Legal

Privacy Policy

Effective date: January 1, 2025 · Last updated: January 1, 2025

1. About This Policy

Lily AI, Inc. ("Lily," "we," "us," or "our") operates asklily.health and the Lily Care, Lily Practice, and Lily Admin platforms. This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our services.

2. Information We Collect

Information you provide

  • Account registration data (name, email, role)
  • Profile information (demographics, preferences, identity dimensions you choose to share)
  • Communications with practitioners and support
  • Assessment and quiz responses
  • Payment information (processed by Stripe; we do not store card numbers)

Information collected automatically

  • Usage data (pages visited, features used, session duration)
  • Device and browser information
  • IP address and approximate location
  • Cookies and similar tracking technologies (see our Cookie Policy)

3. Protected Health Information (PHI)

Lily is a HIPAA-covered entity and business associate. Protected Health Information — including clinical notes, diagnosis data, session records, and assessment results — is handled under our HIPAA compliance program and never used for advertising, sold, or shared with unauthorized parties.

PHI is stored in HIPAA-eligible cloud infrastructure in the United States. Access is role-based, logged, and audited. You have rights under HIPAA to access, amend, and receive an accounting of disclosures of your PHI.

4. How We Use Your Information

  • To match you with practitioners using our identity-aware algorithm
  • To facilitate telehealth, scheduling, and secure messaging
  • To generate AI-assisted clinical notes and outcomes analytics (de-identified for organizational reporting)
  • To send transactional emails and, with your consent, product updates
  • To improve our matching model and platform safety
  • To comply with legal obligations

5. Information Sharing

We do not sell your personal information. We share information only:

  • With practitioners you are matched with or engage, with your consent
  • With your sponsoring employer or health plan in de-identified, aggregated form only
  • With service providers under data processing agreements (cloud, email, payments)
  • As required by law, court order, or to protect safety

6. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port your data. California residents have additional rights under the CCPA. To exercise any rights, email privacy@asklily.health.

7. Data Retention

We retain account data for the life of your account plus 7 years, consistent with healthcare record-keeping requirements. Clinical records are retained per applicable state law (minimum 7 years; 10 years for minor patients).

8. Security

We use AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, and annual third-party security audits (SOC 2 Type II). No system is perfectly secure; we will notify you of any breach affecting your PHI within the timeframes required by law.

9. Contact

Privacy Officer: privacy@asklily.health
Lily AI, Inc. · Philadelphia, PA & New York, NY