How We Protect Your Health Data
Last Updated: May 8, 2026
The short version
We never sell your data. We never use it to train AI for anyone else. We protect it with the same standards a hospital would, and we make it easy for you to delete it anytime.
If you only read one section, this is the one that matters.
Built for HIPAA from day one
Ethia handles personal health information, so we follow the same rules as your doctor's office and hospital. That's HIPAA — the U.S. law that governs how health data must be protected.
Every system we use has been chosen because it meets HIPAA requirements. Every employee with access to your data is trained on these requirements. Every connection between systems is covered by signed legal agreements (called Business Associate Agreements) that hold our partners to the same standards.
We don't sell your data
We will never sell your personal health information to advertisers, data brokers, insurance companies, or anyone else. This isn't a policy we could change next year — it's how we built the company.
When research organizations work with us, they only see anonymized data. That means your name, email, and any details that could identify you are removed before any researcher ever sees the information. You always have the right to opt out of research entirely.
Your data isn't training anyone's AI
Ethia uses artificial intelligence to help interpret your lab results and answer your questions. The AI runs on Amazon's healthcare-compliant cloud, under a legal agreement that prohibits your data from being used to train any AI model.
This is different from typing your medical information into ChatGPT or another general-purpose AI. Those services may use what you type to train future versions of their software. Ethia does not. Period.
Encrypted everywhere
Every page on Ethia is loaded over a secure connection, the same kind your bank uses. When you upload a lab result or send a message, that information is encrypted in transit so that no one who intercepts it can read it.
Your password is never stored as text we can read. We use one-way hashing, which means even our own engineers couldn't tell you what your password is; they could only help you reset it.
Your identity stays separate from your health data
We deliberately store who you are (your name, email, account information) in a different place than what's wrong with you (your lab results, symptoms, conditions). The two are linked only by an internal reference number that means nothing on its own.
What this means in practice: even in a worst-case scenario where one part of our system was compromised, an attacker would not have a usable list of people and their conditions. The two halves can only be connected through our application, which has its own protections.
Every access is tracked
Whenever something significant happens in your account — a login, a password change, a data export, a deletion request — we record it. This creates a permanent trail that protects you if something ever goes wrong.
You can request a copy of your access history at any time. We also use these records to detect suspicious activity, like someone trying to log in from an unusual location.
You're in control
Your health data belongs to you. We make sure you can:
- See everything we have on you — anytime, in plain language
- Export your data in a format you can take elsewhere
- Delete your account and all associated data with one request
- Choose what's shared with research and advocacy partners (or share nothing at all)
- Turn on extra protection like two-step login when you sign in
Visit your privacy settings any time you're logged in to manage these.
Why we built it this way
Ethia was founded by someone who spent twelve years navigating the U.S. healthcare system as a patient with chronic illness. That experience taught us how much trust patients are asked to give — and how rarely it's earned.
We're trying to build the kind of company we wish we had encountered along the way. One that treats your data the way you would: carefully, privately, and on your terms.
Questions?
Security questions are always welcome. Email us at security@ethia.io and we'll respond within two business days.
For policy details on data we collect and how we use it, see our Privacy Policy.