Hearth & Alloy

Privacy Policy

Last updated: October 29, 2025

Our Commitment to Privacy

At Hearth & Alloy, we build Safe AI infrastructure for regulated industries, starting with healthcare. Privacy and security are fundamental to everything we build, not an afterthought.

Guardian Health Platform

Guardian Health is designed as a HIPAA-compliant Safe AI Workbench. During our design partner phase, we adhere to strict privacy principles:

  • HIPAA Safeguards: All Protected Health Information (PHI) is encrypted at rest (AES-256) and in transit (TLS 1.3); encryption is one of the technical safeguards we maintain, alongside the access controls and audit logging described below.
  • Data Minimization: We collect only the data necessary to provide and improve our services.
  • Multi-Tenant Isolation: Each organization's data is isolated from other tenants' data through dedicated configurations and per-tenant access controls.
  • Audit Logging: All data access and modifications are logged with comprehensive audit trails (7-year retention).
  • No Sale of Data: We never sell your data, healthcare information, or personal information to third parties.
  • Secure Infrastructure: Hosted on Azure, with encryption keys managed in Azure Key Vault and infrastructure defined, reviewed, and changed as code.

What We Collect

During Design Partnership:

  • Contact information (name, email, organization) for communication and access management
  • AI interaction data (prompts, responses) for policy enforcement and audit purposes
  • Usage analytics to understand feature adoption and improve the platform
  • Technical logs for debugging and security monitoring

How We Use Data

  • To provide Guardian Health Safe AI Workbench services
  • To enforce organizational policies and detect PHI in AI interactions
  • To improve platform features and policy accuracy
  • To communicate with design partners about product development
  • To ensure security and prevent unauthorized access
  • To comply with legal and regulatory requirements

Data Retention

We retain data only as long as necessary to provide services or as required by law. Design partners can request data deletion at any time by contacting us; deletion is subject to retention we are required to keep, such as the audit logs noted above and records required by applicable regulation.

Your Rights

  • Access your data and request copies
  • Correct inaccurate information
  • Request deletion of your data
  • Export your data in standard formats
  • Withdraw consent at any time

Security Measures

We implement established security practices including encryption, authentication based on OAuth 2.0 with JWT-based access tokens, regular security assessments, and documented incident response procedures. We are working toward HITRUST certification.

Contact Us

Questions about privacy or data handling? Contact us at hello@hearthandalloy.com.

Note: As we're in the design partner phase, this policy may be updated as we refine our practices. We'll notify partners of material changes.