Privacy Policy

Effective: April 16, 2026
Last updated: April 16, 2026

Athon AI, Inc. (“Athon,” “we,” “our,” or “us”) builds an AI command center that unifies fragmented operational data for behavioral health and other regulated industries. This Privacy Policy explains how we collect, use, share, and protect information in connection with our marketing website, sales interactions, and the Athon platform (collectively, the “Services”).

We take data protection seriously because our customers process some of the most sensitive information in healthcare. Where we act as a service provider or Business Associate, your organization’s data (“Customer Data”) is governed by our written agreement and Business Associate Agreement, not by this Policy.

01

Scope and Applicability

This Policy applies to information we collect when you visit our website, contact our sales or support team, or otherwise interact with us as a prospective or existing customer. It does not apply to Customer Data (including Protected Health Information, or “PHI,” and records subject to 42 CFR Part 2) that we process on behalf of our customers through the Athon platform. Our processing of Customer Data is governed by the applicable Master Services Agreement, Data Processing Addendum, and Business Associate Agreement (“BAA”) between Athon and the customer. In the event of any conflict between this Policy and the BAA, the BAA controls with respect to PHI.

02

Our Role: Controller vs. Processor and Business Associate

Website and marketing interactions. Athon is the “controller” (under GDPR/UK GDPR) or “business” (under CCPA/CPRA) of personal information collected through our website, marketing events, and sales process.

Platform operations. When our customers use the Athon platform to process their own data, Athon is a “processor” (GDPR) or “service provider” (CCPA) acting on our customer’s documented instructions. Where Customer Data includes PHI, Athon is a Business Associate under HIPAA and signs a BAA with the customer.

03

Information We Collect

We collect the following categories of information:

  • Contact information you provide — name, business email, company, job title, phone — when you request a demo, subscribe to updates, or contact us.
  • Usage and device data about your visit to our website — pages viewed, referring URL, IP address, approximate location, browser and device type, session timestamps.
  • Communications you send us by email or through our Services, including support tickets and meeting notes.
  • Customer Data. When a customer connects the Athon platform to their systems, Customer Data flows into the customer’s environment. Athon does not collect, store, or mirror Customer Data on our own infrastructure in customer-hosted deployments. See Section 8.

We do not knowingly collect sensitive categories of personal information for website visitors other than what you voluntarily submit.

04

How We Use Information

We use website and business-contact information to:

  • Respond to inquiries and schedule demos or data assessments.
  • Provide and improve our Services, including diagnosing and fixing technical issues.
  • Send operational communications and, with your consent, marketing updates.
  • Comply with legal obligations, enforce our terms, and prevent fraud or abuse.

We process Customer Data only on the documented instructions of the customer and for the purposes defined in the Master Services Agreement and BAA.

05

How We Share Information

We share information only as described below:

  • Service providers and subprocessors that support our operations (infrastructure, analytics, customer support, email delivery, billing), bound by written contracts with confidentiality and data-protection terms at least as protective as this Policy. Our current subprocessor list is available on request and we provide at least 30 days’ notice of material changes to customers.
  • Customer-directed third parties. When a customer configures Athon to route outputs to a third-party AI provider or destination, we transmit Customer Data to that provider under the customer’s instructions.
  • Legal and safety. We may disclose information when required by valid legal process or to protect the rights, property, or safety of Athon, our customers, or the public.
  • Corporate transactions. In the event of a merger, acquisition, or asset sale, information may transfer to the successor entity, which will be bound by terms no less protective than this Policy and the applicable BAA.

We do not sell personal information. We do not share personal information with third parties for their independent marketing purposes.

06

AI, Machine Learning, and Model Training

We understand that how AI systems handle your data is a central concern. Our commitments:

  • We do not use Customer Data or PHI to train, fine-tune, or improve any generalized or foundation AI models, whether our own or those of third parties.
  • When customer-configured workflows route data to third-party model providers (e.g., Anthropic, OpenAI, Google), those providers are contractually bound to (i) not retain inputs or outputs beyond the processing window, (ii) not use Customer Data for model training, and (iii) operate under a zero-retention configuration where available.
  • Athon is AI-agnostic. Customers choose which model providers operate within their tenant; we do not impose a default model or require use of any specific provider.
  • Any internal model improvement work uses only de-identified data (meeting HIPAA Safe Harbor or Expert Determination standards) or aggregate service telemetry, and only where permitted by the governing BAA.

07

HIPAA and 42 CFR Part 2

HIPAA. Where Athon processes PHI on behalf of a customer, we act as a Business Associate and sign a BAA before any PHI is exchanged. We implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including role-based access controls, encryption at rest and in transit, audit logging, and incident response procedures.

42 CFR Part 2. Where Customer Data includes records relating to substance use disorder treatment, Athon processes such records as a lawful holder or qualified service organization and will not re-disclose them except as permitted by Part 2 or with patient consent meeting Part 2 requirements. Breach notification follows the aligned HIPAA and Part 2 framework.

We do not independently make decisions about medical care and we do not maintain a designated record set. Customers remain the data controller and the covered entity (or Part 2 program) with respect to their patient information.

08

Data Residency and Customer-Hosted Deployments

Athon is cloud-agnostic. Customers deploy on Google Cloud, AWS, Azure, or on-premise infrastructure, and choose the region in which their Customer Data resides. In customer-hosted deployments, Customer Data and PHI never leave the customer’s cloud boundary. Athon’s control plane does not store, copy, or mirror Customer Data on Athon-operated infrastructure.

For managed deployments, we honor customer-specified data-residency requirements and document the processing region in the order form or Data Processing Addendum.

09

Data Security

We maintain a security program aligned to industry frameworks, including SOC 2 Type II readiness, HIPAA Security Rule safeguards, and NIST CSF practices. Controls include encryption at rest and in transit (TLS 1.2+, AES-256), role-based access controls with least-privilege and MFA, tenant isolation, continuous vulnerability scanning, logging and audit trails, and documented incident response and breach notification procedures. No system is perfectly secure, but we work hard to protect information entrusted to us and will promptly notify affected customers in the event of a confirmed security incident involving their data, in accordance with the BAA and applicable law.

10

Data Retention and Deletion

We retain website and business-contact information for as long as necessary to fulfill the purposes described in this Policy or as required by law — typically no longer than 24 months after your last interaction, unless a contractual relationship continues or a legal hold applies.

Customer Data is retained and deleted according to the customer’s configuration and the Master Services Agreement. Following contract termination, Customer Data is returned or deleted within 30 days, with a 30-day backup purge window after that. Customers may request earlier deletion at any time.

11

International Data Transfers

If personal information is transferred outside your country of residence, we rely on lawful transfer mechanisms — including Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, and supplementary safeguards. Customers with data-residency requirements may deploy Athon in a region that avoids international transfers entirely.

12

Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete, port, or restrict the processing of your personal information; to object to certain processing; and to withdraw consent. To exercise these rights for information Athon controls, contact privacy@athonai.com. For information processed on behalf of an Athon customer, please contact the customer directly; we will support the customer’s response to your request.

US residents (California, Virginia, Colorado, Connecticut, Utah, Texas, and others): you may have specific rights under state privacy laws, including the right to know, delete, correct, opt out of certain sharing, and non-discrimination. Athon does not sell personal information and does not engage in cross-context behavioral advertising with Customer Data.

EU/UK/Switzerland residents: you may lodge a complaint with your local supervisory authority. Our representative in the EU, where required, is available on request.

13

Children’s Privacy

Our Services are designed for businesses and are not directed to children under 16. We do not knowingly collect personal information from children through our website. Where Customer Data concerns minors in a clinical context, the customer acts as the controller and is responsible for obtaining any required parental or guardian consent.

14

Changes and Contact

We may update this Policy from time to time. If we make material changes, we will notify customers by email or in-product notice and update the “Last updated” date above. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

Questions or requests related to this Policy:

Athon AI, Inc.

Attn: Privacy

privacy@athonai.com

adi@athonai.com