Privacy Policy
This is the plain-English Privacy Policy for BRILL.health, written to be readable — not dense legalese — so you can actually understand what happens with your information. A more detailed counsel-reviewed version is maintained internally and available on request; substantive commitments are identical between the two.
1. Our philosophy
BRILL.health is built around a simple idea: your health records belong to you and live with you, not in a BrilLiquid database. We act as a relay between you and the providers you choose to share with — not a data lake that collects and aggregates your records.
Everyone is welcome. We don't condition platform access on citizenship, residency, or documentation status. A specific feature — Direct Secure Messaging with licensed healthcare providers — requires stronger identity verification because federal rules require it; if you don't complete that verification, you still have access to every other platform feature. You can upgrade whenever you're ready.
We never collect your country of birth or immigration status.
2. Where your data lives
- Your clinical records and health history are designed to live on your personal device, encrypted.
- Some data types are too large to fit practically on a phone (for example, diagnostic imaging like CT or MRI scans, which can be gigabytes per study). For those, we maintain a reference (a pointer you control) to the originating imaging system, or store encrypted data in our cloud with your own encryption key. You choose the approach at onboarding.
- Data in transit is protected by industry-standard encryption. Data at rest is encrypted.
- If you lose access to your device and its backups, you may lose access to records we cannot decrypt. Before enabling device-based encryption for your account, we'll give you plain-language backup guidance.
3. How we help you share
We facilitate sharing only through channels you choose.
3.1 Three distinct roles for the people in your care circle
HIPAA recognizes three different kinds of people involved in your care, each with different legal standing. BRILL.health lets you designate any, all, or none of these — separately:
- Emergency Contact — someone to reach in an emergency. They don't get access to your records and can't make decisions for you.
- Personal Representative — someone you've formally authorized (through a healthcare power of attorney, advance directive, or similar legal document) to make decisions on your behalf when you can't. This role has the full legal authority under HIPAA.
- Records-Access Proxy — someone you want to receive copies of your records. No decision-making authority.
You can designate the same person for multiple roles, different people for different roles, or nobody at all. You can change these at any time.
3.2 Short-lived access codes
For times when you need to share records with a provider who isn't on a secure health network (a specialist you're seeing once, a caregiver without a provider account), BRILL.health can generate a short-lived code (typically valid for 6 hours) that gives the recipient time-limited read-only access. You can revoke the code at any time.
3.3 BrilLiquid as your delivery agent (optional)
If you'd prefer, you can authorize us to transmit records to providers on your behalf. Records are clearly attributed to you as their author and originator. This service requires your explicit consent and is revocable any time.
3.4 Text messages (SMS)
If you invite a care-team member by text, we send only brief notifications — never any health information. Reply STOP to opt out.
4. Connecting to other services
You can connect BRILL.health to services where you already store health data:
- Apple Health (on iPhone)
- Google Health Connect (on Android)
- Your hospital's patient portal (via Apple Health Records or CommonHealth)
- Your health insurer's Patient Access feature
- Health devices and wearables (through their manufacturers' integrations)
For each, you control what flows to us at the operating system level — not through our app. The Health app on iOS or Health Connect on Android is your authoritative control surface.
Important commitments on HealthKit and Health Connect data:
- We never use HealthKit or Health Connect data for advertising.
- We never sell HealthKit or Health Connect data to advertising platforms, data brokers, or information resellers.
- We share HealthKit data with a third party only with your express permission, and even then only if the third party also provides a health or fitness service to you. For research, we share only with your specific research consent.
We will never build integrations whose primary purpose is monetizing your health data through advertising or resale.
5. Research and clinical trials
You may choose to contribute de-identified data to research. Participation is entirely optional and requires your affirmative consent for each study. You may receive financial rewards for participation in qualifying programs.
What you should understand before consenting
De-identification reduces privacy risk but doesn't eliminate it:
- Re-identification is possible, though uncommon. A bad actor with partial information about you could, in theory, cross-reference published research results to determine that you participated in a study and learn related information about you.
- Breach risk exists. We maintain strong security, but no system is perfect.
- If your contribution includes genetic data, a breach could implicate biological relatives who share genetic material with you. You may want to consider informing relatives.
- Unforeseeable risks. New techniques or datasets could introduce risks we can't currently anticipate. We'll update this disclosure as our understanding evolves.
Changing your mind
Revocation takes effect within 30 days (often faster). It stops future uses of your data but can't reverse research already completed or un-publish results already published.
Declining research doesn't affect your access to any other BRILL.health feature.
6. Security
We use industry-standard protections:
- Encryption of your data in transit and at rest
- Multi-factor authentication (Passkeys preferred, TOTP authenticator apps as a fallback)
- Role-based access with least-privilege principles
- Audit logging of administrative actions, with minimization (see §11)
- Business Associate Agreements with all sub-processors that handle Protected Health Information
- Regular internal security review
Our target architecture makes encryption keys device-held so our servers never have the ability to decrypt your content. We're implementing this in phases; the current phase uses HIPAA-acceptable server-side encryption.
7. How long we keep things
We retain only the minimum necessary to run the platform and meet legal requirements.
| Data type | Retention |
|---|---|
| Your account profile | Until you close your account |
| Identity verification records (if you enable Direct Secure Messaging) | As required by applicable rules |
| Message envelope metadata (addresses, timestamps, delivery receipts) | As required by audit rules |
| Message content (encrypted) | Short-lived after delivery to your device |
| Transaction and audit logs | As required by applicable rules |
| Administrative access logs | 90 days |
| AI-service inputs | Not currently applicable — no AI features are in production |
When you close your account, we delete platform account data except what legal retention rules require us to keep. Your records on your device remain yours.
8. What we collect
The minimum we need for any service:
- Your name
- Your date of birth
- A way to contact you (email or phone)
- A password hash (never the password itself)
Optional additions — you choose when or whether:
- Social Security Number or ITIN (enables certain record-pulls from providers)
- Home address (enables location-aware features)
- Insurance card data (enables pulls from your insurer)
- Government-issued ID (enables Direct Secure Messaging)
- Citizenship (used only for jurisdictional routing if you provide it)
Platform-operation data we collect:
- Identity-verification results from our verification partner (structured data; not photos of your ID after verification completes)
- Message metadata (to route and audit)
- Browser/device type (for security and data provenance)
- Audit logs
What we never collect:
- Country of birth
- Immigration status
- Proxies for either (visa history, countries-lived-in, etc.)
If we ever changed any of these commitments, we'd notify you in advance.
9. What we never do
- We never sell your information to anyone, for any purpose.
- We never share your information for marketing.
- We never aggregate your health records into a central BrilLiquid repository.
- We never train AI on your clinical content.
- We never use your data for advertising targeting.
- We never block or impede your access to your records (see §10).
- We never voluntarily share information with any government agency outside properly served legal process (see §14).
10. Our information-access commitments
BRILL.health is built to make your information more accessible to you, not less:
- We comply with 21st Century Cures Act rules prohibiting information blocking.
- We maintain multiple ways for you to get your data — on-device, machine-readable export, secure messaging, and time-limited access links. No single partner controls any class of your data.
- Your statutory rights (HIPAA, Cures, your state's privacy laws, international privacy laws) are not waivable by your acceptance of these terms. We don't ask you to waive them, and we won't retaliate if you exercise them.
- We won't enter agreements with third parties that restrict your data access or portability.
- We support complaints you file against third parties who block your access. We won't retaliate against you for filing, and we won't notify the third party unless you authorize us to.
11. Administrative access logs
We log administrative access to our systems as required by security and HIPAA audit rules. We apply minimization:
- We collect only the logs we're required to collect.
- We keep them for 90 days in full detail.
- We don't use access logs to build behavioral profiles.
- We don't use access logs for marketing, recommendations, or advertising.
12. Identity verification
BRILL.health uses identity verification for two distinct purposes:
- Platform onboarding and account security — performed by our trusted third-party identity-verification partner (Plaid, Inc.) using industry-standard methods: document authentication, live selfie with biometric match, and fraud-signal checks. This partner handles only identity attributes (name, date of birth, address, ID document images, biometric selfie) for verification purposes — no Protected Health Information, clinical data, or health records are shared with them. They operate as a general identity-verification service, not as a healthcare business associate.
- Direct Secure Messaging activation (optional) — additional identity proofing, performed by a federally compliant verification provider, is required by federal rules if you choose to activate Direct Secure Messaging. Your Direct address is issued as a cryptographic credential through standards-based messaging partners.
13. Artificial intelligence
No AI-assisted features are in production on BRILL.health today. We're evaluating narrow, specific uses of AI where they'd genuinely help you — for example, pulling fields off an insurance-card photo instead of making you type them. We will not introduce any AI-assisted feature that handles your health information without a Business Associate Agreement with the AI provider. When we do add AI features, we'll describe them here first — what each does, what data it sees, what contractual protections apply, and how to opt out.
14. Law enforcement and government access
Our architecture holds as little information about you as possible. Where we must hold information, we encrypt it so (in our target state) only you can decrypt.
- Compelled disclosure. If we receive a valid legal request (subpoena, warrant, court order), we comply. Legal process should be sent to legal@brilliquid.com. Where law permits, we notify you first so you have a chance to object or seek a protective order.
- We can only produce what we actually hold. If it's encrypted and we don't have the key, we produce ciphertext and disclose that we can't decrypt it.
- Transparency reports. We publish a semi-annual report on legal process received (aggregate counts, categories, how many we produced, narrowed, rejected, or received gag orders on — to the extent law permits).
- No voluntary sharing. We don't voluntarily share your information with any government agency. We do not participate in voluntary data-sharing programs with immigration enforcement, tax enforcement, or any other agency.
- No backdoors. We don't build backdoors for any government or third party. If law ever required us to, we'd disclose the requirement here before it took effect.
15. Your choices
You may at any time:
- Revoke any consent you previously gave.
- Delete your account (audit logs required by law are retained in minimized form).
- Export the data we hold for you in a machine-readable format (multiple formats supported).
- Correct inaccurate information.
- Ask us how your data has been handled.
- Exercise rights under state, national, or international privacy laws (see Appendices B, C, D).
Contact us using the information at the end of this policy.
16. If there's a breach
If an incident affects the confidentiality, integrity, or availability of your information, we'll notify you without unreasonable delay, and within the legal timeframes that apply (HIPAA's 60-day outside limit; state-specific timelines for California, Washington, and Nevada residents). We'll tell you what happened, what was affected, what we're doing, and what you can do.
17. Changes to this policy
If we make material changes, we'll notify you in advance — by in-app notice, email, or both — before the change takes effect. The "Effective Date" above shows the current version date. Prior versions are available on request.
18. Our legal role
BRILL.health operates principally as a Business Associate under HIPAA — meaning we handle health information on behalf of healthcare providers, labs, and health plans, and we're subject to those entities' Business Associate Agreements.
For Direct Secure Messaging, we also act as a Registering Agent for the industry-standard healthcare-messaging network. If our role expands in the future, we'll update this section in advance.
Contact
BrilLiquid LLC (a New Jersey limited liability company)
Florham Park, NJ 07932
General inquiries (email): am@brilliquid.com
Direct Secure Messaging (for healthcare correspondence): am@brill.health
Business continuity: +1-201-637-1765
Data Protection Officer / Privacy Questions: privacy@brilliquid.com
Note on email: brilliquid.com is our corporate email. brill.health is a Direct Secure Messaging address — a standards-based secure channel reserved for healthcare correspondence, not a regular email inbox. A healthcare corporate email on brilliquid.health will activate later; we'll update this policy when it does.
Appendix A — Service Providers
We rely on a small number of trusted partners. Each has a contract with confidentiality and security obligations. Where Protected Health Information is involved, we have Business Associate Agreements in place.
| Provider | Role |
|---|---|
| Amazon Web Services | Cloud infrastructure |
| MaxMD, Inc. | Secure healthcare messaging infrastructure |
| Plaid, Inc. | Identity verification at platform onboarding — handles only identity attributes (name, date of birth, address, government-ID images, biometric selfie) for verification purposes. Does not receive Protected Health Information, clinical data, or health records. Operates as a general identity-verification service, not as a healthcare business associate. |
| Accredited Credential Service Provider (specific vendor named when integration is live) | Federal-grade identity proofing required for Direct Secure Messaging |
| BoldSign (by Syncfusion) | Electronic signatures |
| Twilio, Inc. | Text-message delivery for invitations and reminders (never PHI) |
Program-specific sub-processors (testing laboratories, telemedicine providers, insurance partners, payment processors) are introduced as distinct programs become available, each with its own consent flow. Those sub-processors will be named here when the programs enter general availability.
We may add or change sub-processors over time. Material additions appear in the next version of this policy; immediate updates are available on request.
Appendix B — California Residents
If you live in California, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you these rights, in addition to those in §15:
- Right to know what we've collected and how we use it.
- Right to delete your personal information (subject to legal exceptions).
- Right to correct inaccurate information.
- Right to limit use of sensitive personal information to what's needed for service you requested.
- Right to opt out of sale or sharing for cross-context behavioral advertising — we don't sell or share for advertising, so there's nothing to opt out of, but we confirm this right.
- Right to non-discrimination for exercising any of these rights.
How to exercise: email am@brilliquid.com or mail us. We respond within 45 days (extendable 45 more with notice).
California's Confidentiality of Medical Information Act (CMIA) also applies to your medical information and coexists with CCPA/CPRA rights.
Appendix C — Washington and Nevada Residents
Washington's My Health My Data Act and Nevada's Health Privacy Act give you additional rights over "consumer health data":
- Granular consent — we obtain your affirmative consent before collecting or sharing consumer health data, separately for each purpose.
- Right to withdraw consent at any time.
- Right to access, delete, and obtain a list of third parties we've shared your consumer health data with.
- No geofencing around health facilities — we don't and won't do this.
- Private right of action (Washington) for violations of the My Health My Data Act.
How to exercise: email am@brilliquid.com. We respond within 45 days.
Appendix D — Patients with International Ties
If your care crosses international borders — you live abroad, you're a dual citizen, you're traveling for care, you're an international student or worker — we're built to accommodate you:
- Your data travels with you. Clinical records on your device are yours to take anywhere you have a lawful right to travel.
- Your home country's privacy laws apply to you. Residents of the EU, UK, Canada, Australia, India, and other jurisdictions with data-protection laws retain the rights those laws grant (access, deletion, correction, portability, objection). Our policy meets or exceeds most of these.
- Sub-processors are U.S.-based. By using BRILL.health from a non-U.S. jurisdiction, you understand your data may be processed in the U.S. Where your jurisdiction requires specific legal bases for cross-border transfer, we rely on your consent and (where applicable) Standard Contractual Clauses.
- If you provide your citizenship, we use it only for jurisdictional routing.
How to exercise: email am@brilliquid.com. Identify your country of residence and we'll apply the relevant framework.