and, where appropriate, notifying you by email. Your continued use of our services after changes become effective constitutes acceptance of the revised policy.

Contact Us

If you have questions about this Privacy Policy or our privacy practices, contact us at:

Email: privacy@luminaryhd.com