This Privacy Policy for VVY Technologies, Inc. (doing business as "Moxcares," "we," "us," or "our") describes how and why we may access, collect, store, use, and/or share ("process") your information when you use our services ("Services"), including when you:
- Visit our website at https://www.moxcares.com, or any website of ours that links to this Privacy Policy;
- Use Moxcares, our patient-engagement, scheduling, and intake platform for healthcare clinics;
- Register as a clinic, clinic owner, administrator, staff member, or practitioner; or
- Engage with us in other related ways, including any sales, support, or marketing.
We are responsible for making decisions about how your personal information is processed in our role as a platform provider. Questions or concerns? Reading this Privacy Policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you have questions, contact us at legal@moxcares.com.
Summary of key points
What information do we process? We process information about the clinics and clinic users who use Moxcares, and — on behalf of those clinics — Protected Health Information (PHI) about their patients. Our role differs between these two categories.
Are we a Business Associate under HIPAA? Yes. When we process patient PHI on behalf of a clinic, the clinic is the Covered Entity and Moxcares is the clinic's Business Associate under HIPAA. We process patient PHI only as permitted by our Business Associate Agreement with the clinic.
Do we sell or share your mobile information? No. We do not share or sell mobile opt-in data or text-messaging consent information to any third party or affiliate for marketing or promotional purposes at any time.
How do we keep your information safe? We maintain administrative, technical, and physical safeguards consistent with the HIPAA Security Rule. However, no system can be guaranteed to be 100% secure.
What are your rights? Depending on where you are located, you may have rights regarding your personal information. Patient requests regarding PHI are handled through the clinic.
1. The two kinds of information we handle
In Short: Moxcares handles two distinct categories of information, and our role differs between them.
(a) Clinic-user information. Information about the clinics, clinic owners, administrators, staff, and practitioners who use Moxcares to operate their practice. For this information, Moxcares acts as the controller — we make decisions about how it is processed — and this Privacy Policy governs.
(b) Patient Protected Health Information (PHI). Health-related information about patients, processed by Moxcares on behalf of a clinic. For this information, the clinic is the Covered Entity and Moxcares is the Business Associate under the Health Insurance Portability and Accountability Act (HIPAA). We process patient PHI only as permitted by our Business Associate Agreement with the clinic and as directed by that clinic. The clinic's own Notice of Privacy Practices — not this Policy — governs the clinic's relationship with its patients.
2. What information do we collect?
In Short: We collect information that clinic users provide to us, and we process patient PHI on behalf of clinics.
Clinic-user information you disclose to us. When clinic users register, configure their clinic, or otherwise interact with the Services, we may collect:
- Names
- Email addresses
- Phone numbers
- Business (clinic) names and addresses
- Practitioner professional profile information (such as education, experience, biography, and specialty)
- Billing and subscription information
- Account credentials
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.
Payment data. We may collect data necessary to process your payment if you make purchases, such as your payment instrument number and associated security code. All payment data is handled and stored by Stripe. You may review Stripe's privacy notice at https://stripe.com/privacy.
Patient PHI processed on behalf of clinics. Depending on a clinic's configuration, we process patient information on the clinic's behalf, which may include patient names, dates of birth, contact information (including phone numbers and email addresses), intake questionnaire responses, appointment information, and clinical notes entered by clinic staff or practitioners. Moxcares does not determine the purposes for which this PHI is processed — the clinic does.
Information collected automatically. We automatically collect limited technical and usage information when you access the Services (such as device and log information) to operate, secure, and improve the Services.
3. How do we process your information?
In Short: We process clinic-user information to provide, improve, secure, and administer the Services, and we process patient PHI solely to provide the Services to clinics.
We process clinic-user information to:
- Facilitate account creation, authentication, and account management;
- Deliver and operate the Services;
- Communicate with you, including for support, billing, and service updates;
- Maintain security and prevent fraud; and
- Comply with legal obligations.
We process patient PHI solely to provide the Services to the clinic, as permitted by the Business Associate Agreement and HIPAA, and as directed by the clinic. We do not use patient PHI for our own marketing or for purposes the clinic has not authorized.
4. What legal bases do we rely on?
In Short: We process information only when we have a valid reason to do so.
We process clinic-user personal information where it is necessary to perform our contract with you, where you have given consent, where processing is in our legitimate business interests (such as security and service improvement) and not overridden by your rights, or where we must comply with law. Where we rely on consent, you may withdraw it at any time by contacting us.
Patient PHI is processed under our Business Associate Agreement with the clinic and the clinic's authority as a Covered Entity.
5. When and with whom do we share your information?
In Short: We share information with service providers ("sub-processors") under written contracts, and — where PHI is involved — under Business Associate Agreements.
We engage the following sub-processors to help us operate the Services. Each is engaged under a written contract, and where the provider processes PHI, under a Business Associate Agreement:
- Google Cloud Platform — hosting and infrastructure. (Business Associate Agreement in place.)
- Anthropic — AI-assisted intake processing.
- Twilio — SMS / text messaging.
- Postmark — transactional email.
- Stripe — payment processing.
We may also share information:
- In a business transfer — in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business; and
- To comply with law — where required by applicable law, regulation, legal process, or governmental request.
We maintain and update this sub-processor list as our providers change.
6. Do we offer artificial intelligence–based products?
In Short: Yes. We use AI to collect and organize patient intake information. Our AI does not provide medical advice, diagnosis, or treatment decisions.
As part of our Services, we offer features powered by artificial intelligence ("AI Products"), used to conduct conversational patient intake and to organize patient responses into a clinic's intake forms. Moxcares' AI Products do not provide medical advice, diagnosis, or treatment, and do not make clinical decisions. The AI assists with information collection and organization; clinical judgment remains with the clinic's practitioners.
We provide the AI Products through a third-party AI service provider, Anthropic, with whom we maintain a Business Associate Agreement covering PHI. Patient input processed through the AI Products is shared with and processed by Anthropic solely to provide the Services. We do not permit our AI service provider to use patient PHI to train its models other than as permitted under our agreement and applicable law.
7. Text messaging and your mobile information
In Short: With consent, we send text messages on behalf of clinics. We never share or sell mobile opt-in data to third parties.
With the patient's consent, Moxcares sends text messages on behalf of clinics, including appointment confirmations, intake links, appointment reminders, and clinic-authored follow-up messages. Consent is obtained at the time a phone number is collected (for example, during appointment booking) through an affirmative opt-in.
We do not share or sell mobile opt-in data or text-messaging consent information to any third party or affiliate for marketing or promotional purposes at any time. Mobile information is used only to deliver the messages the patient has consented to receive, through our messaging provider.
Patients may opt out of text messages at any time by replying STOP, and may reply HELP for assistance. We honor opt-out requests and will stop sending messages to a number that has opted out. Message and data rates may apply.
8. Calendar integrations
In Short: If a practitioner connects a calendar, we access the minimum information needed to coordinate scheduling.
If a practitioner connects a Google or Microsoft calendar, Moxcares accesses only the calendar information needed to coordinate scheduling:
- Availability (free/busy) information — to avoid double-booking. For Google, this uses a free/busy permission that returns only busy and free time windows, and not the content, subject, attendees, or location of the practitioner's other events.
- Moxcares-created appointment events — Moxcares creates and manages only the appointment events it places on the practitioner's calendar. For Google, Moxcares uses a permission limited to the events it creates, and does not access, read, or modify the practitioner's existing or other calendar events.
A practitioner may disconnect a connected calendar at any time, after which we will no longer access that calendar.
9. Do we use cookies and other tracking technologies?
In Short: We use cookies and similar technologies only as needed to operate and secure the Services.
We use cookies and similar technologies to maintain the security of the Services and your account, keep you signed in, remember your preferences, and support basic functionality. We do not use advertising or cross-site tracking cookies on patient-facing or PHI-bearing surfaces.
Most web browsers accept cookies by default. You can usually set your browser to remove or reject cookies, though doing so may affect certain features of the Services.
10. How do we handle account authentication?
In Short: We use secure email-and-password authentication with multi-factor authentication.
Account access uses email-and-password credentials with multi-factor authentication, provided through our identity infrastructure. We do not offer social-media login for the Services. You are responsible for keeping your credentials confidential.
11. How long do we keep your information?
In Short: We keep clinic-user information while the account is active, and we retain patient records consistent with healthcare recordkeeping requirements.
We keep clinic-user information for as long as the account is active and as needed to provide the Services, and thereafter as required for tax, accounting, legal, or legitimate business purposes.
We retain patient PHI in accordance with our Business Associate Agreement and applicable law. Our current practice is to retain patient records for a period consistent with healthcare recordkeeping requirements — approximately seven (7) years following the termination of a clinic's subscription — after which records are securely deleted, unless a longer period is required by applicable state or federal law.
12. How do we keep your information safe?
In Short: We use organizational and technical safeguards consistent with the HIPAA Security Rule.
We have implemented appropriate and reasonable administrative, physical, and technical safeguards designed to protect the information we process, consistent with the HIPAA Security Rule and our Business Associate obligations. These include access controls, audit logging, and encryption of data in transit and at rest. However, no electronic transmission or storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that unauthorized third parties will never defeat our safeguards. You access the Services at your own risk and should do so within a secure environment.
13. Do we collect information from minors?
In Short: The Moxcares platform is for clinic users 18 and older. Clinics may, under their own authority, treat patients who are minors.
The Moxcares platform is intended for use by clinic users who are at least 18 years old, and we do not knowingly create clinic-user accounts for minors.
Clinics that use Moxcares may treat patients who are minors and may process those patients' PHI through the Services on the clinic's behalf, under the clinic's authority and applicable law (including any parental or guardian consent obtained by the clinic). In that context, a minor patient's PHI is handled under the clinic's Notice of Privacy Practices and our Business Associate Agreement — not as direct collection from a minor by Moxcares.
14. What are your privacy rights?
In Short: Depending on your location, you may have rights regarding your personal information. Patient PHI requests are handled through the clinic.
Depending on where you are located, you may have rights to request access to, correction of, a copy of, or deletion of your personal information, and to withdraw consent where we rely on it. To exercise these rights regarding clinic-user information, contact us at legal@moxcares.com. We will consider and act upon requests in accordance with applicable data protection laws.
Patient PHI. Requests by patients to access, amend, or delete their PHI are directed to and handled by the clinic (the Covered Entity), consistent with HIPAA. Moxcares supports clinics in fulfilling these requests as their Business Associate.
Withdrawing consent. If we are relying on your consent, you may withdraw it at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
15. Controls for Do-Not-Track features
Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature. No uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow, we will inform you in a revised version of this Policy.
16. Do United States residents have specific privacy rights?
In Short: If you are a resident of certain US states, you may have specific rights regarding your personal information.
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right, subject to applicable law, to:
- Request to know whether we are processing your personal data;
- Access your personal data and request a copy;
- Correct inaccuracies in your personal data;
- Request deletion of your personal data;
- Obtain a list of categories of third parties to which we have disclosed personal data; and
- Not be discriminated against for exercising these rights.
These rights apply principally to clinic-user information. Patient PHI is governed by HIPAA, and patient requests are routed through the clinic as Covered Entity.
We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding twelve (12) months.
How to exercise your rights. Submit a request to legal@moxcares.com. We will verify your identity before acting on your request. You may designate an authorized agent to act on your behalf, subject to proof of authorization. If we decline a request, you may appeal by contacting legal@moxcares.com; if your appeal is denied, you may contact your state attorney general.
17. Do we make updates to this Policy?
In Short: Yes, we update this Policy as necessary to stay compliant with relevant laws.
We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last Updated" date. If we make material changes, we will notify you either by prominently posting a notice or by directly sending you a notification. We encourage you to review this Policy regularly.
18. How can you contact us?
If you have questions or comments about this Policy, email us at legal@moxcares.com, or write to:
VVY Technologies, Inc. (d/b/a Moxcares)
131 Continental Dr, Suite 305
Newark, DE 19713
19. How can you review, update, or delete your data?
Subject to applicable law, you may have the right to request access to the personal information we collect from you, to correct inaccuracies, or to request deletion. To make such a request regarding clinic-user information, contact us at legal@moxcares.com. Patient PHI requests are handled through the clinic, as described above.